chore(deps): update dependency electron to v24.8.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron	24.0.0 -> 24.8.5

GitHub Vulnerability Alerts

CVE-2023-39956

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

• Your app is launched with an attacker-controlled working directory
• The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

• 26.0.0-beta.13
• 25.5.0
• 24.7.1
• 23.3.13
• 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2023-4863

Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2023-5217

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-44402

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

• 27.0.0-alpha.7
• 26.2.1
• 25.8.1
• 24.8.3
• 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

---

Release Notes

electron/electron (electron)

v24.8.5: electron v24.8.5

Compare Source

Release Notes for v24.8.5

Other Changes

• Security: backported fix for CVE-2023-5217. #​40025

v24.8.4: electron v24.8.4

Compare Source

Release Notes for v24.8.4

Fixes

• Fixed a redundant permission popup while fetching screens and windows using desktopCapturer.getSources() on Wayland. #​39711 (Also in 25, 26)

v24.8.3: electron v24.8.3

Compare Source

Release Notes for v24.8.3

Other Changes

• Security: backported fix for CVE-2023-4763.
  • Security: backported fix for CVE-2023-4762.
  • Security: backported fix for CVE-2023-4761. #​39757
• Security: backported fix for CVE-2023-4863. #​39826

v24.8.2: electron v24.8.2

Compare Source

Release Notes for v24.8.2

Fixes

• Fixed an issue where child windows opened when the parent window is already fullscreen did not respect the child windows' fullscreenability and resizability settings. #​39643 (Also in 25, 26, 27)
• Fixed an issue where the Node.js assert module did not work in the renderer process. #​39621 (Also in 25, 26, 27)

Other Changes

• Security: backported fix for CVE-2023-4427.
  • Security: backported fix for CVE-2023-4428.
  • Security: backported fix for CVE-2023-4430. #​39647
• Security: backported fix for CVE-2023-4572. #​39688

v24.8.1: electron v24.8.1

Compare Source

Release Notes for v24.8.1

Fixes

• Fixed a potential crash when calling BrowserWindow.moveTop() on modal child windows. #​39526 (Also in 25, 26)
• Fixed decorations for tiled windows on Wayland. #​39567 (Also in 22, 25, 26, 27)
• Fixed to regenerate thumbnail toolbar buttons when explorer is restarted. #​39585 (Also in 25, 26)

Other Changes

• Security: backported fix for CVE-2023-4355.
  • Security: backported fix for CVE-2023-4354.
  • Security: backported fix for CVE-2023-4353.
  • Security: backported fix for CVE-2023-4352.
  • Security: backported fix for CVE-2023-4351. #​39558

v24.8.0: electron v24.8.0

Compare Source

Release Notes for v24.8.0

Features

• Added support for several more Node.js cli flags in the main process. #​39372 (Also in 25, 26)

Fixes

• Fixed an accessibility issue where VoiceOver couldn't trigger the tray action when selected to emit the click event. #​39447 (Also in 26)

v24.7.1: electron v24.7.1

Compare Source

Release Notes for v24.7.1

Fixes

• Fixed an issue where browserView.removeBrowserView could cause a crash in some cases. #​39407 (Also in 25, 26)

v24.7.0: electron v24.7.0

Compare Source

Release Notes for v24.7.0

Features

• Added senderIsMainFrame to messages sent via ipcRenderer.sendTo(). #​39207 (Also in 25, 26)

Fixes

• Fixed a potential crash when re-parenting a BrowserWindow whose first parent has been destroyed. #​39307 (Also in 26)

