Open mrjoshuaesmith opened 3 months ago
electron-builder only leverages the version of electron-prebuilt installed within your own package.json, electron-prebuilt is not a dependency of electron-builder
```ts
/**
 * The version of electron you are packaging for. Defaults to version of `electron`, `electron-prebuilt` or `electron-prebuilt-compile` dependency.
 */
electronVersion?: string | null
```
From https://www.npmjs.com/package/electron-prebuilt
electron-prebuilt has been renamed to electron. For more details, see http://electron.atom.io/blog/2016/08/16/npm-install-electron
Since it looks like you're on latest electron, I'm assuming you're not using electron-prebuilt?
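The lookup order the doc comment above describes, written out as an added example (this is not electron-builder's own code; it is a stand-alone reimplementation, and the stripping of `^`/`~` range prefixes is an assumption about how a version spec would be normalised):

```javascript
// Added example, not electron-builder's code: resolve the Electron version a
// build should target from package.json in the order the electronVersion
// doc comment gives. An explicit electronVersion wins; otherwise the first
// of `electron`, `electron-prebuilt`, `electron-prebuilt-compile` found in
// devDependencies, then dependencies, is used.
const ELECTRON_PACKAGES = ["electron", "electron-prebuilt", "electron-prebuilt-compile"];

// Assumption: a range such as "^31.2.1" or "~31.2.1" is reduced to its base
// version. Returns null when no x.y.z version can be found in the spec.
function cleanVersion(spec) {
  const m = /(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/.exec(String(spec));
  return m ? m[1] : null;
}

// pkg: parsed package.json object; explicit: the electronVersion config value.
// Returns { version, source } or null when nothing usable is declared.
function resolveElectronVersion(pkg, explicit = null) {
  if (explicit) return { version: explicit, source: "electronVersion" };
  for (const section of ["devDependencies", "dependencies"]) {
    const deps = pkg[section] || {};
    for (const name of ELECTRON_PACKAGES) {
      if (name in deps) {
        const v = cleanVersion(deps[name]);
        if (v) return { version: v, source: `${section}.${name}` };
      }
    }
  }
  return null;
}

// Constructed sample package.json, modelled on the reporter's description of
// still listing the renamed `electron-prebuilt` package.
const samplePkg = {
  name: "demo",
  devDependencies: { "electron-prebuilt": "31.1.0", "electron-builder": "^24.0.0" }
};

console.log(resolveElectronVersion(samplePkg));
```

Because `electron-prebuilt` is still consulted, a stale `electron-prebuilt` entry in package.json will silently steer the build to whatever version that name resolves to, which is why it is worth checking which entry actually won before chasing a scanner hit.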
I was unaware of the name change, and my package.json still had: `"devDependencies": { "electron-prebuilt": "31.1.0" }`, but I guess something was correcting that error, because it's definitely using the latest electron. I updated my package.json to say "electron" and it didn't need to download anything new, so you're right. I'm using electron. Sorry about that misstatement. But the scan result is still there when I changed the package.json to correctly say "electron" and rebuilt the .exe.
Are you saying I should report this issue over at electron's issue tracker instead of this one?
Hmm, in that case, if it's the assembled .exe and not reproducing with electron-forge, then it's something else during the packaging process of electron-builder. It's likely a false positive, as the files used haven't changed in over 3 years and each asset download is matched by sha256 to prevent any man-in-the-middle attacks or supply chain overrides.
Today, we also got a hit for "Win.Packed.Mikey-9859574-0" with the virus scanner "ClamAV" on the malware service https://virusscan.jotti.org (this service scans a file with 14 different virus scanners). Besides some other dependencies, our Win x64 Electron app was updated from "electron": "21.4.4" to "electron": "31.2.1" and from "electron-squirrel-startup": "1.0.0" to "electron-squirrel-startup": "1.0.1".
The build before was ok. So it is related to the dependency update of Electron. The mac version of the problematic build was also ok.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
Scanning the .exe created by electron-builder with scanii.com is flagging positive for content.malicious.win-packed-mikey-9859574-0
It's probably a false positive, but I thought it would be prudent to bring this to your attention so you can check that this isn't the result of a supply chain attack on electron-prebuilt.