dependency: bump Electron to 27.3.10 (#29431)

* fix: bump Electron to 27.3.10

* add changelog entry

* do windows builds for good measure

* temporarily set branch to publish binary with updated electron

* Update binary-integrity-check-source.js

---------

Co-authored-by: Ryan Manuel <ryanm@cypress.io>

.circleci/workflows.yml

@@ -40,7 +40,7 @@ macWorkflowFilters: &darwin-workflow-filters
     - equal: [ develop, << pipeline.git.branch >> ]
     # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
     - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-    - equal: [ 'mschile/service_worker_uncontrolled', << pipeline.git.branch >> ]
+    - equal: [ 'bump-electron-27.3.10', << pipeline.git.branch >> ]
     - matches:
         pattern: /^release\/\d+\.\d+\.\d+$/
         value: << pipeline.git.branch >>
@@ -51,7 +51,7 @@ linuxArm64WorkflowFilters: &linux-arm64-workflow-filters
     - equal: [ develop, << pipeline.git.branch >> ]
     # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
     - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-    - equal: [ 'mschile/service_worker_uncontrolled', << pipeline.git.branch >> ]
+    - equal: [ 'bump-electron-27.3.10', << pipeline.git.branch >> ]
     - matches:
         pattern: /^release\/\d+\.\d+\.\d+$/
         value: << pipeline.git.branch >>
@@ -74,7 +74,7 @@ windowsWorkflowFilters: &windows-workflow-filters
     - equal: [ develop, << pipeline.git.branch >> ]
     # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
     - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-    - equal: [ 'mschile/service_worker_uncontrolled', << pipeline.git.branch >> ]
+    - equal: [ 'bump-electron-27.3.10', << pipeline.git.branch >> ]
     - matches:
         pattern: /^release\/\d+\.\d+\.\d+$/
         value: << pipeline.git.branch >>
@@ -141,7 +141,7 @@ commands:
           name: Set environment variable to determine whether or not to persist artifacts
           command: |
             echo "Setting SHOULD_PERSIST_ARTIFACTS variable"
-            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "mschile/service_worker_uncontrolled" ]]; then
+            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "bump-electron-27.3.10" ]]; then
                 export SHOULD_PERSIST_ARTIFACTS=true
             fi' >> "$BASH_ENV"
   # You must run `setup_should_persist_artifacts` command and be using bash before running this command

cli/CHANGELOG.md

@@ -1,4 +1,12 @@
 <!-- See the ../guides/writing-the-cypress-changelog.md for details on writing the changelog. -->
+## 13.8.2
+
+_Released 5/7/2024 (PENDING)_
+
+**Dependency Updates:**
+
+- Updated electron from `27.1.3` to `27.3.10` to address [CVE-2024-3156](https://nvd.nist.gov/vuln/detail/CVE-2024-3156). Addressed in [#29367](https://github.com/cypress-io/cypress/pull/29367).
+
 ## 13.8.1
 
 _Released 4/23/2024_

package.json

@@ -145,7 +145,7 @@
     "dedent": "^0.7.0",
     "del": "3.0.0",
     "detect-port": "^1.3.0",
-    "electron": "27.1.3",
+    "electron": "27.3.10",
     "electron-builder": "^23.6.0",
     "enzyme-adapter-react-16": "1.12.1",
     "eslint": "^8.56.0",

