Update dependency electron to v11 [SECURITY]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron	10.1.4 -> 11.5.0

GitHub Vulnerability Alerts

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

• Uses remote
• Calls webContents.sendToFrame
• Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

• 9.4.0
• 10.2.0
• 11.1.0
• 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

• 15.0.0-alpha.10
• 14.0.0
• 13.3.0
• 12.1.0
• 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at [email protected].

---

Release Notes

electron/electron

v11.5.0

Compare Source

Release Notes for v11.5.0

Other Changes

• Security: Backported fix for 1227933. #​30614 (Also in 12)
• Security: Backported fix for 1231134. #​30761
• Security: Backported fix for 1233564. #​30755
• Security: Backported fix for 1234009. #​30751
• Security: Backported fix for 1234764. #​30659 (Also in 12)

End of Support for 11.x.y

Electron 11.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v11.4.12

Compare Source

Release Notes for v11.4.12

Fixes

• Security: backported fix for https://crbug.com/1204814. #​30399

v11.4.11

Compare Source

Release Notes for v11.4.11

Other Changes

• Security: backported fix for 1205059,1196302. #​30267
• Security: backported fix for CVE-2021-30541. #​30200
• Security: backported fix for CVE-2021-30560. #​30183
• Security: backported fix for CVE-2021-30562. #​30196
• Security: backported fix for CVE-2021-30563. #​30199
• Security: backported fix for CVE-2021-30568. #​30228
• Security: backported fix for CVE-2021-30569. #​30296
• Security: backported fix for CVE-2021-30572. #​30262
• Security: backported fix for CVE-2021-30573. #​30253

v11.4.10

Compare Source

Release Notes for v11.4.10

Other Changes

• Backported fix for chromium:1211215. #​29785
• Security: backported fix for CVE-2021-30522. #​29879
• Security: backported fix for CVE-2021-30523. #​29877
• Security: backported fix for CVE-2021-30547. #​29790
• Security: backported fix for CVE-2021-30553. #​29819
• Security: backported fix for CVE-2021-30554. #​29823
• Security: backported fix for chromium:1194689. #​29817
• Security: backported fix for chromium:1209558. #​29815

v11.4.9

Compare Source

Release Notes for v11.4.9

Fixes

• Fixed potential corruption of piped response data when using interceptHttpProtocol/registerHttpProtocol. #​29667 (Also in 12, 13, 14)
• Security: backported fix for CVE-2021-30551. #​29780

Other Changes

• Security: backported fix for CVE-2021-30544. #​29777
• Security: backported fix for CVE-2021-30548. #​29787

v11.4.8

Compare Source

Release Notes for v11.4.8

Fixes

• Fixed will-resize and will-move events not scaling the emitted newBounds rectangle to the appropriate Windows display scale factor. #​29225 (Also in 12, 13)
• Fixed drag and drop not working correctly for some x11 window managers. #​29271 (Also in 12)
• Fixed packaged apps allowing --require in NODE_OPTIONS on Windows. #​29419

Other Changes

• Fixed using custom v8 snapshots on Apple Silicon. #​29347 (Also in 12, 13)
• Security: backported fixes for CVE-2021-30518, CVE-2021-30516, CVE-2021-30515, CVE-2021-30513, CVE-2021-30512, CVE-2021-30510, CVE-2021-30508. #​29250

v11.4.7

Compare Source

Release Notes for v11.4.7

Fixes

• Fixed an incorrect warning about enableRemoteModule being issued when the option was undefined (and thus defaulting to false). #​29023
• Fixed an issue where events on webview elements were missing properties if contextIsolation was enabled. #​29150 (Also in 10)
• Fixed corner radius for vibrancy view in macOS 11. #​29072 (Also in 12, 13)

