Update dependency electron to v9.4.0 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron	9.0.5 -> 9.4.0

GitHub Vulnerability Alerts

CVE-2020-15174

Impact

The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.

Patches

• 11.0.0-beta.1
• 10.0.1
• 9.3.0
• 8.5.1

Workarounds

Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

For more information

If you have any questions or comments about this advisory:

• Email us at security@electronjs.org

CVE-2020-15215

Impact

Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 11.0.0-beta.6
• 10.1.2
• 9.3.1
• 8.5.2

For more information

If you have any questions or comments about this advisory:

• Email us at security@electronjs.org

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

• Uses remote
• Calls webContents.sendToFrame
• Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

• 9.4.0
• 10.2.0
• 11.1.0
• 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

---

Release Notes

electron/electron

### [`v9.4.0`](https://togithub.com/electron/electron/releases/v9.4.0) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.5...v9.4.0) ### Release Notes for v9.4.0 #### Fixes - Added Electron DLLs like libGLESv2.dll to symbol server. [#​26967](https://togithub.com/electron/electron/pull/26967) (Also in [10](https://togithub.com/electron/electron/pull/26964), [11](https://togithub.com/electron/electron/pull/26965), [12](https://togithub.com/electron/electron/pull/26966)) - Fixed `systemPreferences.effectiveAppearance` returning `systemPreferences.getAppLevelAppearance()`. [#​26881](https://togithub.com/electron/electron/pull/26881) (Also in [10](https://togithub.com/electron/electron/pull/26882), [11](https://togithub.com/electron/electron/pull/26878), [12](https://togithub.com/electron/electron/pull/26879)) - Fixed an issue where `event.reply` could sometimes not deliver a reply to an IPC message when cross-site iframes were present. [#​26928](https://togithub.com/electron/electron/pull/26928) (Also in [10](https://togithub.com/electron/electron/pull/26927), [11](https://togithub.com/electron/electron/pull/26926), [12](https://togithub.com/electron/electron/pull/26925)) - Fixed an issue where some buttons were un-clickable in some BrowserViews with draggable regions enabled. [#​26745](https://togithub.com/electron/electron/pull/26745) (Also in [10](https://togithub.com/electron/electron/pull/26744), [11](https://togithub.com/electron/electron/pull/26528)) - Fixed an issue whereby a corrupted `async_hooks` stack would crash the renderer when throwing some errors in the renderer process. [#​26748](https://togithub.com/electron/electron/pull/26748) (Also in [10](https://togithub.com/electron/electron/pull/26747), [11](https://togithub.com/electron/electron/pull/26424)) - Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. [#​26950](https://togithub.com/electron/electron/pull/26950) (Also in [10](https://togithub.com/electron/electron/pull/26949), [11](https://togithub.com/electron/electron/pull/26951), [12](https://togithub.com/electron/electron/pull/26952)) - Fixed usage of --disable-dev-shm-usage for apps using --no-sandbox on linux. [#​26806](https://togithub.com/electron/electron/pull/26806) #### Other Changes - Backported the fix to CVE-2020-16024: Heap buffer overflow in UI. [#​26831](https://togithub.com/electron/electron/pull/26831) - Security: backport fix for [`1150649`](https://togithub.com/electron/electron/commit/1150649). [#​26897](https://togithub.com/electron/electron/pull/26897) - Security: backported fix for [`1137603`](https://togithub.com/electron/electron/commit/1137603). [#​26893](https://togithub.com/electron/electron/pull/26893) - Security: backported fix for [`1141350`](https://togithub.com/electron/electron/commit/1141350). [#​26895](https://togithub.com/electron/electron/pull/26895) - Security: backported the fix to CVE-2020-16014: Use after free in PPAPI. [#​26856](https://togithub.com/electron/electron/pull/26856) - Security: backported