This repository has been archived by the owner on Jan 30, 2024. It is now read-only.
chore(deps): update dependency electron to v23.3.13 [security] #44
This PR contains the following updates:

| Package | Change |
|---|---|
| electron | `23.2.0` -> `23.3.13` |
## GitHub Vulnerability Alerts

### CVE-2023-29198

**Impact**

Apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

**Workarounds**

This issue is exploitable under either of two conditions:

- `contextBridge` can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown: `Error: object could not be cloned`.
- `contextBridge` has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

**Fixed Versions**

- 25.0.0-alpha.2
- 24.0.1
- 23.2.3
- 22.3.6

**For more information**

If you have any questions or comments about this advisory, email us at [email protected]
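One way to apply the app-side workaround above in a preload script, as an added example that is not Electron's code or part of the advisory: a wrapper (hypothetical names `sanitizeForBridge` and `guardApi`) that snapshots each exposed function's return value into plain data, rejecting accessor properties, functions and non-plain objects before `contextBridge.exposeInMainWorld` would serialize them. It runs in plain Node without Electron, and its allowlist is deliberately narrower than the set of types the bridge itself supports.

```javascript
// Return a fresh plain-data snapshot of `value` or throw a TypeError. Allowed:
// primitives, arrays, and plain objects with data properties only. Accessors are
// rejected without being evaluated, so a throwing getter never reaches the
// bridge's serializer; Map, Date, DOM nodes, canvas contexts etc. are rejected too.
function sanitizeForBridge(value, path = 'value', stack = new Set()) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'function' || typeof value === 'symbol') {
      throw new TypeError(`${path}: ${typeof value} cannot cross the bridge`);
    }
    return value;
  }
  if (stack.has(value)) throw new TypeError(`${path}: cyclic value`);
  stack.add(value); // shared (non-cyclic) references remain allowed
  try {
    if (Array.isArray(value)) {
      return value.map((v, i) => sanitizeForBridge(v, `${path}[${i}]`, stack));
    }
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) {
      throw new TypeError(`${path}: unsupported object type`);
    }
    const out = {};
    for (const key of Object.keys(value)) {
      const desc = Object.getOwnPropertyDescriptor(value, key);
      if (desc.get || desc.set) {
        throw new TypeError(`${path}.${key}: accessor properties are not allowed`);
      }
      out[key] = sanitizeForBridge(desc.value, `${path}.${key}`, stack);
    }
    return out;
  } finally {
    stack.delete(value);
  }
}

// Wrap each function of an API object so its sync or Promise result is sanitized
// before the bridge sees it; in a preload script one would then call
// contextBridge.exposeInMainWorld('api', guardApi(rawApi)). Names are hypothetical.
function guardApi(api) {
  const guarded = {};
  for (const [name, fn] of Object.entries(api)) {
    guarded[name] = (...args) => {
      const tag = `${name}()`;
      const result = fn(...args);
      if (result instanceof Promise) return result.then((v) => sanitizeForBridge(v, tag));
      return sanitizeForBridge(result, tag);
    };
  }
  return guarded;
}
```

Because the wrapper throws inside the exposed function rather than during serialization, a rejected value surfaces as an ordinary error in the renderer instead of the mid-serialization failure the advisory describes.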
### CVE-2023-39956

**Impact**

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as `myapp --help`.

Specifically this issue can only be exploited if the following conditions are met:

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

**Workarounds**

There are no app side workarounds, you must update to a patched version of Electron.

**Fixed Versions**

- 26.0.0-beta.13
- 25.5.0
- 24.7.1
- 23.3.13
- 22.3.19

**For more information**

If you have any questions or comments about this advisory, email us at [email protected]
## Release Notes

### electron/electron (electron)

#### v23.3.13: electron v23.3.13

Release Notes for v23.3.13

**End of Support for 23.x.y**

Electron 23.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

#### v23.3.12: electron v23.3.12

Release Notes for v23.3.12

Other Changes

#### v23.3.11: electron v23.3.11

Release Notes for v23.3.11

Fixes

#### v23.3.10: electron v23.3.10

Release Notes for v23.3.10

Other Changes

- 1454860. #38948

#### v23.3.9: electron v23.3.9

Release Notes for v23.3.9

Fixes

- `preload` script may not run in some child windows opened by `window.open`. #38933 (Also in 24, 25, 26)

#### v23.3.8: electron v23.3.8

Release Notes for v23.3.8

Other Changes

- 1450536. #38788

#### v23.3.7: electron v23.3.7

Release Notes for v23.3.7

Fixes

Other Changes

- 1439691.
- 1425115.
- 1431761.
- 1442263. #38331
- 1447430.
- 1444195.

#### v23.3.6: electron v23.3.6

Release Notes for v23.3.6

Fixes

- `<datalist>` popups are positioned incorrectly in `BrowserView`s. #38607 (Also in 24, 25, 26)

Other Changes

- `contentTracing.stopRecording()` fails because no trace was in progress. #38518 (Also in 24, 25)

#### v23.3.5: electron v23.3.5

Release Notes for v23.3.5

Fixes

- `getNormalBounds()` returns incorrect bounds for transparent maximized windows on Windows. #38347 (Also in 24, 25)

Other Changes

- 1423360. #38276

#### v23.3.4: electron v23.3.4

Release Notes for v23.3.4

Fixes

- `getNormalBounds()` returns incorrect bounds for transparent maximized windows on Windows. #38347 (Also in 24, 25)

Other Changes

- 1423360. #38276

#### v23.3.3: electron v23.3.3

Release Notes for v23.3.3

Fixes

- `BrowserWindow.isMaximized()` could incorrectly return true for minimized or fullscreened windows on macOS. #38306 (Also in 24, 25)
- `BrowserWindow.isVisible()` would incorrectly return `true` for minimized windows on Windows. #38315 (Also in 24, 25)
- `BrowserWindow.id` threw an error after the window was destroyed. #38309 (Also in 24, 25)
- `win.minimize()` directly after calling `win.maximize()`, and then calling `win.isMaximized()` incorrectly returns `true`. #38344 (Also in 24, 25)

Other Changes

#### v23.3.2: electron v23.3.2

Release Notes for v23.3.2

Fixes

- `AXManualAccessibility` attribute works as expected in all relevant protocol methods. #38225 (Also in 24, 25)

#### v23.3.1: electron v23.3.1

Release Notes for v23.3.1

Fixes

- `AXManualAccessibility` to enable a11y features in Electron. #38151 (Also in 24)

#### v23.3.0: electron v23.3.0

Release Notes for v23.3.0

Features

Fixes

- `shell.openExternal()` options. #38091 (Also in 22, 24, 25)

Other Changes

- 1408315. #38011
- 1360571. #38061
- 1404790. #38063
- 1427388. #37982
- 1428820.
- 1428820. #38067

#### v23.2.4: electron v23.2.4

Release Notes for v23.2.4

Fixes

#### v23.2.3: electron v23.2.3

Release Notes for v23.2.3

Fixes

- `about` on Linux as well. #37874 (Also in 24, 25)
- `Fn+F` system shortcut would fail or create strange window side effects. #37822 (Also in 24)
- `node-gyp` version in `node.h` error. #37941 (Also in 22, 24, 25)

Other Changes

#### v23.2.2: electron v23.2.2

Release Notes for v23.2.2

Fixes

#### v23.2.1: electron v23.2.1

Release Notes for v23.2.1

Fixes

- `port.postMessage` in `MessagePortMain` with some invalid parameters could cause a crash. #37724 (Also in 22, 24)

Other Changes
## Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.