Bumps electron from 4.0.1 to 5.0.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/495.json).*
> **Arbitrary Code Execution**
> A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.
>
> Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5
Release notes
*Sourced from [electron's releases](https://github.com/electron/electron/releases).*
> ## electron v5.0.2
> # Release Notes for v5.0.2
>
> ## Fixes
>
> * Added missing `'page-title-updated'` event on `webContents` to documentation. Also fixed forwarding of the `explicitSet` argument when emitted on `BrowserWindow`. [#18318](https://github-redirect.dependabot.com/electron/electron/issues/18318)
> * Fixed a crash in `systemPreferences.getAccentColor()`. [#18194](https://github-redirect.dependabot.com/electron/electron/issues/18194)
> * Fixed a regression in Kerberos SPN generation. In the M69 upgrade, the default for the `enable_negotiate_port` option was inadvertently changed from false to true; this restores the former behavior and aligns with Chromium. [#18284](https://github-redirect.dependabot.com/electron/electron/issues/18284)
> * Fixed case where the promise returned by `loadURL` and `loadFile` would be rejected with `ERR_ABORTED` if you triggered a virtual navigation before the page had finished loading. E.g. Used `history.pushState` or set `location.hash`. [#18142](https://github-redirect.dependabot.com/electron/electron/issues/18142)
>
> ## electron v5.0.1
> # Release Notes for v5.0.1
>
> ## Fixes
>
> * Fixed `fs.promises` APIs not working with ASAR paths. [#18115](https://github-redirect.dependabot.com/electron/electron/issues/18115)
> * Fixed an issue on Windows where calling `.show()` on a BrowserWindow did not focus the window. [#18080](https://github-redirect.dependabot.com/electron/electron/issues/18080)
> * Fixed crash when Electron run from SMB network share. [#17908](https://github-redirect.dependabot.com/electron/electron/issues/17908)
> * Fixed crash when quitting Electron with an inspector attached. [#18076](https://github-redirect.dependabot.com/electron/electron/issues/18076)
> * Removed non-existent `gpu-crashed` event on ``. [#18004](https://github-redirect.dependabot.com/electron/electron/issues/18004)
>
> ## Other Changes
>
> * Removed Vulkan validation layers DLLs from electron.zip, which are only meant to be used for Chromium development. [#18061](https://github-redirect.dependabot.com/electron/electron/issues/18061)
> * Updated Chromium to 73.0.3683.121. [#18001](https://github-redirect.dependabot.com/electron/electron/issues/18001)
>
> ## electron v5.0.0
> # Release Notes for v5.0.0
>
> ## Breaking Changes
>
> * Upgraded to Chromium `73.0.3683.119`, Node.js `12.0.0`, and V8 `7.3.492.27`.
> * The default values of `nodeIntegration` and `webviewTag` are now `false` to improve security. [#16235](https://github-redirect.dependabot.com/electron/electron/pull/16235)
> * Removed support for deprecated construction of a TouchBar with an array of items, use an options object instead. [#15650](https://github-redirect.dependabot.com/electron/electron/pull/15650)
> * Enabled mixed-sandbox mode by default. `enableMixedSandbox` and the `--enable-mixed-sandbox` command-line switch still exist for compatibility, but are deprecated and have no effect. [#15894](https://github-redirect.dependabot.com/electron/electron/pull/15894)
>
> ## Features
>
> * Added `ELECTRON_DISABLE_SANDBOX environment variable to make it easier to disable sandboxing in Docker-based Linux CI environments. [#16662](https://github-redirect.dependabot.com/electron/electron/pull/16662)
> * Added Promise support for the Cookies API. [#16702](https://github-redirect.dependabot.com/electron/electron/pull/16702)
> * Added `activate` option to `webContents.openDevTools`. [#13852](https://github-redirect.dependabot.com/electron/electron/pull/13852)
