Update dependency electron to v39 [SECURITY]#47

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-electron-vulnerability

renovate Bot commented Oct 5, 2023

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| electron | 13.6.9 → 39.8.5 | age | confidence |

AutoUpdater module fails to validate certain nested components of the bundle

CVE-2022-29257 / GHSA-77xc-hjv8-ww97

More information

Details

Impact

This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0
Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Exfiltration of hashed SMB credentials on Windows via file:// redirect

CVE-2022-36077 / GHSA-p2jh-44qj-pf2v

More information

Details

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

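```js
const { app } = require('electron')

// Cancel any redirect whose target is a file:// URL, for every WebContents.
app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})
```
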
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

CVE-2023-39956 / GHSA-7x97-j373-85x5

More information

Details

Impact

Apps that are launched as command line executables are impacted, e.g. if your app exposes itself in the path as myapp --help.

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low; in fact, normally issues of this kind are considered outside of our threat model, as, similar to Chromium, we exclude Physically Local Attacks. But given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron affected by libvpx's heap buffer overflow in vp8 encoding

CVE-2023-5217 / GHSA-qqvq-6xgj-jw8g

More information

Details

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


ASAR Integrity bypass via filetype confusion in electron

CVE-2023-44402 / GHSA-7m48-wc93-9g85

More information

Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows, which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 22.3.24
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron vulnerable to Heap Buffer Overflow in NativeImage

CVE-2024-46993 / GHSA-6r2x-8pq8-9489

More information

Details

Impact

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

Workaround

There are no app-side workarounds for this issue. You must update your Electron version to be protected.

Patches
  • v28.3.2
  • v29.3.3
  • v30.0.3
For More Information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron has ASAR Integrity Bypass via resource modification

CVE-2025-55305 / GHSA-vmqv-hx8q-j7mg

More information

Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows, which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

CVE-2026-34767 / GHSA-4p4r-m79c-wq3v

More information

Details

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions
  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: USB device selection not validated against filtered device list

CVE-2026-34766 / GHSA-9899-m83m-qhpj

More information

Details

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Unquoted executable path in app.setLoginItemSettings on Windows

CVE-2026-34768 / GHSA-jfqx-fxh3-c62j

More information

Details

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 3.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Use-after-free in PowerMonitor on Windows and macOS

CVE-2026-34770 / GHSA-jjp3-mq3x-295m

More information

Details

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

CVE-2026-34769 / GHSA-9wfr-w7mm-pc7f

More information

Details

Impact

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

Workarounds

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

CVE-2026-34771 / GHSA-8337-3p73-46f4

More information

Details

Impact

Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

Workarounds

Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Use-after-free in download save dialog callback

CVE-2026-34772 / GHSA-9w97-2464-8783

More information

Details

Impact

Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.

Workarounds

Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.

Fixed Versions
  • 41.0.0-beta.7
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Use-after-free in offscreen child window paint callback

CVE-2026-34774 / GHSA-532v-xpq5-8h95

More information

Details

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions
  • 41.0.0
  • 40.7.0
  • 39.8.1
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

CVE-2026-34773 / GHSA-mwmh-mq4g-g6gr

More information

Details

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

CVE-2026-34775 / GHSA-xwr5-m59h-vwqr

More information

Details

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions
  • 41.0.0
  • 40.8.4
  • 39.8.4
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

CVE-2026-34776 / GHSA-3c8v-cfp5-9885

More information

Details

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Incorrect origin passed to permission request handler for iframe requests

CVE-2026-34777 / GHSA-r5p7-gp4j-qhrx

More information

Details

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Service worker can spoof executeJavaScript IPC replies

CVE-2026-34778 / GHSA-xj5x-m3f3-5x3h

More information

Details

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

CVE-2026-34779 / GHSA-5rqw-r77c-jp79

More information

Details

Impact

On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: Crash in clipboard.readImage() on malformed clipboard image data

CVE-2026-34781 / GHSA-f37v-82c4-4x64

More information

Details

Impact

Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.

Workarounds

Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.

Fixed Versions
  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 2.8 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

electron/electron (electron)

v39.8.5: electron v39.8.5

Compare Source

Release Notes for v39.8.5

Fixes

  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

v39.8.4: electron v39.8.4

Compare Source

Release Notes for v39.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
  • Fixed improper focus tracking in BaseWindow on macOS. #50338 (Also in 40, 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

v39.8.3: electron v39.8.3

Compare Source

Release Notes for v39.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

v39.8.2: electron v39.8.2

Compare Source

Release Notes
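
The workarounds for CVE-2026-34771 and CVE-2026-34777 in the description above both concern `session.setPermissionRequestHandler()`: respond synchronously, and decide on `details.requestingUrl`. The following is an added example, not code from the Electron advisories or from this repository; `TRUSTED_ORIGINS`, `decidePermission` and `installPermissionHandler` are hypothetical names and the origin is a placeholder.

```javascript
// Added example (not from the Electron advisories or this repository).
// TRUSTED_ORIGINS and both function names are hypothetical.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // placeholder origin

// Permissions for which CVE-2026-34777 reported the top-level origin
// instead of the requesting iframe's origin.
const ORIGIN_SENSITIVE = new Set([
  'fullscreen', 'pointerLock', 'keyboardLock', 'openExternal', 'media',
]);

// Pure decision function: no I/O and no promises, so the handler can answer
// in the same tick, before the requesting frame can navigate or close
// (the synchronous-response workaround for CVE-2026-34771).
function decidePermission(permission, details) {
  if (!ORIGIN_SENSITIVE.has(permission)) return false; // default deny
  let origin;
  try {
    // details.requestingUrl is the frame that asked, not the top-level page.
    origin = new URL(details && details.requestingUrl).origin;
  } catch {
    return false; // missing or unparsable requestingUrl
  }
  return TRUSTED_ORIGINS.has(origin);
}

// Wiring: pass an Electron Session object, e.g. session.defaultSession.
function installPermissionHandler(ses) {
  ses.setPermissionRequestHandler((webContents, permission, callback, details) => {
    // webContents.getURL() is deliberately not consulted: for an iframe
    // request it describes the embedding page.
    callback(decidePermission(permission, details));
  });
}
```

Anything that needs an asynchronous user prompt can be denied here and re-requested by the page after the app has recorded the user's choice.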
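
For CVE-2026-34769, the workaround in the description above is an explicit allowlist of `webPreferences` keys instead of spreading external configuration. The following is an added example (not Electron's or this repository's code) that puts the spread pattern beside an allowlist; the function names, the set of permitted keys and the sample configuration are assumptions.

```javascript
// Added example, not Electron's or the project's code. ALLOWED_PREFS,
// PINNED_PREFS and both builder functions are hypothetical names.

// Keys that external configuration may set, each with a value validator.
const ALLOWED_PREFS = {
  zoomFactor: (v) => typeof v === 'number' && v >= 0.25 && v <= 5,
  spellcheck: (v) => typeof v === 'boolean',
  defaultFontSize: (v) => Number.isInteger(v) && v >= 8 && v <= 48,
};

// Security-relevant preferences are fixed by the app, never by configuration.
const PINNED_PREFS = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Constructed sample of untrusted configuration; the switch value is a placeholder.
const SAMPLE_CONFIG = {
  zoomFactor: 1.25,
  sandbox: false,
  commandLineSwitches: '<attacker-chosen switches>',
};

// Pattern the advisory warns about: every key in the input reaches Electron,
// including undocumented ones, and later keys override the app's defaults.
function buildWebPreferencesUnsafe(untrusted) {
  return { sandbox: true, ...untrusted };
}

// Allowlist: copy only known keys whose values validate, report the rest.
function buildWebPreferences(untrusted) {
  const input = untrusted !== null && typeof untrusted === 'object' ? untrusted : {};
  const prefs = {};
  const rejected = [];
  for (const key of Object.keys(input)) {
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_PREFS, key);
    if (known && ALLOWED_PREFS[key](input[key])) prefs[key] = input[key];
    else rejected.push(key);
  }
  // Pinned values are applied last so nothing from the input can override them.
  return { webPreferences: { ...prefs, ...PINNED_PREFS }, rejected };
}
```

Logging the `rejected` list gives a detection signal when a configuration source starts carrying keys the app never asked for.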


renovate Bot commented Oct 5, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @cucumber/electron@4.1.3
npm ERR! Found: electron@22.3.25
npm ERR! node_modules/electron
npm ERR!   dev electron@"22.3.25" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer electron@">=12 <14" from @cucumber/electron@4.1.3
npm ERR! node_modules/@cucumber/electron
npm ERR!   dev @cucumber/electron@"4.1.3" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: electron@13.6.9
npm ERR! node_modules/electron
npm ERR!   peer electron@">=12 <14" from @cucumber/electron@4.1.3
npm ERR!   node_modules/@cucumber/electron
npm ERR!     dev @cucumber/electron@"4.1.3" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-05-08T19_27_10_417Z-debug-0.log

@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 10 times, most recently from 8f8a184 to bf9d29e Compare October 13, 2023 00:55
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 12 times, most recently from cd3033b to 42f89df Compare October 23, 2023 19:24
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 6 times, most recently from e9a3b32 to 9ead22e Compare October 30, 2023 22:39
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 9ead22e to c5cf279 Compare October 31, 2023 01:20
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 7 times, most recently from 963e9cf to e74a01b Compare November 20, 2023 22:10
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 10 times, most recently from 941f149 to 3cca800 Compare November 28, 2023 01:35
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 10 times, most recently from b214f9f to d883083 Compare December 5, 2023 00:20
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from d883083 to 5e930e2 Compare December 6, 2023 23:23

renovate Bot commented May 11, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @cucumber/electron@4.1.3
npm ERR! Found: electron@39.8.5
npm ERR! node_modules/electron
npm ERR!   dev electron@"39.8.5" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer electron@">=12 <14" from @cucumber/electron@4.1.3
npm ERR! node_modules/@cucumber/electron
npm ERR!   dev @cucumber/electron@"4.1.3" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: electron@13.6.9
npm ERR! node_modules/electron
npm ERR!   peer electron@">=12 <14" from @cucumber/electron@4.1.3
npm ERR!   node_modules/@cucumber/electron
npm ERR!     dev @cucumber/electron@"4.1.3" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-04-29T17_05_16_046Z-debug-0.log
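
While the peer-dependency conflict above blocks the update, it helps to know which fixes a given Electron version lacks. The following is an added example, not Renovate output or project code: it compares a version against the "Patches" / "Fixed Versions" lists in the PR description. It assumes that a major newer than every listed fix already contains it, and "lacks the fix" does not by itself mean the app meets an advisory's preconditions.

```javascript
// Added example. FIXED is transcribed from the PR description above;
// CVE-2023-5217 is omitted because no Electron fixed versions are given for it.
const FIXED = {
  'CVE-2022-29257': ['18.0.0-beta.6', '17.2.0', '16.2.0', '15.5.0'],
  'CVE-2022-36077': ['21.0.0-beta.1', '20.0.1', '19.0.11', '18.3.7'],
  'CVE-2023-39956': ['26.0.0-beta.13', '25.5.0', '24.7.1', '23.3.13', '22.3.19'],
  'CVE-2023-44402': ['27.0.0-alpha.7', '26.2.1', '25.8.1', '24.8.3', '22.3.24'],
  'CVE-2024-46993': ['28.3.2', '29.3.3', '30.0.3'],
  'CVE-2025-55305': ['38.0.0-beta.6', '37.3.1', '36.8.1', '35.7.5'],
  'CVE-2026-34767': ['41.0.3', '40.8.3', '39.8.3', '38.8.6'],
  'CVE-2026-34766': ['41.0.0-beta.8', '40.7.0', '39.8.0', '38.8.6'],
  'CVE-2026-34768': ['41.0.0-beta.8', '40.8.0', '39.8.1', '38.8.6'],
  'CVE-2026-34770': ['41.0.0-beta.8', '40.8.0', '39.8.1', '38.8.6'],
  'CVE-2026-34769': ['41.0.0-beta.8', '40.7.0', '39.8.0', '38.8.6'],
  'CVE-2026-34771': ['41.0.0-beta.8', '40.7.0', '39.8.0', '38.8.6'],
  'CVE-2026-34772': ['41.0.0-beta.7', '40.7.0', '39.8.0', '38.8.6'],
  'CVE-2026-34774': ['41.0.0', '40.7.0', '39.8.1'],
  'CVE-2026-34773': ['41.0.0', '40.8.1', '39.8.1', '38.8.6'],
  'CVE-2026-34775': ['41.0.0', '40.8.4', '39.8.4', '38.8.6'],
  'CVE-2026-34776': ['41.0.0', '40.8.1', '39.8.1', '38.8.6'],
  'CVE-2026-34777': ['41.0.0', '40.8.1', '39.8.1', '38.8.6'],
  'CVE-2026-34778': ['41.0.0', '40.8.1', '39.8.1', '38.8.6'],
  'CVE-2026-34779': ['41.0.0-beta.8', '40.8.0', '39.8.1', '38.8.6'],
  'CVE-2026-34781': ['42.0.0-alpha.5', '41.1.0', '40.8.5', '39.8.5'],
};

// Split "1.2.3-beta.4" into its numeric core and pre-release identifiers.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0.0 precedence: returns -1, 0 or 1.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre.length && !y.pre.length) return 0;
  if (!x.pre.length) return 1;  // a release sorts after its pre-releases
  if (!y.pre.length) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts first
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric sorts before alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// True when `installed` is at or past the fix on its own release line, or is
// on a newer major than every listed fix (assumption stated in the lead-in).
function containsFix(installed, fixedVersions) {
  const major = parse(installed).core[0];
  const sameLine = fixedVersions.filter((f) => parse(f).core[0] === major);
  if (sameLine.length) return sameLine.some((f) => compare(installed, f) >= 0);
  return fixedVersions.every((f) => parse(f).core[0] < major);
}

// CVE ids from FIXED whose fix the given Electron version does not contain.
function missingFixes(installed) {
  return Object.keys(FIXED).filter((cve) => !containsFix(installed, FIXED[cve]));
}
```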
