
chore(deps): update dependency electron to v13 [security] #62278

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 26, 2022

WhiteSource Renovate

This PR contains the following updates:

Package: electron
Change: 12.2.3 -> 13.6.6
(Age, Adoption, Passing and Confidence columns are badge images in the original and are not reproduced here.)

GitHub Vulnerability Alerts

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at [email protected].


Release Notes

electron/electron

v13.6.6

Compare Source

Release Notes for v13.6.6

Fixes

  • Fixed a JavaScript exception from webContents if render frame was disposed in WebFrameMain, resets the value of render_frame_disposed_ after updating render frame host. #​32130 (Also in 14, 15, 16)
  • No Notes. #​32241 (Also in 14, 15, 16, 17)

Other Changes

v13.6.3

Compare Source

Release Notes for v13.6.3

Fixes

  • Fixed window frame glitch when calling setContentProtection. #​31829 (Also in 14, 15, 16)
  • Generate valid config.gypi file in Node.js headers. #​31989 (Also in 14, 15, 16)

Other Changes

v13.6.2

Compare Source

Release Notes for v13.6.2

Fixes

  • Fixed an issue where Content-Disposition filenames would be incorrectly truncated at the first comma for a filename attachment which contained one. #​31691 (Also in 14, 15, 16)
  • Fixed an issue which caused print settings to not work properly when printing silently. #​31618 (Also in 14, 15, 16)

Other Changes

v13.6.1

Compare Source

Release Notes for v13.6.1

Fixes

  • Fixed an issue where MediaMetadata did not work properly. #​31532 (Also in 14, 15, 16)
  • Fixed black window when screen capturing a content-protected BrowserWindow on Windows 10. #​31550 (Also in 14, 15, 16)

Other Changes

v13.6.0

Compare Source

Release Notes for v13.6.0

Features

  • Added warning when ipcRenderer.sendSync() is called with no listeners for channel on ipcMain. #​31432 (Also in 14, 15, 16)
  • Began passing securityOrigin in details for permission request handlers for media requests in addition to permission check handlers. #​31437 (Also in 14, 15, 16)

Fixes

  • Fixed issue where non-resizable frameless windows aren't draggable. #​31414 (Also in 14, 15, 16)
  • Removes several Chromium private enterprise APIs from Mac Apple Store builds. #​31486 (Also in 14, 15, 16)

v13.5.2

Compare Source

Release Notes for v13.5.2

Fixes

  • Fixed a potential crash in WebContents::MessageTo when a render frame has been destroyed. #​31335 (Also in 14, 15, 16)
  • Fixed navigator.serial.getPorts() to return previously selected ports. #​31190 (Also in 12)
  • Removed expired DST Root CA X3 from the bundled trust store. #​31220 (Also in 12)

Other Changes

v13.5.1

Compare Source

Release Notes for v13.5.1

Fixes

  • Fixed Let's Encrypt DST Root CA X3 certificate expiration. #​31215 (Also in 12, 14, 15, 16)
  • Fixed an issue where BrowserView dragging behavior was inconsistent with MacOS window dragging. #​31175 (Also in 14, 15, 16)
  • Fixed an issue where changes to draggable regions in a BrowserWindow incorrectly affected those in an attached BrowserView. #​31197 (Also in 14, 15, 16)
  • Fixed crash in v8 due to (Check failed: !regexp_stack_->is_in_use()). #​31142 (Also in 14, 15, 16)
  • Fixed media key globalShortcuts on macOS. #​30568 (Also in 14, 15)

Other Changes

v13.5.0

Compare Source

Release Notes for v13.5.0

Features

  • Added support for Windows Control Overlay on Windows. #​30887 (Also in 14, 15)
  • Added support for Windows Control Overlay on macOS. #​30698 (Also in 14)

Fixes

  • Fixed an issue where BrowserView webContents would appear not to load in some circumstances. #​31047 (Also in 14, 15)
  • Fixed an issue where non-resizable non-fullscreenable windows with aspect ratios set could return incorrect results for isMaximized(). #​31039 (Also in 14, 15)
  • Fixed an issue where out-of-focus BrowserViews could not be immediately dragged. #​31098 (Also in 16)
  • Fixed black border around the page after resizing is disabled. #​31078 (Also in 14, 15, 16)
  • Fixed crash in seccomp sandbox with glibc 2.34. #​31091
  • None. #​31097 (Also in 14, 15)

