Open yu-re-ka opened 6 months ago
It should go without saying that we should not be keeping around unmaintained browser runtimes, that have such a large surface area. Getting strong libwebp/libvpx vibes¹²³.
[1] https://video.fosdem.org/2024/h1302/fosdem-2024-1983-remediating-thousands-of-untracked-security-vulnerabilities-in-nixpkgs.av1.webm
[2] https://github.com/NixOS/nixpkgs/issues/254798
[3] https://github.com/NixOS/nixpkgs/issues/258048
As I think we have a consensus that the old versions should be removed, I'm tagging the maintainers of packages that depend on them:
I would kindly ask you to help with migrating these packages away from insecure electron versions, and keeping them updated in the future. I'd explicitly encourage you to hack around, interact with upstream, see if a later electron version maybe works, open an issue to update the electron version in upstream.
whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs https://github.com/NixOS/nixpkgs/pull/284125
Thanks for the response, I'll make sure we can update it
The last time the listed maintainers were active was 2015 (@travisbhartwell) and 2018 (@manveru) respectively. Nobody is doing the regular bumps for security updates of electron-bin. Also the default electron-bin attribute points to the now-unmaintained version electron_26-bin.
It was last updated by:
- @yayayayaka in October 2023
- delroth in Sept 2023 (but this was part of a one-off tree-wide effort to fix a vulnerability in libwebp)
- @teutat3s in July 2023
Currently electron-bin is used in two situations:
I am also once again questioning keeping around old versions of electron-bin. This does not match our general policy:
Keeping electron-bin around does generate involuntary maintenance effort through bug reports from users who are not aware which electron build they are using.