the fix to CVE-2020-16015: Insufficient data validation in WASM. [#​26859](https://togithub.com/electron/electron/pull/26859) - Security: backported the fix to CVE-2020-16022: Insufficient policy enforcement in networking. [#​26861](https://togithub.com/electron/electron/pull/26861) ### [`v9.3.5`](https://togithub.com/electron/electron/releases/v9.3.5) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.4...v9.3.5) ### Release Notes for v9.3.5 #### Fixes - Fixed `` `render-process-gone` event dispatch. [#​26576](https://togithub.com/electron/electron/pull/26576) - Fixed `LC_ALL` environment variable getting changed in Electron. [#​26508](https://togithub.com/electron/electron/pull/26508) (Also in [10](https://togithub.com/electron/electron/pull/26550), [11](https://togithub.com/electron/electron/pull/26551)) - Fixed debug.log files being created under working directory on windows. [#​26267](https://togithub.com/electron/electron/pull/26267) (Also in [10](https://togithub.com/electron/electron/pull/26266)) - Fixed draggable regions stops working when devtools is opened on macOS. [#​26506](https://togithub.com/electron/electron/pull/26506) (Also in [10](https://togithub.com/electron/electron/pull/26394), [11](https://togithub.com/electron/electron/pull/26395)) #### Other Changes - Backported the fix to CVE-2020-16017: Browser UAF when detaching a provisional frame. [#​26477](https://togithub.com/electron/electron/pull/26477) - Fixed value of `getSystemVersion()` on Big Sur. [#​26430](https://togithub.com/electron/electron/pull/26430) - Security: backported fix for [`1143772`](https://togithub.com/electron/electron/commit/1143772). [#​26400](https://togithub.com/electron/electron/pull/26400) - Security: backported fix for [`1144489`](https://togithub.com/electron/electron/commit/1144489). [#​26397](https://togithub.com/electron/electron/pull/26397) - Security: backported fix for chromium:[`1133527`](https://togithub.com/electron/electron/commit/1133527). [#​26412](https://togithub.com/electron/electron/pull/26412) - Security: backported fix for chromium:[`1137608`](https://togithub.com/electron/electron/commit/1137608). [#​26409](https://togithub.com/electron/electron/pull/26409) - Security: backported fix for chromium:[`1139398`](https://togithub.com/electron/electron/commit/1139398). [#​26406](https://togithub.com/electron/electron/pull/26406) #### Unknown - Re-enable Rosetta on Apple Silicon devices. [#​26572](https://togithub.com/electron/electron/pull/26572) (Also in [7.3](https://togithub.com/electron/electron/pull/26571), [8](https://togithub.com/electron/electron/pull/26573), [10](https://togithub.com/electron/electron/pull/26569), [11](https://togithub.com/electron/electron/pull/26570)) ### [`v9.3.4`](https://togithub.com/electron/electron/releases/v9.3.4) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.3...v9.3.4) ### Release Notes for v9.3.4 #### Fixes - Fixed an issue where Hover Text on macOS Catalina did not work without VoiceOver also being enabled. [#​26244](https://togithub.com/electron/electron/pull/26244) (Also in [10](https://togithub.com/electron/electron/pull/26245), [11](https://togithub.com/electron/electron/pull/26246)) - Fixed an issue where draggable regions did not work exclusively on `BrowserViews`. [#​26261](https://togithub.com/electron/electron/pull/26261) (Also in [10](https://togithub.com/electron/electron/pull/26260), [11](https://togithub.com/electron/electron/pull/26259)) - Fixed an issue where draggable regions were not properly updated on BrowserViews when a containing `BrowserWindow` was resized. [#​26322](https://togithub.com/electron/electron/pull/26322) (Also in [10](https://togithub.com/electron/electron/pull/26321), [11](https://togithub.com/electron/electron/pull/26320)) - Fixed calling `app.commandLine.appendSwitch('lang')` not changing app's locale. [#​26242](https://togithub.com/electron/electron/pull/26242) (Also in [10](https://togithub.com/electron/electron/pull/26241), [11](https://togithub.com/electron/electron/pull/26226)) #### Other Changes - Improved performance of `takeHeapSnapshot()`. [#​26228](https://togithub.com/electron/electron/pull/26228) - Security: backported fix for [`1100470`](https://togithub.com/electron/electron/commit/1100470), [`1125337`](https://togithub.com/electron/electron/commit/1125337). [#​26210](https://togithub.com/electron/electron/pull/26210) - Security: backported fix for [`1128657`](https://togithub.com/electron/electron/commit/1128657). [#​26197](https://togithub.com/electron/electron/pull/26197) - Security: backported fix for [`1133983`](https://togithub.com/electron/electron/commit/1133983). [#​26204](https://togithub.com/electron/electron/pull/26204) - Security: backported fix for [`1135018`](https://togithub.com/electron/electron/commit/1135018). [#​26194](https://togithub.com/electron/electron/pull/26194) - Security: backported fix for [`1135857`](https://togithub.com/electron/electron/commit/1135857). [#​26191](https://togithub.com/electron/electron/pull/26191) - Security: backported fix for chromium:[`1117258`](https://togithub.com/electron/electron/commit/1117258). [#​26200](https://togithub.com/electron/electron/pull/26200) - Security: backported fix for chromium:[`1132111`](https://togithub.com/electron/electron/commit/1132111). [#​26207](https://togithub.com/electron/electron/pull/26207) - Security: backported fix for chromium:[`1137630`](https://togithub.com/electron/electron/commit/1137630). [#​26213](https://togithub.com/electron/electron/pull/26213) ### [`v9.3.3`](https://togithub.com/electron/electron/releases/v9.3.3) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.2...v9.3.3) ### Release Notes for v9.3.3 #### Fixes - Browser views will properly resize within windows. [#​26034](https://togithub.com/electron/electron/pull/26034) (Also in [10](https://togithub.com/electron/electron/pull/26033), [11](https://togithub.com/electron/electron/pull/25956)) - Fix: gdi printing in silent printing mode. [#​25724](https://togithub.com/electron/electron/pull/25724) (Also in [10](https://togithub.com/electron/electron/pull/25740), [11](https://togithub.com/electron/electron/pull/25744)) - Fixed NativeImage.getScaleFactors() always returning the same value. [#​25904](https://togithub.com/electron/electron/pull/25904) (Also in [10](https://togithub.com/electron/electron/pull/25905), [11](https://togithub.com/electron/electron/pull/25903)) - Fixed a crash in printing on Windows. [#​26066](https://togithub.com/electron/electron/pull/26066) (Also in [10](https://togithub.com/electron/electron/pull/26064), [11](https://togithub.com/electron/electron/pull/26062)) - Fixed an issue where Windows notifications with timeoutType of 'never' did not work properly. [#​25862](https://togithub.com/electron/electron/pull/25862) (Also in [10](https://togithub.com/electron/electron/pull/25926), [11](https://togithub.com/electron/electron/pull/25902)) - Fixed an issue where `Save as PDF` from PDF Viewer Print dialog failed and sometimes crashed. [#​26067](https://togithub.com/electron/electron/pull/26067) (Also in [10](https://togithub.com/electron/electron/pull/26013), [11](https://togithub.com/electron/electron/pull/26012)) - Fixed an issue where frameless windows showed window controls after being in simple fullscreen mode on macOS. [#​26128](https://togithub.com/electron/electron/pull/26128) (Also in [10](https://togithub.com/electron/electron/pull/26126), [11](https://togithub.com/electron/electron/pull/26127)) - Fixed an issue where some Node.js module API calls hung in the renderer process after reloads when render process reuse was enabled. [#​25924](https://togithub.com/electron/electron/pull/25924) (Also in [10](https://togithub.com/electron/electron/pull/25923), [11](https://togithub.com/electron/electron/pull/25922)) - Fixed an issue where the PDF annotations button existed in a broken state. [#​26004](https://togithub.com/electron/electron/pull/26004) - Fixed bug that meant require.resolve paths option was ignored. [#​26035](https://togithub.com/electron/electron/pull/26035) (Also in [10](https://togithub.com/electron/electron/pull/25944), [11](https://togithub.com/electron/electron/pull/25945)) - Fixed maximized frameless window bleeding to other monitors. [#​25980](https://togithub.com/electron/electron/pull/25980) (Also in [8](https://togithub.com/electron/electron/pull/25979), [10](https://togithub.com/electron/electron/pull/25977), [11](https://togithub.com/electron/electron/pull/25978)) - Fixed memory leak on macOS when using `dialog.showMessageBox` API. [#​26098](https://togithub.com/electron/electron/pull/26098) (Also in [8](https://togithub.com/electron/electron/pull/26100), [10](https://togithub.com/electron/electron/pull/26097), [11](https://togithub.com/electron/electron/pull/26099)) #### Other Changes - Backported fix for CVE-2020-15999. [#​26069](https://togithub.com/electron/electron/pull/26069) - Backported the fix to CVE-2020-15969: Use after free in WebRTC. [#​25854](https://togithub.com/electron/electron/pull/25854) - Security: backported fix for [`1111149`](https://togithub.com/electron/electron/commit/1111149). [#​25638](https://togithub.com/electron/electron/pull/25638) - Security: backported fix for [`1113558`](https://togithub.com/electron/electron/commit/1113558). [#​25859](https://togithub.com/electron/electron/pull/25859) - Security: backported fix for [`1121414`](https://togithub.com/electron/electron/commit/1121414). [#​25911](https://togithub.com/electron/electron/pull/25911) - Security: backported fix for [`1121836`](https://togithub.com/electron/electron/commit/1121836). [#​25641](https://togithub.com/electron/electron/pull/25641) - Security: backported fix for [`1125635`](https://togithub.com/electron/electron/commit/1125635), [`1115901`](https://togithub.com/electron/electron/commit/1115901). [#​25857](https://togithub.com/electron/electron/pull/25857) - Security: backported fix for [`1126249`](https://togithub.com/electron/electron/commit/1126249). [#​25645](https://togithub.com/electron/electron/pull/25645) - Security: backported the fix to a heap-use-after-free in content::WebContentsImpl::SetNotWaitingForResponse. [#​25896](https://togithub.com/electron/electron/pull/25896) ### [`v9.3.2`](https://togithub.com/electron/electron/releases/v9.3.2) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.1...v9.3.2) ### Release Notes for v9.3.2 #### Fixes - Fixed CORS not being disabled by `webSecurity: false`. [#​25505](https://togithub.com/electron/electron/pull/25505) (Also in [9](https://togithub.com/electron/electron/pull/25505), [10](https://togithub.com/electron/electron/pull/25503), [11](https://togithub.com/electron/electron/pull/25504)) - Fixed `ready-to-show` event not emitted on some machines. [#​25490](https://togithub.com/electron/electron/pull/25490) (Also in [9](https://togithub.com/electron/electron/pull/25490), [10](https://togithub.com/electron/electron/pull/25476), [11](https://togithub.com/electron/electron/pull/25471)) - Fixed a crash in `app.importCertificate()` on Linux. [#​25538](https://togithub.com/electron/electron/pull/25538) (Also in [9](https://togithub.com/electron/electron/pull/25538), [10](https://togithub.com/electron/electron/pull/25536), [11](https://togithub.com/electron/electron/pull/25537)) - Fixed a crash when closing window in an event listener after exiting fullscreen on macOS. [#​25605](https://togithub.com/electron/electron/pull/25605) (Also in [9](https://togithub.com/electron/electron/pull/25605), [10](https://togithub.com/electron/electron/pull/25604), [11](https://togithub.com/electron/electron/pull/25524)) - Fixed an issue that could cause a normally-exiting process to fail with an "illegal access" message and exit code 7. [#​25502](https://togithub.com/electron/electron/pull/25502) (Also in [8](https://togithub.com/electron/electron/pull/25501), [9](https://togithub.com/electron/electron/pull/25502), [10](https://togithub.com/electron/electron/pull/25458), [11](https://togithub.com/electron/electron/pull/25459)) - Fixed an issue where an error would be displayed when using `webContents.print()` if no default was set and no device name provided. [#​25607](https://togithub.com/electron/electron/pull/25607) (Also in [9](https://togithub.com/electron/electron/pull/25607), [10](https://togithub.com/electron/electron/pull/25606), [11](https://togithub.com/electron/electron/pull/25562)) - Fixed crash when application launched from `UNUserNotificationCenter` notification (via a native node module). [#​25739](https://togithub.com/electron/electron/pull/25739) (Also in [9](https://togithub.com/electron/electron/pull/25739), [10](https://togithub.com/electron/electron/pull/25737), [11](https://togithub.com/electron/electron/pull/25738)) - Fixed crashes caused by attempting to modify destroyed views. [#​25609](https://togithub.com/electron/electron/pull/25609) (Also in [9](https://togithub.com/electron/electron/pull/25609), [10](https://togithub.com/electron/electron/pull/25511), [11](https://togithub.com/electron/electron/pull/25509)) - Fixed memory leak when creating "Services" menu. [#​25689](https://togithub.com/electron/electron/pull/25689) (Also in [9](https://togithub.com/electron/electron/pull/25689), [10](https://togithub.com/electron/electron/pull/25687), [11](https://togithub.com/electron/electron/pull/25688)) - Fixed unsubscribe from observers when window is closing. [#​25586](https://togithub.com/electron/electron/pull/25586) (Also in [9](https://togithub.com/electron/electron/pull/25586), [10](https://togithub.com/electron/electron/pull/25584), [11](https://togithub.com/electron/electron/pull/25585)) - Updated Node root certs to use NSS 3.56. [#​25364](https://togithub.com/electron/electron/pull/25364) (Also in [8](https://togithub.com/electron/electron/pull/25363), [9](https://togithub.com/electron/electron/pull/25364), [10](https://togithub.com/electron/electron/pull/25361), [11](https://togithub.com/electron/electron/pull/25362)) #### Other Changes - Added V8 crash message and location information to crashReport parameters. [#​24864](https://togithub.com/electron/electron/pull/24864) (Also in [9](https://togithub.com/electron/electron/pull/24864), [10](https://togithub.com/electron/electron/pull/24866)) - Added a small console hint to console to help debug renderer crashes. [#​25473](https://togithub.com/electron/electron/pull/25473) (Also in [9](https://togithub.com/electron/electron/pull/25473), [10](https://togithub.com/electron/electron/pull/25472), [11](https://togithub.com/electron/electron/pull/25474)) - Fixed resource leak in worker threads. [#​25663](https://togithub.com/electron/electron/pull/25663) (Also in [9](https://togithub.com/electron/electron/pull/25663), [10](https://togithub.com/electron/electron/pull/25662), [11](https://togithub.com/electron/electron/pull/25661)) - Security: backported fix for [`1100136`](https://togithub.com/electron/electron/commit/1100136). [#​25658](https://togithub.com/electron/electron/pull/25658) - Security: backported fix for [`1106612`](https://togithub.com/electron/electron/commit/1106612). [#​25656](https://togithub.com/electron/electron/pull/25656) - Security: backported fix for [`1114636`](https://togithub.com/electron/electron/commit/1114636). [#​25643](https://togithub.com/electron/electron/pull/25643) #### Unknown - Fixed extension background page devtools not being openable. [#​25567](https://togithub.com/electron/electron/pull/25567) (Also in [9](https://togithub.com/electron/electron/pull/25567), [10](https://togithub.com/electron/electron/pull/25566), [11](https://togithub.com/electron/electron/pull/25366)) ### [`v9.3.1`](https://togithub.com/electron/electron/releases/v9.3.1) [Compare Source](https://togithub.com/electron/electron/compare/v9.3.0...v9.3.1) ### Release Notes for v9.3.1 #### Fixes - Added missing module delay loads on windows to reduce per process