🍔 A Node.js Serverless Framework for front-end/full-stack developers. Build the application for next decade. Works on AWS, Alibaba Cloud, Tencent Cloud and traditional VM/Container. Super easy integrate with React and Vue. 🌈
There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option:
If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.
If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.
Patches
This has been patched in versions 1.10.9, 1.9.15, and 1.8.22
This PR contains the following updates:
1.10.8->1.10.9GitHub Vulnerability Alerts
CVE-2024-37168
Impact
There are two separate code paths in which memory can be allocated per message in excess of the
grpc.max_receive_message_lengthchannel option:Patches
This has been patched in versions 1.10.9, 1.9.15, and 1.8.22
Release Notes
grpc/grpc-node (@grpc/grpc-js)
### [`v1.10.9`](https://togithub.com/grpc/grpc-node/compare/@grpc/grpc-js@1.10.8...674f4e351a619fd4532f84ae6dff96b8ee4e1ed3) [Compare Source](https://togithub.com/grpc/grpc-node/compare/@grpc/grpc-js@1.10.8...@grpc/grpc-js@1.10.9)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.