🚨 [security] Update electron: 17.1.0 → 17.4.10 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ electron (17.1.0 → 17.4.10) · Repo

Security Advisories 🚨

🚨 AutoUpdater module fails to validate certain nested components of the bundle

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

• 18.0.0-beta.6
• 17.2.0
• 16.2.0
• 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

🚨 Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

• 18.0.0-beta.6
• 17.2.0
• 16.2.6
• 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

Release Notes

17.4.10

Release Notes for v17.4.10

Other Changes

• Security: backported fix for 1335054. #34686
• Security: backported fix for 1335458. #34684

17.4.7

Release Notes for v17.4.7

Fixes

• Fixed an issue where zombie windows can be created if window.close() is called during a fullscreen transition. #34390 (Also in 18, 19, 20)

17.3.0

Release Notes for v17.3.0

Features

• Added nativeTheme.inForcedColorsMode API to allow detecting forced color mode. #33358 (Also in 15, 16, 18)

Fixes

• Fix: initialize asar support in worker threads. #33395 (Also in 18)
• Fixed maximizing frameless windows by double-clicking on a draggable (title bar) region. #33445 (Also in 15, 16, 18)
• Fixed slowness when using child_process.spawn and related methods on macOS Big Sur and newer. #33408 (Also in 16, 18)
• Fixed the IncrementCapturerCount regression introduced by 13.0.0-beta.21. #33430 (Also in 18)

Other Changes

• Updated Chromium to 98.0.4758.141. #33483

17.2.0

Release Notes for v17.2.0

Features

• Added ses.setCodeCachePath() API for setting code cache directory. #33285 (Also in 18)

Fixes

• Fire 'show' event when a BrowserWindow is shown via maximize(). #33213 (Also in 16, 18)
• Fixed a network service crash that could occur when using setCertificateVerifyProc. #33254 (Also in 18)
• Fixed an issue where BrowserView layout bounds where limited to it's visible bounds. #33398 (Also in 18)
• Fixed an issue where Chrome DevTools settings didn't persist between loads. #33273 (Also in 18)
• Fixed an issue where clicking "Open in Containing Folder" in the Sources tab in Devtools caused a crash. #33196 (Also in 16, 18)
• Fixed broken event loop in renderer process when process reuse is enabled on windows platform. #33362 (Also in 16, 18)
• Fixed crash in the render process on reload with pending node fs.promises. #33335 (Also in 15, 16, 18)
• Fixed drag regions on WCO windows on Windows. #33201 (Also in 15, 16, 18)
• Fixed incorrect external memory allocation tracking in nativeImage module. #33306 (Also in 15, 16, 18)
• Theoretical fix for a crash we're seeing when closing multiple child windows at the same time on macOS. #33283 (Also in 18)

Other Changes

• Fixed an issue where adding/removing display changes the BrowserWindow size. #33251 (Also in 14, 15, 16, 18)
• Fixed an issue where moving a window created in a scaled display to a regular display would increase the window size. #33231

17.1.2

Release Notes for v17.1.2

Fixes

• Fixed an issue where setting window maxHeight or maxWidth made it so the width and height could no longer be resized. #33118 (Also in 18)
• Strip crashpad_handler binary on Linux, reducing bundle size. #33176 (Also in 15, 16, 18)

17.1.1

Release Notes for v17.1.1

Fixes

• Fixed an issue where alternateImages did not work properly on macOS. #33105 (Also in 15, 16, 18)
• Fixed an issue where the Tray could get garbage collected incorrectly under some circumstances. #33076 (Also in 15, 16, 18)
• Fixed an occasional crash on Mac when spawning a child process. #33116 (Also in 18)
• Fixed broken transparency option in offscreen window rendering. #33052 (Also in 16, 18)

Other Changes

• Updated Chromium to 98.0.4758.109. #33085

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication