search

zce / vue-devtools

An electron devtools extension for debugging Vue.js applications.
MIT License
61 stars 23 forks source link

chore(deps): update dependency electron to v22 [security] #76

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate logo banner

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 8.2.0 -> 22.3.25 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-4075

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-4077

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-4076

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

Non-Impacted Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-15096

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-15174

Impact

The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.

Patches

Workarounds

Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

For more information

If you have any questions or comments about this advisory:

CVE-2020-15215

Impact

Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

Patches

This has been fixed in the following versions:

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29247

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

CVE-2023-29198

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2023-39956

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2023-5217

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-44402

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Release Notes

electron/electron (electron) ### [`v22.3.25`](https://togithub.com/electron/electron/releases/tag/v22.3.25): electron v22.3.25 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.24...v22.3.25) ### Release Notes for v22.3.25 #### Other Changes - Security: backported fix for CVE-2023-5217. [#​40026](https://togithub.com/electron/electron/pull/40026) ### [`v22.3.24`](https://togithub.com/electron/electron/releases/tag/v22.3.24): electron v22.3.24 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.23...v22.3.24) ### Release Notes for v22.3.24 #### Other Changes - Security: backported fix for CVE-2023-4572. [#​39689](https://togithub.com/electron/electron/pull/39689) - Security: backported fix for CVE-2023-4762. [#​39758](https://togithub.com/electron/electron/pull/39758) - Security: backported fix for CVE-2023-4863. [#​39827](https://togithub.com/electron/electron/pull/39827) ### [`v22.3.23`](https://togithub.com/electron/electron/releases/tag/v22.3.23): electron v22.3.23 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.22...v22.3.23) ### Release Notes for v22.3.23 #### Other Changes - Security: backported fix for CVE-2023-4427. - Security: backported fix for CVE-2023-4428. [#​39648](https://togithub.com/electron/electron/pull/39648) ### [`v22.3.22`](https://togithub.com/electron/electron/releases/tag/v22.3.22): electron v22.3.22 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.21...v22.3.22) ### Release Notes for v22.3.22 #### Fixes - Fixed decorations for tiled windows on Wayland. [#​39568](https://togithub.com/electron/electron/pull/39568) (Also in [24](https://togithub.com/electron/electron/pull/39567), [25](https://togithub.com/electron/electron/pull/39569), [26](https://togithub.com/electron/electron/pull/39571), [27](https://togithub.com/electron/electron/pull/39570)) #### Other Changes - Security: backported fix for CVE-2023-4355. - Security: backported fix for CVE-2023-4354. - Security: backported fix for CVE-2023-4353. - Security: backported fix for CVE-2023-4352. - Security: backported fix for CVE-2023-4351. [#​39559](https://togithub.com/electron/electron/pull/39559) ### [`v22.3.21`](https://togithub.com/electron/electron/releases/tag/v22.3.21): electron v22.3.21 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.18...v22.3.21) ### Release Notes for v22.3.21 #### Fixes - Fixed unnecessary package.json check on built-in modules. [#​39425](https://togithub.com/electron/electron/pull/39425) #### Other Changes - Security: backported fix for [`1444438`](https://togithub.com/electron/electron/commit/1444438). - Security: backported fix for CVE-2023-3732. - Security: backported fix for CVE-2023-3728. - Security: backported fix for CVE-2023-3730. [#​39269](https://togithub.com/electron/electron/pull/39269) ### [`v22.3.18`](https://togithub.com/electron/electron/releases/tag/v22.3.18): electron v22.3.18 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.17...v22.3.18) ### Release Notes for v22.3.18 #### Other Changes - Security: backported fix for CVE-2023-3422. - Security: backported fix for CVE-2023-3421. - Security: backported fix for CVE-2023-3420. - Security: backported fix for [`1454860`](https://togithub.com/electron/electron/commit/1454860). [#​38949](https://togithub.com/electron/electron/pull/38949) ### [`v22.3.17`](https://togithub.com/electron/electron/releases/tag/v22.3.17): electron v22.3.17 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.16...v22.3.17) ### Release Notes for v22.3.17 #### Other Changes - Security: backported fix for CVE-2023-3422. - Security: backported