[HOLD for payment 2024-02-20] [Snyk] Security upgrade electron from 25.9.4 to 26.6.8

[melvin-bot[bot]]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Issue | Breaking Change | Exploit Maturity :-------------------------:|:-------------------------|:-------------------------|:-------------------------  | Use After Free
[SNYK-JS-ELECTRON-6226524](https://snyk.io/vuln/SNYK-JS-ELECTRON-6226524) | Yes | No Known Exploit Check the changes in this PR to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/expensify/project/a75415c0-01a0-4906-abb8-070d86e05d58?utm_source=github&utm_medium=referral&page=fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/expensify/project/a75415c0-01a0-4906-abb8-070d86e05d58?utm_source=github&utm_medium=referral&page=fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"f4d9d2c9-de50-407c-80ed-7f3ab047e10c","prPublicId":"f4d9d2c9-de50-407c-80ed-7f3ab047e10c","dependencies":[{"name":"electron","from":"25.9.4","to":"26.6.8"}],"packageManager":"npm","projectPublicId":"a75415c0-01a0-4906-abb8-070d86e05d58","projectUrl":"https://app.snyk.io/org/expensify/project/a75415c0-01a0-4906-abb8-070d86e05d58?utm_source=github&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-JS-ELECTRON-6226524"],"upgrade":["SNYK-JS-ELECTRON-6226524"],"isBreakingChange":true,"env":"prod","prType":"fix","templateVariants":["updated-fix-title"],"priorityScoreList":[null],"remediationStrategy":"vuln"}) --- **Learn how to fix vulnerabilities with free interactive lessons:** 🦉 [Use After Free](https://learn.snyk.io/lesson/use-after-free/?loc=fix-pr)

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~012d3ec8e2707df38b
• Upwork Job ID: 1753383789157388288
• Last Price Increase: 2024-02-02

[melvin-bot[bot]]

This is a Snyk issue. Snyk is a tool that automatically tracks our repositories' dependencies and reports associated security vulnerabilities. It also automatically create PRs to fix these vulnerabilities.

    C+: Please follow these steps to test the linked PR before running through the reviewer checklist:
    - [ ] The first step is to understand the PR: what dependency is it upgrading, for which vulnerability, how it impacts our product & end users.
    - [ ] If the issue is not worth fixing, please add your reasoning in the issue and have the internal engineer review it.
    - [ ] Check the change log (which should be included in the PR description) to see all changes. We want to identify any breaking changes. If it is a minor version bump, it's unlikely that there are any breaking changes.
    - [ ] Test our feature(s) that make use of this package. If it does not work, we should understand what broke it. It is also a good idea to check our main flows to make sure they are not broken that you can add in the checklist screenshots/videos.

[melvin-bot[bot]]

Job added to Upwork: https://www.upwork.com/jobs/~012d3ec8e2707df38b

[melvin-bot[bot]]

Triggered auto assignment to Contributor Plus for review of internal employee PR - @allroundexperts (Internal)

[pecanoro]

@allroundexperts Could you prioritize this one, please?

[pecanoro]

@allroundexperts Ohh wait, I thought this was the PR, let me assign you to the PR

[allroundexperts]

On it today!

[melvin-bot[bot]]

The solution for this issue has been :rocket: deployed to production :rocket: in version 1.4.40-5 and is now subject to a 7-day regression period :calendar:. Here is the list of pull requests that resolve this issue:

• https://github.com/Expensify/App/pull/35656

If no regressions arise, payment will be issued on 2024-02-20. :confetti_ball:

For reference, here are some details about the assignees on this issue:

• @allroundexperts requires payment through NewDot Manual Requests

[melvin-bot[bot]]

Issue is ready for payment but no BZ is assigned. @muttmuure you are the lucky winner! Please verify the payment summary looks correct and complete the checklist. Thanks!

[melvin-bot[bot]]

Payment Summary

Upwork Job

• Reviewer: @allroundexperts owed $250 via NewDot

BugZero Checklist (@muttmuure)

• [x] I have verified the correct assignees and roles are listed above and updated the neccesary manual offers
• [x] I have verified that there are no duplicate or incorrect contracts on Upwork for this job (https://www.upwork.com/ab/applicants/1753383789157388288/hired)
• [x] I have paid out the Upwork contracts or cancelled the ones that are incorrect
• [x] I have verified the payment summary above is correct

[muttmuure]

Ready for you to request money @allroundexperts

[situchan]

@muttmuure was there bounty discussion about these kind of issues (mostly Snyk)? I am asking because it was $250 in my issue (you're also BZ there) https://github.com/Expensify/App/issues/34251#issuecomment-1904238410

[pecanoro]

Hmm, yeah, you are right, these should be $250 since they are extremely straightforward, it only entails testing.

[muttmuure]

Oh wait- they should be $250

[muttmuure]

I updated the summary

[muttmuure]

@allroundexperts can submit a request for $250 in New Expensify

[JmillsExpensify]

$250 approved for @allroundexperts based on summary above.