Other Changes

v13.4.0

Compare Source

Release Notes for v13.4.0

Features

  • Added webContents.fromDevToolsTargetId(targetId) to lookup a WebContents instance from an associated Chrome DevTools Protocol TargetID. #​30731 (Also in 14, 15)
  • Fixed crash that occasionally happens when closing or opening BrowserWindows. #​30834 (Also in 15)

Fixes

  • Fixed crash when launching app with systemd v249. #​30893
  • Fixed transparent frameless windows having an opaque background when opened in a maximized state. #​30862 (Also in 12, 14, 15)

Other Changes

Documentation

v13.3.0

Compare Source

Release Notes for v13.3.0

Other Changes

v13.2.3

Compare Source

Release Notes for v13.2.3
Fixes
  • Fixed an issue where the TouchBarScrubber crashes when showArrowButtons is enabled if items is an empty array. #​30680 (Also in 14, 15)
  • Fixed titlebar showing under simple fullscreen mode. #​30706 (Also in 14, 15)

v13.2.2

Compare Source

Release Notes for v13.2.2

Fixes

  • Fixed an issue present in webView where the leave-html-full-screen event is not emitted if the user exits fullscreen with esc instead of by clicking into the webView. #​30560 (Also in 14, 15)
  • Fixed an issue where background color would not be correctly applied to BrowserViews on Windows when either the x or y coordinate is negative (off-screen). #​30540 (Also in 14, 15)
  • Fixed an issue where toggling documentEdited status on macOS with titlebarStyle: 'hiddenInset' inadvertently moves the traffic light location. #​30603 (Also in 14, 15)

Other Changes

v13.2.1

Compare Source

Release Notes for v13.2.1

Fixes

  • Fixed potential crash when programmatically closing a draggable frameless child window. #​30572

v13.2.0

Compare Source

Release Notes for v13.2.0

Features

  • Added support for the des-ede3 cipher in node crypto. #​30453 (Also in 11, 12)

Fixes

  • Fixed an issue on Mac where an application could not capture its own window using the desktop capture or getMediaSourceId APIs. #​30523 (Also in 14, 15)
  • Fixed rare crash in UpdateDraggableRegions. #​30557

Other Changes

v13.1.9

Compare Source

Release Notes for v13.1.9

Fixes

  • Fixed documentEdited status not updating close button for frameless window on macOS. #​30393 (Also in 14, 15)

Other Changes

v13.1.8

Compare Source

Release Notes for v13.1.8

Fixes

  • Fixed a potential crash that would occur with draggable regions on Windows. #​30326 (Also in 14, 15)
  • Fixed an issue where a specified aspect ratio could become incorrect when maximizing a window on macOS. #​30330 (Also in 12, 14, 15)
  • Fixed frameless window having wrong traffic lights position on macOS 11. #​30319 (Also in 14, 15)
  • Fixed pressing ESC not exiting fullscreen from webview. #​30128 (Also in 12, 14)
  • Fixed stack overflow crash in v8 on windows 32-bit builds. #​30241 (Also in 12, 14, 15)
  • Fixed tray.setTitle not respecting ANSI colors if a font type was specified. #​30163 (Also in 14)

Other Changes

v13.1.7

Compare Source

Release Notes for v13.1.7

Fixes

  • Fixed requestFullscreen inside webview does not make the element take fullscreen. #​29987 (Also in 12, 14)
  • Fixed a crash when calling the webContents.on('login') callback synchronously. #​30091 (Also in 12, 14)
  • Fixed a possible renderer crash when using fsPromises.readFile. #​29928
  • Fixed an issue where Electron would sometimes not honor the user-defined Downloads directory. #​29968 (Also in 12, 14)
  • Fixed an issue where the traffic lights would get double-drawn when exiting fullscreen and adding a BrowserView on macOS. #​30149 (Also in 14)
  • Fixed incorrect value of document.focus when opening multiple windows on macOS
    • fix key window status on mac when opening panels or using custom window switchers. #​29234 (Also in 12, 14)
  • Fixed systemPreferences.getSystemColor returning colors missing alpha values. #​30088 (Also in 14)