reference set impact. [#​25437](https://togithub.com/electron/electron/pull/25437) (Also in [9](https://togithub.com/electron/electron/pull/25437), [10](https://togithub.com/electron/electron/pull/25435), [11](https://togithub.com/electron/electron/pull/25436)) - Fixed a crash in the renderer process when invoking the Badging API. [#​25371](https://togithub.com/electron/electron/pull/25371) (Also in [9](https://togithub.com/electron/electron/pull/25371), [10](https://togithub.com/electron/electron/pull/25369), [11](https://togithub.com/electron/electron/pull/25370)) - Fixed a memory leak in net.request(). [#​25382](https://togithub.com/electron/electron/pull/25382) - Fixed multiple dock icons being left in system when calling dock.show/hide on macOS. [#​25301](https://togithub.com/electron/electron/pull/25301) (Also in [8](https://togithub.com/electron/electron/pull/25302), [9](https://togithub.com/electron/electron/pull/25301), [10](https://togithub.com/electron/electron/pull/25299), [11](https://togithub.com/electron/electron/pull/25300)) #### Other Changes - Security: backported fix for [`1081874`](https://togithub.com/electron/electron/commit/1081874). [#​25389](https://togithub.com/electron/electron/pull/25389) - Security: backported fix for [`1098860`](https://togithub.com/electron/electron/commit/1098860). [#​25289](https://togithub.com/electron/electron/pull/25289) - Security: backported fix for [`1111737`](https://togithub.com/electron/electron/commit/1111737). [#​25391](https://togithub.com/electron/electron/pull/25391) - Security: backported fix for [`1122684`](https://togithub.com/electron/electron/commit/1122684). [#​25390](https://togithub.com/electron/electron/pull/25390) #### Unknown - Added support for some `chrome.management` APIs. [#​25344](https://togithub.com/electron/electron/pull/25344) (Also in [9](https://togithub.com/electron/electron/pull/25344), [10](https://togithub.com/electron/electron/pull/25345), [11](https://togithub.com/electron/electron/pull/25342)) ### [`v9.3.0`](https://togithub.com/electron/electron/releases/v9.3.0) [Compare Source](https://togithub.com/electron/electron/compare/v9.2.1...v9.3.0) ### Release Notes for v9.3.0 #### Features - Added back a previously broken `visibleOnFullScreen` option for `setVisibleOnAllWorkspaces`. [#​25126](https://togithub.com/electron/electron/issues/25126) - Added the `currencyCode` field that Apple's StoreKit in-app-purchasing library provides but has not been added to the `Product` object that `inAppPurchase.getProducts` returns. [#​25085](https://togithub.com/electron/electron/issues/25085) #### Fixes - Fixed `powerMonitor` not emitting `suspend`/`resume` events on some Windows machines. [#​25165](https://togithub.com/electron/electron/issues/25165) - Fixed an issue where filters set in dialogs on macOS would have nondeterministic ordering. [#​25194](https://togithub.com/electron/electron/issues/25194) - Fixed an issue where notifications with a reply button could potentially be destroyed too early when a user clicked on the notification body before replying. [#​25101](https://togithub.com/electron/electron/issues/25101) - Fixed frameless window's size being changed when restored from minimized state. [#​25045](https://togithub.com/electron/electron/issues/25045) - Fixed network permission error when there are multiple WebContents sharing same session are created with web security disabled. [#​25179](https://togithub.com/electron/electron/issues/25179) - Fixed node's TLS stack not allowing renegotiation. [#​25041](https://togithub.com/electron/electron/issues/25041) - Fixed the following issues for frameless when maximized on Windows \* fix unreachable task bar when auto hidden with position top - fix 1px extending to secondary monitor - fix 1px overflowing into taskbar at certain resolutions - fix white line on top of window under 4k resolutions. [#​25218](https://togithub.com/electron/electron/issues/25218) - Fixed window size being changed