scripts/binary/binary-integrity-check-source.js

@@ -94,7 +94,7 @@ function validateElectron (electron) {
 
 function validateFs (fs) {
   // Hard coded function as this is electron code and there's not an easy way to get the function string at package time. If this fails on an updated version of electron, we'll need to update this.
-  if (originalToString.call(fs.readFileSync) !== `function(e,s){const r=splitPath(e);if(!r.isAsar)return F.apply(this,arguments);const{asarPath:n,filePath:i}=r,o=getOrCreateArchive(n);if(!o)throw createError("INVALID_ARCHIVE",{asarPath:n});const c=o.getFileInfo(i);if(!c)throw createError("NOT_FOUND",{asarPath:n,filePath:i});if(0===c.size)return s?"":a.Buffer.alloc(0);if(c.unpacked){const e=o.copyFileOut(i);return t.readFileSync(e,s)}if(s){if("string"==typeof s)s={encoding:s};else if("object"!=typeof s)throw new TypeError("Bad arguments")}else s={encoding:null};const{encoding:f}=s,l=a.Buffer.alloc(c.size),u=o.getFdAndValidateIntegrityLater();if(!(u>=0))throw createError("NOT_FOUND",{asarPath:n,filePath:i});return logASARAccess(n,i,c.offset),t.readSync(u,l,0,c.size,c.offset),validateBufferIntegrity(l,c.integrity),f?l.toString(f):l}`) {
+  if (originalToString.call(fs.readFileSync) !== `function(e,s){const n=splitPath(e);if(!n.isAsar)return F.apply(this,arguments);const{asarPath:a,filePath:i}=n,o=getOrCreateArchive(a);if(!o)throw createError("INVALID_ARCHIVE",{asarPath:a});const c=o.getFileInfo(i);if(!c)throw createError("NOT_FOUND",{asarPath:a,filePath:i});if(0===c.size)return s?"":r.Buffer.alloc(0);if(c.unpacked){const e=o.copyFileOut(i);return t.readFileSync(e,s)}if(s){if("string"==typeof s)s={encoding:s};else if("object"!=typeof s)throw new TypeError("Bad arguments")}else s={encoding:null};const{encoding:f}=s,l=r.Buffer.alloc(c.size),u=o.getFdAndValidateIntegrityLater();if(!(u>=0))throw createError("NOT_FOUND",{asarPath:a,filePath:i});return logASARAccess(a,i,c.offset),t.readSync(u,l,0,c.size,c.offset),validateBufferIntegrity(l,c.integrity),f?l.toString(f):l}`) {
     console.error(`Integrity check failed for toString.call(fs.readFileSync)`)
     throw new Error(integrityErrorMessage)
   }

scripts/binary/trigger-publish-binary-pipeline.js

@@ -16,7 +16,7 @@ const { getNextVersionForBinary } = require('../get-next-version')
       job_name: process.env.CIRCLE_JOB,
       triggered_workflow_id: process.env.CIRCLE_WORKFLOW_ID,
       triggered_job_url: process.env.CIRCLE_BUILD_URL,
-      branch: process.env.CIRCLE_BRANCH,
+      branch: 'ryanm/chore/bump-electron',
       should_persist_artifacts: Boolean(process.env.SHOULD_PERSIST_ARTIFACTS),
       binary_version: nextVersion,
     },

yarn.lock

@@ -14437,10 +14437,10 @@ electron-to-chromium@^1.4.477:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.480.tgz#40e32849ca50bc23ce29c1516c5adb3fddac919d"
   integrity sha512-IXTgg+bITkQv/FLP9FjX6f9KFCs5hQWeh5uNSKxB9mqYj/JXhHDbu+ekS43LVvbkL3eW6/oZy4+r9Om6lan1Uw==
 
-electron@27.1.3:
-  version "27.1.3"
-  resolved "https://registry.yarnpkg.com/electron/-/electron-27.1.3.tgz#3fd6decda95c1dd0a7e51a9ac77ee0ba37b7c5c6"
-  integrity sha512-7eD8VMhhlL5J531OOawn00eMthUkX1e3qN5Nqd7eMK8bg5HxQBrn8bdPlvUEnCano9KhrVwaDnGeuzWoDOGpjQ==
+electron@27.3.10:
+  version "27.3.10"
+  resolved "https://registry.yarnpkg.com/electron/-/electron-27.3.10.tgz#3c9a3c918a644bb3ba07e4d4744f277636a54e58"
+  integrity sha512-fwJRWVP8/U42D5rk/xLvxN94zbM8P14PisJIWkOX6wctXOLGDTUFZb4jrkZA3/Fzuo8pzwXrXJmBL9FTwXzP3Q==
   dependencies:
     "@electron/get" "^2.0.0"
     "@types/node" "^18.11.18"