Documentation

• Documentation changes: #​29147

v11.4.6

Compare Source

Release Notes for v11.4.6

Fixes

• Fixed <webview> focus / blur events not working with contextIsolation enabled. #​29027 (Also in 10, 12, 13)
• Fixed an issue where drag regions on macOS would be offset incorrectly when no drag regions were set,. #​29018 (Also in 12, 13)

v11.4.5

Compare Source

Release Notes for v11.4.5

Fixes

• Allow Node.js to manage microtasks queue by using explicit microtasks policy before calling uv_run(). #​28974 (Also in 12, 13)
• Fixed an issue where some Node.js modules would hang on page reload on Windows. #​28336 (Also in 12, 13)
• Fixed an issue where windows in simpleFullscreen mode were not properly resizing when display metrics changed. #​28870 (Also in 12, 13)
• Fixed the window-all-closed event being emitted while the last BrowserWindow was still in the process of being closed. #​28912 (Also in 12, 13)

Other Changes

• Security: backported fix for 1161379, 1186641. #​28801
• Security: backported fix for CVE-2021-21214. #​28934
• Security: backported fix for CVE-2021-21215 and CVE-2021-21216. #​28948
• Security: backported fix to CVE-2021-21207. #​28930
• Security: backported fix to CVE-2021-21223. #​28813
• Security: backported fix to CVE-2021-21227. #​28862
• Security: backported fix to CVE-2021-21230. #​28902
• Security: backported fix to CVE-2021-21231. #​28905
• Security: backported fix to CVE-2021-21233. #​28873

v11.4.4

Compare Source

Release Notes for v11.4.4

Fixes

• Fixed an issue where multiple calls to window.setFullScreen could cause problems. #​28773 (Also in 12, 13)
• Fixed an issue where some dialogs would stop working on macOS if window.hide() was called while they were open. #​28696 (Also in 12, 13)
• Fixed crash on m1 mac. #​28745
• No longer set backgroundColor in default-app when opening custom files / URLs. #​28843 (Also in 10, 12, 13)

Other Changes

• Security: Backported fix for chromium:1195333. #​28724
• Security: Backported fix to CVE-2021-21199. #​28704
• Security: Backported fix to CVE-2021-21201. #​28760
• Security: Backported fix to CVE-2021-21202. #​28779
• Security: Backported fix to chromium:1190525. #​28738
• Security: Backported the fix to CVE-2021-21195. #​28697
• Security: backported fix for 1192552. #​28819
• Security: backported fix for CVE-2021-21194. #​28702
• Security: backported fix for CVE-2021-21206. #​28689
• Security: backported fix for CVE-2021-21222. #​28816
• Security: backported fix for CVE-2021-21226. #​28807
• Security: backported fix to CVE-2021-21198. #​28797
• Security: backported fix to CVE-2021-21225. #​28810
• Security: backported fix to chromium:1155297. #​28822
• Security: backported fix to chromium:1161847. #​28799
• Security: backported fix to chromium:1184441. #​28796

v11.4.3

Compare Source

Release Notes for v11.4.3

Fixes

• Fixed a bug where, when a JumpList task description exceeded 260 characters, the JumpList was empty, despite valid entries. #​28524 (Also in 12, 13)
• Fixed a network process crash that could happen when using setCertificateVerifyProc with many concurrent verification requests. #​28470 (Also in 12, 13)
• Fixed failing to request file:// resources when web security is disabled. #​28589 (Also in 12, 13)
• Support wasm-eval csp behind WebAssemblyCSP flag. #​28576 (Also in 12, 13)
• Transparent windows cannot be maximized using the Windows system menu or by double clicking the title bar. #​28635 (Also in 12, 13)

Other Changes

• Security: backported fix for chromium:1196683. #​28639

v11.4.2

Compare Source

Release Notes for v11.4.2

Fixes

• Fixed an issue where the thumbar disappeared after win.hide() on Windows. #​28391 (Also in 10, 12, 13)
• Fixed bug where TouchBarPopover and TouchBarGroup were no longer rendering. #​28412 (Also in 12)
• Fixed crash when exiting app with active nodejs worker_threads. #​28471
• Fixed service worker not working with custom protocol. #​28353 (Also in 12, 13)