fix for CVE-2023-3421. - Security: backported fix for CVE-2023-3420. - Security: backported fix for [`1454860`](https://togithub.com/electron/electron/commit/1454860). [#​38949](https://togithub.com/electron/electron/pull/38949) ### [`v22.3.16`](https://togithub.com/electron/electron/releases/tag/v22.3.16): electron v22.3.16 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.15...v22.3.16) ### Release Notes for v22.3.16 #### Other Changes - Security: backported fix for CVE-2023-3215. - Security: backported fix for CVE-2023-3216. - Security: backported fix for [`1450536`](https://togithub.com/electron/electron/commit/1450536). - Security: backported fix for CVE-2023-0698. - Security: backported fix for CVE-2023-0932. [#​38789](https://togithub.com/electron/electron/pull/38789) ### [`v22.3.15`](https://togithub.com/electron/electron/releases/tag/v22.3.15): electron v22.3.15 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.14...v22.3.15) ### Release Notes for v22.3.15 #### Other Changes - Security: backported fix for CVE-2023-3215. - Security: backported fix for CVE-2023-3216. - Security: backported fix for [`1450536`](https://togithub.com/electron/electron/commit/1450536). - Security: backported fix for CVE-2023-0698. - Security: backported fix for CVE-2023-0932. [#​38789](https://togithub.com/electron/electron/pull/38789) ### [`v22.3.14`](https://togithub.com/electron/electron/releases/tag/v22.3.14): electron v22.3.14 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.13...v22.3.14) ### Release Notes for v22.3.14 #### Other Changes - Security: backported fix for CVE-2023-3215. - Security: backported fix for CVE-2023-3216. - Security: backported fix for [`1450536`](https://togithub.com/electron/electron/commit/1450536). - Security: backported fix for CVE-2023-0698. - Security: backported fix for CVE-2023-0932. [#​38789](https://togithub.com/electron/electron/pull/38789) ### [`v22.3.13`](https://togithub.com/electron/electron/releases/tag/v22.3.13): electron v22.3.13 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.12...v22.3.13) ### Release Notes for v22.3.13 #### Other Changes - Security: backported fix for [`1437346`](https://togithub.com/electron/electron/commit/1437346). - Security: backported fix for [`1439691`](https://togithub.com/electron/electron/commit/1439691). - Security: backported fix for CVE-2023-2724. - Security: backported fix for CVE-2023-2723. - Security: backported fix for [`1425115`](https://togithub.com/electron/electron/commit/1425115). - Security: backported fix for [`1431761`](https://togithub.com/electron/electron/commit/1431761). - Security: backported fix for CVE-2023-2725. - Security: backported fix for CVE-2023-2721. - Security: backported fix for [`1442263`](https://togithub.com/electron/electron/commit/1442263). [#​38332](https://togithub.com/electron/electron/pull/38332) - Security: backported fix for [`1447430`](https://togithub.com/electron/electron/commit/1447430). - Security: backported fix for CVE-2023-3079. [#​38653](https://togithub.com/electron/electron/pull/38653) - Security: backported fix for CVE-2023-2933. - Security: backported fix for CVE-2023-2932. - Security: backported fix for CVE-2023-2931. - Security: backported fix for [`1444195`](https://togithub.com/electron/electron/commit/1444195). - Security: backported fix for CVE-2023-2936. - Security: backported fix for CVE-2023-2935. - Security: backported fix for CVE-2023-2930. [#​38534](https://togithub.com/electron/electron/pull/38534) ### [`v22.3.12`](https://togithub.com/electron/electron/releases/tag/v22.3.12): electron v22.3.12 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.11...v22.3.12) ### Release Notes for v22.3.12 #### Other Changes - Security: backported fix for [`1423360`](https://togithub.com/electron/electron/commit/1423360). [#​38277](https://togithub.com/electron/electron/pull/38277) ### [`v22.3.11`](https://togithub.com/electron/electron/releases/tag/v22.3.11): electron v22.3.11 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.10...v22.3.11) ### Release Notes for v22.3.11 #### Other Changes - Security: backported fix for [`1423360`](https://togithub.com/electron/electron/commit/1423360). [#​38277](https://togithub.com/electron/electron/pull/38277) ### [`v22.3.10`](https://togithub.com/electron/electron/releases/tag/v22.3.10): electron v22.3.10 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.9...v22.3.10) ### Release Notes for v22.3.10 #### Other Changes - Security: backported fix for CVE-2023-29469. [#​38274](https://togithub.com/electron/electron/pull/38274) ### [`v22.3.9`](https://togithub.com/electron/electron/releases/tag/v22.3.9): electron v22.3.9 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.8...v22.3.9) ### Release Notes for v22.3.9 #### Other Changes - Fixed drag-and-drop crash on Wayland. [#​38199](https://togithub.com/electron/electron/pull/38199) ### [`v22.3.8`](https://togithub.com/electron/electron/releases/tag/v22.3.8): electron v22.3.8 