remyroy
commented
5 months ago That is a very nice improvement! Let me check that in details in the coming days.
Closed valefar-on-discord closed 5 months ago
remyroy
commented
5 months ago That is a very nice improvement! Let me check that in details in the coming days.
remyroy
commented
5 months ago I like path 2 which is what you took with 01345ea0ad0c30b5fddbe53b99a56a68987f9870.
I'm not fully aware of the potential dependency injection attack, but I would love to explore the option to upgrade to yarn v4 to mitigate this. I'm guessing updating to yarn v4 would need its own PR.
remyroy
commented
5 months ago It even fixed an unreported bug 😉
Updating electron and electron-build to the current latest, 28.2.2 and 24.9.1
There were breaking changes introduced with v20 of electron where renderers are sandboxed by default
Given that the application was not sandboxed originally, I have two paths forward:
isAddresswas not originally aPromisebut expected a return value. It is now a Two-way IPC request which requires aPromise: https://www.electronjs.org/docs/latest/tutorial/ipcshellOpenExternalwas not used so I removed itAfter doing a few rounds of testing the only graphical regression I noticed was specific to the recently added Online alert pulsing animation where the box-shadow was no longer rounded. Minimal but easy enough to update.
I didn't notice any other regressions with my testing.
Note: I am updating
package.jsonbut I will not commityarn.lockand this will need to be updated separately or appended to this PR. This is because the amount of changes to that file are non-trivial and me committing it would open the application to a potential dependency injection attack if not thoroughly investigated. Upgrading to yarn v4 would remove this attack vector: https://github.com/yarnpkg/berry/discussions/4136For now I feel it is best to continue having the primary contributors the only trusted individuals to update that file until yarn is updated.
Fixes #181