Documentation

• Documentation changes: #​28364

v11.4.1

Compare Source

Release Notes for v11.4.1

Fixes

• Fixed desktopCapturer.getSources() promise result sometimes never resolving. #​28282 (Also in 10, 12, 13)
• Fixed an issue where the drag regions in BrowserViews on macOS could be off in their y-axis. #​28297 (Also in 10, 12, 13)
• Fixed context menus not being positioned correctly when near the edge of the screen. #​28278 (Also in 12, 13)
• Fixed intensive I/O from asar files causing ERR_FILE_NOT_FOUND after a while. #​28201 (Also in 12, 13)
• Fixed issue where window.open() would not return an object with a location.href setter when contextIsolation is enabled and nativeWindowOpen is disabled. #​28161 (Also in 10, 12)
• URLS passed to shell.openExternal on windows are now correctly URI encoded. This was already occurring on macOS and Linux. #​28340 (Also in 10, 12, 13)

Other Changes

• Security: Backported fix to CVE-2021-21174. #​28233
• Security: Backported the fix to CVE-2021-21169. #​28236
• Security: backported fix for CVE-2021-21166. #​28132
• Security: backported fix for CVE-2021-21172. #​28294
• Security: backported fix for CVE-2021-21175. #​28247
• Security: backported fix for CVE-2021-21179. #​28249
• Security: backported fix for chromium:1167357. #​28198

Documentation

• Documentation changes: #​28212

v11.4.0

Compare Source

Release Notes for v11.4.0

Features

• Added support for the des-ede3 cipher in node crypto. #​27993 (Also in 12)

Fixes

• Colors returned from systemPreferences.getAccentColor(), getSystemColor and getColor are now correctly converted into the devices color space. Previously the color would have been subtly incorrect. #​28171 (Also in 12, 13)
• Fixed a potential crash when resetting BrowserViews. #​27948 (Also in 10, 12)
• Fixed an issue where BrowserViews could have mismatched draggable regions to their bounds. #​27987 (Also in 10, 12)
• Fixed an issue where win.capturePage() never called back after calling hide() for a hidden window on some platforms. #​28074 (Also in 12, 13)
• Fixed an issue where libuv might hang with multiple subframes when nodeIntegrationInSubframes is enabled. #​27880 (Also in 10, 12)
• Fixed an out-of-bounds access in WebContents.sendInputEvent. #​27853 (Also in 10, 12)
• Fixed background color not being applied for child windows created by native window.open path. #​27944 (Also in 10, 12)
• Fixed crash when calling getBackgroundColor on a transparent window with no assigned background color. #​28186 (Also in 12, 13)
• Fixed native window.open() to not use windowName/frameName as title by default. #​27813 (Also in 10, 12)
• Fixed navigator.bluetooth.requestDevice crash. #​27941 (Also in 12)
• Fixed warning when worldSafeExecuteJavaScript is disabled. #​27968 (Also in 10, 12)

Other Changes

• Backported fix for CVE-2020-27844. #​28101
• Fixed native module compilation with AsyncCleanupHooks on windows. #​28108 (Also in 12, 13)
• Security: backported fix for 1180871. #​28046
• Security: backported fix for CVE-2021-21160. #​28093
• Security: backported fix for CVE-2021-21162. #​28091
• Security: backported fix for CVE-2021-21165. #​28089
• Security: backported fix for CVE-2021-21181. #​28097
• Security: backported fix for CVE-2021-21193. #​28165
• Security: backported fix to 1177593. #​28050

v11.3.0

Compare Source

Release Notes for v11.3.0

Features

• Added allowFileAccess option to loadExtension() API. #​27703 (Also in 12)
• Added win.setTopBrowserView() so that BrowserViews can be raised. #​27712 (Also in 10, 12)

