chore(deps): update dependency electron to v28 [security] #519
This PR contains the following updates:
25.9.8 -> 28.3.2
GitHub Vulnerability Alerts
CVE-2024-46993
Impact
The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.
Workaround
There are no app-side workarounds for this issue. You must update your Electron version to be protected.
Patches
v28.3.2
v29.3.3
v30.0.3
For More Information
If you have any questions or comments about this advisory, email us at [email protected].
Release Notes
electron/electron (electron)
v28.3.2: electron v28.3.2
Release Notes for v28.3.2
Fixes
console.log() in AudioWorkletGlobalScope produced incorrect output. #41895
Other Changes
1517088. #42093
3270271. #42103
3307568. #42092
3392667. #42098
3394581. #42124
3402211. #42176
3296996.
3385743. #42221
3350038.
3335087. #42008
v28.3.1: electron v28.3.1
Release Notes for v28.3.1
Fixes
Other Changes
v28.3.0: electron v28.3.0
Release Notes for v28.3.0
Features
Fixes
Other Changes
v28.2.10: electron v28.2.10
Release Notes for v28.2.10
Fixes
Storage.{get|set|clear}Cookies via the Chrome DevTools Protocol. #41738 (Also in 29, 30)
Other Changes
3296748.
3271834.
3263494. #41747
Documentation
v28.2.9: electron v28.2.9
Release Notes for v28.2.9
Fixes
shell.showItemInFolder not opening Windows Explorer if the passed path contains forward slashes. #41670 (Also in 29, 30)
serial-port-added event improperly respected filters set by serial.requestPort(). #41637 (Also in 29, 30)
Other Changes
v28.2.8: electron v28.2.8
Release Notes for v28.2.8
Other Changes
3252967. #41607
v28.2.7: electron v28.2.7
Release Notes for v28.2.7
Fixes
chrome://process-internals failing to load. #41541 (Also in 29, 30)
user-did-{resign|become}-active were not emitted properly on macOS. #41526 (Also in 29, 30)
Other Changes
v28.2.6: electron v28.2.6
Release Notes for v28.2.6
Fixes
webContents.print(options) failed if options was not passed or undefined is passed. #41478 (Also in 29, 30)
Other Changes
v28.2.5: electron v28.2.5
Release Notes for v28.2.5
Other Changes
v28.2.4: electron v28.2.4
Release Notes for v28.2.4
Fixes
-webkit-app-region: drag; has no effect in full screen mode. #41330 (Also in 27, 29)
Other Changes
4149197. #41374
v28.2.3: electron v28.2.3
Release Notes for v28.2.3
Fixes
webContents.printToPDF could fail when certain combinations of margins and pageSize values are passed. #41267 (Also in 29)
node::Environment destruction potentially wouldn't be propagated to the NodeService exit handler. #41302 (Also in 27, 29)
Other Changes
v28.2.2: electron v28.2.2
Release Notes for v28.2.2
Fixes
select-usb-device did not respect the filter option in navigator.usb.requestDevice(). #41198 (Also in 27, 29)
Other Changes
1511567.
1514777.
1511085.
1519980. #41178
v28.2.1: electron v28.2.1
Release Notes for v28.2.1
Fixes
async_hooks crash when listening for the restore event on Windows after minimizing a maximized BrowserWindow. #41145 (Also in 27, 29)
printBackground option in webContents.printToPDF did not work as expected. #41179 (Also in 29)
Other Changes
1407197. #41105
v28.2.0: electron v28.2.0
Release Notes for v28.2.0
Features
Fixes
session.fromPartition() key lookup bug. #41083 (Also in 29)
dialog.showMessageBoxSync. #41042 (Also in 27, 29)
Other Changes
v28.1.4: electron v28.1.4
Release Notes for v28.1.4
Fixes
inAppPurchase.getProducts and inAppPurchase.purchasedProduct did not resolve as expected. #40956 (Also in 27, 29)
Other Changes
1506535.
v28.1.3: electron v28.1.3
Release Notes for v28.1.3
Fixes
ready event was emitted on Linux. #40924 (Also in 26, 27, 29)
v28.1.2: electron v28.1.2
Release Notes for v28.1.2
Fixes
Other Changes
v28.1.1: electron v28.1.1
Release Notes for v28.1.1
Fixes
v28.1.0: electron v28.1.0
Release Notes for v28.1.0
Features
protocol.registerSchemesAsPrivileged to allow V8 code cache in custom schemes. #40709 (Also in 27)
Fixes
--inspect port. #40743 (Also in 27)
Other Changes
v28.0.0: electron v28.0.0
Release Notes for 28.0.0
Stack Upgrades
120.0.6099.56
18.18.2
12.0
Breaking Changes
BrowserWindow.getTrafficLightPosition() and BrowserWindow.setTrafficLightPosition() methods have been removed. #39479
app.runningUnderRosettaTranslation() method has been removed. #39956
ipcRenderer.sendTo() method has been removed. #39087
scroll-touch-{begin,end,edge} events have been removed. #39814
backgroundThrottling to false will disable frames throttling in the BrowserWindow for all WebContents displayed by it. #38924
Features
Additions
UtilityProcess API now supports ESM entrypoints. #40047
display object including detected, maximumCursorSize, and nativeOrigin. #40554
ELECTRON_OZONE_PLATFORM_HINT environment variable on Linux. #39792
In addition to enabling ESM support in Electron itself, Electron Forge also supports using ESM to package, build and develop Electron applications. You can find this support in Forge v7.0.0 or higher: https://github.com/electron/forge/releases/tag/v7.0.0
getWebRTCUDPPortRange and setWebRTCUDPPortRange APIs to specify UDP port range for WebRTC. #39046
keyboardLock to ses.setPermissionRequestHandler(handler). #40460 (Also in 26, 27)
mouse-enter and mouse-leave Tray events for Windows. #40072
generateTaggedPDF option to webContents.printToPDF() to allow generating tagged (accessible) PDFs. #39563
tabbingIdentifier property to BrowserWindow. #39980 (Also in 26, 27)
display object including detected, maximumCursorSize, and nativeOrigin. #40554
ELECTRON_OZONE_PLATFORM_HINT environment variable on Linux. #39792
chrome.scripting extension APIs. #39395 (Also in 25, 26, 27)
host_permissions, author, and short_name. #39599 (Also in 26, 27)
webContents.downloadURL(). #39455 (Also in 25, 26, 27)
systemPreferences.getColor(name) to return an RGBA hex value (#RRGGBBAA) instead of a plain RGB (#RRGGBB) value. #38960
module.exports. #39484
Improvements
fork() and execve() performance for child_process API on Linux. #39253
Removed/Deprecated
app.runningUnderRosettaTranslation property has been deprecated. #39897 (Also in 25, 26, 27)
gpu-process-crashed event on app has been deprecated. #40195
renderer-process-crashed event on app and crashed event on WebContents and <webview> have been deprecated. #40089
Fixes
MessagePorts from being garbage collected when not referenced. #40201
shell.showItemInFolder not being escaped in Linux. #40562
node_modules. Support the throwIfNoEntry option in fs.statSync/fs.lstatSync in asar files. #40224
activateIgnoringOtherApps for focusing non-panels on macOS. #40621
Also in earlier versions...
