[Security] Bump electron from 1.8.8 to 8.3.0

[dependabot-preview[bot]]

Bumps electron from 1.8.8 to 8.3.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Arbitrary Code Execution A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.

Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5

Release notes

Sourced from electron's releases.

electron v8.3.0

Release Notes for v8.3.0

Features

• Added a new force parameter to app.focus() on macOS to allow apps to forcefully take focus. #23574
• EnableWebSQL is a new webpreference option to enable/disable websql api. #23581

Fixes

• Ensured that exit callbacks are run for Node.js in the renderer process. #23564
• Fixed a crash which could occur during page navigations. #23396
• Fixed an issue whereby macOS would fail to allow file extensions containing periods. #23449
• Fixed behaviour of navigator.language/s and app.getLocale to use OS locale. #23407
• Fixed crash with webview during some window management events like resize, scroll etc. #23397

Other Changes

• Fixed v8_context_snapshot_generator included in arm/arm64 mksnapshot zip files. #23542
• None. #23402, #23591
• Security: Backport Chromium fix for https://crbug.com/1062861. #23528
• Security: backported fix for CVE-2020-6458: Out of bounds read and write in PDFium. #23465
• Security: backported fix for CVE-2020-6459: Use after free in payments. #23456
• Security: backported fix for CVE-2020-6460: Insufficient data validation in URL formatting. #23462
• Security: backported fix for CVE-2020-6461: use-after-free in storage. #23504
• Security: backported fix for CVE-2020-6462: Use after free in task scheduling. #23517
• Security: backported fix for CVE-2020-6463: use-after-free in Angle. #23561
• Security: backported fix for CVE-2020-6464: Type confusion in blink. #23532
• Security: backported fix for CVE-2020-6831: Stack buffer overflow in SCTP. #23514

Documentation

• Documentation changes: #23355

electron v8.2.5

Release Notes for v8.2.5

Fixes

• Backported blink fix for zero-size pixels on high-dpi screens. #23336
• Fixed memory leaks in sandbox mode when using contextBridge with promises or ipcRenderer.invoke. #23339

electron v8.2.4

Release Notes for v8.2.4

Fixes

• Fixed Promise timeout issue when running Electron as Node. #23234
• Fixed a use-after-free error that could happen if a Tray was destroyed while showing a custom context menu. #23181
• Fixed an issue where windows without nativeWindowOpen: true could invoke the non-native-open path. #23225

... (truncated)

Commits

• 426d45c Bump v8.3.0
• 79298d3 build: remove unused header from a patch (#23591)
• 2a44b1a feat: add enableWebSQL webpreference (#23311) (#23581)
• 6f331e4 feat: add force option to app.focus() (#23574)
• dc71541 chore: cherry-pick 7101418f85a0 from chromium (#23532)
• a4de479 chore: cherry-pick 1288aa12369e from angle (#23561)
• f7509d5 fix: leave behind the unmodified XDG_CURRENT_DESKTOP variable (#23552)
• 42ab97f fix: run Node.js at-exit callbacks in renderer proc (#23564)
• faf2871 chore: cherry-pick 86c02c5dcd37 from chromium (#23528)
• ea4e92f fix: do not destroy thread in UI thread (#23550)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

[dependabot-preview[bot]]

Superseded by #36.