MQTT-Explorer
MQTT-Explorer copied to clipboard
[Security] Bump electron from 8.2.3 to 9.0.5
Bumps electron from 8.2.3 to 9.0.5.
Release notes
Sourced from electron's releases.
electron v9.0.5
Release Notes for v9.0.5
Fixes
- Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #24185
- Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #24232
- Fixed an error when calling
dialog.showCertificateTrustDialog
with noBrowserWindow
. #24121- Fixed an issue where
shutdown
would be emitted both on app and system shutdown on macOS. #24141- Fixed an issue where
withFileTypes
was not supported as an option tofs.readdir
orfs.readdirSync
under asar. #24108- Fixed an issue which would cause streaming protocol responses to stall in some cases. #24082
- Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #24236
- Fixed delayed execution of some Node.js callbacks in the main process. #24178
- Fixed tray menu showing in taskbar on Windows. #24193
- Fixed window titlebar not responding to pen on Windows 10. #24103
Other Changes
- Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #24059
- Fixed mac app store rejection notice for invalid symbolic link in bundle. #24238
- Updated Chromium to 83.0.4103.119. #24234
Documentation
- Documentation changes: #24177
electron v9.0.4
Release Notes for v9.0.4
Fixes
- Added missing support for
isComposing
KeyboardEvent property. #23996- Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #23934
- Fix: Allow windows behind macOS elements if "frame" is false. #24033
- Fixed
chrome://media-internals
andchrome://webrtc-internals
pages not loading. #24058- Fixed a crash that could occur when using the
ipcRenderer
module after blink had released the context. Instead, a JS exception will be thrown. #23978- Fixed an issue where
rmdir
andrmdirSync
work withoriginal-fs
in an asar context. #23956- Fixed no
session
in webContents of type remote. #24065- Fixed: On some Windows machines, especially Windows Insider builds, Electron would crash silently during startup. #24039
Other Changes
- Updated Chromium to 83.0.4103.104. #24068
- [a11y] fix incorrect position and size reported for grouped items in a listbox. #24060
- [a11y] fix incorrect selection item count for listbox with grouped items. #24061
electron v9.0.3
Release Notes for v9.0.3
Features
Commits
28350b4
Bump v9.0.531e8b9f
build: remove dead symlink from MAS build (#24158) (#24238)06902de
fix: emit click events with tray context menu (#24236)f92b42e
chore: bump chromium in DEPS to 83.0.4103.119 (#24234)3704dc9
fix: isTrustedSender() in test-app (#24232)d321e29
chore: bump chromium to 83.0.4103.118 (9-x-y) (#24219)305d755
chore: bump chromium in DEPS to 83.0.4103.115 (#24210)5d18005
chore: bump chromium in DEPS to 83.0.4103.114 (#24198)ee27523
fix: do not use CONTEXT_MENU flag for tray menu (reland) (#24193)368f583
fix: volume key globalShortcut deregistration (#24155)- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language -
@dependabot badge me
will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Context isolation bypass via leaked cross-context objects in Electron
Impact
Apps using
contextIsolation
are affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
... (truncated)
Affected versions: [">= 8.0.0 < 8.2.4"]
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Context isolation bypass via Promise in Electron
Impact
Apps using
contextIsolation
are affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
... (truncated)
Affected versions: [">= 8.0.0 < 8.2.4"]
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Context isolation bypass via contextBridge in Electron
Impact
Apps using both
contextIsolation
andcontextBridge
are affected.This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
... (truncated)
Affected versions: [">= 8.0.0 < 8.2.4"]
We've just been alerted that this update fixes a security vulnerability:
Sourced from The GitHub Security Advisory Database.
Arbitrary file read via window-open IPC in Electron
Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Workarounds
Ensure you are calling
event.preventDefault()
on allnew-window
events where theurl
oroptions
is not something you expect.Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
... (truncated)
Affected versions: [">= 8.0.0 < 8.2.4"]