BrowserView.setBounds() calls not painting view in new bounds in some cases. #39994 (Also in 25, 26, 27)
app.runningUnderARM64Translation() always returning true on ARM64. #39920 (Also in 25, 26, 27)
will-navigate not being emitted when pressing links in chrome: pages. #40525 (Also in 27)
webContents.capturePage() issue that caused an empty image to be returned for fully-occluded windows on Linux and Windows. #40185 (Also in 25, 26, 27)
async_hook corruption in some error contexts. #40594 (Also in 26, 27)
dialog.showOpenDialog on macOS. #40346 (Also in 27)
chrome.tabs events would throw incorrectly. #39729 (Also in 25, 26, 27)
frame: false and roundedCorners: false when going fullscreen. #39747 (Also in 25, 26, 27)
notification.close() if they'd previously been dismissed. #40243 (Also in 26, 27)
BrowserViews that had their bounds set prior to being added to a BrowserWindow could have unexpected incorrect offsets. #39605 (Also in 25, 26, 27)
chrome://gpu failed to load. #39556 (Also in 25, 26, 27)
navigator.keyboard.lock() did not work per latest expected behavior. #40389 (Also in 26, 27)
webContents.print could fail when options is a frozen object. #39985 (Also in 25, 26, 27)
webContents.sendInputEvent(). #39776 (Also in 25, 26, 27)
loadURL during some webContents url loading events could crash. #40143 (Also in 24, 25, 26, 27)
show() on a child BrowserWindow would show all other children attached to the same parent on macOS. #40062 (Also in 24, 25, 26, 27)
chrome.tabs Tab objects were not properly considered privileged. #39595 (Also in 25, 26, 27)
assert module did not work in the renderer process. #39540 (Also in 24, 25, 26, 27)
webcrypto.subtle.importKey() could error and fail if SharedArrayBuffers are not defined. #40070 (Also in 27)
gpu-process-crashed/renderer-process-crashed events being emitted twice and with incorrect arguments. #40090 (Also in 22, 24, 25, 26, 27)
child_process.spawn() on windows affected by launching store applications. #40101 (Also in 25, 26, 27)
Electron.TitleBarOverlay. #39799 (Also in 26, 27)
BrowserWindow.setResizable(). #40582 (Also in 26, 27)
contextBridge are now called with the expected receiver (this). #40263 (Also in 27)
enable_electron_extensions=false. #40032 (Also in 25, 26, 27)
Notices
End of Support for 25.x.y
Electron 25.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.
v27.3.11: electron v27.3.11
Release Notes for v27.3.11
27-x-y end of support
Electron 27.x.y has reached end-of-support as per the project's support policy.
Developers and applications are encouraged to upgrade to a newer version of Electron.
Other Changes
4007170.
4148882.
4149123. #41856
v27.3.10: electron v27.3.10
Release Notes for v27.3.10
Other Changes
v27.3.9: electron v27.3.9
Release Notes for v27.3.9
Other Changes
3252967. #41608
3296748.
3271834.
3263494. #41748
v27.3.8: electron v27.3.8
Release Notes for v27.3.8
Other Changes
v27.3.7: electron v27.3.7
Release Notes for v27.3.7
Other Changes
v27.3.6: electron v27.3.6
Release Notes for v27.3.6
Other Changes
v27.3.5: electron v27.3.5
Release Notes for v27.3.5
Other Changes
v27.3.4: electron v27.3.4
Release Notes for v27.3.4
Other Changes
v27.3.3: electron v27.3.3
Release Notes for v27.3.3
Fixes
-webkit-app-region: drag; has no effect in full screen mode. #41331 (Also in 28, 29)
node::Environment destruction potentially wouldn't be propagated to the NodeService exit handler. #41300 (Also in 28, 29)
Other Changes
4149665.
4149197. #41375
v27.3.2: electron v27.3.2
Release Notes for v27.3.2
Fixes
select-usb-device did not respect the filter option in navigator.usb.requestDevice(). #41196 (Also in 28, 29)
Other Changes
1511567.
1514777.
1511085.
1519980. #41176
v27.3.1: electron v27.3.1
Release Notes for v27.3.1
Fixes
async_hooks crash when listening for the restore even