Update dependency electron-updater to v6.3.0 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron-updater (source)	6.1.4 -> 6.3.0

GitHub Vulnerability Alerts

CVE-2024-39698

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #​8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.

---

Release Notes

electron-userland/electron-builder (electron-updater)

### [`v6.3.0`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#630) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.2.1...electron-updater@6.3.0) ##### Minor Changes - [#​8095](https://redirect.github.com/electron-userland/electron-builder/pull/8095) [`53cec79b`](https://redirect.github.com/electron-userland/electron-builder/commit/53cec79bdc3f56c9371bdfb7901e97650d9ac4bc) Thanks [@​beyondkmp](https://redirect.github.com/beyondkmp)! - feat: adding differential downloader for updates on macOS ##### Patch Changes - [#​8108](https://redirect.github.com/electron-userland/electron-builder/pull/8108) [`3d4cc7ae`](https://redirect.github.com/electron-userland/electron-builder/commit/3d4cc7ae01c4f6154d6ea59726578b1ff99b9daf) Thanks [@​beyondkmp](https://redirect.github.com/beyondkmp)! - feat: add `minimumSystemVersion` in electron updater - [#​8304](https://redirect.github.com/electron-userland/electron-builder/pull/8304) [`1ac86c9e`](https://redirect.github.com/electron-userland/electron-builder/commit/1ac86c9ea277a89611d415eb7f2ef70441b0eb28) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - chore: update pnpm to 9.4.0 - [#​8323](https://redirect.github.com/electron-userland/electron-builder/pull/8323) [`fa3275c0`](https://redirect.github.com/electron-userland/electron-builder/commit/fa3275c05b334f59453d04551fffa24bfa558e48) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - chore(deps): update dependency typescript to v5.5.3 - [#​8135](https://redirect.github.com/electron-userland/electron-builder/pull/8135) [`c2392de7`](https://redirect.github.com/electron-userland/electron-builder/commit/c2392de71a8f7abc092a00452eac63dd24b34e88) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - fix: unstable hdiutil retry mechanism - [#​8295](https://redirect.github.com/electron-userland/electron-builder/pull/8295) [`ac2e6a25`](https://redirect.github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - fix: verify LiteralPath of update file during windows signature verification - [#​8311](https://redirect.github.com/electron-userland/electron-builder/pull/8311) [`35a0784e`](https://redirect.github.com/electron-userland/electron-builder/commit/35a0784eb4cffc2fcbf33ec58fefbacf8e8e5125) Thanks [@​rastiqdev](https://redirect.github.com/rastiqdev)! - fix(rpm-updater): stop uninstalling app before update - [#​8227](https://redirect.github.com/electron-userland/electron-builder/pull/8227) [`48c59535`](https://redirect.github.com/electron-userland/electron-builder/commit/48c59535f84cd16fb2e44d71f6b75c25c739b993) Thanks [@​rotu](https://redirect.github.com/rotu)! - fix(docs): update autoupdate docs noting that channels work with Github - [#​8110](https://redirect.github.com/electron-userland/electron-builder/pull/8110) [`fa7982f1`](https://redirect.github.com/electron-userland/electron-builder/commit/fa7982f19feddcb9479ff83af8db1974aea1f8d6) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - chore: entering alpha release stage - Updated dependencies \[[`3d4cc7ae`](https://redirect.github.com/electron-userland/electron-builder/commit/3d4cc7ae01c4f6154d6ea59726578b1ff99b9daf), [`1ac86c9e`](https://redirect.github.com/electron-userland/electron-builder/commit/1ac86c9ea277a89611d415eb7f2ef70441b0eb28), [`ad668ae1`](https://redirect.github.com/electron-userland/electron-builder/commit/ad668ae14ef60fb91dd74aa71562f2fd68fbaa48), [`445911a7`](https://redirect.github.com/electron-userland/electron-builder/commit/445911a75f9efd6fe61e586ebed6a210d0efcd41), [`140e2f0e`](https://redirect.github.com/electron-userland/electron-builder/commit/140e2f0eb0df79c2a46e35024e96d0563355fc89), [`fa7982f1`](https://redirect.github.com/electron-userland/electron-builder/commit/fa7982f19feddcb9479ff83af8db1974aea1f8d6)]: - builder-util-runtime@9.2.5 ### [`v6.2.1`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#621) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.2.0...electron-updater@6.2.1) ##### Patch Changes - [#​8091](https://redirect.github.com/electron-userland/electron-builder/pull/8091) [`e2a181d9`](https://redirect.github.com/electron-userland/electron-builder/commit/e2a181d9fe3fbdd84690359e275daaef24584729) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - fix(mac): revert autoupdate for mac differential ### [`v6.2.0`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#620) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.9...electron-updater@6.2.0) ##### Minor Changes - [#​7709](https://redirect.github.com/electron-userland/electron-builder/pull/7709) [`79df5423`](https://redirect.github.com/electron-userland/electron-builder/commit/79df54238621fbe48ba20444129950ba2dc49983) Thanks [@​beyondkmp](https://redirect.github.com/beyondkmp)! - feat: adding differential downloader for updates on macOS ### [`v6.1.9`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#619) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.8...electron-updater@6.1.9) ##### Patch Changes - [#​8051](https://redirect.github.com/electron-userland/electron-builder/pull/8051) [`48603ba0`](https://redirect.github.com/electron-userland/electron-builder/commit/48603ba09dc7103849a2975799c19068fd08fc07) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - fix: auto-update powershell script requires reset of `PSModulePath` - [#​8057](https://redirect.github.com/electron-userland/electron-builder/pull/8057) [`ccbb80de`](https://redirect.github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e) Thanks [@​mmaietta](https://redirect.github.com/mmaietta)! - chore: upgrading connected dependencies (typescript requires higher eslint version) - Updated dependencies \[[`ccbb80de`](https://redirect.github.com/electron-userland/electron-builder/commit/ccbb80dea4b6146ea2d2186193a1f307096e4d1e)]: - builder-util-runtime@9.2.4 ### [`v6.1.8`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#618) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.7...electron-updater@6.1.8) ##### Patch Changes - [#​7950](https://redirect.github.com/electron-userland/electron-builder/pull/7950) [`03c94516`](https://redirect.github.com/electron-userland/electron-builder/commit/03c94516ef3b1b31b2f5b7bcdb9c6d3753d36b8d) Thanks [@​bronsonmock](https://redirect.github.com/bronsonmock)! - feat(nsis): add option to disable differential download ### [`v6.1.7`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#617) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.6...electron-updater@6.1.7) ##### Patch Changes - Updated dependencies \[[`db424e8e`](https://redirect.github.com/electron-userland/electron-builder/commit/db424e8e876e6ac1985668bf78bd52a02824dd7f), [`db424e8e`](https://redirect.github.com/electron-userland/electron-builder/commit/db424e8e876e6ac1985668bf78bd52a02824dd7f)]: - builder-util-runtime@9.2.3 ### [`v6.1.6`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#616) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.5...electron-updater@6.1.6) ##### Patch Changes - Updated dependencies \[[`549d07b0`](https://redirect.github.com/electron-userland/electron-builder/commit/549d07b0a04b8686cf4998dc102edad390ddd09a)]: - builder-util-runtime@9.2.2 ### [`v6.1.5`](https://redirect.github.com/electron-userland/electron-builder/blob/HEAD/packages/electron-updater/CHANGELOG.md#615) [Compare Source](https://redirect.github.com/electron-userland/electron-builder/compare/electron-updater@6.1.4...electron-updater@6.1.5) ##### Patch Changes - [#​7767](https://redirect.github.com/electron-userland/electron-builder/pull/7767) [`21f3069c`](https://redirect.github.com/electron-userland/electron-builder/commit/21f3069cb6dcad30959af4bfd8f3014133a3dfde) Thanks [@​jackple](https://redirect.github.com/jackple)! - fix: When error code is ENOENT, try to use electron.shell.openPath to run installer on Windows

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.