
chore(deps): update dependency electron to v24 [security] #794

Merged: 1 commit merged into main from renovate/npm-electron-vulnerability on Feb 20, 2024

Conversation


@renovate renovate bot commented Feb 19, 2024


This PR contains the following updates:

Package: electron, Change: 23.3.13 -> 24.8.8

ASAR Integrity bypass via filetype confusion in electron

CVE-2023-44402 / GHSA-7m48-wc93-9g85


Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the .app bundle on macOS, which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 23.3.14
  • 22.3.24
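As an added example (not part of the advisory or of this PR), the following check maps an installed Electron version against the Fixed Versions list above, with SemVer prerelease ordering so that 27.0.0-alpha.7 is compared correctly. Treating majors newer than 27 as carrying the fix, and majors older than 22 as unpatched, is an assumption of this example, not a statement from the advisory.

```javascript
// Added example, not from the advisory or this PR: classify an installed
// Electron version against the advisory's Fixed Versions list. A version is
// patched when it is at or above the fixed release of its own major line.
// Assumption: majors above 27 carry the fix; majors below 22 do not.

// Fixed versions copied from the advisory above.
const FIXED_VERSIONS = [
  '27.0.0-alpha.7', '26.2.1', '25.8.1', '24.8.3', '23.3.14', '22.3.24',
];

// Parse "major.minor.patch[-prerelease]" into numbers plus prerelease ids.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// SemVer ordering: numeric fields first, then prerelease identifiers; a
// release build (pre === null) is greater than any prerelease of the same
// number; numeric identifiers compare numerically and rank below alphanumeric.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre || !y.pre) return x.pre ? -1 : 1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) {
      if (+p !== +q) return +p < +q ? -1 : 1;
    } else if (pn !== qn) {
      return pn ? -1 : 1;
    } else if (p !== q) {
      return p < q ? -1 : 1;
    }
  }
  return 0;
}

// True when `installed` is patched for CVE-2023-44402 per the rules above.
function isPatchedForCVE202344402(installed) {
  const major = parseVersion(installed).nums[0];
  const fix = FIXED_VERSIONS.find((f) => parseVersion(f).nums[0] === major);
  if (!fix) return major > 27; // assumption stated in the header comment
  return compareVersions(installed, fix) >= 0;
}
```

With the versions from this PR, 23.3.13 is reported unpatched and 24.8.8 patched.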
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

electron/electron (electron)

v24.8.8: electron v24.8.8

Electron 24.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

Fixes

  • Fixed an issue where calling loadURL during some webContents url loading events could crash. #​40160 (Also in 25, 26, 27)

v24.8.7: electron v24.8.7

Fixes

  • Fixed an issue where calling show() on a child BrowserWindow would show all other children attached to the same parent on macOS. #​40104 (Also in 25, 26, 27)
  • Fixed deprecated gpu-process-crashed / renderer-process-crashed events being emitted twice and with incorrect arguments. #​40110 (Also in 22, 25, 26, 27)

Other Changes

v24.8.6: electron v24.8.6

Other Changes

v24.8.5: electron v24.8.5

Other Changes

v24.8.4: electron v24.8.4

Fixes

  • Fixed a redundant permission popup while fetching screens and windows using desktopCapturer.getSources() on Wayland. #​39711 (Also in 25, 26)

v24.8.3: electron v24.8.3

Other Changes

v24.8.2: electron v24.8.2

Fixes

  • Fixed an issue where child windows opened when the parent window is already fullscreen did not respect the child windows' fullscreenability and resizability settings. #​39643 (Also in 25, 26, 27)
  • Fixed an issue where the Node.js assert module did not work in the renderer process. #​39621 (Also in 25, 26, 27)

Other Changes

v24.8.1: electron v24.8.1

Fixes

  • Fixed a potential crash when calling BrowserWindow.moveTop() on modal child windows. #​39526 (Also in 25, 26)
  • Fixed decorations for tiled windows on Wayland. #​39567 (Also in 22, 25, 26, 27)
  • Fixed to regenerate thumbnail toolbar buttons when explorer is restarted. #​39585 (Also in 25, 26)

Other Changes

v24.8.0: electron v24.8.0

Features

  • Added support for several more Node.js cli flags in the main process. #​39372 (Also in 25, 26)

Fixes

  • Fixed an accessibility issue where VoiceOver couldn't trigger the tray action when selected to emit the click event. #​39447 (Also in 26)

v24.7.1: electron v24.7.1

Fixes

  • Fixed an issue where browserView.removeBrowserView could cause a crash in some cases. #​39407 (Also in 25, 26)

v24.7.0: electron v24.7.0

Features

  • Added senderIsMainFrame to messages sent via ipcRenderer.sendTo(). #​39207 (Also in 25, 26)

Fixes

  • Fixed a potential crash when re-parenting a BrowserWindow whose first parent has been destroyed. #​39307 (Also in 26)

Other Changes

v24.6.5: electron v24.6.5

Fixes

  • Fixed an issue where macOS traffic lights could malfunction on child windows in some circumstances. #​39243 (Also in 25, 26)
  • Fixed an issue where non-resizable windows incorrectly enabled the fullscreen/maximize button on initial window creation on macOS. #​39230 (Also in 25, 26)
  • Fixed asar integration for node:child_process imports. #​39236 (Also in 25, 26)

v24.6.4: electron v24.6.4

Fixes

  • Fixed an issue where BrowserWindow.moveAbove() and BrowserWindow.moveTop() did not work for child windows on macOS. #​39072 (Also in 25, 26)
  • Fixed an issue where navigator.connection returned incorrect data. #​39100 (Also in 25)
  • Fixed an issue where files could in some circumstances be selected when openFile was not passed as a dialog property. #39097 (Also in 25, 26)

v24.6.3: electron v24.6.3

Fixes

  • Fixed a crash when listing desktop capture sources on Wayland with PipeWire. #​39050 (Also in 25, 26)
  • Fixed an issue where notifications created on macOS which have no actions will erroneously have a Show button visible. #​39012 (Also in 25, 26)
  • Fixed an issue where removing a webview in a close callback could cause crashes. #​39009 (Also in 25, 26)

v24.6.2: electron v24.6.2

Other Changes

v24.6.1: electron v24.6.1

Fixes

  • Fixed preload script may not run in some child windows opened by window.open. #​38932 (Also in 23, 25, 26)
  • Fixed a potential crash calling BrowserWindow.removeBrowserView() with a destroyed webContents. #​38884 (Also in 25, 26)
  • Fixed minimize button to be visible when all buttons are re-enabled. #38881 (Also in 23, 25)

v24.6.0: electron v24.6.0

Features

  • node: prefixed requires are now supported in sandboxed renderer preloads for events, timers and url. #​38727 (Also in 25, 26)

Fixes

  • Fixed webContents.printToPDF preferCSSPageSize type error. #​38792 (Also in 25, 26)

Other Changes

v24.5.1: electron v24.5.1

Fixes

  • Fixed an issue where passing webContents.print(null) could incorrectly trigger an error. #​38640 (Also in 25, 26)
  • Fixed an issue with potential use-after-free of child windows on close and reparent. #​38677 (Also in 25, 26)
  • Fixed visibility of menu bar when exiting full screen. #​38681 (Also in 23, 25, 26)

Other Changes

v24.5.0: electron v24.5.0

Features

  • Added setUSBProtectedClassesHandler to allow access to protected USB classes with WebUSB. #​38498 (Also in 25)

Fixes

  • Fixed an issue where <datalist> popups are positioned incorrectly in BrowserViews. #38608 (Also in 23, 25, 26)

v24.4.1: electron v24.4.1

Fixes

  • Fixed an issue where MediaStreamTrack.getCaptureHandle() always returned null. #​38434 (Also in 25)
  • Fixed potential issues when minimizing parent windows with non-modal children on macOS. #​38508 (Also in 25)

Other Changes

  • Improved error message when contentTracing.stopRecording() fails because no trace was in progress. #​38520

v24.4.0: electron v24.4.0

Features

  • Added several new cursor values to the cursor-changed event. #​38364 (Also in 25)
  • Added support for Mica and Acrylic background effects on Windows. #​38361 (Also in 25)

Fixes

  • Fixed an issue where getNormalBounds() returns incorrect bounds for transparent maximized windows on Windows. #​38349 (Also in 23, 25)

Other Changes

  • Updated Chromium to 112.0.5615.204. #​38350

v24.3.1: electron v24.3.1

Fixes

  • Fixed an issue where BrowserWindow.isMaximized() could incorrectly return true for minimized or fullscreened windows on macOS. #​38308 (Also in 23, 25)
  • Fixed an issue where BrowserWindow.isVisible() would incorrectly return true for minimized windows on Windows. #​38313 (Also in 23, 25)
  • Fixed an issue where accessing BrowserWindow.id threw an error after the window was destroyed. #​38310 (Also in 23, 25)
  • Fixed an issue where calling win.minimize() directly after calling win.maximize(), and then calling win.isMaximized() incorrectly returns true. #​38343 (Also in 23, 25)

Other Changes

v24.3.0: electron v24.3.0

Features

  • Added net.resolveHost that resolves hosts using defaultSession object. #​38153 (Also in 25)

Fixes

  • Ensured that Electron's custom AXManualAccessibility attribute works as expected in all relevant protocol methods. #​38224 (Also in 23, 25)

v24.2.0: electron v24.2.0

Features

  • Added thermal management information to powerMonitor. #​38027 (Also in 25)

Fixes

  • Fixed a potential crash when right-clicking on macOS windows with draggable regions. #​38136 (Also in 25)
  • Fixed an issue where default background color for windows might be incorrect. #​38158 (Also in 25)
  • Fixed a perceived failure when using the Accessibility attribute AXManualAccessibility to enable a11y features in Electron. #38147 (Also in 23)

v24.1.3: electron v24.1.3

Fixes

  • Fixed broken defaults in shell.openExternal() options. #​38072 (Also in 22, 23, 25)
  • Fixed crash when executing eval in the utility process. #​38041 (Also in 23, 25)

Other Changes

v24.1.2: electron v24.1.2

Fixes

  • Fixed an issue on Linux where menus would not open after resizing/maximizing/unmaximizing a window. #​37906 (Also in 23, 25)
  • Fixed an issue where the 'swipe' event wasn't being emitted properly on macOS. #​37965 (Also in 25)
  • Fixed an issue which made defaultFontFamily in webPreferences have no effect. #​37968 (Also in 22, 23, 25)

Other Changes

  • Updated Chromium to 112.0.5615.87. #​37974

v24.1.1: electron v24.1.1

Fixes

  • Fixed recommended node-gyp version in node.h error. #​37927 (Also in 22, 23, 25)

v24.1.0: electron v24.1.0

Features

  • Introduced session.resolveHost for resolving hostnames with Chromium's DNS resolver. #​37847

Fixes

  • Added about panel for menu role about on Linux as well. #​37872 (Also in 23, 25)
  • Fixed an issue on macOS where entering fullscreen with the Fn+F system shortcut would fail or create strange window side effects. #​37823 (Also in 23)
  • Fixed an issue where certain buttons in the PDF viewer didn't work. #​37918 (Also in 25)
  • Security: Fixed an issue with Content-Security-Policy not being correctly enforced when sandbox: false and contextIsolation: false. (CVE-2023-23623). #​37839

Other Changes

  • Updated Chromium to 112.0.5615.50. #​37833

v24.0.0: electron v24.0.0

Stack Upgrades

Breaking Changes

  • nativeImage.createThumbnailFromPath() now takes size instead of maxSize. #​37796

Features

  • Added httpOnly to the cookie filter. #​37365
  • Added logUsage to shell.openExternal() options, which allows passing the SEE_MASK_FLAG_LOG_USAGE flag to ShellExecuteEx on Windows. #​37291
  • Added types to webRequest filter. #​37427
  • Added several standard page size options to webContents.print(). #​37265 (Also in 22, 23)
  • Added the enableLocalEcho flag to the session handler ses.setDisplayMediaRequestHandler() callback for allowing remote audio input to be echoed in the local output stream when audio is a WebFrameMain. #​37528 (Also in 23)

Fixes

  • Corrects an issue with HTML fullscreen when BrowserWindow fullscreening is disabled. #​37368 (Also in 23)
  • Fixed WebUSB on ARM64 macs. #​37522 (Also in 23)
  • Fixed destroyed event not emitted on close for BrowserView.webContents. #​37450 (Also in 23)
  • Fixed a crash on capturing sources when using desktopCapturer API on Wayland. #​37527 (Also in 23)
  • Fixed a crash when BrowserViews are present and a user attempts to prevent beforeunload in the renderer process. #​37268 (Also in 22, 23)
  • Fixed an incorrect result returned when using secure as a cookies filter. #​37246 (Also in 22, 23)
  • Fixed an issue where BroadcastChannel did not work correctly when contextIsolation: false. #​37443 (Also in 23)
  • Fixed an issue where minWidth/minHeight and maxWidth/maxHeight would not be enforced if the user set an aspectRatio on macOS. #​37456 (Also in 22, 23)
  • Fixed an issue where calling port.postMessage in MessagePortMain with some invalid parameters could cause a crash. #​37726 (Also in 22, 23)
  • Fixed an issue where draggable regions incorrectly captured clicks in framed windows. #​37741 (Also in 23)
  • Fixed an issue where passing both hasReply and actions to a main process Notification on macOS resulted in the first action being obscured and unavailable. #​37449 (Also in 22, 23)
  • Fixed an issue where unhandled rejections could cause duplicate logs in some cases. #​37500 (Also in 22, 23)
  • Fixed an issue with potential dock icon duplication on macOS. #​37625 (Also in 22, 23)
  • Fixed canceling of bluetooth requests when no devices are returned. #​37717 (Also in 23)
  • Fixed draggable regions not working in Mac App Store builds. #​37474 (Also in 23)
  • Fixed issue with BrowserWindow not updating after call to previewFile. #​37578 (Also in 22, 23)
  • Fixed potential private API usage for MAS builds on macOS. #​37364 (Also in 23)
  • Fixed right-click events not being delivered in frameless window draggable regions. #​37395 (Also in 23)
  • Fixed the active background color for top-level menu items on Windows. #​37785
  • Fixed window could not go back to maximized state when restored on Linux. #​37358 (Also in 22, 23)
  • Improved error messages on session.cookies.set failure. #​37597 (Also in 22, 23)
  • Setting the about panel's options no longer crashes. #​37442
  • app.showAboutPanel() no longer blocks the main thread on Windows or Linux, thus matching macOS. #​37508

Other Changes

  • Improved error messages for contents.takeHeapSnapshot. #​37461 (Also in 22, 23)
  • Updated Chromium to 112.0.5615.49. Fixed performance regression. #​37767

This PR has been generated by Mend Renovate.

renovate bot added the dependency label on Feb 19, 2024

@setchy (Member) commented:
24.x has been working fine locally for me. Given it's security related, we should address ASAP.

@afonsojramos (Member) commented:

Working for me as well!

@afonsojramos afonsojramos merged commit 91a4aae into main Feb 20, 2024
7 checks passed
@afonsojramos afonsojramos deleted the renovate/npm-electron-vulnerability branch February 20, 2024 00:30