chore(deps): update dependency @grpc/grpc-js to v1.14.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@grpc/grpc-js (source)	1.14.3 → 1.14.4

---

@​grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash

CVE-2026-48069 / GHSA-99f4-grh7-6pcq

More information

Details

Impact

An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @​grpc/grpc-js

Patches

The following version have fixes for this vulnerability:

• 1.9.16
• 1.10.12
• 1.11.4
• 1.12.7
• 1.13.5
• 1.14.4

Workarounds

There is no workaround.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16
• https://github.com/advisories/GHSA-99f4-grh7-6pcq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​grpc/grpc-js: A malformed request can cause a server crash

CVE-2026-48068 / GHSA-5375-pq7m-f5r2

More information

Details

Impact

An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @​grpc/grpc-js.

Patches

The following version have fixes for this vulnerability:

• 1.9.16
• 1.10.12
• 1.11.4
• 1.12.7
• 1.13.5
• 1.14.4

Workarounds

There is no workaround.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4
• https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16
• https://github.com/advisories/GHSA-5375-pq7m-f5r2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

grpc/grpc-node (@​grpc/grpc-js)

v1.14.4: @​grpc/grpc-js 1.14.4

Compare Source

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

---

Configuration

📅 Schedule: (in timezone Asia/Singapore)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.