Update @grpc/grpc-js

[denyeart]

Security vulnerability scan found an issue with grpc-js:
https://github.com/hyperledger/fabric-chaincode-node/actions/runs/9475979432

I was going to update fabric-shim package.json to 1.8.22, but then realized I don't understand all the dependency files such as common/config/rush/pnpm-lock.yaml. Is this file managed by pnpm or rush? What command should be used to update the dependencies?

Is looks like CONTRIBUTING.md has information about rush, but I wanted to confirm that information is up to date and perhaps update it with the proper rush guidance for updating a dependency.

Also, is it typically safe and advisable to jump to new minor versions of grpc-js, e.g. 1.9.x or 1.10.x?

@bestbeforetoday @mbwhite Can you advise?

[bestbeforetoday]

Updating to the latest minor release version of @grpc/grpc-js is generally fine. If you're updating dependencies then I would look to do that. If there are any other out-of-date dependencies that can be safely updated, this might be a good opportunity to do that too since we'll want to publish a new release with the vulnerability addressed.

I notice that fabric-shim depends on an old version of @hyperledger/fabric-protos. It also depends on @grpc/proto-loader but I don't spot any code that imports that so it can probably be removed.

There is Rush documentation for modifying dependencies. The repository also contains a script in common/scripts to run Rush without it being installed globally. For example, in the libraries/fabric-shim directory, you could run:

node ../../common/scripts/install-run-rush.js add --package @grpc/grpc-js@latest

[mbwhite]

Always go via rush to update dependencies - this will then delegate to pnpm for the actual work (it was more efficient at the time to use pnpm rather than npm or yarn)

Those scripts @bestbeforetoday are the recommended way of running the tool when in a CI environment. Without needing to install the tool itself.

[denyeart]

Guidance provided in this issue has been added to CONTRIBUTING.md in #432.