Update dependency electron to v11 [SECURITY] #182
Closed
This PR contains the following updates:

electron: ^4.1.4 -> ^11.0.0
GitHub Vulnerability Alerts

CVE-2020-4075

Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds
Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4

For more information
If you have any questions or comments about this advisory:
CVE-2020-4076

Impact
Apps using contextIsolation are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4

Non-Impacted Versions
9.0.0-beta.*

For more information
If you have any questions or comments about this advisory:
CVE-2020-4077

Impact
Apps using both contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4

For more information
If you have any questions or comments about this advisory:
CVE-2020-15096

Impact
Apps using contextIsolation are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
6.1.11

For more information
If you have any questions or comments about this advisory:
CVE-2020-26272

Impact
IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue:
- uses remote
- uses webContents.sendToFrame
- uses event.reply in an IPC message handler

Patches
This has been fixed in the following versions:

Workarounds
There are no workarounds for this issue.

For more information
If you have any questions or comments about this advisory, email us at [email protected].
CVE-2021-39184

Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.

Patches
This was fixed with #30728, and the following Electron versions contain the fix:

Workarounds
If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit. Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

For more information
If you have any questions or comments about this advisory, email us at [email protected].
Release Notes
electron/electron

v11.5.0
Other Changes
- 1227933. #30614 (Also in 12)
- 1231134. #30761
- 1233564. #30755
- 1234009. #30751
- 1234764. #30659 (Also in 12)
End of Support for 11.x.y
Electron 11.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v11.4.12
Fixes

v11.4.11
Other Changes
- 1205059, 1196302. #30267

v11.4.10
Other Changes

v11.4.9
Fixes
Other Changes

v11.4.8
Fixes
- will-resize and will-move events not scaling the emitted newBounds rectangle to the appropriate Windows display scale factor. #29225 (Also in 12, 13)
- --require in NODE_OPTIONS on Windows. #29419
Other Changes

v11.4.7
Fixes
Documentation

v11.4.6
Fixes
- <webview> focus/blur events not working with contextIsolation enabled. #29027 (Also in 10, 12, 13)

v11.4.5
Fixes
- uv_run(). #28974 (Also in 12, 13)
- simpleFullscreen mode were not properly resizing when display metrics changed. #28870 (Also in 12, 13)
Other Changes
- 1161379, 1186641. #28801

v11.4.4
Fixes
- window.setFullScreen could cause problems. #28773 (Also in 12, 13)
- window.hide() was called while they were open. #28696 (Also in 12, 13)
Other Changes
- 1192552. #28819

v11.4.3
Fixes
- setCertificateVerifyProc with many concurrent verification requests. #28470 (Also in 12, 13)
- wasm-eval csp behind WebAssemblyCSP flag. #28576 (Also in 12, 13)
Other Changes

v11.4.2
Fixes
- win.hide() on Windows. #28391 (Also in 10, 12, 13)
Documentation

v11.4.1
Fixes
- desktopCapturer.getSources() promise result sometimes never resolving. #28282 (Also in 10, 12, 13)
- shell.openExternal on windows are now correctly URI encoded. This was already occurring on macOS and Linux. #28340 (Also in 10, 12, 13)
Other Changes
Documentation

v11.4.0
Features
Fixes
- systemPreferences.getAccentColor(), getSystemColor and getColor are now correctly converted into the devices color space. Previously the color would have been subtly incorrect. #28171 (Also in 12, 13)
- BrowserViews. #27948 (Also in 10, 12)
- BrowserViews could have mismatched draggable regions to their bounds. #27987 (Also in 10, 12)
- win.capturePage() never called back after calling hide() for a hidden window on some platforms. #28074 (Also in 12, 13)
- nodeIntegrationInSubframes is enabled. #27880 (Also in 10, 12)
- WebContents.sendInputEvent. #27853 (Also in 10, 12)
- getBackgroundColor on a transparent window with no assigned background color. #28186 (Also in 12, 13)
- worldSafeExecuteJavaScript is disabled. #27968 (Also in 10, 12)
Other Changes
- 1180871. #28046
- 1177593. #28050

v11.3.0
Features
- allowFileAccess option to loadExtension() API. #27703 (Also in 12)
- win.setTopBrowserView() so that BrowserViews can be raised. #27712 (Also in 10, 12)
Fixes
- crypto.createDiffieHellman() with certain parameters. #27766 (Also in 12)
- enableBlinkFeatures warning shown webviews which enabled no Blink features. #27789 (Also in 10, 12)
- crashed event. #27757 (Also in 10, 12)
Other Changes
- 1138143. #27780
- 1155974. #27779
- 1166504. #27778
- 1170657. #27781
- 1171954. #27777
- 1172192. #27776
- 1177341. #27750
Documentation

v11.2.3
Fixes
Other Changes

v11.2.2
Fixes
- unsafe-eval detection with Trusted Types. #27469 (Also in 9, 10, 12)
- <webview> not working with Trusted Types. #27464 (Also in 9, 10, 12)
Other Changes
- 1162198. #27401

v11.2.1
Fixes
- browserWindow.close() on Windows. #27357 (Also in 10, 12)
Other Changes

v11.2.0
Features
- win.setAspectRatio() work on Windows. #27203 (Also in 12)
Fixes
Other Changes
Unknown
- chrome.webRequest extensions API not intercepting any requests. #27096 (Also in 10, 12)

v11.1.1
Fixes
- protocol methods not being accessible via remote.protocol. #27044 (Also in 12)
- readdir/readdirSync (w/ withFileTypes) failing on a deep directory within archive. #27010 (Also in 12)
- contextIsolation enabled. #26997 (Also in 12)
- async_hooks were not properly emitted after an error in the renderer process. #26991 (Also in 12)
- remote.screen EventEmitter methods are undefined in the renderer. #26989 (Also in 12)

v11.1.0
Fixes
- event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #26926 (Also in 9, 10, 12)

v11.0.5
Fixes
- systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #26878 (Also in 9, 10, 12)
- remote module not being released after all references are dropped. #26836 (Also in 12)
- webContents with javascript disabled. #26870 (Also in 10, 12)
Other Changes

v11.0.4
Fixes

v11.0.3
Fixes
- <webview> render-process-gone event dispatch. #26578
- contentTracing.stopRecording() not rejecting when there is no trace in progress. #26655 (Also in 12)
- screen methods not being accessible via remote.screen. #26660
- webContents.fromId with an unknown ID. #26652

v11.0.2
Fixes
- LC_ALL environment variable getting changed in Electron. #26551 (Also in 9, 10)
- CTFontDescriptorIsSystemUIFont in MAS build. #26574
Other Changes
Unknown

v11.0.1
Fixes

v11.0.0
Stack Upgrades
Breaking Changes
- BrowserView.{destroy, fromId, fromWebContents, getAllViews} and the id property of BrowserView. #23578
Features
Additions
- system-context-menu event to allow preventing and overriding the system context menu. #25835
- webContents.forcefullyCrashRenderer() to forcefully terminate a renderer process to assist with recovering a hung renderer. #25756
- app.getApplicationInfoForProtocol() API that returns detailed information about the app that handles a certain protocol. #24112
- name to app.getAppMetrics() output. #24359
- utility-process-gone event to app. #24367
- visualEffectState option to BrowserWindows to allow customization of vibrancy effect state on macOS. #25083
- visibleOnFullScreen option for setVisibleOnAllWorkspaces. #24956
- worldSafeExecuteJavaScript webPreference to ensure that the return values from `webFrame.e

Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.