fix(deps): update dependency electron to v22 [security] #2631
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
20.3.12
->22.3.25
GitHub Vulnerability Alerts
CVE-2023-29198
Impact
Apps using
contextIsolation
andcontextBridge
are affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
This issue is exploitable under either of two conditions:
contextBridge
can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrownError: object could not be cloned
.contextBridge
has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.
Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.
Fixed Versions
25.0.0-alpha.2
24.0.1
23.2.3
22.3.6
For more information
If you have any questions or comments about this advisory, email us at [email protected]
CVE-2023-39956
Impact
Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as
myapp --help
Specifically this issue can only be exploited if the following conditions are met:
This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
26.0.0-beta.13
25.5.0
24.7.1
23.3.13
22.3.19
For more information
If you have any questions or comments about this advisory, email us at [email protected]
CVE-2023-5217
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2023-44402
Impact
This only impacts apps that have the
embeddedAsarIntegrityValidation
andonlyLoadAppFromAsar
[fuses] (https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the
.app
bundle on macOS which these fuses are supposed to protect against.Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
27.0.0-alpha.7
26.2.1
25.8.1
24.8.3
23.3.14
22.3.24
For more information
If you have any questions or comments about this advisory, email us at [email protected]
Release Notes
electron/electron (electron)
v22.3.25
: electron v22.3.25Compare Source
Release Notes for v22.3.25
Other Changes
v22.3.24
: electron v22.3.24Compare Source
Release Notes for v22.3.24
Other Changes
v22.3.23
: electron v22.3.23Compare Source
Release Notes for v22.3.23
Other Changes
v22.3.22
: electron v22.3.22Compare Source
Release Notes for v22.3.22
Fixes
Other Changes
v22.3.21
: electron v22.3.21Compare Source
Release Notes for v22.3.21
Fixes
Other Changes
1444438
.v22.3.18
: electron v22.3.18Compare Source
Release Notes for v22.3.18
Other Changes
1454860
. #38949v22.3.17
: electron v22.3.17Compare Source
Release Notes for v22.3.17
Other Changes
1454860
. #38949v22.3.16
: electron v22.3.16Compare Source
Release Notes for v22.3.16
Other Changes
1450536
.v22.3.15
: electron v22.3.15Compare Source
Release Notes for v22.3.15
Other Changes
1450536
.v22.3.14
: electron v22.3.14Compare Source
Release Notes for v22.3.14
Other Changes
1450536
.v22.3.13
: electron v22.3.13Compare Source
Release Notes for v22.3.13
Other Changes
1437346
.1439691
.1425115
.1431761
.1442263
. #383321447430
.1444195
.v22.3.12
: electron v22.3.12Compare Source
Release Notes for v22.3.12
Other Changes
1423360
. #38277v22.3.11
: electron v22.3.11Compare Source
Release Notes for v22.3.11
Other Changes
1423360
. #38277v22.3.10
: electron v22.3.10Compare Source
Release Notes for v22.3.10
Other Changes
v22.3.9
: electron v22.3.9Compare Source
Release Notes for v22.3.9
Other Changes
v22.3.8
: electron v22.3.8Compare Source
Release Notes for v22.3.8
Fixes
v22.3.7
: electron v22.3.7Compare Source
Release Notes for v22.3.7
Fixes
shell.openExternal()
options. #38092 (Also in 23, 24, 25)Other Changes
1360571
. #380621404790
. #380641417317
. #376651427388
. #379831428820
. #38068v22.3.6
: electron v22.3.6Compare Source
Release Notes for v22.3.6
Fixes
node-gyp
version innode.h
error. #37942 (Also in 23, 24, 25)Other Changes
v22.3.5
: electron v22.3.5Compare Source
Release Notes for v22.3.5
Fixes
port.postMessage
inMessagePortMain
with some invalid parameters could cause a crash. #37725 (Also in 23, 24)Other Changes
1412991
. #376591418734
. #37661v22.3.4
: electron v22.3.4Compare Source
Release Notes for v22.3.4
Fixes
session.cookies.set
failure. #37595 (Also in 23, 24)Other Changes
1415249
. #376711416916
. #376571417585
. #37663v22.3.3
: electron v22.3.3Compare Source
Release Notes for v22.3.3
Fixes
Other Changes
1414224
. #37483v22.3.2
: electron v22.3.2Compare Source
Release Notes for v22.3.2
Fixes
minWidth
/minHeight
andmaxWidth
/maxHeight
would not be enforced if the user set anaspectRatio
on macOS. #37458 (Also in 23, 24)hasReply
andactions
to a main process Notification on macOS resulted in the first action being obscured and unavailable. #37447 (Also in 23, 24)Other Changes
contents.takeHeapSnapshot
. #37459 (Also in 23, 24)v22.3.1
: electron v22.3.1Compare Source
Release Notes for v22.3.1
Other Changes
Documentation
v22.3.0
: electron v22.3.0Compare Source
Release Notes for v22.3.0
Features
webContents.print()
. #37263 (Also in 23, 24)Fixes
BrowserView
s are present and a user attempts to preventbeforeunload
in the renderer process. #37266 (Also in 23, 24)Other Changes
v22.2.1
: electron v22.2.1Compare Source
Release Notes for v22.2.1
Features
Fixes
nodeIntegrationInWorker: true
. #37102 (Also in 23)Documentation
v22.2.0
: electron v22.2.0Compare Source
Release Notes for v22.0.0
Stack Upgrades
Breaking Changes
input-event
event.scroll-touch-*
events. #35531new-window
event has been removed. #34526Features
LoadBrowserProcessSpecificV8Snapshot
as a new fuse that will let the main/browser process load its v8 snapshot from a file atbrowser_v8_context_snapshot.bin
. Any other process will use the same path as is used today. #35266 (Also in 20, 21)WebContents.opener
to access window opener.webContents.fromFrame(frame)
to get the WebContents corresponding to a WebFrameMain instance. #35140 (Also in 21)app.getSystemLocale()
method. #35697 (Also in 21)contextBridge.exposeInIsolatedWorld(worldId, key, api)
to expose an API to anisolatedWorld
within a renderer from a preload script. #34974webContents.close()
method. #35509webFrameMain.origin
. #35438 (Also in 19, 20, 21)app.getPreferredSystemLanguages()
API to return the user's system languages. #36291 (Also in 21)content-bounds-updated
. #35533WebContents.ipc
andWebFrameMain.ipc
APIs. #34959 (Also in 21)navigator.mediaDevices.getDisplayMedia
via a new session handler,ses.setDisplayMediaRequestHandler
. #30702serialPort.forget()
as well as a new eventserial-port-revoked
emitted when a given origin is revoked. #36062Fixes
click
event and tooltip ofTray
not working on Linux. #36472Also in earlier versions...
