fix(deps): bump @grpc/grpc-js to 1.14.4 (GHSA-5375-pq7m-f5r2, GHSA-99f4-grh7-6pcq)

[vfarcic]

Summary

Bumps @grpc/grpc-js 1.14.3 → 1.14.4 to resolve two high-severity advisories that the Security Analysis (better-npm-audit) CI step now flags:

• GHSA-5375-pq7m-f5r2 (npm advisory 1120582)
• GHSA-99f4-grh7-6pcq (npm advisory 1120588)

These advisories were published after main last ran CI, so the audit fails on every PR (e.g. #628) regardless of its contents — this is a repo-wide blocker. @grpc/grpc-js is a direct dependency (also pulled by the OpenTelemetry exporters).

Validation (local)

• npx --no-install better-npm-audit audit --level moderate → "All good!" (both advisories cleared)
• npm run build → pass
• npm run test:unit → 481 passed

Full integration suite runs here in CI.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated internal gRPC dependency to the latest patch version for improved stability and maintenance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c2e3f76c-d7f1-4f9c-97e6-e374c61b4063

📥 Commits

Reviewing files that changed from the base of the PR and between 198c40b and fe92858.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

@grpc/grpc-js dependency version is updated from ^1.14.3 to ^1.14.4 in package.json. No other dependencies, scripts, or package metadata are modified.

Changes

Dependency Updates

Layer / File(s)	Summary
gRPC dependency version bump package.json	@grpc/grpc-js dependency version is bumped to ^1.14.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

dependencies

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping @grpc/grpc-js to 1.14.4 to resolve two security advisories.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-grpc-js-advisories

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vfarcic]

Superseded by #628, which bundled the grpc-js + esbuild + operate fixes. Shipped in v1.21.1.