[Security] Bump electron from 1.7.6 to 2.0.18

[dependabot-preview[bot]]

Bumps electron from 1.7.6 to 2.0.18. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Critical severity vulnerability that affects electron A remote code execution vulnerability has been discovered which affects Electron apps that use custom protocol handlers. This vulnerability affects Microsoft Windows. Linux and macOS are not affected.

Affected versions: >= 1.7.0 < 1.7.11

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects electron Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

Affected versions: >= 1.7 < 1.7.12

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects electron Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.

Affected versions: < 1.8.2-beta5

Sourced from The Node Security Working Group.

Command Injection [electron] A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15).

Affected versions: >=1.7.0 <1.7.16 || >=1.8.0 <1.8.8 || >=2.0.0 <2.0.8 || >=3.0.0-beta.1 <3.0.0-beta.7

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects electron Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.

Affected versions: >= 1.7.0 < 1.7.8

Release notes

Sourced from electron's releases.

electron v2.0.18

Security

• Patched the FileReader vulnerability found in Google Chrome: https://electronjs.org/blog/filereader-fix

Bug Fixes/Changes

• build: ensure index.json is actually valid JSON before uploading (backport: 2-0-x). #16748

• chore: disable get/setLoginItemSettings specs. #16842

electron v2.0.17

Bug Fixes/Changes

• [security] Fixed vulnerability that allowed Node to be re-enabled in child Windows. blog post.

• chore: update release scripts for cleanup. #16136

• fix: move open handling to web-contents.js. #16630

electron v2.0.16

Bug Fixes/Changes

• chore: bump libcc submodule to daf9bdcdfdfd6bad258b5e1e48b2e17d06c1a987. #16112

• chore: add additional logging for release upload failures. #16127

electron v2.0.15

Bug Fixes/Changes

• fix: schedule a paint after browserview's background is set. #15796

• fix: enable webview in sandbox renderer (#13435). #13555

• fix: allow 2 threads for CreateIoCompletionPort on single-core to prevent busy looping (#15975). #16013

• chore: bump libcc submodule to ebe1313308aa95c71f23b2725efd091b8ece05ff. #15946

• chore: bump libcc submodule. #16035

electron v2.0.14

Fixes

• Fixed Electron not being visible when launching in development mode on node v11. #15513
• Fixed window close crash that was happening on macos 10.9. #15729

Documentation

... (truncated)

Commits

• 7a5cb9f Bump v2.0.18
• cfc32ca Revert "Bump v2.0.18"
• 4681dcb Bump v2.0.18
• d70279f chore: bump libcc submodule to 1f6a271a1a6cb167f08686f7ddc6bc858fea4879 (#17266)
• d173f31 chore: disable get/setLoginItemSettings specs (#16842)
• a9d4b27 build: ensure index.json is actually valid JSON before uploading (backport: 2...
• 888216f Bump v2.0.17
• 0309654 fix: move open handling to web-contents.js (#16630)
• 2950119 chore: update release scripts for cleanup (#16136)
• b9aed81 Bump v2.0.16
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by electron-nightly, a new releaser for electron since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.