Expensify / App

Welcome to New Expensify: a complete re-imagination of financial collaboration, centered around chat. Help us build the next generation of Expensify by sharing feedback and contributing to the code.
https://new.expensify.com
MIT License
3.57k stars 2.91k forks source link

[Snyk] Security upgrade electron from 29.4.6 to 32.2.3 #52267

Open melvin-bot[bot] opened 2 weeks ago

melvin-bot[bot] commented 2 weeks ago

snyk-top-banner

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

Issue Score
medium severity Access of Resource Using Incompatible Type ('Type Confusion')
SNYK-JS-ELECTRON-8352921
  ****  
high severity Improper Access Control
SNYK-JS-ELECTRON-8310521
  511  
high severity Out-of-bounds Write
SNYK-JS-ELECTRON-8310517
  501  
medium severity Access of Resource Using Incompatible Type ('Type Confusion')
SNYK-JS-ELECTRON-8310519
  416  

[!IMPORTANT]

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report 📜 Customise PR templates 🛠 Adjust project settings 📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Access of Resource Using Incompatible Type ('Type Confusion') 🦉 Improper Access Control

melvin-bot[bot] commented 2 weeks ago

This is a Snyk issue. Snyk is a tool that automatically tracks our repositories' dependencies and reports associated security vulnerabilities. It also automatically create PRs to fix these vulnerabilities.

    C+: Please follow these steps to test the linked PR before running through the reviewer checklist:
    - [ ] The first step is to understand the PR: what dependency is it upgrading, for which vulnerability, how it impacts our product & end users.
    - [ ] If the issue is not worth fixing, please add your reasoning in the issue and have the internal engineer review it.
    - [ ] Check the change log (which should be included in the PR description) to see all changes. We want to identify any breaking changes. If it is a minor version bump, it's unlikely that there are any breaking changes.
    - [ ] Test our feature(s) that make use of this package. If it does not work, we should understand what broke it. It is also a good idea to check our main flows to make sure they are not broken that you can add in the checklist screenshots/videos.