Skip to content
This repository has been archived by the owner on Dec 28, 2020. It is now read-only.

[Security] Bump electron from 8.2.3 to 9.0.5 #139

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link
Contributor

@dependabot-preview dependabot-preview bot commented Jun 23, 2020

Bumps electron from 8.2.3 to 9.0.5.

Release notes

Sourced from electron's releases.

electron v9.0.5

Release Notes for v9.0.5

Fixes

  • Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #24185
  • Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #24232
  • Fixed an error when calling dialog.showCertificateTrustDialog with no BrowserWindow. #24121
  • Fixed an issue where shutdown would be emitted both on app and system shutdown on macOS. #24141
  • Fixed an issue where withFileTypes was not supported as an option to fs.readdir or fs.readdirSync under asar. #24108
  • Fixed an issue which would cause streaming protocol responses to stall in some cases. #24082
  • Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #24236
  • Fixed delayed execution of some Node.js callbacks in the main process. #24178
  • Fixed tray menu showing in taskbar on Windows. #24193
  • Fixed window titlebar not responding to pen on Windows 10. #24103

Other Changes

  • Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #24059
  • Fixed mac app store rejection notice for invalid symbolic link in bundle. #24238
  • Updated Chromium to 83.0.4103.119. #24234

Documentation

  • Documentation changes: #24177

electron v9.0.4

Release Notes for v9.0.4

Fixes

  • Added missing support for isComposing KeyboardEvent property. #23996
  • Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #23934
  • Fix: Allow windows behind macOS elements if "frame" is false. #24033
  • Fixed chrome://media-internals and chrome://webrtc-internals pages not loading. #24058
  • Fixed a crash that could occur when using the ipcRenderer module after blink had released the context. Instead, a JS exception will be thrown. #23978
  • Fixed an issue where rmdir and rmdirSync work with original-fs in an asar context. #23956
  • Fixed no session in webContents of type remote. #24065
  • Fixed: On some Windows machines, especially Windows Insider builds, Electron would crash silently during startup. #24039

Other Changes

  • Updated Chromium to 83.0.4103.104. #24068
  • [a11y] fix incorrect position and size reported for grouped items in a listbox. #24060
  • [a11y] fix incorrect selection item count for listbox with grouped items. #24061

electron v9.0.3

Release Notes for v9.0.3

Features

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added the dependencies Pull requests that update a dependency file label Jun 23, 2020
@dependabot-preview
Copy link
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via leaked cross-context objects in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
    ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

@dependabot-preview
Copy link
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via contextBridge in Electron

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
    ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

@dependabot-preview
Copy link
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Arbitrary file read via window-open IPC in Electron

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
    ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

@dependabot-preview dependabot-preview bot changed the title Bump electron from 8.2.3 to 9.0.5 [Security] Bump electron from 8.2.3 to 9.0.5 Jul 7, 2020
@dependabot-preview dependabot-preview bot changed the title Bump electron from 8.2.3 to 9.0.5 [Security] Bump electron from 8.2.3 to 9.0.5 Jul 7, 2020
@dependabot-preview
Copy link
Contributor Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via Promise in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
    ... (truncated)

Affected versions: [">= 8.0.0 < 8.2.4"]

@dependabot-preview dependabot-preview bot added security Pull requests that address a security vulnerability labels Jul 7, 2020
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/electron-9.0.5 branch from 6bbc537 to 9a6ca55 Compare October 29, 2020 04:45
Bumps [electron](https://github.com/electron/electron) from 8.2.3 to 9.0.5.
- [Release notes](https://github.com/electron/electron/releases)
- [Changelog](https://github.com/electron/electron/blob/master/docs/breaking-changes.md)
- [Commits](electron/electron@v8.2.3...v9.0.5)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/electron-9.0.5 branch from 9a6ca55 to 8d826ef Compare October 31, 2020 19:21
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

0 participants