Other Changes

• Fixed a crash while screen sharing on Wayland with PipeWire. #​39273
• Security: backported fix for 1444438.
  • Security: backported fix for CVE-2023-3732.
  • Security: backported fix for CVE-2023-3728.
  • Security: backported fix for CVE-2023-3730. #​39267

v24.6.5: electron v24.6.5

Compare Source

Release Notes for v24.6.5

Fixes

• Fixed an issue where macOS traffic lights could malfunction on child windows in some circumstances. #​39243 (Also in 25, 26)
• Fixed an issue where non-resizable windows incorrectly enabled the fullscreen/maximize button on initial window creation on macOS. #​39230 (Also in 25, 26)
• Fixed asar integration for node:child_process imports. #​39236 (Also in 25, 26)

v24.6.4: electron v24.6.4

Compare Source

Release Notes for v24.6.4

Fixes

• Fixed an issue where BrowserWindow.moveAbove() and BrowserWindow.moveTop() did not work for child windows on macOS. #​39072 (Also in 25, 26)
• Fixed an issue where navigator.connection returned incorrect data. #​39100 (Also in 25)
• Fixed an issue where files could in some circumstances be selection when openFile was not passed as a dialog property. #​39097 (Also in 25, 26)

v24.6.3: electron v24.6.3

Compare Source

Release Notes for v24.6.3

Fixes

• Fixed a crash when listing desktop capture sources on Wayland with PipeWire. #​39050 (Also in 25, 26)
• Fixed an issue where notifications created on macOS which have no actions will erroneously have a Show button visible. #​39012 (Also in 25, 26)
• Fixed an issue where removing a webview in a close callback could cause crashes. #​39009 (Also in 25, 26)

v24.6.2: electron v24.6.2

Compare Source

Release Notes for v24.6.2

Other Changes

• Security: backported fix for CVE-2023-3422.
  • Security: backported fix for CVE-2023-3421.
  • Security: backported fix for CVE-2023-3420.
  • Security: backported fix for 1454860. #​38947

v24.6.1: electron v24.6.1

Compare Source

Release Notes for v24.6.1

Fixes

• Fixed preload script may not run in some child windows opened by window.open. #​38932 (Also in 23, 25, 26)
• Fixed a potential crash calling BrowserWindow.removeBrowserView() with a destroyed webContents. #​38884 (Also in 25, 26)
• Fixed minimize button to be visible when all buttons reenabled. #​38881 (Also in 23, 25)

v24.6.0: electron v24.6.0

Compare Source

Release Notes for v24.6.0

Features

• node: prefixed requires are now supported in sandboxed renderer preloads for events, timers and url. #​38727 (Also in 25, 26)

Fixes

• Fixed webContents.printToPDF preferCSSPageSize type error. #​38792 (Also in 25, 26)

Other Changes

• Security: backported fix for CVE-2023-3215.
  • Security: backported fix for CVE-2023-3216.
  • Security: backported fix for 1450536. #​38787

v24.5.1: electron v24.5.1

Compare Source

Release Notes for v24.5.1

Fixes

• Fixed an issue where passing webContents.print(null) could incorrectly trigger an error. #​38640 (Also in 25, 26)
• Fixed an issue with potential use-after-free of child windows on close and reparent. #​38677 (Also in 25, 26)
• Fixed visibility of menu bar when exiting full screen. #​38681 (Also in 23, 25, 26)

Other Changes

• Backported fix for b:251677220, 1431532. #​38711
• Security: backported fix for 1447430.
  • Security: backported fix for CVE-2023-3079. #​38654
• Security: backported fix for CVE-2023-2933.
  • Security: backported fix for CVE-2023-2932.
  • Security: backported fix for CVE-2023-2931.
  • Security: backported fix for 1444195.
  • Security: backported fix for CVE-2023-2936.
  • Security: backported fix for CVE-2023-2935.
  • Security: backported fix for CVE-2023-2934
  • Security: backported fix for CVE-2023-2930. #​38536

v24.5.0: electron v24.5.0

Compare Source

Release Notes for v24.5.0

Features

• Added setUSBProtectedClassesHandler to allow access to protected USB classes with WebUSB. #​38498 (Also in 25)

Fixes

• Fixed an issue where <datalist> popups are positions incorrectly in BrowserViews. #​38608 (Also in 23, 25, 26)

v24.4.1: electron v24.4.1

Compare Source

Release Notes for v24.4.1

Fixes

• Fixed an issue where MediaStreamTrack.getCaptureHandle() always returned null. #​38434 (Also in 25)
• Fixed potential issues when minimizing parent windows with non-modal children on macOS. #​38508 (Also in 25)

Other Changes

• Improved error message when contentTracing.stopRecording() fails because no trace was in progress. #​38520

v24.4.0: electron v24.4.0

Compare Source

Release Notes for v24.4.0

Features

• Added several new cursor values to the cursor-changed event. #​38364 (Also in 25)
• Added support for Mica and Acrylic background effects on Windows. #​38361 (Also in 25)

Fixes

• Fixed an issue where getNormalBounds() returns incorrect bounds for transparent maximized windows on Windows. #​38349 (Also in 23, 25)

Other Changes

• Updated Chromium to 112.0.5615.204. #​38350

v24.3.1: electron v24.3.1

Compare Source

Release Notes for v24.3.1

Fixes

• Fixed an issue where BrowserWindow.isMaximized() could incorrectly return true for minimized or fullscreened windows on macOS. #​38308 (Also in 23, 25)
• Fixed an issue where BrowserWindow.isVisible() would incorrectly return true for minimized windows on Windows. #​38313 (Also in 23, 25)
• Fixed an issue where accessing BrowserWindow.id threw an error after the window was destroyed. #​38310 (Also in 23, 25)
• Fixed an issue where calling win.minimize() directly after calling win.maximize(), and then calling win.isMaximized() incorrectly returns true. #​38343 (Also in 23, 25)

Other Changes

• Security: backported fix for 1433328. #​38271
• Updated Chromium to 112.0.5615.183. #​38319

v24.3.0: electron v24.3.0

Compare Source

Release Notes for v24.3.0

Features

• Added net.resolveHost that resolves hosts using defaultSession object. #​38153 (Also in 25)

Fixes

• Ensured that Electron's custom AXManualAccessibility attribute works as expected in all relevant protocol methods. #​38224 (Also in 23, 25)

v24.2.0: electron v24.2.0

Compare Source

Release Notes for v24.2.0

Features

• Added thermal management information to powerMonitor. #​38027 (Also in 25)

Fixes

• Fixed a potential crash when right-clicking on macOS windows with draggable regions. #​38136 (Also in 25)
• Fixed an issue where default background color for windows might be incorrect. #​38158 (Also in 25)
• Fixed an perceived failure when when using Accessibility attribute AXManualAccessibility to enable a11y features in Electron. #​38147 (Also in 23)

v24.1.3: electron v24.1.3

Compare Source

Release Notes for v24.1.3

Fixes

• Fixed broken defaults in shell.openExternal() options. #​38072 (Also in 22, 23, 25)
• Fixed crash when executing eval in the utility process. #​38041 (Also in 23, 25)

Other Changes

• Security: backported fix for CVE-2023-2136. #​38082
• Updated Chromium to 112.0.5615.165. #​38047

v24.1.2: electron v24.1.2

Compare Source

Release Notes for v24.1.2

Fixes

• Fixed an issue on Linux where menus would not open after resizing/maximizing/unmaximizing a window. #​37906 (Also in 23, 25)
• Fixed an issue where the 'swipe' event wasn't being emitted properly on macOS. #​37965 (Also in 25)
• Fixed an issue which made defaultFontFamily in webPreferences have no effect. #​37968 (Also in 22, 23, 25)

Other Changes

• Updated Chromium to 112.0.5615.87. #​37974

v24.1.1: electron v24.1.1

Compare Source

Release Notes for v24.1.1

Fixes

• Fixed recommended node-gyp version in node.h error. #​37927 (Also in 22, 23, 25)

v24.1.0: electron v24.1.0

Compare Source

Release Notes for v24.1.0

Features

• Introduced session.resolveHost for resolving hostnames with Chromium's DNS resolver. #​37847

Fixes

• Added about panel for menu role about on Linux as well. #​37872 (Also in 23, 25)
• Fixed an issue on macOS where entering fullscreen with the Fn+F system shortcut would fail or create strange window side effects. #​37823 (Also in 23)
• Fixed an issue where certain buttons in the PDF viewer didn't work. #​37918 (Also in 25)
• Security: Fixed an issue with Content-Security-Policy not being correctly enforced when sandbox: false and contextIsolation: false. (CVE-2023-23623). #​37839

Other Changes

• Updated Chromium to 112.0.5615.50. #​37833

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.