after unmaximizing. [#​25133](https://togithub.com/electron/electron/issues/25133) #### Unknown - Fixed not working `WebSQLDatabase` in extension background pages. [#​25070](https://togithub.com/electron/electron/issues/25070) ### [`v9.2.1`](https://togithub.com/electron/electron/releases/v9.2.1) [Compare Source](https://togithub.com/electron/electron/compare/v9.2.0...v9.2.1) ### Release Notes for v9.2.1 #### Fixes - fix loading shared worker scripts over custom protocol - fix crash when loading worker scripts with nodeIntegration enabled. [#​24750](https://togithub.com/electron/electron/issues/24750) - Fixed a crash that could occur when using in-memory sessions. [#​25002](https://togithub.com/electron/electron/issues/25002) - Fixed an issue where some Node.js methods would not work with URL instances constructed in the renderer process. [#​24862](https://togithub.com/electron/electron/issues/24862) - Fixed an issue where the Save button did not function in PDF previews. [#​24996](https://togithub.com/electron/electron/issues/24996) - Fixed inactive windows having active titlebar on Windows. [#​24873](https://togithub.com/electron/electron/issues/24873) - Fixed missing `guid` parameter in Linux crash reports. [#​24898](https://togithub.com/electron/electron/issues/24898) - Increased maximum length for crash keys from 127B to 20KB. [#​24854](https://togithub.com/electron/electron/issues/24854) - [a11y] fix an issue where voiceover doesn't read the first item selected from a ARIA combobox. [#​25004](https://togithub.com/electron/electron/issues/25004) #### Other Changes - Backported the fix to CVE-2020-6532: Use after free in SCTP. [#​24887](https://togithub.com/electron/electron/issues/24887) - Backported the fix to CVE-2020-6537: Type Confusion in V8. [#​24885](https://togithub.com/electron/electron/issues/24885) - Resolve network issues that prevented RTC calls from being connected due to network IP address changes and ICE. (Chromium issue [`1113227`](https://togithub.com/electron/electron/commit/1113227)). [#​24997](https://togithub.com/electron/electron/issues/24997) #### Unknown - Fixed issues with CORS when making requests from extensions. [#​24915](https://togithub.com/electron/electron/issues/24915) ### [`v9.2.0`](https://togithub.com/electron/electron/releases/v9.2.0) [Compare Source](https://togithub.com/electron/electron/compare/v9.1.2...v9.2.0) ### Release Notes for v9.2.0 #### Features - Added new `worldSafeExecuteJavaScript` webPreference to ensure that the return values from `webFrame.executeJavaScript` are world safe when context isolation is enabled. [#​24712](https://togithub.com/electron/electron/pull/24712) (Also in [10](https://togithub.com/electron/electron/pull/24711)) #### Fixes - Fixed a crash that could happen when using `hookWindowMessage` on Windows. [#​24769](https://togithub.com/electron/electron/pull/24769) (Also in [10](https://togithub.com/electron/electron/pull/24768)) - Fixed an issue where suspend/resume were emitted twice on macOS. [#​24845](https://togithub.com/electron/electron/pull/24845) (Also in [8](https://togithub.com/electron/electron/pull/24844), [10](https://togithub.com/electron/electron/pull/24843)) - Fixed crash when navigating from a page with webview that has inherited zoom level. [#​24764](https://togithub.com/electron/electron/pull/24764) (Also in [8](https://togithub.com/electron/electron/pull/24766), [10](https://togithub.com/electron/electron/pull/24763)) - Save crash reports locally when uploadToServer: false on linux. [#​24788](https://togithub.com/electron/electron/pull/24788) (Also in [10](https://togithub.com/electron/electron/pull/24787)) - Fixed an a11y regression where children reported an index in parent greater than the parent child count. [#​24765](https://togithub.com/electron/electron/pull/24765) ### [`v9.1.2`](https://togithub.com/electron/electron/releases/v9.1.2) [Compare Source](https://togithub.com/electron/electron/compare/v9.1.1...v9.1.2) ### Release