From ec6aaec13949973a4566819c9461f575b0408409 Mon Sep 17 00:00:00 2001
From: Brendan Kellam <10233483+brendan-kellam@users.noreply.github.com>
Date: Wed, 17 Jun 2026 21:57:44 +0000
Subject: [PATCH] chore: upgrade @grpc/grpc-js to ^1.14.4 to address CVE-2026-48068, CVE-2026-48069

Refreshed the lockfile so all instances of @grpc/grpc-js resolve to 1.14.4, which patches a server crash via malformed HTTP/2 stream (CVE-2026-48068) and CVE-2026-48069. Both existing version ranges (^1.14.1 and ^1.12.6) already permit 1.14.4, so no package.json or resolutions change was required.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1307/sourcebot-devsourcebot-cve-2026-48068-cve-2026-48068-grpcgrpc-js#agent-session-ddcdf1e5)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 3 +++
 yarn.lock | 18 ++++--------------
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0eaf3c57d..504a4b84c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- Upgraded `@grpc/grpc-js` to `^1.14.4`. [#1315](https://github.com/sourcebot-dev/sourcebot/pull/1315)
+
 ## [5.0.3] - 2026-06-17
 
 ### Changed
diff --git a/yarn.lock b/yarn.lock
index 9f8532d5d..d8bda048a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2492,23 +2492,13 @@ __metadata: languageName: node linkType: hard -"@grpc/grpc-js@npm:^1.12.6": - version: 1.14.0 - resolution: "@grpc/grpc-js@npm:1.14.0" - dependencies: - "@grpc/proto-loader": "npm:^0.8.0" - "@js-sdsl/ordered-map": "npm:^4.4.2" - checksum: 10c0/51e0eb32f6dac68c49502b227e565c4244f53983d2efab8ef3fd2cc923999751c059f6c77fec4941a93c44eaa58cbc321ce1e9868e1ec226fba5a6c93722c3b1 - languageName: node - linkType: hard - -"@grpc/grpc-js@npm:^1.14.1": - version: 1.14.1 - resolution: "@grpc/grpc-js@npm:1.14.1" +"@grpc/grpc-js@npm:^1.12.6, @grpc/grpc-js@npm:^1.14.1": + version: 1.14.4 + resolution: "@grpc/grpc-js@npm:1.14.4" dependencies: "@grpc/proto-loader": "npm:^0.8.0" "@js-sdsl/ordered-map": "npm:^4.4.2" - checksum: 10c0/a9a8fc7f4dfa374a34e37350b37ad2c092ed533b203fe16d45ba3220fe38195d17a87527dade2e5546afeeeccfcf68d3e914705d94e44e8df461321b0c02cc7a + checksum: 10c0/0ff6395e8112ad30e8f99dbb684b997ebc3264e770b8e354f23effeedf181a380e0ecef8bca466cbbf3e9141968656144851de1da50f840a1efd9314c9812449 languageName: node linkType: hard