fix(deps): update dependency electron to v17.2.0 [security] #153
This PR contains the following updates: electron `17.0.1` -> `17.2.0`
GitHub Vulnerability Alerts
CVE-2022-29247
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled, which in turn allows effective access to `ipcRenderer`. Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access; rather, it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`). If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data, this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.6
15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate `senderFrame` as per our security tutorial here.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
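An added example, not Electron's or this repository's code, of the `senderFrame` validation the workaround above calls for: a main-process handler that serves a privileged IPC request only when the calling frame's URL matches an allowlist. The trusted origin `https://app.example.test`, the `get-secrets` channel and the injected `ipcMain`/`getSecrets` parameters are constructed assumptions for illustration; in a real app `ipcMain` comes from `require('electron')`.

```javascript
// Allowlist of trusted origins and/or exact URLs (constructed values).
const TRUSTED = new Set(['https://app.example.test']);

// `frame` is shaped like Electron's WebFrameMain (event.senderFrame);
// only its `url` property is consulted here.
function validateSender(frame, trusted = TRUSTED) {
  if (!frame || typeof frame.url !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(frame.url);
  } catch {
    return false; // unparsable URL: never trust it
  }
  // Exact URL match first: apps loaded from file:// need this, because the
  // WHATWG URL parser gives file: URLs the opaque origin "null".
  if (trusted.has(parsed.href)) return true;
  if (parsed.origin === 'null') return false; // never trust an opaque origin
  // Exact origin comparison (not a substring check) so a cross-origin
  // subframe such as https://app.example.test.evil.example is rejected.
  return trusted.has(parsed.origin);
}

// Registers a privileged handler that refuses requests from untrusted frames,
// e.g. a subframe that obtained ipcRenderer via nodeIntegrationInSubFrames.
function registerSecretsHandler(ipcMain, getSecrets) {
  ipcMain.handle('get-secrets', (event) => {
    if (!validateSender(event.senderFrame)) {
      // Throw rather than return null so the caller's invoke() rejects loudly
      // and the refusal is visible in main-process logs.
      throw new Error('get-secrets: untrusted senderFrame rejected');
    }
    return getSecrets();
  });
}
```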
CVE-2022-29257
Impact
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Release Notes
electron/electron
v17.2.0
Release Notes for v17.2.0
Features
`ses.setCodeCachePath()` API for setting code cache directory. #33285 (Also in 18)
Fixes
Other Changes
v17.1.2
Release Notes for v17.1.2
Fixes
`maxHeight` or `maxWidth` made it so the width and height could no longer be resized. #33118 (Also in 18)
v17.1.1
Release Notes for v17.1.1
Fixes
`alternateImage`s did not work properly on macOS. #33105 (Also in 15, 16, 18)
Other Changes
v17.1.0
Release Notes for v17.1.0
Features
`height` option for Windows Control Overlay. #32939
Fixes
`window.print()`, the print button in the PDF viewer, or with `BrowserWindow.webContents()` and clicked cancel in the resulting print dialog. #33015
`webContents.openDevTools({ mode })` did not work for certain dock positions. #32945 (Also in 18)
`webContents.savePage` failed when passing a relative path instead of an absolute one. #33016 (Also in 15, 16, 18)
Other Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.