chore(deps): update dependency electron to v24 [security] #794
This PR contains the following updates:
23.3.13 -> 24.8.8
ASAR Integrity bypass via filetype confusion in electron
CVE-2023-44402 / GHSA-7m48-wc93-9g85
More information
Details
Impact
This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.
Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
27.0.0-alpha.7
26.2.1
25.8.1
24.8.3
23.3.14
22.3.24
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
electron/electron (electron)
v24.8.8: electron v24.8.8
Release Notes for v24.8.8
Electron 24.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.
Fixes
loadURL during some webContents url loading events could crash. #40160 (Also in 25, 26, 27)
v24.8.7: electron v24.8.7
Release Notes for v24.8.7
Fixes
show() on a child BrowserWindow would show all other children attached to the same parent on macOS. #40104 (Also in 25, 26, 27)
gpu-process-crashed/renderer-process-crashed events being emitted twice and with incorrect arguments. #40110 (Also in 22, 25, 26, 27)
Other Changes
1479104.
1480184. #40079
v24.8.6: electron v24.8.6
Release Notes for v24.8.6
Other Changes
v24.8.5: electron v24.8.5
Release Notes for v24.8.5
Other Changes
v24.8.4: electron v24.8.4
Release Notes for v24.8.4
Fixes
desktopCapturer.getSources() on Wayland. #39711 (Also in 25, 26)
v24.8.3: electron v24.8.3
Release Notes for v24.8.3
Other Changes
v24.8.2: electron v24.8.2
Release Notes for v24.8.2
Fixes
assert module did not work in the renderer process. #39621 (Also in 25, 26, 27)
Other Changes
v24.8.1: electron v24.8.1
Release Notes for v24.8.1
Fixes
BrowserWindow.moveTop() on modal child windows. #39526 (Also in 25, 26)
Other Changes
v24.8.0: electron v24.8.0
Release Notes for v24.8.0
Features
Fixes
VoiceOver couldn't trigger the tray action when selected to emit the click event. #39447 (Also in 26)
v24.7.1: electron v24.7.1
Release Notes for v24.7.1
Fixes
browserView.removeBrowserView could cause a crash in some cases. #39407 (Also in 25, 26)
v24.7.0: electron v24.7.0
Release Notes for v24.7.0
Features
senderIsMainFrame to messages sent via ipcRenderer.sendTo(). #39207 (Also in 25, 26)
Fixes
Other Changes
1444438.
v24.6.5: electron v24.6.5
Release Notes for v24.6.5
Fixes
node:child_process imports. #39236 (Also in 25, 26)
v24.6.4: electron v24.6.4
Release Notes for v24.6.4
Fixes
BrowserWindow.moveAbove() and BrowserWindow.moveTop() did not work for child windows on macOS. #39072 (Also in 25, 26)
navigator.connection returned incorrect data. #39100 (Also in 25)
openFile was not passed as a dialog property. #39097 (Also in 25, 26)
v24.6.3: electron v24.6.3
Release Notes for v24.6.3
Fixes
Show button visible. #39012 (Also in 25, 26)
v24.6.2: electron v24.6.2
Release Notes for v24.6.2
Other Changes
1454860. #38947
v24.6.1: electron v24.6.1
Release Notes for v24.6.1
Fixes
preload script may not run in some child windows opened by window.open. #38932 (Also in 23, 25, 26)
BrowserWindow.removeBrowserView() with a destroyed webContents. #38884 (Also in 25, 26)
v24.6.0: electron v24.6.0
Release Notes for v24.6.0
Features
node: prefixed requires are now supported in sandboxed renderer preloads for events, timers and url. #38727 (Also in 25, 26)
Fixes
webContents.printToPDF preferCSSPageSize type error. #38792 (Also in 25, 26)
Other Changes
1450536. #38787
v24.5.1: electron v24.5.1
Release Notes for v24.5.1
Fixes
webContents.print(null) could incorrectly trigger an error. #38640 (Also in 25, 26)
Other Changes
1431532. #38711
1447430.
1444195.
v24.5.0: electron v24.5.0
Release Notes for v24.5.0
Features
Fixes
<datalist> popups are positioned incorrectly in BrowserViews. #38608 (Also in 23, 25, 26)
v24.4.1: electron v24.4.1
Release Notes for v24.4.1
Fixes
MediaStreamTrack.getCaptureHandle() always returned null. #38434 (Also in 25)
Other Changes
contentTracing.stopRecording() fails because no trace was in progress. #38520
v24.4.0: electron v24.4.0
Release Notes for v24.4.0
Features
cursor-changed event. #38364 (Also in 25)
Fixes
getNormalBounds() returns incorrect bounds for transparent maximized windows on Windows. #38349 (Also in 23, 25)
Other Changes
v24.3.1: electron v24.3.1
Release Notes for v24.3.1
Fixes
BrowserWindow.isMaximized() could incorrectly return true for minimized or fullscreened windows on macOS. #38308 (Also in 23, 25)
BrowserWindow.isVisible() would incorrectly return true for minimized windows on Windows. #38313 (Also in 23, 25)
BrowserWindow.id threw an error after the window was destroyed. #38310 (Also in 23, 25)
win.minimize() directly after calling win.maximize(), and then calling win.isMaximized() incorrectly returns true. #38343 (Also in 23, 25)
Other Changes
1433328. #38271
v24.3.0: electron v24.3.0
Release Notes for v24.3.0
Features
Fixes
AXManualAccessibility attribute works as expected in all relevant protocol methods. #38224 (Also in 23, 25)
v24.2.0: electron v24.2.0
Release Notes for v24.2.0
Features
powerMonitor. #38027 (Also in 25)
Fixes
AXManualAccessibility to enable a11y features in Electron. #38147 (Also in 23)
v24.1.3: electron v24.1.3
Release Notes for v24.1.3
Fixes
shell.openExternal() options. #38072 (Also in 22, 23, 25)
Other Changes
v24.1.2: electron v24.1.2
Release Notes for v24.1.2
Fixes
Other Changes
v24.1.1: electron v24.1.1
Release Notes for v24.1.1
Fixes
node-gyp version in node.h error. #37927 (Also in 22, 23, 25)
v24.1.0: electron v24.1.0
Release Notes for v24.1.0
Features
session.resolveHost for resolving hostnames with Chromium's DNS resolver. #37847
Fixes
about on Linux as well. #37872 (Also in 23, 25)
Fn+F system shortcut would fail or create strange window side effects. #37823 (Also in 23)
Other Changes
v24.0.0: electron v24.0.0
Release Notes for v24.0.0
Stack Upgrades
Breaking Changes
nativeImage.createThumbnailFromPath() now takes size instead of maxSize. #37796
Features
httpOnly to the cookie filter. #37365
logUsage to shell.openExternal() options, which allows passing the SEE_MASK_FLAG_LOG_USAGE flag to ShellExecuteEx on Windows. #37291
types to webRequest filter. #37427
webContents.print(). #37265 (Also in 22, 23)
enableLocalEcho flag to the session handler ses.setDisplayMediaRequestHandler() callback for allowing remote audio input to be echoed in the local output stream when audio is a WebFrameMain. #37528 (Also in 23)
Fixes
BrowserWindow fullscreening is disabled. #37368 (Also in 23)
destroyed event not emitted on close for BrowserView.webContents. #37450 (Also in 23)
BrowserViews are present and a user attempts to prevent beforeunload in the renderer process. #37268 (Also in 22, 23)
BroadcastChannel did not work correctly when contextIsolation: false. #37443 (Also in 23)
minWidth/minHeight and maxWidth/maxHeight would not be enforced if the user set an aspectRatio on macOS. #37456 (Also in 22, 23)
port.postMessage in MessagePortMain with some invalid parameters could cause a crash. #37726 (Also in 22, 23)
hasReply and actions to a main process Notification on macOS resulted in the first action being obscured and unavailable. #37449 (Also in 22, 23)
session.cookies.set failure. #37597 (Also in 22, 23)
app.showAboutPanel() no longer blocks the main thread on Windows or Linux, thus matching macOS. #37508
Other Changes
contents.takeHeapSnapshot. #37461 (Also in 22, 23)
Documentation
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.