
chore(deps): update dependency electron to v15.3.5 [security] #20750

Merged
merged 1 commit into from
Mar 24, 2022

Conversation


@renovate renovate bot commented Mar 23, 2022

WhiteSource Renovate

This PR contains the following updates:

Package: electron
Change: 15.3.4 -> 15.3.5

GitHub Vulnerability Alerts

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

const { app } = require('electron');

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent Electron's default device selection
    event.preventDefault();
    // Cancel the request: an empty id grants no device
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.


Release Notes

electron/electron

v15.3.5

Compare Source

Release Notes for v15.3.5

Fixes

  • Allowed specifying x64 arch on Mac Rosetta via npm_config_arch. #32380 (Also in 16, 17)
  • Bug fixed for registering protocol in windows which used to set invalid command if the execution path included space. #32330 (Also in 14, 16, 17)
  • Fixed window.open not overriding parent's webPreferences. #32109 (Also in 16, 17)
  • Fixed a crash caused by app.getLocaleCountryCode(). #32332 (Also in 16, 17)
  • Fixed crash when playing media files on Windows 7/8 or macOS 10.11/10.12. #32213 (Also in 13, 14, 16, 17)
  • Fixed incorrect skipTransformProcessType option parsing in win.setVisibleOnAllWorkspaces(). #32396 (Also in 13, 14, 16, 17)
  • No Notes. #32245 (Also in 13, 14, 16, 17)

Other Changes


Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner March 23, 2022 14:14
@renovate renovate bot requested review from rockhold and removed request for a team March 23, 2022 14:14
@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels Mar 23, 2022

cypress-bot bot commented Mar 23, 2022

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.


cypress bot commented Mar 23, 2022



Test summary

Passed: 19343, Failed: 0, Pending: 218, Skipped: 0, Flakiness: 3


Run details

Project cypress
Status Passed
Commit ec0441b
Started Mar 24, 2022 5:34 AM
Ended Mar 24, 2022 5:46 AM
Duration 11:52 💡
OS Linux Debian - 10.10
Browser Multiple

View run in Cypress Dashboard ➡️


Flakiness

reporter.hooks.spec.js Flakiness
1 hooks > can rerun without timeout error leaking into next run (due to run restart)
2 hooks > can rerun without timeout error leaking into next run (due to run restart)
cypress/proxy-logging_spec.ts Flakiness
1 Proxy Logging > request logging > xhr log has response body/status code when xhr response is logged second

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch 2 times, most recently from b8e6b9e to e0f3423 Compare March 23, 2022 18:02
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from e0f3423 to ec0441b Compare March 24, 2022 05:23
@jennifer-shehane jennifer-shehane requested review from jennifer-shehane and removed request for rockhold and jennifer-shehane March 24, 2022 15:09

@flotwig flotwig left a comment


jeez, that's a wild vulnerability. no wonder they backported it so far.

@renovate renovate bot merged commit 25abf53 into develop Mar 24, 2022
@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch March 24, 2022 19:06

cypress-bot bot commented Mar 28, 2022

Released in 9.5.3.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v9.5.3, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Mar 28, 2022