[Security] Bump electron from 8.2.3 to 9.0.5

[dependabot-preview]

Bumps electron from 8.2.3 to 9.0.5.

Release notes

Sourced from electron's releases.

electron v9.0.5

Release Notes for v9.0.5

Fixes

• Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #24185
• Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #24232
• Fixed an error when calling dialog.showCertificateTrustDialog with no BrowserWindow. #24121
• Fixed an issue where shutdown would be emitted both on app and system shutdown on macOS. #24141
• Fixed an issue where withFileTypes was not supported as an option to fs.readdir or fs.readdirSync under asar. #24108
• Fixed an issue which would cause streaming protocol responses to stall in some cases. #24082
• Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #24236
• Fixed delayed execution of some Node.js callbacks in the main process. #24178
• Fixed tray menu showing in taskbar on Windows. #24193
• Fixed window titlebar not responding to pen on Windows 10. #24103

Other Changes

• Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #24059
• Fixed mac app store rejection notice for invalid symbolic link in bundle. #24238
• Updated Chromium to 83.0.4103.119. #24234

Documentation

• Documentation changes: #24177

electron v9.0.4

Release Notes for v9.0.4

Fixes

• Added missing support for isComposing KeyboardEvent property. #23996
• Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #23934
• Fix: Allow windows behind macOS elements if "frame" is false. #24033
• Fixed chrome://media-internals and chrome://webrtc-internals pages not loading. #24058
• Fixed a crash that could occur when using the ipcRenderer module after blink had released the context. Instead, a JS exception will be thrown. #23978
• Fixed an issue where rmdir and rmdirSync work with original-fs in an asar context. #23956
• Fixed no session in webContents of type remote. #24065
• Fixed: On some Windows machines, especially Windows Insider builds, Electron would crash silently during startup. #24039

Other Changes

• Updated Chromium to 83.0.4103.104. #24068
• [a11y] fix incorrect position and size reported for grouped items in a listbox. #24060
• [a11y] fix incorrect selection item count for listbox with grouped items. #24061

electron v9.0.3

Release Notes for v9.0.3

Features

Commits

• 28350b4 Bump v9.0.5
• 31e8b9f build: remove dead symlink from MAS build (#24158) (#24238)
• 06902de fix: emit click events with tray context menu (#24236)
• f92b42e chore: bump chromium in DEPS to 83.0.4103.119 (#24234)
• 3704dc9 fix: isTrustedSender() in test-app (#24232)
• d321e29 chore: bump chromium to 83.0.4103.118 (9-x-y) (#24219)
• 305d755 chore: bump chromium in DEPS to 83.0.4103.115 (#24210)
• 5d18005 chore: bump chromium in DEPS to 83.0.4103.114 (#24198)
• ee27523 fix: do not use CONTEXT_MENU flag for tray menu (reland) (#24193)
• 368f583 fix: volume key globalShortcut deregistration (#24155)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via leaked cross-context objects in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 9.0.0-beta.21
  ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via contextBridge in Electron

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 9.0.0-beta.21
  ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Arbitrary file read via window-open IPC in Electron

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

• 9.0.0-beta.21
• 8.2.4
• 7.2.4
  ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via Promise in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 9.0.0-beta.21
  ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]