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.7...v22.3.8) ### Release Notes for v22.3.8 #### Fixes - Fixed crash when executing eval in the utility process. [#​38156](https://togithub.com/electron/electron/pull/38156) (Also in [23](https://togithub.com/electron/electron/pull/38040), [24](https://togithub.com/electron/electron/pull/38041), [25](https://togithub.com/electron/electron/pull/38039)) ### [`v22.3.7`](https://togithub.com/electron/electron/releases/tag/v22.3.7): electron v22.3.7 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.6...v22.3.7) ### Release Notes for v22.3.7 #### Fixes - Fixed an issue which made defaultFontFamily in webPreferences have no effect. [#​37970](https://togithub.com/electron/electron/pull/37970) (Also in [23](https://togithub.com/electron/electron/pull/37969), [24](https://togithub.com/electron/electron/pull/37968), [25](https://togithub.com/electron/electron/pull/37967)) - Fixed broken defaults in `shell.openExternal()` options. [#​38092](https://togithub.com/electron/electron/pull/38092) (Also in [23](https://togithub.com/electron/electron/pull/38091), [24](https://togithub.com/electron/electron/pull/38072), [25](https://togithub.com/electron/electron/pull/38071)) - Fixed the active background color for top-level menu items on Windows. [#​37991](https://togithub.com/electron/electron/pull/37991) (Also in [23](https://togithub.com/electron/electron/pull/37784), [24](https://togithub.com/electron/electron/pull/37785)) #### Other Changes - Security: backported fix for [`1360571`](https://togithub.com/electron/electron/commit/1360571). [#​38062](https://togithub.com/electron/electron/pull/38062) - Security: backported fix for [`1404790`](https://togithub.com/electron/electron/commit/1404790). [#​38064](https://togithub.com/electron/electron/pull/38064) - Security: backported fix for [`1417317`](https://togithub.com/electron/electron/commit/1417317). [#​37665](https://togithub.com/electron/electron/pull/37665) - Security: backported fix for [`1427388`](https://togithub.com/electron/electron/commit/1427388). [#​37983](https://togithub.com/electron/electron/pull/37983) - Security: backported fix for [`1428820`](https://togithub.com/electron/electron/commit/1428820). [#​38068](https://togithub.com/electron/electron/pull/38068) - Security: backported fix for CVE-2023-2033. [#​37980](https://togithub.com/electron/electron/pull/37980) - Security: backported fix for CVE-2023-2133. [#​38058](https://togithub.com/electron/electron/pull/38058) - Security: backported fix for CVE-2023-2134. [#​38056](https://togithub.com/electron/electron/pull/38056) - Security: backported fix for CVE-2023-2135. [#​38060](https://togithub.com/electron/electron/pull/38060) - Security: backported fix for CVE-2023-2136. [#​38066](https://togithub.com/electron/electron/pull/38066) ### [`v22.3.6`](https://togithub.com/electron/electron/releases/tag/v22.3.6): electron v22.3.6 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.5...v22.3.6) ### Release Notes for v22.3.6 #### Fixes - Fixed recommended `node-gyp` version in `node.h` error. [#​37942](https://togithub.com/electron/electron/pull/37942) (Also in [23](https://togithub.com/electron/electron/pull/37941), [24](https://togithub.com/electron/electron/pull/37927), [25](https://togithub.com/electron/electron/pull/37926)) - Security: Fixed an issue with Content-Security-Policy not being correctly enforced when sandbox: false and contextIsolation: false. (CVE-2023-23623). [#​37843](https://togithub.com/electron/electron/pull/37843) (Also in [24](https://togithub.com/electron/electron/pull/37839)) #### Other Changes - Fixed a memory leak in v8.serialize() when running Node.js within Electron. [#​37774](https://togithub.com/electron/electron/pull/37774) (Also in [23](https://togithub.com/electron/electron/pull/37030)) - Security: backported fix for CVE-2023-1810. [#​37850](https://togithub.com/electron/electron/pull/37850) - Security: backported fix for CVE-2023-1811. [#​37848](https://togithub.com/electron/electron/pull/37848) ### [`v22.3.5`](https://togithub.com/electron/electron/releases/tag/v22.3.5): electron v22.3.5 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.4...v22.3.5) ### Release Notes for v22.3.5 #### Fixes - Fixed an issue where calling `port.postMessage` in `MessagePortMain` with some invalid parameters could cause a crash. [#​37725](https://togithub.com/electron/electron/pull/37725) (Also in [23](https://togithub.com/electron/electron/pull/37724), [24](https://togithub.com/electron/electron/pull/37726)) - Fixed canceling of bluetooth requests when no devices are returned. [#​37739](https://togithub.com/electron/electron/pull/37739) (Also in [23](https://togithub.com/electron/electron/pull/37720), [24](https://togithub.com/electron/electron/pull/37717)) #### Other Changes - Security: backported fix for [`1412991`](https://togithub.com/electron/electron/commit/1412991). [#​37659](https://togithub.com/electron/electron/pull/37659) - Security: backported fix for [`1418734`](https://togithub.com/electron/electron/commit/1418734). [#​37661](https://togithub.com/electron/electron/pull/37661) - Security: backported fix for CVE-2023-1214. [#​37654](https://togithub.com/electron/electron/pull/37654) - Security: backported fix for CVE-2023-1217. [#​37652](https://togithub.com/electron/electron/pull/37652) - Security: backported fix for CVE-2023-1218. [#​37650](https://togithub.com/electron/electron/pull/37650) - Security: backported fix for CVE-2023-1219. [#​37669](https://togithub.com/electron/electron/pull/37669) - Security: backported fix for CVE-2023-1529. [#​37694](https://togithub.com/electron/electron/pull/37694) - Security: backported fix for CVE-2023-1530. [#​37698](https://togithub.com/electron/electron/pull/37698) - Security: backported fix for CVE-2023-1531. [#​37696](https://togithub.com/electron/electron/pull/37696) - Security: backported fix for CVE-2023-1532. [#​37693](https://togithub.com/electron/electron/pull/37693) - Security: backported fix for CVE-2023-1534. [#​37691](https://togithub.com/electron/electron/pull/37691) ### [`v22.3.4`](https://togithub.com/electron/electron/releases/tag/v22.3.4): electron v22.3.4 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.3...v22.3.4) ### Release Notes for v22.3.4 #### Fixes - Fixed an issue with potential dock icon duplication on macOS. [#​37623](https://togithub.com/electron/electron/pull/37623) (Also in [23](https://togithub.com/electron/electron/pull/37624), [24](https://togithub.com/electron/electron/pull/37625)) - Fixed issue with BrowserWindow not updating after call to previewFile. [#​37576](https://togithub.com/electron/electron/pull/37576) (Also in [23](https://togithub.com/electron/electron/pull/37577), [24](https://togithub.com/electron/electron/pull/37578)) - Improved error messages on `session.cookies.set` failure. [#​37595](https://togithub.com/electron/electron/pull/37595) (Also in [23](https://togithub.com/electron/electron/pull/37596), [24](https://togithub.com/electron/electron/pull/37597)) #### Other Changes - Security: backported fix for [`1415249`](https://togithub.com/electron/electron/commit/1415249). [#​37671](https://togithub.com/electron/electron/pull/37671) - Security: backported fix for [`1416916`](https://togithub.com/electron/electron/commit/1416916). [#​37657](https://togithub.com/electron/electron/pull/37657) - Security: backported fix for [`1417585`](https://togithub.com/electron/electron/commit/1417585). [#​37663](https://togithub.com/electron/electron/pull/37663) - Security: backported fix for CVE-2023-1213. [#​37656](https://togithub.com/electron/electron/pull/37656) - Security: backported fix for CVE-2023-1215. [#​37648](https://togithub.com/electron/electron/pull/37648) - Security: backported fix for CVE-2023-1220. [#​37667](https://togithub.com/electron/electron/pull/37667) ### [`v22.3.3`](https://togithub.com/electron/electron/releases/tag/v22.3.3): electron v22.3.3 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.2...v22.3.3) ### Release Notes for v22.3.3 #### Fixes - Fixed an issue where unhandled rejections could cause duplicate logs in some cases. [#​37502](https://togithub.com/electron/electron/pull/37502) (Also in [23](https://togithub.com/electron/electron/pull/37501), [24](https://togithub.com/electron/electron/pull/37500)) #### Other Changes - Security: backported fix for [`1414224`](https://togithub.com/electron/electron/commit/1414224). [#​37483](https://togithub.com/electron/electron/pull/37483) - Security: backported fix for CVE-2023-0928. [#​37481](https://togithub.com/electron/electron/pull/37481) - Security: backported fix for CVE-2023-0929. [#​37479](https://togithub.com/electron/electron/pull/37479) - Security: backported fix for CVE-2023-0931. [#​37477](https://togithub.com/electron/electron/pull/37477) - Security: backported fix for CVE-2023-0932. [#​37485](https://togithub.com/electron/electron/pull/37485) ### [`v22.3.2`](https://togithub.com/electron/electron/releases/tag/v22.3.2): electron v22.3.2 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.1...v22.3.2) ### Release Notes for v22.3.2 #### Fixes - Fixed an issue where `minWidth`/`minHeight` and `maxWidth`/`maxHeight` would not be enforced if the user set an `aspectRatio` on macOS. [#​37458](https://togithub.com/electron/electron/pull/37458) (Also in [23](https://togithub.com/electron/electron/pull/37457), [24](https://togithub.com/electron/electron/pull/37456)) - Fixed an issue where passing both `hasReply` and `actions` to a main process Notification on macOS resulted in the first action being obscured and unavailable. [#​37447](https://togithub.com/electron/electron/pull/37447) (Also in [23](https://togithub.com/electron/electron/pull/37448), [24](https://togithub.com/electron/electron/pull/37449)) - Fixed window could not go back to maximized state when restored on Linux. [#​37360](https://togithub.com/electron/electron/pull/37360) (Also in [23](https://togithub.com/electron/electron/pull/37359), [24](https://togithub.com/electron/electron/pull/37358)) #### Other