uv_os_gethostname
failing on Windows 7. #35702 (Also in 19, 20, 21)atob
in the renderer process could fail under some circumstances. #35415 (Also in 19, 20, 21)webContents.printToPDF()
. #36065 (Also in 21)app.isInApplicationsFolder()
which would return false incorrectly in some cases. #35636 (Also in 19, 20, 21)screen.getCursorScreenPoint()
crashed on Wayland when it was called before aBrowserWindow
had been created. #35503 (Also in 21)serialPort.open()
failed withNetworkError: Failed to open serial port.
. #35306 (Also in 21)app.dock.setIcon(/path/t/icon)
would crash when called before theready
event onapp
. #36293 (Also in 20, 21)roundedCorners: false
couldn't enter fullscreen without crashing. #35421 (Also in 19, 20, 21)setBounds
on some windows. #34713 (Also in 19, 20, 21)webContents.printToPDF()
. #35993 (Also in 21)webContents.loadURL
when navigating to a hash. #36151 (Also in 20, 21)nodeIntegrationInWorker
in Service Workers and Shared Workers owing to sandboxing policies. #36010 (Also in 21)safeStorage
now consistently uses the correct service name on macOS regardless of timing with browser window construction. #34683 (Also in 19, 20)import('electron')
andimport 'electron'
now work natively. #35957 (Also in 20, 21)Other Changes
webContents.printToPDF().
. #36095win.getBrowserViews()
not being updated when a BrowserView was moved to a different window. #35511common.gypi
for native modules to support C++17 features in V8. #36369 (Also in 20, 21)Documentation
Notices
Sunsetting Windows 7/8/8.1
Electron will be ending support for Windows 7/8/8.1 after version 22.x.y following Chromium's plan to end support. Older versions of Electron will continue to work, but no further updates will be made for these operating systems.
End of Support for 19.x.y
Electron 19.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.
v22.1.0
: electron v22.1.0Compare Source
Release Notes for v22.1.0
Features
label
property toDisplay
objects. #36932 (Also in 21, 23)Fixes
webView
s could have an incorrect initial background color following reloads. #36940 (Also in 21, 23)Other Changes
v22.0.3
: electron v22.0.3Compare Source
Release Notes for v22.0.3
Fixes
Cmd+Tab
after exiting Kiosk Mode. #36918 (Also in 21, 23)setPermissionRequestHandler
callback would be invoked twice when usingnavigator.getUserMedia(...)
. #36873 (Also in 23)v22.0.2
: electron v22.0.2Compare Source
Release Notes for v22.0.2
Fixes
BrowserWindow.setTrafficLightPosition()
on macOS. #36851 (Also in 21, 23)Other Changes
v22.0.1
: electron v22.0.1Compare Source
Release Notes for v22.0.1
Fixes
requireInteraction
option to not timeout on Linux and Windows. #36501 (Also in 21)dialog.showMessageBox()
. #36802 (Also in 21, 23)WebSwapCGLLayer
symbols when Electron starts on macOS. #36800 (Also in 21, 23)Other Changes
v22.0.0
: electron v22.0.0Compare Source
Release Notes for v22.0.0
Stack Upgrades
Breaking Changes
input-event
event.scroll-touch-*
events. #35531new-window
event has been removed. #34526Features
LoadBrowserProcessSpecificV8Snapshot
as a new fuse that will let the main/browser process load its v8 snapshot from a file atbrowser_v8_context_snapshot.bin
. Any other process will use the same path as is used today. #35266 (Also in 20, 21)WebContents.opener
to access window opener.webContents.fromFrame(frame)
to get the WebContents corresponding to a WebFrameMain instance. #35140 (Also in 21)app.getSystemLocale()
method. #35697 (Also in 21)contextBridge.exposeInIsolatedWorld(worldId, key, api)
to expose an API to anisolatedWorld
within a renderer from a preload script. #34974webContents.close()
method. #35509webFrameMain.origin
. #35438 (Also in 19, 20, 21)app.getPreferredSystemLanguages()
API to return the user's system languages. #36291 (Also in 21)content-bounds-updated
. #35533WebContents.ipc
andWebFrameMain.ipc
APIs. #34959 (Also in 21)navigator.mediaDevices.getDisplayMedia
via a new session handler,ses.setDisplayMediaRequestHandler
. #30702serialPort.forget()
as well as a new eventserial-port-revoked
emitted when a given origin is revoked. #36062Fixes