Fixes

• Backported fix for https://crbug.com/1125165. #​27558
• Fixed OS-level shortcuts on macOS (e.g. Ctrl + F2, ⌘ + ~). #​27787 (Also in 12)
• Fixed SVG content with filter sometimes not being rendered. #​27699
• Fixed a crash when calling crypto.createDiffieHellman() with certain parameters. #​27766 (Also in 12)
• Fixed a memory leak when creating BrowserWindows. #​27640 (Also in 12)
• Fixed an erroneous enableBlinkFeatures warning shown webviews which enabled no Blink features. #​27789 (Also in 10, 12)
• Fixed an issue where deleted download directories would be sometimes recreated by the operating system. #​27808 (Also in 10, 12)
• Fixed an occasional white flicker present when rendering BrowserViews in close succession. #​27659 (Also in 10, 12)
• Fixed crash when destroying WebContents in the crashed event. #​27757 (Also in 10, 12)
• Fixed memory leak when sending non-primitives over the context bridge. #​27638 (Also in 10, 12)
• Fixed native window freeze on Windows when Electron app is sent to tray and external display changes. #​27669 (Also in 12)
• Fixed svg with filter content not being rendered. #​27635

Other Changes

• Fixed crash when loading wasm modules in child node process with mac arm64 > 11.2. #​27684 (Also in 12)
• Fixed slow child process spawning on macOS Big Sur. #​27654 (Also in 10, 12)
• Reverted posix_spawn change in libuv that affected child process spawning on macOS Big Sur. #​27809 (Also in 10, 12)
• Security: backported fix for 1138143. #​27780
• Security: backported fix for 1155974. #​27779
• Security: backported fix for 1166504. #​27778
• Security: backported fix for 1170657. #​27781
• Security: backported fix for 1171954. #​27777
• Security: backported fix for 1172192. #​27776
• Security: backported fix for 1177341. #​27750
• Security: backported fix for chromium:1162942. #​27614
• Security: backported fix for https://crbug.com/1161705. #​27609

Documentation

• Documentation changes: #​27817

v11.2.3

Compare Source

Release Notes for v11.2.3

Fixes

• Backported fix for https://crbug.com/952922. #​27584
• Fixed crash when extension fails to load. #​27588 (Also in 10, 12)

Other Changes

• Security: Addressed Chromium CVE-2021-21148 with backported fix for chromium:1170176, chromium:961059. #​27624

v11.2.2

Compare Source

Release Notes for v11.2.2

Fixes

• Fixed CSP with unsafe-eval detection with Trusted Types. #​27469 (Also in 9, 10, 12)
• Fixed <webview> not working with Trusted Types. #​27464 (Also in 9, 10, 12)
• Fixed regression that crashed Electron when processing an invalid icon. #​27478 (Also in 12)
• None. #​27509 (Also in 12)

Other Changes

• Backported the fix to CVE-2020-16044. #​27491
• Backported the fix to CVE-2021-21118 from V8. #​27415
• Backported the fix to a UAF in Mojo (1162198). #​27401
• Backported the fix to chromium:1153329. #​27494
• Security: backported fix for CVE-2021-21122. #​27406

v11.2.1

Compare Source

Release Notes for v11.2.1

Fixes

• Apps requesting the CAMERA_PAN_TILT_ZOOM permission will have the permission request handler called with a permission string of "media" instead of "font-access". #​27423
• Fixed crash when a keyboard event immediately precedes calling browserWindow.close() on Windows. #​27357 (Also in 10, 12)
• Fixed shutdown crash when quitting with in-progress downloads. #​27419 (Also in 10, 12)
• Increase stack size on windows x64 to 8MB. #​27385 (Also in 10, 12)
• Updated the ICU time zone database to the latest 2020f version. #​27369