Other Changes

Documentation

v13.1.6

Compare Source

Release Notes for v13.1.6

Fixes

  • Fixed a potential crash when calling app.quit() on macOS. #​29961 (Also in 14)
  • Fixed an issue where self.module.paths wouldn't work in Workers. #​30013 (Also in 12, 14)
  • Fixed crash when clicking links with target=_blank from webview. #​29951 (Also in 12, 14)
  • Fixed memory leak when creating notification on macOS. #​30009 (Also in 14)
  • Fixed page title not being updated on child windows without navigation entries under nativeWindowOpen. #​29958 (Also in 12, 14)

Other Changes

v13.1.5

Compare Source

Release Notes for v13.1.5

Fixes

  • Fixed a hang when denying a window.open using setWindowOpenHandler when nativeWindowOpen: false. #​29882 (Also in 12, 14)
  • Fixed an issue where dropdown menus did not work in DevTools when contextIsolation was enabled. #​29885 (Also in 14)
  • Fixed an issue where request headers were cleared if the optional "requestHeaders" parameter was not included in the webRequest.onBeforeSendHeaders callback response object. #​29836 (Also in 12, 14)
  • Fixed an issue where the setAlwaysOnTop value would sometimes not be preserved for child windows on macOS. #​29956 (Also in 12, 14)
  • Fixed crashes on macOS when Geolocation was used. #​29912 (Also in 14)

Other Changes

  • Updated Chromium to 91.0.4472.124. #​29774

v13.1.4

Compare Source

Release Notes for v13.1.4

Fixes

  • Fixed an issue with PDF loading on Windows, where metadata was not loading correctly and causing the PDF to load as a blank page. #​29830 (Also in 14)

v13.1.3

Compare Source

Release Notes for v13.1.3

Fixes

  • Fixed CORS preflight request always being cancelled when connecting via proxy requiring authentication for apps that had registered WebRequest listeners. #​29811 (Also in 12, 14)
  • Fixed select-bluetooth-device firing on Windows. #​29611 (Also in 12, 14)
  • Fixed warnAboutRemoteModuleWithRemoteContent for the new default value of enableRemoteModule. #​29691
  • Fixed a potential crash when setting vibrancy on macOS. #​29722 (Also in 14)
  • Fixed an issue where custom traffic lights could be covered by BrowserViews on macOS. #​29663 (Also in 14)
  • Fixed an issue where draggable regions sometimes did not work properly when DevTools is open. #​29734 (Also in 12, 14)
  • Fixed crashes in debug builds caused by microtasks policy mismatch. #​29808 (Also in 12, 14)
  • Fixed hover state not clear bug when BrowserWindow is not resizable. #​29800 (Also in 12, 14)
  • Fixed issue where the update permission prompt would cause 100% CPU spin while the prompt was open. #​29805 (Also in 14)
  • Fixed potential corruption of piped response data when using interceptHttpProtocol/registerHttpProtocol. #​29669 (Also in 11, 12, 14)
  • Fixed the color select eyedropper not working within DevTools. #​29760 (Also in 14)
  • Fixed the spelling of 'attachment' in 'Content-Disposition' header when using the webRequest module. #​29672 (Also in 12, 14)

Other Changes

  • Fixed a feature flag issue where spellchecker methods returned empty suggestion lists on Windows. #​29706 (Also in 14)
  • Updated Chromium to 91.0.4472.106. #​29700

Documentation

v13.1.2

Compare Source

Release Notes for v13.1.2

Fixes

  • Electron Fuses are now in a consistent order across platforms. #​29615 (Also in 14)
  • Fixed an issue where fs.promises.readFile would improperly error when passing a FileHandle to the path argument. #​29576 (Also in 14)
  • Fixed sending intermediate certificates with 'select-client-certificate' event callback. #​29569 (Also in 12, 14)
  • Fixed shifted character getting changed in menu accelerator. #​29482 (Also in 12, 14)

v13.1.1

Compare Source

Release Notes for v13.1.1
Fixes
  • Fixed crashes on latest gen Intel and Ryzen processors. #​29546
  • Fixed memory leak when requesting files in ASAR archive from renderer. #​29535 (Also in 14)

v13.1.0

Compare Source

Release Notes for v13.1.0

Features

Fixes

  • Fixed missing 'fetch' event in service workers for requests using a registered protocol. #​29446 (Also in 12, 14)
  • Fixed pressing Alt with mouse click results in toggling menu bar. #​29450 (Also in 12, 14)
  • Fixed pressing Alt+Shift and Alt+Ctrl toggling menu bar on KDE. #​29443 (Also in 12, 14)

Other Changes

  • Backported fix for 1090441,1173656,1181434,1188117. #​29494
  • Fixed using custom v8 snapshots on Apple Silicon. #​29339 (Also in 12)
  • Updated Chromium to 91.0.4472.77. #​29321

Documentation

v13.0.1

Compare Source

Release Notes for v13.0.1

Fixes

  • Fixed SHA issue when creating a universal macOS build.

v13.0.0

Compare Source

Release Notes for v13.0.0

Stack Upgrades

Breaking Changes

  • Fixed so window.open() parameter frameName is no longer set as window title. #​27481
  • Changed session.setPermissionCheckHandler(handler) to allow for handler's first parameter, webContents to be null. #​19903

Features

Additions
  • Added process.contextId used by @electron/remote. #​28251
  • Added process.contextIsolated property that indicates whether the current renderer context has contextIsolation enabled. #​28252
  • Added process.uptime() to sandboxed renderers. #​26684
  • Added roundedCorners option for BrowserWindow. #​27572
  • Added missing fields to the parameters emitted as part of the context-menu event. #​26788
  • Added new session.storagePath API to get the path on disk for session-specific data. #​28866
  • Added support for passing DOM elements over the context bridge. #​26776
  • Added support for registering Manifest V3 extension service workers.
    • Added 'registration-completed' event to ServiceWorkers. #​27562
  • Added disposition, referrer and postBody to the details object passed to the window open handler registered with setWindowOpenHandler. #​29277
Improvements
  • Additional permission checks are now routed through session.setPermissionCheckHandler. These include Notification.permission, and permission.query. Please note that the webContents parameter to the check handler can now be null. #​19903
  • Allowed skipping process type transformation in win.SetVisibleOnAllWorkspaces on macOS. #​27200
  • Reverted WebFrameMain.executeJavaScriptInIsolatedWorld(). #​27926
  • Made trafficLightPosition option work for customButtonOnHover window. #​26789
  • The submitURL option for crashReporter.start is no longer a required argument when uploadToServer is false. #​28283
  • Improved performance of napi_threadsafe_function. #​29048 (Also in 12)
Removed/Deprecated
  • Removed deprecated BrowserWindow extension APIs. #​26696
  • Removed deprecated shell.moveItemToTrash(). #​26723
  • Removed deprecated systemPreferences methods. #​26849