> * Added `app.commandLine.hasSwitch()` / `app.commandLine.getSwitchValue()`. [#16282](https://github-redirect.dependabot.com/electron/electron/pull/16282)
> * Added `fileMenu` / `viewMenu` / `appMenu` roles. [#16328](https://github-redirect.dependabot.com/electron/electron/pull/16328)
> * Added `ipc-message` and `ipc-message-sync` events to `webContents`. [#16468](https://github-redirect.dependabot.com/electron/electron/pull/16468)
> * Added `preload-error` event to `webContents` emitted when preload script fails (parse error, unhandled exception, etc.). [#16411](https://github-redirect.dependabot.com/electron/electron/pull/16411)
> * Added `win.removeMenu()` to remove application menus instead of using `win.setMenu(null)`. [#16657](https://github-redirect.dependabot.com/electron/electron/pull/16657)
> * Added a way to query for system colors on MacOS via `systemPreferences.getSystemColor()`. [#16248](https://github-redirect.dependabot.com/electron/electron/pull/16248)
> * Added about panel customization on linux. [#15658](https://github-redirect.dependabot.com/electron/electron/pull/15658)
> * Added caps lock and numlock as keyboard accelerator modifiers. [#16725](https://github-redirect.dependabot.com/electron/electron/pull/16725)
> * Added event and method to detect high contrast color schemes . [#15493](https://github-redirect.dependabot.com/electron/electron/pull/15493)
> ... (truncated)
Commits
- [`6b371a5`](https://github.com/electron/electron/commit/6b371a5ef99cde624cd4451103601c90299e6b81) Bump v5.0.2
- [`7ee06c3`](https://github.com/electron/electron/commit/7ee06c354e8560203eb9091bf29716a46c9eeb3c) fix: 'page-title-updated' event forwarding + documentation ([#18318](https://github-redirect.dependabot.com/electron/electron/issues/18318))
- [`a60ad6a`](https://github.com/electron/electron/commit/a60ad6aeed91c9ab69b5718fdedba341ce2a9817) fix: default enable_negotiate_port to false ([#18284](https://github-redirect.dependabot.com/electron/electron/issues/18284))
- [`693d840`](https://github.com/electron/electron/commit/693d84020220eab49eef2af879e3f9960bad6283) build: linux needs java on GN ([#18216](https://github-redirect.dependabot.com/electron/electron/issues/18216))
- [`7a759ea`](https://github.com/electron/electron/commit/7a759ea0b6298e1e83e1f8bf7d37fea156d59e22) fix: crash on systemPreferences.getAccentColor() ([#18194](https://github-redirect.dependabot.com/electron/electron/issues/18194))
- [`83a4b73`](https://github.com/electron/electron/commit/83a4b7371b0dab19a49b7500e4ed50fd4383518f) docs: clarify clipboard type options ([#18174](https://github-redirect.dependabot.com/electron/electron/issues/18174))
- [`82bb6d4`](https://github.com/electron/electron/commit/82bb6d4ccf2a6609b116a8a7df9ea7db796aa55d) fix: do not mark navigations interupted with same-document navigations as abo...
- [`2de54a3`](https://github.com/electron/electron/commit/2de54a3dbc2ecb1427e5df335b4bb7b57b6c1067) Bump v5.0.1
- [`7eac676`](https://github.com/electron/electron/commit/7eac676fa740d8f6f19671a38a805e0e3f4fcacd) fix: fs.promises does not work with asar paths ([#18115](https://github-redirect.dependabot.com/electron/electron/issues/18115))
- [`54199d2`](https://github.com/electron/electron/commit/54199d21c366ba3060ac37f45079b499b01b4994) chore: bump chromium in DEPS to 73.0.3683.121 ([#18001](https://github-redirect.dependabot.com/electron/electron/issues/18001))
- Additional commits viewable in [compare view](https://github.com/electron/electron/compare/v4.0.1...v5.0.2)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.
You can always request more updates by clicking Bump now in your Dependabot dashboard.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.
