chore(deps): update dependency electron to v15.3.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron	15.3.4 -> 15.3.5

GitHub Vulnerability Alerts

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

• 17.0.0-alpha.6
• 16.0.6
• 15.3.5
• 14.2.4
• 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

---

Release Notes

electron/electron

v15.3.5

Compare Source

Release Notes for v15.3.5

Fixes

• Allowed specifying x64 arch on Mac Rosetta via npm_config_arch. #​32380 (Also in 16, 17)
• Bug fixed for registering protocol in windows which used to set invalid command if the execution path included space. #​32330 (Also in 14, 16, 17)
• Fixed window.open not overriding parent's webPreferences. #​32109 (Also in 16, 17)
• Fixed a crash caused by app.getLocaleCountryCode(). #​32332 (Also in 16, 17)
• Fixed crash when playing media files on Windows 7/8 or macOS 10.11/10.12. #​32213 (Also in 13, 14, 16, 17)
• Fixed incorrect skipTransformProcessType option parsing in win.setVisibleOnAllWorkspaces(). #​32396 (Also in 13, 14, 16, 17)
• No Notes. #​32245 (Also in 13, 14, 16, 17)

Other Changes

• Backported fix for CVE-2021-38006. #​32009
• Backported fix for CVE-2021-38008. #​32011
• Backported fix for CVE-2021-38018. #​32257
• Backported fix for CVE-2021-4056. #​32235
• Backported fix for CVE-2021-4057. #​32232
• Backported fix for CVE-2021-4058. #​32223
• Backported fix for CVE-2021-4059. #​32210
• Backported fix for CVE-2021-4078. #​32216
• Backported fix for CVE-2021-4079. #​32226
• Backported fix for CVE-2021-4098. #​32181
• Backported fix for CVE-2021-4099. #​32187
• Backported fix for CVE-2021-4101. #​32190

---

Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[cypress-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

[cypress]

---

Test summary

19343 • 0 • 218 • 0 • 3

---

Run details

Project	cypress
Status	Passed
Commit	ec0441b
Started	Mar 24, 2022 5:34 AM
Ended	Mar 24, 2022 5:46 AM
Duration	11:52 💡
OS	Linux Debian - 10.10
Browser	Multiple

View run in Cypress Dashboard ➡️

---

Flakiness

	reporter.hooks.spec.js		2
1	hooks > can rerun without timeout error leaking into next run (due to run restart)
2	hooks > can rerun without timeout error leaking into next run (due to run restart)
	cypress/proxy-logging_spec.ts		1
1	Proxy Logging > request logging > xhr log has response body/status code when xhr response is logged second

---

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

[flotwig]

jeez, that's a wild vulnerability. no wonder they backported it so far.

[cypress-bot]

Released in 9.5.3.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v9.5.3, please open a new issue.