[Security] Bump electron from 9.1.1 to 9.3.1

[dependabot-preview]

⚠️ Dependabot Preview has been deactivated ⚠️

This pull request was created by Dependabot Preview, and you've upgraded to Dependabot. This means it won't respond to dependabot commands nor will it be automatically closed if a new version is found.

If you close this pull request, Dependabot will re-create it the next time it checks for updates and everything will work as expected.

---

Bumps electron from 9.1.1 to 9.3.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Unpreventable top-level navigation

Impact

The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.

Patches

• 11.0.0-beta.1
• 10.0.1
• 9.3.0
• 8.5.1

Workarounds

Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

For more information

If you have any questions or comments about this advisory:

• Email us at security@electronjs.org

Affected versions: >= 9.0.0-beta.0 < 9.3.0

Sourced from The GitHub Security Advisory Database.

Context isolation bypass in Electron

Impact

Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 11.0.0-beta.6
• 10.1.2
• 9.3.1
• 8.5.2

For more information

If you have any questions or comments about this advisory:

• Email us at security@electronjs.org

Affected versions: >= 9.0.0-beta.0 < 9.3.1

Release notes

Sourced from electron's releases.

electron v9.3.1

Release Notes for v9.3.1

Fixes

• Added missing module delay loads on windows to reduce per process reference set impact. #25437 (Also in 9, 10, 11)
• Fixed a crash in the renderer process when invoking the Badging API. #25371 (Also in 9, 10, 11)
• Fixed a memory leak in net.request(). #25382
• Fixed multiple dock icons being left in system when calling dock.show/hide on macOS. #25301 (Also in 8, 9, 10, 11)

Other Changes

• Security: backported fix for 1081874. #25389
• Security: backported fix for 1098860. #25289
• Security: backported fix for 1111737. #25391
• Security: backported fix for 1122684. #25390

Unknown

• Added support for some chrome.management APIs. #25344 (Also in 9, 10, 11)

electron v9.3.0

Release Notes for v9.3.0

Features

• Added back a previously broken visibleOnFullScreen option for setVisibleOnAllWorkspaces. #25126
• Added the currencyCode field that Apple's StoreKit in-app-purchasing library provides but has not been added to the Product object that inAppPurchase.getProducts returns. #25085

Fixes

• Fixed powerMonitor not emitting suspend/resume events on some Windows machines. #25165
• Fixed an issue where filters set in dialogs on macOS would have nondeterministic ordering. #25194
• Fixed an issue where notifications with a reply button could potentially be destroyed too early when a user clicked on the notification body before replying. #25101
• Fixed frameless window's size being changed when restored from minimized state. #25045
• Fixed network permission error when there are multiple WebContents sharing same session are created with web security disabled. #25179
• Fixed node's TLS stack not allowing renegotiation. #25041
• Fixed the following issues for frameless when maximized on Windows * fix unreachable task bar when auto hidden with position top
• fix 1px extending to secondary monitor
• fix 1px overflowing into taskbar at certain resolutions
• fix white line on top of window under 4k resolutions. #25218
• Fixed window size being changed after unmaximizing. #25133

Unknown

• Fixed not working WebSQLDatabase in extension background pages. #25070

electron v9.2.1

Release Notes for v9.2.1

Fixes

Commits

• fe3378d Bump v9.3.1
• fe85a94 fix: handle electron script errors better (#25331) (#25453)
• 48779fe fix: Ensure electron delay loads the same modules as chromium (#25437)
• 5e289ce chore: cherry-pick 1283160e334f 0dc563cbbca5 from chromium (#25391)
• 5f4ccec chore: cherry-pick c1a7439efcc7 from chromium (#25390)
• 20f58fd chore: cherry-pick 5e61913985df from chromium (#25389)
• 75f193a fix: memory leak in net.request (#25382)
• 7de2539 fix: bind fake mojo service for badging (#25371)
• a90397f chore: sync 9-x-y release notes script to master (#25305)
• 6e73457 feat(extensions): add support for some chrome.management APIs (#25344)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)