electron-bin is chronically outdated #295770
Comments
|
It should go without saying that we should not be keeping around unmaintained browser runtimes, that have such a large surface area. Getting strong libwebp/libvpx vibes¹²³. [1] https://video.fosdem.org/2024/h1302/fosdem-2024-1983-remediating-thousands-of-untracked-security-vulnerabilities-in-nixpkgs.av1.webm |
mweinelt
added
the
1.severity: security
|
As I think we have a consensus that the old versions should be removed, I'm tagging the maintainers of packages that depend on them:
I would kindly ask you to help with migrating these packages away from insecure electron versions, and keeping them updated in the future. |
|
whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs #284125 |
Thanks for the response, I'll make sure we can update it |
Things changed: - Unpin electron version. Upstream updates usually fix electron incompatibilities and we also have a test which can detect them. (NixOS#295770) - Add updater script. It scrapes the upstream website for the current version number. Lets hope the website structure doesn't change too much. - Update to the latest version
Things changed: - Unpin electron version. Upstream updates usually fix electron incompatibilities and we also have a test which can detect them. (#295770) - Add updater script. It scrapes the upstream website for the current version number. Lets hope the website structure doesn't change too much. - Update to the latest version
Diff: jeffvli/feishin@v0.5.1...v0.6.1 Changelog: https://github.com/jeffvli/feishin/releases/tag/v0.6.1 Feishin now depends on electron_27; electron_25 has been marked as EOL since 9652f98. Fixes NixOS#287765 (package update request) and addresses NixOS#295770 (outdated Electron).
Diff: jeffvli/feishin@v0.5.1...v0.6.1 Changelog: https://github.com/jeffvli/feishin/releases/tag/v0.6.1 Feishin now depends on electron_27; electron_25 has been marked as EOL since 9652f98. Fixes #287765 (package update request) and addresses #295770 (outdated Electron).
The last time the listed maintainers were active was 2015 (@travisbhartwell) and 2018 (@manveru) respectively.
Nobody is doing the regular bumps for security updates of electron-bin. Also the default electron-bin attribute points to the now-unmaintained version electron_26-bin.
It was last updated by:
@yayayayaka in October 2023
delroth in Sept 2023 (but this was part of a one-off tree-wide effort to fix a vulnerability in libwebp)
@teutat3s in July 2023
Currently electron-bin is used in two situations:
I am also once again questioning the keeping around old versions of electron-bin. This does not match our general policy:
Keeping electron-bin around does generate involuntary maintenance effort through bug reports from users who are not aware which electron build they are using.
The text was updated successfully, but these errors were encountered: