Arbitrary Code Execution
A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.
Changed the default value of app.allowRendererProcessReuse to true. This will prevent loading of non-context-aware native modules in renderer processes. (See #18397 for more information on this change.) #22401
Added chrome.tabs.connect extension API for background pages. #22549
Added support for property access to some getter/setter pairs on BrowserWindow. #23208
Added support for the chrome.extension.getBackgroundPage API when building with enable_electron_extensions. #22177
Allow an optional callback parameter for WebFrame.executeJavaScript* methods, which is called synchronously unless the target context is paused. #22501
Restored support for pdfium-based PDF viewer. #22131
Fixes
Don't allow window to go behind menu bar on mac. #22828
Fixed webRequest module not working with file:// protocol. #22919
Fixed webRequest not working for CORS requests. #22468
Fixed win.setMenuBarVisibility(false) not hiding menu bar. #23263
Fixed an issue where changing theme on macOS would break window maximizability state. #22724
Fixed crash in network service process when using protocol.registerSchemeAsPrivileged api. #22917
Fixed crash that could occur when calling session.fromPartition inside the ready event. #23472
Fixed incorrect hit testing on top of ::after element with layoutNG. #23190
Fixed missing debug symbols for crashpad handler on macOS. #23573
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps electron from 1.8.8 to 9.0.0. This update includes a security fix.
Vulnerabilities fixed
Sourced from The Node Security Working Group.
Release notes
Sourced from electron's releases.
Commits
4da0164
Bump v9.0.09d46395
refactor: revert release notes changes (#23649)67a905c
Revert "Bump v9.0.0"dcdca6a
Bump v9.0.07db9c35
fix: eat octokit 422 errs when scraping commit PRs (#23643)5c03d05
Revert "Bump v9.0.0"0ac262d
Bump v9.0.04de54b4
ci: use longer mocha timeout on WOA testing (#23636)29af231
Revert "Bump v9.0.0-beta.25"1a4c34b
Bump v9.0.0-beta.25Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)