
chore(deps): update dependency electron to v11 [security] #43

Status: Open. Wants to merge 1 commit into base: master

@renovate renovate bot commented Oct 6, 2023

This PR contains the following updates:

Package: electron
Change: 4.0.0 -> 11.5.0

GitHub Vulnerability Alerts

CVE-2020-4075

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-4076

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

Non-Impacted Versions

  • 9.0.0-beta.*

For more information

If you have any questions or comments about this advisory:

CVE-2020-4077

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-15096

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
  • 6.1.11

For more information

If you have any questions or comments about this advisory:

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at [email protected].

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at [email protected].


Release Notes

electron/electron (electron)

v11.5.0: electron v11.5.0

Compare Source

Release Notes for v11.5.0

Other Changes

End of Support for 11.x.y

Electron 11.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v11.4.12: electron v11.4.12

Compare Source

Release Notes for v11.4.12

Fixes

v11.4.11: electron v11.4.11

Compare Source

Release Notes for v11.4.11

Other Changes

v11.4.10: electron v11.4.10

Compare Source

Release Notes for v11.4.10

Other Changes

v11.4.9: electron v11.4.9

Compare Source

Release Notes for v11.4.9

Fixes

  • Fixed potential corruption of piped response data when using interceptHttpProtocol/registerHttpProtocol. #​29667 (Also in 12, 13, 14)
  • Security: backported fix for CVE-2021-30551. #​29780

Other Changes

v11.4.8: electron v11.4.8

Compare Source

Release Notes for v11.4.8

Fixes

  • Fixed will-resize and will-move events not scaling the emitted newBounds rectangle to the appropriate Windows display scale factor. #​29225 (Also in 12, 13)
  • Fixed drag and drop not working correctly for some x11 window managers. #​29271 (Also in 12)
  • Fixed packaged apps allowing --require in NODE_OPTIONS on Windows. #​29419

Other Changes

v11.4.7: electron v11.4.7

Compare Source

Release Notes for v11.4.7

Fixes

  • Fixed an incorrect warning about enableRemoteModule being issued when the option was undefined (and thus defaulting to false). #​29023
  • Fixed an issue where events on webview elements were missing properties if contextIsolation was enabled. #​29150 (Also in 10)
  • Fixed corner radius for vibrancy view in macOS 11. #​29072 (Also in 12, 13)

Documentation

v11.4.6: electron v11.4.6

Compare Source

Release Notes for v11.4.6

Fixes

  • Fixed <webview> focus / blur events not working with contextIsolation enabled. #​29027 (Also in 10, 12, 13)
  • Fixed an issue where drag regions on macOS would be offset incorrectly when no drag regions were set. #​29018 (Also in 12, 13)

v11.4.5: electron v11.4.5

Compare Source

Release Notes for v11.4.5

Fixes

  • Allow Node.js to manage microtasks queue by using explicit microtasks policy before calling uv_run(). #​28974 (Also in 12, 13)
  • Fixed an issue where some Node.js modules would hang on page reload on Windows. #​28336 (Also in 12, 13)
  • Fixed an issue where windows in simpleFullscreen mode were not properly resizing when display metrics changed. #​28870 (Also in 12, 13)
  • Fixed the window-all-closed event being emitted while the last BrowserWindow was still in the process of being closed. #​28912 (Also in 12, 13)

Other Changes

v11.4.4: electron v11.4.4

Compare Source

Release Notes for v11.4.4

Fixes

  • Fixed an issue where multiple calls to window.setFullScreen could cause problems. #​28773 (Also in 12, 13)
  • Fixed an issue where some dialogs would stop working on macOS if window.hide() was called while they were open. #​28696 (Also in 12, 13)
  • Fixed crash on m1 mac. #​28745
  • No longer set backgroundColor in default-app when opening custom files / URLs. #​28843 (Also in 10, 12, 13)

Other Changes

v11.4.3: electron v11.4.3

Compare Source

Release Notes for v11.4.3

Fixes

  • Fixed a bug where, when a JumpList task description exceeded 260 characters, the JumpList was empty, despite valid entries. #​28524 (Also in 12, 13)
  • Fixed a network process crash that could happen when using setCertificateVerifyProc with many concurrent verification requests. #​28470 (Also in 12, 13)
  • Fixed failing to request file:// resources when web security is disabled. #​28589 (Also in 12, 13)
  • Support wasm-eval csp behind WebAssemblyCSP flag. #​28576 (Also in 12, 13)
  • Transparent windows cannot be maximized using the Windows system menu or by double clicking the title bar. #​28635 (Also in 12, 13)

Other Changes

  • Security: backported fix for chromium:1196683. #​28639

v11.4.2: electron v11.4.2

Compare Source

Release Notes for v11.4.2

Fixes

  • Fixed an issue where the thumbar disappeared after win.hide() on Windows. #​28391 (Also in 10, 12, 13)
  • Fixed bug where TouchBarPopover and TouchBarGroup were no longer rendering. #​28412 (Also in 12)
  • Fixed crash when exiting app with active nodejs worker_threads. #​28471
  • Fixed service worker not working with custom protocol. #​28353 (Also in 12, 13)

Documentation

v11.4.1: electron v11.4.1

Compare Source

Release Notes for v11.4.1

Fixes

  • Fixed desktopCapturer.getSources() promise result sometimes never resolving. #​28282 (Also in 10, 12, 13)
  • Fixed an issue where the drag regions in BrowserViews on macOS could be off in their y-axis. #​28297 (Also in 10, 12, 13)
  • Fixed context menus not being positioned correctly when near the edge of the screen. #​28278 (Also in 12, 13)
  • Fixed intensive I/O from asar files causing ERR_FILE_NOT_FOUND after a while. #​28201 (Also in 12, 13)
  • Fixed issue where window.open() would not return an object with a location.href setter when contextIsolation is enabled and nativeWindowOpen is disabled. #​28161 (Also in 10, 12)
  • URLS passed to shell.openExternal on windows are now correctly URI encoded. This was already occurring on macOS and Linux. #​28340 (Also in 10, 12, 13)

Other Changes

Documentation

v11.4.0: electron v11.4.0

Compare Source

Release Notes for v11.4.0

Features

  • Added support for the des-ede3 cipher in node crypto. #​27993 (Also in 12)

Fixes

  • Colors returned from systemPreferences.getAccentColor(), getSystemColor and getColor are now correctly converted into the devices color space. Previously the color would have been subtly incorrect. #​28171 (Also in 12, 13)
  • Fixed a potential crash when resetting BrowserViews. #​27948 (Also in 10, 12)
  • Fixed an issue where BrowserViews could have mismatched draggable regions to their bounds. #​27987 (Also in 10, 12)
  • Fixed an issue where win.capturePage() never called back after calling hide() for a hidden window on some platforms. #​28074 (Also in 12, 13)
  • Fixed an issue where libuv might hang with multiple subframes when nodeIntegrationInSubframes is enabled. #​27880 (Also in 10, 12)
  • Fixed an out-of-bounds access in WebContents.sendInputEvent. #​27853 (Also in 10, 12)
  • Fixed background color not being applied for child windows created by native window.open path. #​27944 (Also in 10, 12)
  • Fixed crash when calling getBackgroundColor on a transparent window with no assigned background color. #​28186 (Also in 12, 13)
  • Fixed native window.open() to not use windowName/frameName as title by default. #​27813 (Also in 10, 12)
  • Fixed navigator.bluetooth.requestDevice crash. #​27941 (Also in 12)
  • Fixed warning when worldSafeExecuteJavaScript is disabled. #​27968 (Also in 10, 12)

Other Changes

v11.3.0: electron v11.3.0

Compare Source

Release Notes for v11.3.0

Features

  • Added allowFileAccess option to loadExtension() API. #​27703 (Also in 12)
  • Added win.setTopBrowserView() so that BrowserViews can be raised. #​27712 (Also in 10, 12)

Fixes

  • Backported fix for https://crbug.com/1125165. #​27558
  • Fixed OS-level shortcuts on macOS (e.g. Ctrl + F2, ⌘ + ~). #​27787 (Also in 12)
  • Fixed SVG content with filter sometimes not being rendered. #​27699
  • Fixed a crash when calling crypto.createDiffieHellman() with certain parameters. #​27766 (Also in 12)
  • Fixed a memory leak when creating BrowserWindows. #​27640 (Also in 12)
  • Fixed an erroneous enableBlinkFeatures warning shown for webviews which enabled no Blink features. #​27789 (Also in 10, 12)
  • Fixed an issue where deleted download directories would be sometimes recreated by the operating system. #​27808 (Also in 10, 12)
  • Fixed an occasional white flicker present when rendering BrowserViews in close succession. #​27659 (Also in 10, 12)
  • Fixed crash when destroying WebContents in the crashed event. #​27757 (Also in 10, 12)
  • Fixed memory leak when sending non-primitives over the context bridge. #​27638 (Also in 10, 12)
  • Fixed native window freeze on Windows when Electron app is sent to tray and external display changes. #​27669 (Also in 12)
  • Fixed svg with filter content not being rendered. #​27635

Other Changes

Documentation

v11.2.3: electron v11.2.3

Compare Source

Release Notes for v11.2.3

Fixes

Other Changes

v11.2.2: electron v11.2.2

Compare Source

Release Notes for v11.2.2

Fixes

  • Fixed CSP with unsafe-eval detection with Trusted Types. #​27469 (Also in 9, 10, 12)
  • Fixed <webview> not working with Trusted Types. #​27464 (Also in 9, 10, 12)
  • Fixed regression that crashed Electron when processing an invalid icon. #​27478 (Also in 12)
  • None. #​27509 (Also in 12)

Other Changes

v11.2.1: electron v11.2.1

Compare Source

Release Notes for v11.2.1

Fixes

  • Apps requesting the CAMERA_PAN_TILT_ZOOM permission will have the permission request handler called with a permission string of "media" instead of "font-access". #​27423
  • Fixed crash when a keyboard event immediately precedes calling browserWindow.close() on Windows. #​27357 (Also in 10, 12)
  • Fixed shutdown crash when quitting with in-progress downloads. #​27419 (Also in 10, 12)
  • Increase stack size on windows x64 to 8MB. #​27385 (Also in 10, 12)
  • Updated the ICU time zone database to the latest 2020f version. #​27369

Other Changes

v11.2.0: electron v11.2.0

Compare Source

Release Notes for v11.2.0

Features

  • Made win.setAspectRatio() work on Windows. #​27203 (Also in 12)

Fixes

  • Fixed a crash that could occur on app quit when using the remote module. #​27069 (Also in 12)
  • Fixed an issue where BrowserViews couldn't be effectively reparented. #​27219 (Also in 12)
  • Fixed an issue where non-draggable regions on BrowserViews could have incorrectly calculated bounds. #​27183 (Also in 10, 12)
  • Fixed an issue where some draggable regions were not clickable when loaded into BrowserViews on Windows. #​27178 (Also in 10, 12)
  • Fixed the pretty-print JavaScript feature in DevTools not functioning correctly. #​27102

Other Changes

  • Updated Chromium to 87.0.4280.141. #​27213

Unknown

  • Fixed chrome.webRequest extensions API not intercepting any requests. #​27096 (Also in 10, 12)

v11.1.1: electron v11.1.1

Compare Source

Release Notes for v11.1.1

Fixes

  • Fixed protocol methods not being accessible via remote.protocol. #​27044 (Also in 12)
  • Fixed readdir/readdirSync (w/ withFileTypes) failing on a deep directory within archive. #​27010 (Also in 12)
  • Fixed a memory leak in desktopCapturer.getSources. #​27056 (Also in 10, 12)
  • Fixed an issue where SIGINT was improperly handled in Node.js processes. #​26972 (Also in 10, 12)
  • Fixed an issue where renderer process stack traces were broken with contextIsolation enabled. #​26997 (Also in 12)
  • Fixed an issue where some async_hooks were not properly emitted after an error in the renderer process. #​26991 (Also in 12)
  • Fixed an issue whereby remote.screen EventEmitter methods are undefined in the renderer. #​26989 (Also in 12)

v11.1.0: electron v11.1.0

Compare Source

Release Notes for v11.1.0

Fixes

  • Added Electron DLLs like libGLESv2.dll to symbol server. #​26965 (Also in 9, 10, 12)
  • Fixed an issue that a message box in GTK contains no buttons. #​26916 (Also in 10, 12)
  • Fixed an issue where event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #​26926 (Also in 9, 10, 12)
  • Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. #​26951 (Also in 9, 10, 12)

v11.0.5: electron v11.0.5

Compare Source

Release Notes for v11.0.5

Fixes

  • Fixed "screen" methods to be reassignable again. #​26873 (Also in 12)
  • Fixed systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #​26878 (Also in 9, 10, 12)
  • Fixed callbacks passed via the remote module not being released after all references are dropped. #​26836 (Also in 12)
  • Fixed uncaught promise rejection when creating webContents with javascript disabled. #​26870 (Also in 10, 12)

Other Changes

  • Updated Chromium to 87.0.4280.88. #​26817

v11.0.4: electron v11.0.4

Compare Source

Release Notes for v11.0.4

Fixes

  • Added default Bluetooth permission strings to info.plist. #​26768 (Also in 12)
  • Fixed an issue where IsMaximized would incorrectly return false for some windows on Windows. #​26780 (Also in 12)
  • Fixed an issue where draggable regions did not work exclusively on BrowserViews on Windows. #​26774 (Also in 12)
  • Fixed an issue where draggable regions in BrowserWindow causes BrowserView to become draggable in non-correspondent places. #​26754 (Also in 10, 12)
  • Fixed import of unpacked node modules. #​26751 (Also in 12)

v11.0.3: electron v11.0.3

Compare Source

Release Notes for v11.0.3

Fixes

  • Fixed <webview> render-process-gone event dispatch. #​26578
  • Fixed contentTracing.stopRecording() not rejecting when there is no trace in progress. #​26655

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 24ad634 to 2238d91 on August 8, 2024 02:48
@renovate renovate bot changed the title from "chore(deps): update dependency electron to v22 [security]" to "chore(deps): update dependency electron to v11 [security]" on Aug 8, 2024
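The app-side workarounds quoted in the advisories above (deny unexpected child-window URLs for CVE-2020-4075, block file:// redirects for CVE-2022-36077, cancel select-bluetooth-device for CVE-2022-21718) combined into one main-process hook, as an added example that is not code from the Renovate PR or from the Electron project. `ALLOWED_ORIGINS` is an assumed allow-list for the app's own content; `app` is expected to be Electron's `app` object, and `setWindowOpenHandler` is only used when present (Electron 12 and later), so the block also applies to the v11 target of this PR.

```javascript
// Added example: one 'web-contents-created' hook that applies the advisory
// workarounds to every WebContents. The URL policy is kept in pure functions
// so it can be exercised without Electron (any object with on()/emit() works).

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed, per app

// CVE-2020-4075 workaround: a child window may open only when its URL is one we
// expect. Unparseable, non-https, or off-list URLs are refused.
function isAllowedChildWindowUrl(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL is a Node global
  } catch {
    return false;
  }
  return url.protocol === 'https:' && allowedOrigins.has(url.origin);
}

// CVE-2022-36077 workaround: never follow a redirect whose target is file://.
// Schemes are case-insensitive, so FILE:// must be caught as well.
function isFileRedirect(rawUrl) {
  return /^file:/i.test(String(rawUrl));
}

// Wire the policies into every WebContents the app creates.
function hardenWebContents(app, allowedOrigins = ALLOWED_ORIGINS) {
  app.on('web-contents-created', (_event, webContents) => {
    // Electron >= 12 exposes setWindowOpenHandler; prefer it when present.
    if (typeof webContents.setWindowOpenHandler === 'function') {
      webContents.setWindowOpenHandler(({ url }) =>
        isAllowedChildWindowUrl(url, allowedOrigins)
          ? { action: 'allow' }
          : { action: 'deny' });
    }
    // Older 'new-window' event (the one the CVE-2020-4075 text refers to):
    // event.preventDefault() stops the child window from being created.
    webContents.on('new-window', (event, url) => {
      if (!isAllowedChildWindowUrl(url, allowedOrigins)) event.preventDefault();
    });
    // Refuse redirects to file:// on every WebContents.
    webContents.on('will-redirect', (event, url) => {
      if (isFileRedirect(url)) event.preventDefault();
    });
    // CVE-2022-21718 workaround: a renderer never receives a random Bluetooth
    // device; cancel the request instead of letting the default chooser run.
    webContents.on('select-bluetooth-device', (event, _devices, callback) => {
      event.preventDefault();
      callback('');
    });
  });
}
```

Call `hardenWebContents(app)` before any window is created so the first WebContents is covered; the handlers are a stopgap alongside the version bump, not a replacement for it.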