chore: upgrade @grpc/grpc-js to ^1.14.4 to address CVE-2026-48068, CVE-2026-48069 (#1315)

brendan-kellam · linear-code[bot] · web-flow · commit e62669147c6e · 2026-06-17T15:05:03.000-07:00
Refreshed the lockfile so all instances of @grpc/grpc-js resolve to 1.14.4, which patches a server crash via malformed HTTP/2 stream (CVE-2026-48068) and CVE-2026-48069. Both existing version ranges (^1.14.1 and ^1.12.6) already permit 1.14.4, so no package.json or resolutions change was required. Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1307/sourcebot-devsourcebot-cve-2026-48068-cve-2026-48068-grpcgrpc-js#agent-session-ddcdf1e5) Co-authored-by: Brendan Kellam <10233483+brendan-kellam@users.noreply.github.com> Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Fixed
+- Upgraded `@grpc/grpc-js` to `^1.14.4`. [#1315](https://github.com/sourcebot-dev/sourcebot/pull/1315)
 - Upgraded `vite` to `^8.0.16`. [#1313](https://github.com/sourcebot-dev/sourcebot/pull/1313)
 
 ## [5.0.3] - 2026-06-17
diff --git a/yarn.lock b/yarn.lock
@@ -2492,23 +2492,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@grpc/grpc-js@npm:^1.12.6":
-  version: 1.14.0
-  resolution: "@grpc/grpc-js@npm:1.14.0"
-  dependencies:
-    "@grpc/proto-loader": "npm:^0.8.0"
-    "@js-sdsl/ordered-map": "npm:^4.4.2"
-  checksum: 10c0/51e0eb32f6dac68c49502b227e565c4244f53983d2efab8ef3fd2cc923999751c059f6c77fec4941a93c44eaa58cbc321ce1e9868e1ec226fba5a6c93722c3b1
-  languageName: node
-  linkType: hard
-
-"@grpc/grpc-js@npm:^1.14.1":
-  version: 1.14.1
-  resolution: "@grpc/grpc-js@npm:1.14.1"
+"@grpc/grpc-js@npm:^1.12.6, @grpc/grpc-js@npm:^1.14.1":
+  version: 1.14.4
+  resolution: "@grpc/grpc-js@npm:1.14.4"
   dependencies:
     "@grpc/proto-loader": "npm:^0.8.0"
     "@js-sdsl/ordered-map": "npm:^4.4.2"
-  checksum: 10c0/a9a8fc7f4dfa374a34e37350b37ad2c092ed533b203fe16d45ba3220fe38195d17a87527dade2e5546afeeeccfcf68d3e914705d94e44e8df461321b0c02cc7a
+  checksum: 10c0/0ff6395e8112ad30e8f99dbb684b997ebc3264e770b8e354f23effeedf181a380e0ecef8bca466cbbf3e9141968656144851de1da50f840a1efd9314c9812449
   languageName: node
   linkType: hard
 