Other Changes

• Backported the fix to CVE-2021-21120 from sqlite. #​27424
• Backported the fix to chromium:1160534. #​27443
• Backported the fixes to the save file dialog related CVE-2021-21123, CVE-2021-21129, CVE-2021-21130, CVE-2021-21131, CVE-2021-21141. #​27437
• Security: backported fix for chromium:1161654. #​27411

v11.2.0

Compare Source

Release Notes for v11.2.0

Features

• Made win.setAspectRatio() work on Windows. #​27203 (Also in 12)

Fixes

• Fixed a crash that could occur on app quit when using the remote module. #​27069 (Also in 12)
• Fixed an issue where BrowserViews couldn't be effectively reparented. #​27219 (Also in 12)
• Fixed an issue where non-draggable regions on BrowserViews could have incorrectly calculated bounds. #​27183 (Also in 10, 12)
• Fixed an issue where some draggable regions were not clickable when loaded into BrowserViews on Windows. #​27178 (Also in 10, 12)
• Fixed the pretty-print JavaScript feature in DevTools not functioning correctly. #​27102

Other Changes

• Updated Chromium to 87.0.4280.141. #​27213

Unknown

• Fixed chrome.webRequest extensions API not intercepting any requests. #​27096 (Also in 10, 12)

v11.1.1

Compare Source

Release Notes for v11.1.1

Fixes

• Fixed protocol methods not being accessible via remote.protocol. #​27044 (Also in 12)
• Fixed readdir/readdirSync (w/ withFileTypes) failing on a deep directory within archive. #​27010 (Also in 12)
• Fixed a memory leak in desktopCapturer.getSources. #​27056 (Also in 10, 12)
• Fixed an issue where SIGINT was improperly handled in Node.js processes. #​26972 (Also in 10, 12)
• Fixed an issue where renderer process stack traces were broken with contextIsolation enabled. #​26997 (Also in 12)
• Fixed an issue where some async_hooks were not properly emitted after an error in the renderer process. #​26991 (Also in 12)
• Fixed an issue whereby remote.screen EventEmitter methods are undefined in the renderer. #​26989 (Also in 12)

v11.1.0

Compare Source

Release Notes for v11.1.0

Fixes

• Added Electron DLLs like libGLESv2.dll to symbol server. #​26965 (Also in 9, 10, 12)
• Fixed an issue that a message box in GTK contains no buttons. #​26916 (Also in 10, 12)
• Fixed an issue where event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #​26926 (Also in 9, 10, 12)
• Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. #​26951 (Also in 9, 10, 12)

v11.0.5

Compare Source

Release Notes for v11.0.5

Fixes

• Fixed "screen" methods to be reassignable again. #​26873 (Also in 12)
• Fixed systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #​26878 (Also in 9, 10, 12)
• Fixed callbacks passed via the remote module not being released after all references are dropped. #​26836 (Also in 12)
• Fixed uncaught promise rejection when creating webContents with javascript disabled. #​26870 (Also in 10, 12)

Other Changes

• Updated Chromium to 87.0.4280.88. #​26817

v11.0.4

Compare Source

Release Notes for v11.0.4

Fixes

• Added default Bluetooth permission strings to info.plist. #​26768 (Also in 12)
• Fixed an issue where IsMaximized would incorrectly return false for some windows on Windows. #​26780 (Also in 12)
• Fixed an issue where draggable regions did not work exclusively on BrowserViews on Windows. #​26774 (Also in 12)
• Fixed an issue where draggable regions in BrowserWindow causes BrowserView to become draggable in non-correspondent places. #​26754 (Also in 10, 12)
• Fixed import of unpacked node modules. #​26751 (Also in 12)

v11.0.3

Compare Source

Release Notes for v11.0.3

Fixes

• Fixed <webview> render-process-gone event dispatch. #​26578
• Fixed contentTracing.stopRecording() not rejecting when there is no trace in progress. #​26655 (Also in 12)
• Fixed screen methods not being accessible via remote.screen. #​26660
• Fixed a crash when calling webContents.fromId with an unknown ID. #​26652

v11.0.2

Compare Source

Release Notes for v11.0.2

Fixes

• Fixed LC_ALL environment variable getting changed in Electron. #​26551 (Also in 9, 10)
• Fixed an issue where some buttons were un-clickable in some BrowserViews with draggable regions enabled. #​26528
• Fixed detection of launch on login items
  • Fixed detection of enabled state set by TaskManager. #​26538
• Stopped using private API CTFontDescriptorIsSystemUIFont in MAS build. #​26574

