chore(deps): update dependency electron to v18 [security] #893
This PR contains the following updates:
electron: 15.5.5 -> 18.3.7
GitHub Vulnerability Alerts
CVE-2022-29257
Impact
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at [email protected]
CVE-2022-36077
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.
Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:
For more information
If you have any questions or comments about this advisory, email us at [email protected].
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
Release Notes
electron/electron (electron)
v18.3.7
Release Notes for v18.3.7
Fixes
- webContents.getUserAgent() incorrectly returning an empty string unless previously set. #35130 (Also in 17, 19, 20)
Other Changes
v18.3.6
Release Notes for v18.3.6
Fixes
- BrowserWindow.setEnabled(). #34973 (Also in 19, 20)
- titleBarStyle. #34873 (Also in 17, 19, 20)
- BrowserWindow.setRepresentedFilename on macOS with titlebarStyle: 'hiddenInset' or titlebarStyle: 'hidden' inadvertently moves the traffic light location. #34847 (Also in 19, 20)
- BrowserWindows opened from new links wouldn't properly load URLs. #34910 (Also in 19)
- BrowserViews on Windows. #33478 (Also in 16)
Other Changes
- 1287804. #35102
- 1333333. #34689
- 1335054. #34687
- 1335458. #34685
- 1336014. #35004
- 1339844. #35002
- 1340335. #35000
- 1340654. #34998
v18.3.5
Release Notes for v18.3.5
Fixes
- crashReporter.start() on macOS. #34640 (Also in 17, 19, 20)
- setWindowOpenHandler() would crash if the callback threw an error. #34627 (Also in 19, 20)
- w.setWindowButtonVisibility(true) immediately after exiting fullscreen fails to show window buttons. #34673 (Also in 19, 20)
Other Changes
- setBounds. #34641 (Also in 19, 20)
- 1228661. #34569
- 1306751. #34560
- 1314310. #34558
- 1316578. #34568
- 1317673. #34566
- 1318610. #34556
- 1321078. #34692
v18.3.4
Release Notes for v18.3.4
Fixes
- { name: 'All Files', extensions: ['*'] } in the filters param of open or save dialogs on Linux would disallow choosing files without an extension. #34518 (Also in 19, 20)
Other Changes
- 1227995. #34562
- 1320024. #34554
- 1324864, 1218100. #34534
v18.3.3
Release Notes for v18.3.3
Fixes
v18.3.2
Release Notes for v18.3.2
Fixes
- window.close() is called during a fullscreen transition. #34392 (Also in 17, 19, 20)
Other Changes
v18.3.1
Release Notes for v18.3.1
Fixes
Other Changes
- crash_reporter::Start under the electron category for crash_reporter::Start(). #34325 (Also in 17, 19)
v18.3.0
Release Notes for v18.3.0
Fixes
- loadExtension on an extension directory that's missing a manifest file. #34304 (Also in 16, 17, 19)
- event.preventDefault was called in either will-resize or will-move on Windows. #34284 (Also in 16, 17, 19)
v18.2.4
Release Notes for v18.2.4
Fixes
- node_cli_inspect fuse is disabled. #34180 (Also in 16, 17)
Other Changes
v18.2.3
Release Notes for v18.2.3
Fixes
- safeStorage on Linux. #34148 (Also in 19)
v18.2.2
Release Notes for v18.2.2
Fixes
- SetLoginItemSettings() could potentially cause network volumes to be incorrectly mounted. #34106 (Also in 17, 19)
Other Changes
v18.2.0
Release Notes for v18.2.0
Features
Fixes
- app.requestSingleInstanceLock() API where it would sometimes hang. #33778
Other Changes
v18.1.0
Release Notes for v18.1.0
Features
- systemPreferences.subscribe{Local|Workspace}Notification to take a null value for the event parameter. #33771
Fixes
- alt is shown with accessibility features enabled. #33843 (Also in 19)
Other Changes
v18.0.4
Release Notes for v18.0.4
Fixes
