This PR contains the following updates:
23.2.0 -> 23.3.13
GitHub Vulnerability Alerts
CVE-2023-29198
Impact
Apps using `contextIsolation` and `contextBridge` are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
This issue is exploitable under either of two conditions:
- If an API exposed to the main world via `contextBridge` can return an object or array that contains a JS object which cannot be serialized, for instance a canvas rendering context. This would normally result in an exception being thrown: `Error: object could not be cloned`.
- If an API exposed to the main world via `contextBridge` has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.
The app-side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.
Auditing your exposed API is likely to be quite difficult, so we strongly recommend you update to a patched version of Electron.
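The wrapper below is an added example written for this page, not Electron's code and not an Electron API; it shows one way to apply the app-side workaround in a preload script so that neither of the two conditions above can occur. `toBridgeSafe`, `safeApi`, the sample `unsafeApi` and the `FakeCanvasContext` stand-in for a canvas rendering context are all constructed for the example, and the allowlist (primitives, arrays, plain objects) is deliberately narrower than what `contextBridge` itself accepts. It runs in plain Node without Electron.

```javascript
// Added example, not Electron's code: sanitise return values in the preload
// script so nothing unsupported or throwing ever reaches the contextBridge
// serialiser (the trigger for CVE-2023-29198).

// Plain objects only: class instances and DOM objects fail this check.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-copy `value` into bridge-safe data. Getters are evaluated here, inside
// a try/catch, and anything outside the allowlist raises a descriptive error.
function toBridgeSafe(value, depth = 0) {
  if (depth > 32) throw new Error('value nested too deeply for the bridge');
  const type = typeof value;
  if (value === null || type === 'string' || type === 'number' ||
      type === 'boolean' || type === 'undefined') {
    return value;
  }
  if (Array.isArray(value)) {
    return value.map((item) => toBridgeSafe(item, depth + 1));
  }
  if (isPlainObject(value)) {
    const copy = {};
    for (const key of Object.keys(value)) {
      let item;
      try {
        item = value[key]; // a dynamic getter runs here, not inside the bridge
      } catch (err) {
        const msg = err instanceof Error ? err.message : String(err);
        throw new Error(`getter for "${key}" threw: ${msg}`);
      }
      copy[key] = toBridgeSafe(item, depth + 1);
    }
    return copy;
  }
  // Functions, symbols, bigints, Map/Set, class instances, canvas contexts, ...
  const name = (value && value.constructor && value.constructor.name) || type;
  throw new Error(`unsupported value of type ${name} cannot cross the bridge`);
}

// Wrap each function of `api` so its return value is sanitised before the
// bridge sees it; failures become a plain { ok: false, error } result instead
// of an exception thrown while the value is in flight.
function safeApi(api) {
  const wrapped = {};
  for (const [name, fn] of Object.entries(api)) {
    if (typeof fn !== 'function') continue;
    wrapped[name] = (...args) => {
      try {
        return { ok: true, value: toBridgeSafe(fn(...args)) };
      } catch (err) {
        return { ok: false, error: err instanceof Error ? err.message : String(err) };
      }
    };
  }
  return wrapped;
}

// Constructed sample API (not from any real app) reproducing the two unsafe
// patterns the advisory lists, next to one that is fine as-is.
class FakeCanvasContext {                 // stand-in for CanvasRenderingContext2D
  constructor() { this.fillStyle = '#000'; }
}
const unsafeApi = {
  getProfile: () => ({ name: 'alice', id: 42, roles: ['user'] }),          // safe
  getCanvas: () => ({ width: 10, ctx: new FakeCanvasContext() }),           // condition 1
  getSecret: () => ({ get token() { throw new Error('vault locked'); } }),  // condition 2
};
const api = safeApi(unsafeApi);

// In a real preload script this would be exposed with:
//   contextBridge.exposeInMainWorld('api', safeApi(unsafeApi));
// Here we only show what each wrapped call now returns.
for (const name of Object.keys(api)) {
  console.log(name, JSON.stringify(api[name]()));
}
```

Because the copy is made in the preload script's own isolated world, a throwing getter or a non-cloneable object is caught there and turned into plain data, so the bridge serialiser only ever sees `{ ok, value }` or `{ ok, error }`. Async APIs need the same treatment applied to the resolved value. This narrows the exposure of an app that cannot update immediately; it does not replace updating, as the advisory says.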
Fixed Versions
25.0.0-alpha.2
24.0.1
23.2.3
22.3.6
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
CVE-2023-39956
Impact
Apps that are launched as command line executables are impacted, e.g. if your app exposes itself in the path as `myapp --help`.
Specifically, this issue can only be exploited if the following conditions are met:
- Your app is launched with an attacker-controlled working directory
- The attacker has the ability to write files to that working directory
This makes the risk quite low; in fact, issues of this kind are normally considered outside of our threat model since, like Chromium, we exclude Physically Local Attacks. However, given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
26.0.0-beta.13
25.5.0
24.7.1
23.3.13
22.3.19
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
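Both advisories list fixes per release line, and a higher major does not imply a fix: 24.0.0 is newer than 23.3.13 but still predates 24.7.1 for CVE-2023-39956. The checker below is an added example written for this page, not Electron's or Renovate's tooling. `FIXED` copies the two "Fixed Versions" lists from the advisories above; the treatment of lines outside those lists (majors older than the oldest listed fix counted as unpatched, majors newer than the newest counted as patched, since fixes land on main before being backported) is an assumption of this example.

```javascript
// Added example, not Electron's tooling: is an Electron version at or above the
// fix for its own release line, per the advisories quoted above?

const FIXED = {
  'CVE-2023-29198': ['25.0.0-alpha.2', '24.0.1', '23.2.3', '22.3.6'],
  'CVE-2023-39956': ['26.0.0-beta.13', '25.5.0', '24.7.1', '23.3.13', '22.3.19'],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver precedence: numeric core first; a release outranks any pre-release of
// the same core; pre-release identifiers compare numerically when both are
// numeric, otherwise lexically, and a shorter identifier list ranks lower.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn) return -1; // numeric identifiers rank below alphanumeric ones
    if (yn) return 1;
    return x < y ? -1 : 1;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// True if `version` carries the fix for `cve` on its own release line.
// Assumption (this example only): majors older than the oldest listed fix are
// unpatched; majors newer than the newest listed fix already contain the fix.
function isPatched(version, cve) {
  const fixes = FIXED[cve];
  if (!fixes) throw new Error(`unknown advisory ${cve}`);
  const major = parseVersion(version).nums[0];
  const fixForLine = fixes.find((f) => parseVersion(f).nums[0] === major);
  if (fixForLine) return compareVersions(version, fixForLine) >= 0;
  const newest = Math.max(...fixes.map((f) => parseVersion(f).nums[0]));
  return major > newest;
}

// Every advisory from FIXED that `version` is still exposed to.
function unpatchedAdvisories(version) {
  return Object.keys(FIXED).filter((cve) => !isPatched(version, cve));
}

// Demo on the range this PR moves across, plus a newer-major trap.
for (const v of ['23.2.0', '23.3.13', '24.0.0']) {
  console.log(v, unpatchedAdvisories(v));
}
```

Run against the PR's own range, 23.2.0 is exposed to both advisories and 23.3.13 to neither, while 24.0.0 still lacks the CVE-2023-39956 fix. The same check is what a lockfile audit should perform per release line rather than with a single "greater than" comparison.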
Release Notes
electron/electron (electron)
### [`v23.3.13`](https://togithub.com/electron/electron/releases/tag/v23.3.13): electron v23.3.13
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.12...v23.3.13)
### Release Notes for v23.3.13
#### End of Support for 23.x.y
Electron 23.x.y has reached end-of-support as per the project's [support policy](https://www.electronjs.org/docs/latest/tutorial/electron-timelines#version-support-policy). Developers and applications are encouraged to upgrade to a newer version of Electron.
### [`v23.3.12`](https://togithub.com/electron/electron/releases/tag/v23.3.12): electron v23.3.12
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.11...v23.3.12)
### Release Notes for v23.3.12
#### Other Changes
- Fixed a crash while screen sharing on Wayland with PipeWire. [#39274](https://togithub.com/electron/electron/pull/39274)
- Security: backported fix for CVE-2023-3732.
- Security: backported fix for CVE-2023-3728.
- Security: backported fix for CVE-2023-3730. [#39268](https://togithub.com/electron/electron/pull/39268)
### [`v23.3.11`](https://togithub.com/electron/electron/releases/tag/v23.3.11): electron v23.3.11
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.10...v23.3.11)
### Release Notes for v23.3.11
#### Fixes
- Fixed a crash when listing desktop capture sources on Wayland with PipeWire. [#39116](https://togithub.com/electron/electron/pull/39116) (Also in [24](https://togithub.com/electron/electron/pull/39050), [25](https://togithub.com/electron/electron/pull/39051), [26](https://togithub.com/electron/electron/pull/39049))
### [`v23.3.10`](https://togithub.com/electron/electron/releases/tag/v23.3.10): electron v23.3.10
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.9...v23.3.10)
### Release Notes for v23.3.10
#### Other Changes
- Security: backported fix for CVE-2023-3422.
- Security: backported fix for CVE-2023-3421.
- Security: backported fix for CVE-2023-3420.
- Security: backported fix for [`1454860`](https://togithub.com/electron/electron/commit/1454860). [#38948](https://togithub.com/electron/electron/pull/38948)
### [`v23.3.9`](https://togithub.com/electron/electron/releases/tag/v23.3.9): electron v23.3.9
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.8...v23.3.9)
### Release Notes for v23.3.9
#### Fixes
- Fixed `preload` script may not run in some child windows opened by `window.open`. [#38933](https://togithub.com/electron/electron/pull/38933) (Also in [24](https://togithub.com/electron/electron/pull/38932), [25](https://togithub.com/electron/electron/pull/38931), [26](https://togithub.com/electron/electron/pull/38930))
- Fixed minimize button to be visible when all buttons reenabled. [#38880](https://togithub.com/electron/electron/pull/38880) (Also in [24](https://togithub.com/electron/electron/pull/38881), [25](https://togithub.com/electron/electron/pull/38879))
### [`v23.3.8`](https://togithub.com/electron/electron/releases/tag/v23.3.8): electron v23.3.8
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.7...v23.3.8)
### Release Notes for v23.3.8
#### Other Changes
- Security: backported fix for CVE-2023-3215.
- Security: backported fix for CVE-2023-3216.
- Security: backported fix for [`1450536`](https://togithub.com/electron/electron/commit/1450536). [#38788](https://togithub.com/electron/electron/pull/38788)
### [`v23.3.7`](https://togithub.com/electron/electron/releases/tag/v23.3.7): electron v23.3.7
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.6...v23.3.7)
### Release Notes for v23.3.7
#### Fixes
- Fixed visibility of menu bar when exiting full screen. [#38680](https://togithub.com/electron/electron/pull/38680) (Also in [24](https://togithub.com/electron/electron/pull/38681), [25](https://togithub.com/electron/electron/pull/38682), [26](https://togithub.com/electron/electron/pull/38683))
#### Other Changes
- Security: backported fix for [`1439691`](https://togithub.com/electron/electron/commit/1439691).
- Security: backported fix for CVE-2023-2724.
- Security: backported fix for [`1425115`](https://togithub.com/electron/electron/commit/1425115).
- Security: backported fix for [`1431761`](https://togithub.com/electron/electron/commit/1431761).
- Security: backported fix for CVE-2023-2725.
- Security: backported fix for CVE-2023-2721.
- Security: backported fix for [`1442263`](https://togithub.com/electron/electron/commit/1442263). [#38331](https://togithub.com/electron/electron/pull/38331)
- Security: backported fix for [`1447430`](https://togithub.com/electron/electron/commit/1447430).
- Security: backported fix for CVE-2023-3079. [#38652](https://togithub.com/electron/electron/pull/38652)
- Security: backported fix for CVE-2023-2933.
- Security: backported fix for CVE-2023-2932.
- Security: backported fix for CVE-2023-2931.
- Security: backported fix for [`1444195`](https://togithub.com/electron/electron/commit/1444195).
- Security: backported fix for CVE-2023-2936.
- Security: backported fix for CVE-2023-2935.
- Security: backported fix for CVE-2023-2934.
- Security: backported fix for CVE-2023-2930. [#38533](https://togithub.com/electron/electron/pull/38533)
### [`v23.3.6`](https://togithub.com/electron/electron/releases/tag/v23.3.6): electron v23.3.6
[Compare Source](https://togithub.com/electron/electron/compare/v23.3.5...v23.3.6)
### Release Notes for v23.3.6
#### Fixes
- Fixed an issue where `
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.