electron-builder

Problematic package: malept/flatpak-bundler

Open Stanzilla opened this issue 1 year ago • 3 comments

  • Electron-Builder Version: v25.0.5
  • Node Version: 20
  • Electron Version: 32
  • Electron Type (current, beta, nightly):
  • Target:

electron-builder currently bundles https://github.com/malept/flatpak-bundler which is an outdated fork of an outdated lib. The main problem is that it uses the tmp package https://www.npmjs.com/package/tmp at a version that had breaking changes (2.0.1) that were reverted in 2.0.2. This causes a problem for Windows user accounts that have single quotes in them, which is allowed.

I'm not sure what the best way to fix this is, maybe force the latest version of tmp inside of electron-builder.

Stanzilla avatar Sep 02 '24 19:09 Stanzilla

Forcing the latest version inside of electron-builder only does a local change AFAIK, it does not get published as part of the electron-builder package (right?) since electron-builder doesn't package in dependencies and the dependency resolution occurs on your local device during yarn/npm install.

I think a PR in flatpak-bundler needs to occur before this can be resolved in electron-builder

mmaietta avatar Sep 03 '24 18:09 mmaietta

> Forcing the latest version inside of electron-builder only does a local change AFAIK, it does not get published as part of the electron-builder package (right?) since electron-builder doesn't package in dependencies and the dependency resolution occurs on your local device during yarn/npm install
>
> I think a PR in flatpak-bundler needs to occur before this can be resolved in electron-builder

I'm not sure how that works exactly, alternative would be a fork or to vendor the lib I guess? The repo looks abandoned sadly.

Stanzilla avatar Sep 03 '24 19:09 Stanzilla

Hmmm, it seems the package we leverage is https://www.npmjs.com/package/tmp-promise?activeTab=dependencies v3.0.2, which then pulls from ^0.2.0 semver of tmp package https://github.com/benjamingr/tmp-promise/blob/master/package.json#L31. I don't see any mention of v2.0.1 anywhere in their packages. We could try forcing the dependency version within electron-builder, but not sure if that'd have breaking changes.

mmaietta avatar Sep 05 '24 19:09 mmaietta
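One way to check which copies of `tmp` an install actually resolved, and which package requested each, is to walk the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3). This is an added example, not code from this thread or from electron-builder; `example-bundler`, the resolved `tmp` versions and the whole sample lockfile are constructed, and only `tmp-promise` 3.0.2 with its `^0.2.0` range comes from the comment above.

```javascript
// Added example: audit which installed copy of a transitive dependency each
// dependent resolves to, using the lockfile's "packages" map.

// Mimic Node's lookup: nearest node_modules/<name>, walking up from the dependent.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // reached the project root without a match
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Returns { "<install path>": { version, requiredBy: [{ parent, range }] } }.
function whoPulls(lock, name) {
  const packages = lock.packages || {};
  const copies = {};
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(name in deps)) continue;
    const target = resolve(packages, path, name);
    if (!target) continue; // declared but not installed (e.g. skipped optional)
    if (!copies[target]) {
      copies[target] = { version: packages[target].version, requiredBy: [] };
    }
    copies[target].requiredBy.push({ parent: path || "(root)", range: deps[name] });
  }
  return copies;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-bundler": "^1.0.0", "tmp-promise": "^3.0.2" } },
    "node_modules/tmp-promise": { version: "3.0.2", dependencies: { tmp: "^0.2.0" } },
    "node_modules/tmp": { version: "0.2.3" },
    "node_modules/example-bundler": { version: "1.0.0", dependencies: { tmp: "0.2.1" } },
    "node_modules/example-bundler/node_modules/tmp": { version: "0.2.1" },
  },
};

console.log(JSON.stringify(whoPulls(sampleLock, "tmp"), null, 2));
```

Pass the parsed contents of your own project's `package-lock.json` instead of `sampleLock`; a dependent pinned to an exact version shows up as a separate nested copy, which is the case a top-level version bump does not reach.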

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Mar 27 '25 00:03 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity.

github-actions[bot] avatar Apr 27 '25 00:04 github-actions[bot]

It certainly has been frustrating whenever I try to check out my project on Windows.

LauraWebdev avatar Apr 30 '25 14:04 LauraWebdev