- Escape keyboard events would not be properly propagated to the parent window after entering fullscreen and then exiting it again on Windows. #33787
- shell.openExternal() now reports more detailed errors on Windows. #33659 (Also in 15, 16, 17, 19)
- shell.openExternal() now reports more detailed errors on Windows. #33705 (Also in 15, 16, 17, 19)
Other Changes
v18.0.3
Release Notes for v18.0.3
Other Changes
v18.0.2
Release Notes for v18.0.2
Fixes
- Browser.getFocusedWindow() when child windows are closed. #33538 (Also in 17)
- BrowserWindow.unmaximize was called on a window whose user bounds were maximized. #33550 (Also in 16, 17)
- app.requestSingleInstanceLock() when setting non-existent user data folder. #33592 (Also in 16, 17, 19)
v18.0.1
Release Notes for v18.0.1
Fixes
Other Changes
v18.0.0
Release Notes for v18.0.0
Stack Upgrades
Breaking Changes
- BrowserWindowProxy-based implementation of window.open. This also removes the nativeWindowOpen option from webPreferences. #29405
Features
Additions
- WebContents. #25873
- BrowserWindow method to change the button color, symbol color, and height of a window with WCO enabled. #33440
- nativeTheme.inForcedColorsMode API to allow detecting forced color mode. #33357 (Also in 15, 16, 17)
- showSubstitutions, toggleSmartQuotes, toggleSmartDashes, toggleTextReplacement. #32024
- first-instance-ack event to the app.requestSingleInstanceLock() flow, so that users can pass some data back from the second instance to the first instance. #31460
- height option for Windows Control Overlay. #31222 (Also in 15, 16, 17)
- ses.setCodeCachePath() API for setting code cache directory. #33286 (Also in 17)
- setBackgroundColor. #33364
Fixes
- BrowserWindow.fromWebContents would return undefined during the browser-window-created event. #33316
- setBounds was not correctly applied if the user was moving or resizing the window concurrently on Windows. #33375
Also in earlier versions...
- npm_config_arch. #32266 (Also in 15, 16, 17)
- showSaveDialogSync() code path has been fixed. (Fixes #31997). #32049 (Also in 14, 15, 16, 17)
- maxWidth not working in BrowserWindow constructor options. #32628 (Also in 17)
- window.open not overriding parent's webPreferences. #32057 (Also in 15, 16, 17)
- window.print(), the print button in the PDF viewer, or with BrowserWindow.webContents() and clicked cancel in the resulting print dialog. #32632 (Also in 17)
- BrowserViews. #31863 (Also in 14, 15, 16, 17)
- alert() dialog title is corrupted. #32434 (Also in 14, 15, 16, 17)
- alternateImages did not work properly on macOS. #33107 (Also in 15, 16, 17)
- ipcRenderer.postMessage would throw errors when the transfer argument was not passed. #32433 (Also in 14, 15, 16, 17)
- webContents.openDevTools({ mode }) did not work for certain dock positions. #32946 (Also in 17)
- webContents.savePage failed when passing a relative path instead of an absolute one. #33019 (Also in 15, 16, 17)
- backgroundColor was set to undefined, vibrancy failed to work and the backgroundColor would show up as white. #32517 (Also in 16, 17)
- maxHeight or maxWidth made it so the width and height could no longer be resized. #33119 (Also in 17)
- maximize and unmaximize events on Windows. #32643 (Also in 17)
- webContents.setZoomFactor(1.0). #32604 (Also in 13, 14, 15, 16, 17)
- skipTransformProcessType option parsing in win.setVisibleOnAllWorkspaces(). #32364 (Also in 13, 14, 15, 16, 17)
- session.setDevicePermissionHandler. #32651 (Also in 17)
- desktopCapturer.getSources. #32052 (Also in 16, 17)