Other Changes

• Updated Chromium to 87.0.4280.67. #​26565

Unknown

• Re-enable Rosetta on Apple Silicon devices. #​26570 (Also in 7.3, 8, 9, 10)

v11.0.1

Compare Source

Release Notes for v11.0.1

Fixes

• Fixed an Uncaught TypeError when opening DevTools. #​26514
• Removed private API usage that was blocking Mac App Store releases. #​26513

v11.0.0

Compare Source

Release Notes for v11.0.0

Stack Upgrades

• Chromium 87.0.4280.47
  • v87 blog post
  • v86 blog post
• Node v12.18.3
  • v12.18.3 release notes
  • v12.18.2 release notes
  • v12.18.1 release notes
  • v12.18.0 release notes
  • v12.17.0 release notes
• V8 v8.7
  • v8.7 blog post
  • v8.6 blog post

Breaking Changes

• Removed experimental APIs: BrowserView.{destroy, fromId, fromWebContents, getAllViews} and the id property of BrowserView. #​23578

Features

Additions

• Added new experimental apple silicon (darwin arm64) builds. #​24545
• Added new app.runningUnderRosettaTranslation property to detect when running under rosetta on Apple silicon. #​26492
• Added V8 crash message and location information to crashReport parameters. #​24771 (Also in 10)
• Added a small console hint to console to help debug renderer crashes. #​25474 (Also in 9, 10)
• Added new system-context-menu event to allow preventing and overriding the system context menu. #​25835
• Added webContents.forcefullyCrashRenderer() to forcefully terminate a renderer process to assist with recovering a hung renderer. #​25756
• Added app.getApplicationInfoForProtocol() API that returns detailed information about the app that handles a certain protocol. #​24112
• Added name to app.getAppMetrics() output. #​24359
• Added utility-process-gone event to app. #​24367
• Added visualEffectState option to BrowserWindows to allow customization of vibrancy effect state on macOS. #​25083
• Added app.createThumbnailFromPath() API that returns a preview image of a file given its file path and a maximum thumbnail size. #​24802
• Added back a previously broken visibleOnFullScreen option for setVisibleOnAllWorkspaces. #​24956
• Added desktopCapturer.getMediaSourceIdForWebContents(), can be used with getUserMedia to get a stream for a WebContent. #​22701
• Added did-become-active event on Mac for observing any application activation. #​23872
• Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from webFrame.executeJavaScript are world safe when context isolation is enabled. #​24114 (Also in 9, 10)
• Added optional parameter to specify monospaced font types for macOS tray titles. #​25059
• Added support for suspend and resume events to Windows. #​24251 (Also in 8, 9, 10)
• Added support for suspend and resume events to macOS. #​24254 (Also in 8, 9, 10)
• Added the currencyCode field that Apple's StoreKit in-app-purchasing library provides but has not been added to the Product object that inAppPurchase.getProducts returns. #​25058
• Added 'resized' (Windows/macOS) and 'moved' (Windows) events to BrowserWindow. #​26454

Improvements

• Improved the performance of sending JS primitives over the context bridge. #​24531 (Also in 9, 10)
• Improved the performance of sending wide objects over the context bridge. #​24671
• Improved the default REPL experience when running Electron with the --interactive flag. #​24204
• Improved performance of takeHeapSnapshot(). #​26230
• Changed app.getLoginItemSettings() and app.setLoginItemSettings() API to factor in startup approval keys when determining whether an application is able to launch on login. #​24494
• Expose sessionId associated with a target from debugger module. #​24170 (Also in [8](https://togithub.com/electron/electron/pull

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.