
Security Advisory requires updating dependency to newest build of update-notifier

Open thewriteway opened this issue 1 year ago • 2 comments

  • Electron-Builder Version: 23.3.3
  • Node Version: 18.7.0
  • Electron-updater Version: 5.2.1

npm audit output:

    electron-builder  >=5.6.1
        Depends on vulnerable versions of update-notifier
        node_modules/electron-builder

thewriteway avatar Aug 08 '22 09:08 thewriteway

The current package dependency is "update-notifier": "^5.1.0"

The vulnerability with that version is shown here: https://snyk.io/test/npm/update-notifier/5.1.0

The newest build of update-notifier is now on 6.0.2

Is it possible to align electron-builder with the new dependency version?

thewriteway avatar Aug 08 '22 09:08 thewriteway

Same issue as #7006. In my opinion, it seems to be the best solution to update update-notifier's version. However, it was changed to a pure ESM module after v6. I think it requires not only dependency updates but also some modifications if there is any conflict.

cjeonguk avatar Aug 10 '22 14:08 cjeonguk

The pure ESM module screws up electron-builder, so I've found a potential replacement: simple-update-notifier. Going to see if that can work for us

mmaietta avatar Aug 19 '22 15:08 mmaietta