Notes for v9.1.2 #### Fixes - Fix: remove unnecessary corner mask overriding to increase window resize performance. [#​24702](https://togithub.com/electron/electron/issues/24702) - Fixed an issue where VoiceOver was unable to navigate from the top-level window back into the web contents. [#​24699](https://togithub.com/electron/electron/issues/24699) - Protocol response streams are now destroyed if the request is aborted. [#​24657](https://togithub.com/electron/electron/issues/24657) #### Other Changes - Improved the performance of sending JS primitives over the context bridge. [#​24746](https://togithub.com/electron/electron/issues/24746) ### [`v9.1.1`](https://togithub.com/electron/electron/releases/v9.1.1) [Compare Source](https://togithub.com/electron/electron/compare/v9.1.0...v9.1.1) ### Release Notes for v9.1.1 #### Fixes - Fixed a termination crash on Web Workers with Node.js integration enabled. [#​24464](https://togithub.com/electron/electron/issues/24464) - Fixed an issue where `webContents.print()` would sometimes hang with invalid settings. [#​24508](https://togithub.com/electron/electron/issues/24508) - Fixed an issue where cpu and heap profiling in Node.js did not work properly with `--cpu-prof`, `--heap-prof`, and related CLI flags. [#​24541](https://togithub.com/electron/electron/issues/24541) - Fixed an issue where macOS window vibrancy active state did not always match the active state of the window. [#​24533](https://togithub.com/electron/electron/issues/24533) - Fixed broken `--trace-sync-io` flag in Node.js. [#​24648](https://togithub.com/electron/electron/issues/24648) - Fixed clipboard.readBuffer returning incorrect value. [#​24469](https://togithub.com/electron/electron/issues/24469) - Fixed potentially invalid duplex mode settings on Linux. [#​24547](https://togithub.com/electron/electron/issues/24547) #### Other Changes - Fix: DCHECK failure in value.IsHeapObject() in objectsdebug.cc. (Chromium security issue [`1084820`](https://togithub.com/electron/electron/commit/1084820)). [#​24566](https://togithub.com/electron/electron/issues/24566) - Fix: XSS on chrome://histograms/ with a compromised renderer. (Chromium security issue [`1073409`](https://togithub.com/electron/electron/commit/1073409)). [#​24625](https://togithub.com/electron/electron/issues/24625) - Fix: crash when executing `debugger.sendCommand`. (Chromium security issue [`1016278`](https://togithub.com/electron/electron/commit/1016278)). [#​24620](https://togithub.com/electron/electron/issues/24620) - Fix: heap-use-after-free in content::NavigationRequest::OnWillProcessResponseProcessed. (Chromium security issue [`1090543`](https://togithub.com/electron/electron/commit/1090543)). [#​24569](https://togithub.com/electron/electron/issues/24569) - Fix: heap-use-after-free in ui::AXTreeSerializerblink (Chromium security issue [`1065122`](https://togithub.com/electron/electron/commit/1065122)). [#​24557](https://togithub.com/electron/electron/issues/24557) - Fix: iframe in victim page can detect Scroll To Text Fragment activation. (Chromium security issue [`1042986`](https://togithub.com/electron/electron/commit/1042986)). [#​24624](https://togithub.com/electron/electron/issues/24624) - Fix: integer overflow in GrTextBlob::Make. (Chromium security issue [`1080481`](https://togithub.com/electron/electron/commit/1080481)). [#​24586](https://togithub.com/electron/electron/issues/24586) - Fix: javascript URI sandbox flags aren't propagated in a blank string case. (Chromium security issue [`1074340`](https://togithub.com/electron/electron/commit/1074340)). [#​24621](https://togithub.com/electron/electron/issues/24621) - Fix: memcpy-param-overlap in AudioBuffer::copyFromChannel. (Chromium security issue [`1081722`](https://togithub.com/electron/electron/commit/1081722)). [#​24582](https://togithub.com/electron/electron/issues/24582) - Fix: remove leaks of post-redirect URL for ` Githubissues.

Githubissues is a development platform for aggregating issues.