Current Squirrel.Windows version is 1.9.0. However this version still have vulnerable to DLL hijacking.
To checking:
Build a Squirrel-based Electron app with windows-installer. I've tested this Electron app
Open procmon
In procmon add next rules: set path to the dir of ${App}Setup.exe (dir where the installer is stored), "Result" contains "NAME NOT FOUND", "Operation" contains "CreateFile"
$.
Open ${MyApp}Setup.exe
Observe "urlmon.dll" gets required on location that doesn't require administrator permisson.
Note: I'm trying to build Squirrel.Windows and set enviroment variable to make electron-builder download this instead but it's not working cause electron-builder have checksum check :(
Current Squirrel.Windows version is 1.9.0. However this version still have vulnerable to DLL hijacking. To checking:
However, squirrel.window has fixed this problem and release version 1.9.1. (https://github.com/Squirrel/Squirrel.Windows/pull/1444)
Note: I'm trying to build Squirrel.Windows and set enviroment variable to make electron-builder download this instead but it's not working cause electron-builder have checksum check :(