Changes - Improved error messages for `contents.takeHeapSnapshot`. [#​37459](https://togithub.com/electron/electron/pull/37459) (Also in [23](https://togithub.com/electron/electron/pull/37460), [24](https://togithub.com/electron/electron/pull/37461)) ### [`v22.3.1`](https://togithub.com/electron/electron/releases/tag/v22.3.1): electron v22.3.1 [Compare Source](https://togithub.com/electron/electron/compare/v22.3.0...v22.3.1) ##### Release Notes for v22.3.1 ##### Other Changes - Security: backported fix for chromium:1408392. [#​37298](https://togithub.com/electron/electron/pull/37298) ##### Documentation - Documentation changes: [#​37289](https://togithub.com/electron/electron/pull/37289) ### [`v22.3.0`](https://togithub.com/electron/electron/releases/tag/v22.3.0): electron v22.3.0 [Compare Source](https://togithub.com/electron/electron/compare/v22.2.1...v22.3.0) ### Release Notes for v22.3.0 #### Features - Added several standard page size options to `webContents.print()`. [#​37263](https://togithub.com/electron/electron/pull/37263) (Also in [23](https://togithub.com/electron/electron/pull/37264), [24](https://togithub.com/electron/electron/pull/37265)) #### Fixes - Fixed a crash when `BrowserView`s are present and a user attempts to prevent `beforeunload` in the renderer process. [#​37266](https://togithub.com/electron/electron/pull/37266) (Also in [23](https://togithub.com/electron/electron/pull/37267), [24](https://togithub.com/electron/electron/pull/37268)) - Fixed an incorrect result returned when using secure as a cookies filter. [#​37247](https://togithub.com/electron/electron/pull/37247) (Also in [24](https://togithub.com/electron/electron/pull/37246)) #### Other Changes - Security: backported fix for CVE-2023-0696. [#​37192](https://togithub.com/electron/electron/pull/37192) ### [`v22.2.1`](https://togithub.com/electron/electron/releases/tag/v22.2.1): electron v22.2.1 [Compare Source](https://togithub.com/electron/electron/compare/v22.2.0...v22.2.1) ##### Release Notes for v22.2.1 ##### Features - Whole-program optimization is enabled by default in electron node headers config file. [#​37047](https://togithub.com/electron/electron/pull/37047) (Also in [21](https://togithub.com/electron/electron/pull/37048), [23](https://togithub.com/electron/electron/pull/37046)) ##### Fixes - Basic accessibility support is now enabled when macOS Voice Control is activated to allow for full voice control of Electron applications. [#​37146](https://togithub.com/electron/electron/pull/37146) (Also in [21](https://togithub.com/electron/electron/pull/37144), [23](https://togithub.com/electron/electron/pull/37145)) - Fixed audio worklet scripts failing to run when `nodeIntegrationInWorker: true`. [#​37102](https://togithub.com/electron/electron/pull/37102) (Also in [23](https://togithub.com/electron/electron/pull/37104)) ##### Documentation - Documentation changes: [#​37107](https://togithub.com/electron/electron/pull/37107) ### [`v22.2.0`](https://togithub.com/electron/electron/releases/tag/v22.2.0): electron v22.2.0 [Compare Source](https://togithub.com/electron/electron/compare/v22.1.0...v22.2.0) ### Release Notes for v22.0.0 #### Stack Upgrades - Chromium 108.0.5359.62. - [New in 108](https://developer.chrome.com/blog/new-in-chrome-108/) - [New in 107](https://developer.chrome.com/blog/new-in-chrome-107/) - Node v16.17.1. - [v16.17.1 release notes](https://nodejs.org/en/blog/release/v16.17.1/) - [v16.17.0 release notes](https://nodejs.org/en/blog/release/v16.17.0/) - V8 v10.8 #### Breaking Changes - Added WebContents `input-event` event. - Deprecated BrowserWindow `scroll-touch-*` events. [#​35531](https://togithub.com/electron/electron/pull/35531) - The deprecated `new-window` event has been removed. [#​34526](https://togithub.com/electron/electron/pull/34526) #### Features - Added `LoadBrowserProcessSpecificV8Snapshot` as a new fuse that will let the main/browser process load its v8 snapshot from a file at `browser_v8_context_snapshot.bin`. Any other process will use the same path as is used today. [#​35266](https://togithub.com/electron/electron/pull/35266) (Also in [20](https://togithub.com/electron/electron/pull/35694), [21](https://togithub.com/electron/electron/pull/35695)) - Added `WebContents.opener` to access window opener. - Added `webContents.fromFrame(frame)` to get the WebContents corresponding to a WebFrameMain instance. [#​35140](https://togithub.com/electron/electron/pull/35140) (Also in [21](https://togithub.com/electron/electron/pull/35819)) - Added `app.getSystemLocale()` method. [#​35697](https://togithub.com/electron/electron/pull/35697) (Also in [21](https://togithub.com/electron/electron/pull/35794)) - Added `contextBridge.exposeInIsolatedWorld(worldId, key, api)` to expose an API to an `isolatedWorld` within a renderer from a preload script. [#​34974](https://togithub.com/electron/electron/pull/34974) - Added `webContents.close()` method. [#​35509](https://togithub.com/electron/electron/pull/35509) - Added `webFrameMain.origin`. [#​35438](https://togithub.com/electron/electron/pull/35438) (Also in [19](https://togithub.com/electron/electron/pull/35624), [20](https://togithub.com/electron/electron/pull/35535), [21](https://togithub.com/electron/electron/pull/35534)) - Added an `app.getPreferredSystemLanguages()` API to return the user's system languages. [#​36291](https://togithub.com/electron/electron/pull/36291) (Also in [21](https://togithub.com/electron/electron/pull/36290)) - Added new UtilityProcess API to launch chromium child process with node integration. [#​36089](https://togithub.com/electron/electron/pull/36089) - Added new WebContents event `content-bounds-updated`. [#​35533](https://togithub.com/electron/electron/pull/35533) - Added new `WebContents.ipc` and `WebFrameMain.ipc` APIs. [#​34959](https://togithub.com/electron/electron/pull/34959) (Also in [21](https://togithub.com/electron/electron/pull/35231)) - Added support for Web Bluetooth pin pairing on Linux and Windows. [#​35416](https://togithub.com/electron/electron/pull/35416) (Also in [21](https://togithub.com/electron/electron/pull/35818)) - Added support for `navigator.mediaDevices.getDisplayMedia` via a new session handler, `ses.setDisplayMediaRequestHandler`. [#​30702](https://togithub.com/electron/electron/pull/30702) - Added support for `serialPort.forget()` as well as a new event `serial-port-revoked` emitted when a given origin is revoked. [#​36062](https://togithub.com/electron/electron/pull/36062) #### Fixes - Added support for Webauthn discoverable keys (aka resident keys), allowing users to authenticate without first having to select or type a username. [#​35374](https://togithub.com/electron/electron/pull/35374) - Enable crashpad for ELECTRON_RUN_AS_NODE processes on linux. [#​36483](https://togithub.com/electron/electron/pull/36483) - Fixed `click` event and tooltip of `Tray` not working on Linux. [#​36472](https://togithub.com/electron/electron/pull/36472) - Fixed an issue where frameless non-resizable windows showed a Windows 7 frame during startup. [#​36024](https://togithub.com/electron/electron/pull/36024) - Fixed an issue with incomplete EventEmitter object in sandboxed renderer preload script. [#​35522](https://togithub.com/electron/electron/pull/35522) - Fixed race condition during update on macOS that could result in TCC and Keychain errors. [#​36362](https://togithub.com/electron/electron/pull/36362) - Removed unneeded --turbo-profiling-input argument from mksnapshot_args. [#​36463](https://togithub.com/electron/electron/pull/36463) ##### Also in earlier versions... - Added a background to the WCO container to avoid rendering glitches. [#​35569](https://togithub.com/electron/electron/pull/35569) (Also in [19](https://togithub.com/electron/electron/pull/35610), [20](https://togithub.com/electron/electron/pull/35611), [21](https://togithub.com/electron/electron/pull/35612)) - Added support for Windows drop-down dialog extensions. [#​35618](https://togithub.com/electron/electron/pull/35618) (Also in [18](https://togithub.com/electron/electron/pull/35661), [19](https://togithub.com/electron/electron/pull/35660), [20](https://togithub.com/electron/electron/pull/35659), [21](https://togithub.com/electron/electron/pull/36027)) - Default margin has been added in the code. [#​36073](https://togithub.com/electron/electron/pull/36073) (Also in [21](https://togithub.com/electron/electron/pull/36072)) - Enable WCO maximize button when window enters tablet mode and is not already maximized. [#​35617](https://togithub.com/electron/electron/pull/35617) (Also in [19](https://togithub.com/electron/electron/pull/35677), [20](https://togithub.com/electron/electron/pull/35663), [21](https://togithub.com/electron/electron/pull/35664)) - Fixed `uv_os_gethostname` failing on Windows 7. [#​35702](https://togithub.com/electron/electron/pull/35702) (Also in [19](https://togithub.com/electron/electron/pull/35703), [20](https://togithub.com/electron/electron/pull/35705), [21](https://togithub.com/electron/electron/pull/35704)) - Fixed a bug where calling `atob` in the renderer process could fail under some circumstances. [#​35415](https://togithub.com/electron/electron/pull/35415) (Also in [19](https://togithub.com/electron/electron/pull/35444), [20](https://togithub.com/electron/electron/pull/35445), [21](https://togithub.com/electron/electron/pull/35443)) - Fixed a crash that occured when loading non-standard schemes from iframes. [#​35485](https://togithub.com/electron/electron/pull/35485) (Also in [21](https://togithub.com/electron/electron/pull/35517)) - Fixed a crash when switching origins with emulation settings set. [#​35466](https://togithub.com/electron/electron/pull/35466) (Also in [21](https://togithub.com/electron/electron/pull/35488)) - Fixed a drag-and-drop issue on macOS where items would be incorrectly moved instead of copied in some contexts. [#​35976](https://togithub.com/electron/electron/pull/35976) (Also in [20](https://togithub.com/electron/electron/pull/35978), [21](https://togithub.com/electron/electron/pull/35977)) - Fixed a potential crash on WebWorker destruction. [#​35422](https://togithub.com/electron/electron/pull/35422) (Also in [19](https://togithub.com/electron/electron/pull/35490), [20](https://togithub.com/electron/electron/pull/35491), [21](https://togithub.com/electron/electron/pull/35492)) - Fixed a potential issue when calling `webContents.printToPDF()`. [#​36065](https://togithub.com/electron/electron/pull/36065) (Also in [21](https://togithub.com/electron/electron/pull/36064)) - Fixed a potential memory leak. [#​35964](https://togithub.com/electron/electron/pull/35964) (Also in [21](https://togithub.com/electron/electron/pull/35965)) - Fixed an edge case in `app.isInApplicationsFolder()` which would return false incorrectly in some cases. [#​35636](https://togithub.com/electron/electron/pull/35636) (Also in [19](https://togithub.com/electron/electron/pull/35729), [20](https://togithub.com/electron/electron/pull/35731), [21](https://togithub.com/electron/electron/pull/35730)) - Fixed an issue where DevTools could not be docked with Windows Control Overlay enabled. [#​35754](https://togithub.com/electron/electron/pull/35754) (Also in [19](https://togithub.com/electron/electron/pull/35763), [20](https://togithub.com/electron/electron/pull/35764), [21](https://togithub.com/electron/electron/pull/35765)) - Fixed an issue where WCO could occlude DevTools opened in any non-detached mode. [#​35209](https://togithub.com/electron/electron/pull/35209) (Also in [18](https://togithub.com/electron/electron/pull/35307), [19](https://togithub.com/electron/electron/pull/35308), [20](https://togithub.com/electron/electron/pull/35309), [21](https://togithub.com/electron/electron/pull/35688)) - Fixed an issue where `screen.getCursorScreenPoint()` crashed on Wayland when it was called before a `BrowserWindow` had been created. [#​35503](https://togithub.com/electron/electron/pull/35503) (Also in [21](https://togithub.com/electron/electron/pull/35575)) - Fixed an issue where `serialPort.open()` failed with `NetworkError: Failed to open serial port.`. [#​35306](https://togithub.com/electron/electron/pull/35306) (Also in [21](https://togithub.com/electron/electron/pull/35339)) - Fixed an issue where app.relaunch loses args when execPath is specified. [#​35108](https://togithub.com/electron/electron/pull/35108) (Also in [19](https://togithub.com/electron/electron/pull/35252), [20](https://togithub.com/electron/electron/pull/35253), [21](https://togithub.com/electron/electron/pull/35254)) - Fixed an issue where calling `app.dock.setIcon(/path/t/icon)` would crash when called before the `ready` event on `app`. [#​36293](https://togithub.com/electron/electron/pull/36293) (Also in [20](https://togithub.com/electron/electron/pull/36292), [21](https://togithub.com/electron/electron/pull/36294)) - Fixed an issue where frameless resizable windows showed Window 7 style frames while opening. [#​35189](https://togithub.com/electron/electron/pull/35189) (Also in [18](https://togithub.com/electron/electron/pull/35477), [19](https://togithub.com/electron/electron/pull/35351), [20](https://togithub.com/electron/electron/pull/35352), [21](https://togithub.com/electron/electron/pull/35353)) - Fixed an issue where frameless windows with `roundedCorners: false` couldn't enter fullscreen without crashing. [#​35421](https://togithub.com/electron/electron/pull/35421) (Also in [19](https://togithub.com/electron/electron/pull/35456), [20](https://togithub.com/electron/electron/pull/35455), [21](https://togithub.com/electron/electron/pull/35454)) - Fixed an issue where part of the BrowserView could be cut off when calling `setBounds` on some windows. [#​34713](https://togithub.com/electron/electron/pull/34713) (Also in [19](https://togithub.com/electron/electron/pull/35495), [20](https://togithub.com/electron/electron/pull/35494), [21](https://togithub.com/electron/electron/pull/35502)) - Fixed an issue where some options were incorrectly ignored when using `webContents.printToPDF()`. [#​35993](https://togithub.com/electron/electron/pull/35993) (Also in [21](https://togithub.com/electron/electron/pull/35992)) - Fixed crash in renderer when resuming system from sleep. [#​35322](https://togithub.com/electron/electron/pull/35322) (Also in [18](https://togithub.com/electron/electron/pull/35340), [19](https://togithub.com/electron/electron/pull/35337), [20](https://togithub.com/electron/electron/pull/35338), [21](https://togithub.com/electron/electron/pull/35336)) - Fixed enable promise support with webFrameMain.executeJavaScript. [#​35292](https://togithub.com/electron/electron/pull/35292) (Also in [20](https://togithub.com/electron/electron/pull/35358), [21](https://togithub.com/electron/electron/pull/35359)) - Fixed issue with history.back() in sandboxed iframes affecting parent browsing context. [#​35420](https://togithub.com/electron/electron/pull/35420) (Also in [19](https://togithub.com/electron/electron/pull/35621), [20](https://togithub.com/electron/electron/pull/35622), [21](https://togithub.com/electron/electron/pull/35623)) - Fixed on-screen-keyboard not hiding on input rendered in webview is blurred. [#​35983](https://togithub.com/electron/electron/pull/35983) (Also in [20](https://togithub.com/electron/electron/pull/35981), [21](https://togithub.com/electron/electron/pull/35982)) - Fixed session.getBlobData never resolves with blob sizes > 65536. [#​35277](https://togithub.com/electron/electron/pull/35277) (Also in [19](https://togithub.com/electron/electron/pull/35600), [20](https://togithub.com/electron/electron/pull/35601), [21](https://togithub.com/electron/electron/pull/35602)) - Fixed spurious promise rejection in `webContents.loadURL` when navigating to a hash. [#​36151](https://togithub.com/electron/electron/pull/36151) (Also in [20](https://togithub.com/electron/electron/pull/36149), [21](https://togithub.com/electron/electron/pull/36150)) - Fixed undefined details.requestingUrl from session.setPermissionCheckHandler. [#​35281](https://togithub.com/electron/electron/pull/35281) (Also in [20](https://togithub.com/electron/electron/pull/35408), [21](https://togithub.com/electron/electron/pull/35409)) - Fixed v8 flags and desktop name in package.json does not hornored when running local app using electron cli. [#​36049](https://togithub.com/electron/electron/pull/36049) (Also in [20](https://togithub.com/electron/electron/pull/36048), [21](https://togithub.com/electron/electron/pull/36050)) - Fixed: If a custom Electron build contains an electron.d.ts file, it is now being used. [#​33979](https://togithub.com/electron/electron/pull/33979) (Also in [20](https://togithub.com/electron/electron/pull/35823), [21](https://togithub.com/electron/electron/pull/35822)) - Picture-In-Picture mode no longer becomes a red rectangle on hover. [#​35034](https://togithub.com/electron/electron/pull/35034) (Also in [19](https://togithub.com/electron/electron/pull/35400), [20](https://togithub.com/electron/electron/pull/35402), [21](https://togithub.com/electron/electron/pull/35401)) - Provided display_id for desktopCapturer on Linux. [#​33861](https://togithub.com/electron/electron/pull/33861) (Also in [19](https://togithub.com/electron/electron/pull/35835), [20](https://togithub.com/electron/electron/pull/35834), [21](https://togithub.com/electron/electron/pull/35836)) - Removed support for `nodeIntegrationInWorker` in Service Workers and Shared Workers owing to sandboxing policies. [#​36010](https://togithub.com/electron/electron/pull/36010) (Also in [21](https://togithub.com/electron/electron/pull/36009)) - Usage of `safeStorage` now consistently uses the correct service name on macOS regardless of timing with browser window construction. [#​34683](https://togithub.com/electron/electron/pull/34683) (Also in [19](https://togithub.com/electron/electron/pull/35795), [20](https://togithub.com/electron/electron/pull/35796)) - You can now import the built-in electron module via ESModule loaders, i.e. `import('electron')` and `import 'electron'` now work natively. [#​35957](https://togithub.com/electron/electron/pull/35957) (Also in [20](https://togithub.com/electron/electron/pull/35956), [21](https://togithub.com/electron/electron/pull/35958)) - Fixed a typo in the section on debugging with VSCode. [#​35256](https://togithub.com/electron/electron/pull/35256) (Also in [19](https://togithub.com/electron/electron/pull/35284), [20](https://togithub.com/electron/electron/pull/35286), [21](https://togithub.com/electron/electron/pull/35285)) #### Other Changes - Backported fix for chromium:1352405. [#​36458](https://togithub.com/electron/electron/pull/36458) - Bumps the minimum required version of Node.js needed to install Electron to 12.20.55. [#​35301](https://togithub.com/electron/electron/pull/35301) - Enabled out-of-process iframe printing to PDF with `webContents.printToPDF().`. [#​36095](https://togithub.com/electron/electron/pull/36095) - Fixed `win.getBrowserViews()` not being updated when a BrowserView was moved to a different window. [#​35511](https://togithub.com/electron/electron/pull/35511) - Fixed an issue where some spellcheck functionality would incorrectly throw errors on macOS. [#​35514](https://togithub.com/electron/electron/pull/35514) (Also in [21](https://togithub.com/electron/electron/pull/35679)) - Modified the WCO maximized button style to match Windows 11 more closely. [#​35370](https://togithub.com/electron/electron/pull/35370) (Also in [20](https://togithub.com/electron/electron/pull/35968), [21](https://togithub.com/electron/electron/pull/35970)) - Updated `common.gypi` for native modules to support C++17 features in V8. [#​36369](https://togithub.com/electron/electron/pull/36369) (Also in [20](https://togithub.com/electron/electron/pull/36382), [21](https://togithub.com/electron/electron/pull/36383)) #### Documentation - Documentation changes: - [#​35283](https://togithub.com/electron/electron/pull/35283) - [#​35324](https://togithub.com/electron/el