Bumps electron from 4.0.1 to 5.0.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/495.json).* > **Arbitrary Code Execution** > A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild. > > Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5Release notes
*Sourced from [electron's releases](https://github.com/electron/electron/releases).* > ## electron v5.0.2 > # Release Notes for v5.0.2 > > ## Fixes > > * Added missing `'page-title-updated'` event on `webContents` to documentation. Also fixed forwarding of the `explicitSet` argument when emitted on `BrowserWindow`. [#18318](https://github-redirect.dependabot.com/electron/electron/issues/18318) > * Fixed a crash in `systemPreferences.getAccentColor()`. [#18194](https://github-redirect.dependabot.com/electron/electron/issues/18194) > * Fixed a regression in Kerberos SPN generation. In the M69 upgrade, the default for the `enable_negotiate_port` option was inadvertently changed from false to true; this restores the former behavior and aligns with Chromium. [#18284](https://github-redirect.dependabot.com/electron/electron/issues/18284) > * Fixed case where the promise returned by `loadURL` and `loadFile` would be rejected with `ERR_ABORTED` if you triggered a virtual navigation before the page had finished loading. E.g. Used `history.pushState` or set `location.hash`. [#18142](https://github-redirect.dependabot.com/electron/electron/issues/18142) > > ## electron v5.0.1 > # Release Notes for v5.0.1 > > ## Fixes > > * Fixed `fs.promises` APIs not working with ASAR paths. [#18115](https://github-redirect.dependabot.com/electron/electron/issues/18115) > * Fixed an issue on Windows where calling `.show()` on a BrowserWindow did not focus the window. [#18080](https://github-redirect.dependabot.com/electron/electron/issues/18080) > * Fixed crash when Electron run from SMB network share. [#17908](https://github-redirect.dependabot.com/electron/electron/issues/17908) > * Fixed crash when quitting Electron with an inspector attached. [#18076](https://github-redirect.dependabot.com/electron/electron/issues/18076) > * Removed non-existent `gpu-crashed` event on `Commits
- [`6b371a5`](https://github.com/electron/electron/commit/6b371a5ef99cde624cd4451103601c90299e6b81) Bump v5.0.2 - [`7ee06c3`](https://github.com/electron/electron/commit/7ee06c354e8560203eb9091bf29716a46c9eeb3c) fix: 'page-title-updated' event forwarding + documentation ([#18318](https://github-redirect.dependabot.com/electron/electron/issues/18318)) - [`a60ad6a`](https://github.com/electron/electron/commit/a60ad6aeed91c9ab69b5718fdedba341ce2a9817) fix: default enable_negotiate_port to false ([#18284](https://github-redirect.dependabot.com/electron/electron/issues/18284)) - [`693d840`](https://github.com/electron/electron/commit/693d84020220eab49eef2af879e3f9960bad6283) build: linux needs java on GN ([#18216](https://github-redirect.dependabot.com/electron/electron/issues/18216)) - [`7a759ea`](https://github.com/electron/electron/commit/7a759ea0b6298e1e83e1f8bf7d37fea156d59e22) fix: crash on systemPreferences.getAccentColor() ([#18194](https://github-redirect.dependabot.com/electron/electron/issues/18194)) - [`83a4b73`](https://github.com/electron/electron/commit/83a4b7371b0dab19a49b7500e4ed50fd4383518f) docs: clarify clipboard type options ([#18174](https://github-redirect.dependabot.com/electron/electron/issues/18174)) - [`82bb6d4`](https://github.com/electron/electron/commit/82bb6d4ccf2a6609b116a8a7df9ea7db796aa55d) fix: do not mark navigations interupted with same-document navigations as abo... - [`2de54a3`](https://github.com/electron/electron/commit/2de54a3dbc2ecb1427e5df335b4bb7b57b6c1067) Bump v5.0.1 - [`7eac676`](https://github.com/electron/electron/commit/7eac676fa740d8f6f19671a38a805e0e3f4fcacd) fix: fs.promises does not work with asar paths ([#18115](https://github-redirect.dependabot.com/electron/electron/issues/18115)) - [`54199d2`](https://github.com/electron/electron/commit/54199d21c366ba3060ac37f45079b499b01b4994) chore: bump chromium in DEPS to 73.0.3683.121 ([#18001](https://github-redirect.dependabot.com/electron/electron/issues/18001)) - Additional commits viewable in [compare view](https://github.com/electron/electron/compare/v4.0.1...v5.0.2)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.
You can always request more updates by clicking
Bump nowin your Dependabot dashboard.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.