
chore: upgrade @grpc/grpc-js to ^1.14.4 to address CVE-2026-48068, CVE-2026-48069#1315

Merged: brendan-kellam merged 2 commits into main from brendan/sou-1307-sourcebot-devsourcebot-cve-2026-48068-cve-2026-48068-99df on Jun 17, 2026

Conversation

@brendan-kellam (Contributor) commented Jun 17, 2026

Fixes SOU-1307

Refreshes the lockfile so all instances of @grpc/grpc-js resolve to 1.14.4, patching a server crash via malformed HTTP/2 stream (CVE-2026-48068) and CVE-2026-48069, both fixed in the same release.

The package was present below the patched threshold via two paths:

  • Direct dependency in packages/web (^1.14.1 → was 1.14.1)
  • Transitive via @sourcebot/shared → @google-cloud/secret-manager → google-gax (^1.12.6 → was 1.14.0)

Both ranges already permit 1.14.4, so only yarn.lock needed refreshing (yarn up -R @grpc/grpc-js). No package.json or resolutions change required.

Verified with yarn why @grpc/grpc-js --recursive — all instances now resolve to 1.14.4.

Summary by CodeRabbit

  • Chores
    • Updated changelog to document dependency upgrade addressing stability and compatibility enhancements.
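A lockfile check of the kind the `yarn why @grpc/grpc-js --recursive` verification above performs, written here as an added example and not code from the Sourcebot project: it reads the `version` pinned for every `@grpc/grpc-js` descriptor in a yarn.lock and reports any still below 1.14.4, so the same check can run in CI against a refreshed lockfile. The lockfile fragments are constructed; the parser accepts the Yarn Berry `version: x` form that `yarn up -R` writes as well as the classic `version "x"` form.

```python
import re
from typing import Dict, List, Tuple

# Constructed Yarn Berry lockfile fragments, not the project's real yarn.lock:
# BEFORE mirrors the two paths the PR describes (^1.14.1 locked at 1.14.1,
# ^1.12.6 locked at 1.14.0); AFTER is the refreshed state, one entry serving both.
LOCK_BEFORE = """\
"@grpc/grpc-js@npm:^1.14.1":
  version: 1.14.1

"@grpc/grpc-js@npm:^1.12.6":
  version: 1.14.0
"""
LOCK_AFTER = """\
"@grpc/grpc-js@npm:^1.12.6, @grpc/grpc-js@npm:^1.14.1":
  version: 1.14.4
  resolution: "@grpc/grpc-js@npm:1.14.4"
"""
# Matches both Berry (`version: 1.14.4`) and classic (`version "1.14.4"`) lines.
_VERSION_RE = re.compile(r'^\s+version:?\s*"?([0-9A-Za-z.+-]+)"?\s*$')

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric core of a semver string; prerelease and build tags are ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))

def locked_versions(lock_text: str, package: str) -> Dict[str, str]:
    """Map each descriptor of `package` (e.g. '@grpc/grpc-js@npm:^1.14.1')
    to the concrete version the lockfile pins it to."""
    found: Dict[str, str] = {}
    descriptors: List[str] = []
    for line in lock_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace():  # entry header: one or more descriptors
            header = line.rstrip().rstrip(":")
            descriptors = [d.strip().strip('"') for d in header.split(",")]
            continue
        m = _VERSION_RE.match(line)
        if m and descriptors:
            for d in descriptors:
                if d.rsplit("@", 1)[0] == package:  # strip the range suffix
                    found[d] = m.group(1)
            descriptors = []  # version recorded; skip the rest of the entry
    return found

def unpatched(lock_text: str, package: str, minimum: str) -> Dict[str, str]:
    """Descriptors still locked below `minimum`; an empty dict means patched."""
    floor = parse_version(minimum)
    return {d: v for d, v in locked_versions(lock_text, package).items() if parse_version(v) < floor}
```

Running `unpatched(open("yarn.lock").read(), "@grpc/grpc-js", "1.14.4")` on the pre-fix lockfile names both offending descriptors; on the refreshed one it returns an empty dict.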

…E-2026-48069

Refreshed the lockfile so all instances of @grpc/grpc-js resolve to
1.14.4, which patches a server crash via malformed HTTP/2 stream
(CVE-2026-48068) and CVE-2026-48069. Both existing version ranges
(^1.14.1 and ^1.12.6) already permit 1.14.4, so no package.json or
resolutions change was required.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1307/sourcebot-devsourcebot-cve-2026-48068-cve-2026-48068-grpcgrpc-js#agent-session-ddcdf1e5)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
@coderabbitai (bot, Contributor) commented Jun 17, 2026


Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3695f7e3-6127-47bc-9a35-64db86b74c81

📥 Commits

Reviewing files that changed from the base of the PR and between f5dab5f and 7e065d5.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

A single changelog entry is added under the [Unreleased] → Fixed section, documenting the upgrade of @grpc/grpc-js to ^1.14.4 and linking to the corresponding pull request.

Changes

Changelog Update

| Layer / File(s) | Summary |
|---|---|
| Unreleased Fixed entry for @grpc/grpc-js (CHANGELOG.md) | Adds a bullet under [Unreleased] → Fixed recording the @grpc/grpc-js upgrade to ^1.14.4 with a PR reference. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute


@brendan-kellam brendan-kellam force-pushed the brendan/sou-1307-sourcebot-devsourcebot-cve-2026-48068-cve-2026-48068-99df branch from 564ab01 to ec6aaec Compare June 17, 2026 21:58
@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 22:04
@brendan-kellam brendan-kellam merged commit e626691 into main Jun 17, 2026
8 of 9 checks passed
@github-actions (Contributor)

License Audit

⚠️ Status: PASS

| Metric | Count |
|---|---|
| Total packages | 2136 |
| Resolved (non-standard) | 11 |
| Unresolved | 0 |
| Strong copyleft | 0 |
| Weak copyleft | 39 |

Weak Copyleft Packages (informational)

| Package | Version | License |
|---|---|---|
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-wasm32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-wasm32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-win32-arm64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| dompurify | 3.4.0 | (MPL-2.0 OR Apache-2.0) |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |
Resolved Packages (11)
| Package | Version | Original | Resolved | Source |
|---|---|---|---|---|
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | package LICENSE file (MIT License, Copyright Aiden Bai) |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | package LICENSE file (MIT License, Copyright Aiden Bai) |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | package LICENSE file (MIT License, Copyright Aiden Bai) |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | GitHub repo (livebook-dev/codemirror-lang-elixir, SPDX Apache-2.0) |
| element-source | 0.0.3 | UNKNOWN | MIT | package LICENSE file (MIT License, Copyright Aiden Bai) |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | GitHub repo (livebook-dev/lezer-elixir, SPDX Apache-2.0) |
| map-stream | 0.1.0 | UNKNOWN | MIT | GitHub repo (dominictarr/map-stream, SPDX MIT) |
| memorystream | 0.3.1 | UNKNOWN | MIT | extracted from object (npm registry licenses: [{type:MIT}]) |
| pause-stream | 0.0.11 | MIT,Apache2 | MIT OR Apache-2.0 | extracted from object (license array [MIT, Apache2]) |
| posthog-js | 1.369.0 | SEE LICENSE IN LICENSE | Apache-2.0 | GitHub repo LICENSE file (PostHog/posthog-js, Apache License 2.0) |
| valid-url | 1.0.9 | UNKNOWN | MIT | GitHub repo LICENSE file (ogt/valid-url, MIT license) |