Fixes

  • Fixed hiddenInset titleBarStyle's abnormal fullscreen titlebar. Fix hiddenInset titleBarStyle not working with trafficLightPosition option. #​27489
  • Fixed a use-after-free bug during shutdown when using off-the-record sessions. #​26680
  • Fixed an issue where contextBridge might incorrectly try to serialize some WebAssembly objects. #​27518
  • Fixed behavior of 302/303/307 redirect responses in the protocol module. #​26297
  • Made BrowserWindow.setWindowButtonVisibility work for window with customButtonsOnHover titlebar style. #​27073
  • Fixed a rare crash on boot. #​29109
  • Fixed permissions issue that was preventing the PDF viewer from displaying. #​29252
  • Fixed the possibility for incorrect visual artifacts when using vibrancy and making frameless windows fullscreen on macOS. #​29099
  • Fixed using vibrancy with titleBarStyle together resulting in weird window shadow on macOS. #​29165
  • Restored cross-platform noop implementation of app.setAppUserModelId. #​28921
  • Security: backported fix for chromium:1196683. #​28637
Also in earlier versions....
  • Allow Node.js to manage microtasks queue by using explicit microtasks policy before calling uv_run(). #​28973 (Also in 11, 12)
  • Allow loading source maps from custom protocols and asar bundles. #​28615 (Also in 12)
  • Child windows with specified background colors or transparency now work as intended. #​28112 (Also in 12)
  • Colors returned from systemPreferences.getAccentColor(), getSystemColor and getColor are now correctly converted into the device's color space. Previously the color would have been subtly incorrect. #​28173 (Also in 11, 12)
  • Fixed ECDH.setPrivateKey() not updating the key. #​27688 (Also in 12)
  • Fixed <webview> focus / blur events not working with contextIsolation enabled. #​29025 (Also in 10, 11, 12)
  • Fixed desktopCapturer.getSources() promise result sometimes never resolving. #​28280 (Also in 10, 11, 12)
  • Fixed postData parameter missing from new-window event. #​28542 (Also in 12)
  • Fixed webFrame spell checker APIs crashing when called in sandboxed renderer. #​29087 (Also in 12)
  • Fixed a bug where, when a JumpList task description exceeded 260 characters, the JumpList was empty, despite valid entries. #​28526 (Also in 11, 12)
  • Fixed a crash when calling shell.trashItem() from the renderer process. #​28788 (Also in 12)
  • Fixed a crash when loading pepper plugins. #​28372 (Also in 12)
  • Fixed a network process crash that could happen when using setCertificateVerifyProc with many concurrent verification requests. #​28433 (Also in 11, 12)
  • Fixed a potential crash when resetting BrowserViews. #​27786 (Also in 12)
  • Fixed a rare crash on Windows that could occur when emitting certain Tray events. #​26668 (Also in 12)
  • Fixed an issue where BrowserViews could have mismatched draggable regions to their bounds. #​27952 (Also in 10, 11, 12)
  • Fixed an issue where illegal access error could be thrown when nodeIntegrationInSubFrames is enabled. #​29170 (Also in 12)
  • Fixed an issue where select-serial-port callback crashes when called with an invalid serial port ID. #​28619 (Also in 12)
  • Fixed an issue where win.capturePage() never called back after calling hide() for a hidden window on some platforms. #​28076 (Also in 11, 12)
  • Fixed an issue where window.print() did not work properly when printing a pdf from the pdf plugin. #​28351 (Also in 12)
  • Fixed an issue where drag regions on macOS would be offset incorrectly when no drag regions were set. #​29017 (Also in 11, 12)
  • Fixed an issue where errors thrown in functions passed over the contextBridge could be displayed incorrectly. #​28446 (Also in 12)
  • Fixed an issue where extensions without a background page might not have file access. #​29171 (Also in 12)
  • Fixed an issue where libuv might hang with multiple subframes when nodeIntegrationInSubframes is enabled. #​27582 (Also in 10, 11, 12)
  • Fixed an issue where multiple calls to window.setFullScreen could cause problems. #​28763 (Also in 11, 12)
  • Fixed an issue where some Node.js modules would hang on page reload on Windows. #​28335 (Also in 11, 12)
  • Fixed an issue where some dialogs would stop working on macOS if window.hide() was called while they were open. #​28694 (Also in 11, 12)
  • Fixed an issue where the drag regions in BrowserViews on macOS could be off in their y-axis. [#​28298](https://togithub.com/electr

Configuration

📅 Schedule: "" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from a team March 26, 2022 12:04
@matticbot matticbot added the [Status] Needs Review The PR is ready for review. This also triggers e2e canary tests and wp-desktop tests automatically. label Mar 26, 2022

@matticbot
Contributor

This PR does not affect the size of JS and CSS bundles shipped to the user's browser.

Generated by performance advisor bot at iscalypsofastyet.com.

@noahtallen noahtallen requested a review from nsakaimbo April 4, 2022 20:54
@noahtallen noahtallen closed this Aug 3, 2023
@github-actions github-actions bot removed the [Status] Needs Review The PR is ready for review. This also triggers e2e canary tests and wp-desktop tests automatically. label Aug 3, 2023
@matticbot matticbot deleted the renovate/npm-electron-vulnerability branch August 3, 2023 22:48