fix(deps): update electron-updater to 6.3.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron-updater (source)	6.1.8 -> 6.3.0

GitHub Vulnerability Alerts

CVE-2024-39698

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #​8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.

---

Release Notes

electron-userland/electron-builder (electron-updater)

v6.3.0

Compare Source

Minor Changes

• #​8095 53cec79b Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

Patch Changes

• #​8108 3d4cc7ae Thanks @​beyondkmp! - feat: add minimumSystemVersion in electron updater

• #​8304 1ac86c9e Thanks @​mmaietta! - chore: update pnpm to 9.4.0

• #​8323 fa3275c0 Thanks @​mmaietta! - chore(deps): update dependency typescript to v5.5.3

• #​8135 c2392de7 Thanks @​mmaietta! - fix: unstable hdiutil retry mechanism

• #​8295 ac2e6a25 Thanks @​mmaietta! - fix: verify LiteralPath of update file during windows signature verification

• #​8311 35a0784e Thanks @​rastiqdev! - fix(rpm-updater): stop uninstalling app before update

• #​8227 48c59535 Thanks @​rotu! - fix(docs): update autoupdate docs noting that channels work with Github

• #​8110 fa7982f1 Thanks @​mmaietta! - chore: entering alpha release stage

• Updated dependencies [3d4cc7ae, 1ac86c9e, ad668ae1, 445911a7, 140e2f0e, fa7982f1]:

  • builder-util-runtime@9.2.5

v6.2.1

Compare Source

Patch Changes

• #​8091 e2a181d9 Thanks @​mmaietta! - fix(mac): revert autoupdate for mac differential

v6.2.0

Compare Source

Minor Changes

• #​7709 79df5423 Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

v6.1.9

Compare Source

Patch Changes

• #​8051 48603ba0 Thanks @​mmaietta! - fix: auto-update powershell script requires reset of PSModulePath

• #​8057 ccbb80de Thanks @​mmaietta! - chore: upgrading connected dependencies (typescript requires higher eslint version)

• Updated dependencies [ccbb80de]:

  • builder-util-runtime@9.2.4

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @typescript-eslint/eslint-plugin@7.8.0
npm error Found: eslint@9.2.0
npm error node_modules/eslint
npm error   peer eslint@"^7.5.0 || ^8.0.0 || ^9.0.0" from @babel/eslint-parser@7.24.5
npm error   node_modules/@babel/eslint-parser
npm error     dev @babel/eslint-parser@"^7.24.5" from the root project
npm error   peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/eslint-utils@4.4.0
npm error   node_modules/@eslint-community/eslint-utils
npm error     @eslint-community/eslint-utils@"^4.4.0" from @typescript-eslint/utils@7.8.0
npm error     node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/utils
npm error       @typescript-eslint/utils@"7.8.0" from @typescript-eslint/eslint-plugin@7.8.0
npm error       node_modules/@typescript-eslint/eslint-plugin
npm error         peer @typescript-eslint/eslint-plugin@"^7.0.0" from eslint-config-airbnb-typescript@18.0.0
npm error         node_modules/eslint-config-airbnb-typescript
npm error         2 more (eslint-plugin-jest, the root project)
npm error       1 more (@typescript-eslint/type-utils)
npm error     @eslint-community/eslint-utils@"^4.2.0" from eslint@9.2.0
npm error     4 more (@typescript-eslint/utils, @typescript-eslint/utils, ...)
npm error   5 more (eslint-config-erb, eslint-config-prettier, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@"^8.56.0" from @typescript-eslint/eslint-plugin@7.8.0
npm error node_modules/@typescript-eslint/eslint-plugin
npm error   peer @typescript-eslint/eslint-plugin@"^7.0.0" from eslint-config-airbnb-typescript@18.0.0
npm error   node_modules/eslint-config-airbnb-typescript
npm error     dev eslint-config-airbnb-typescript@"^18.0.0" from the root project
npm error   peerOptional @typescript-eslint/eslint-plugin@"^6.0.0 || ^7.0.0" from eslint-plugin-jest@28.5.0
npm error   node_modules/eslint-plugin-jest
npm error     dev eslint-plugin-jest@"^28.5.0" from the root project
npm error   1 more (the root project)
npm error
npm error Conflicting peer dependency: eslint@8.57.1
npm error node_modules/eslint
npm error   peer eslint@"^8.56.0" from @typescript-eslint/eslint-plugin@7.8.0
npm error   node_modules/@typescript-eslint/eslint-plugin
npm error     peer @typescript-eslint/eslint-plugin@"^7.0.0" from eslint-config-airbnb-typescript@18.0.0
npm error     node_modules/eslint-config-airbnb-typescript
npm error       dev eslint-config-airbnb-typescript@"^18.0.0" from the root project
npm error     peerOptional @typescript-eslint/eslint-plugin@"^6.0.0 || ^7.0.0" from eslint-plugin-jest@28.5.0
npm error     node_modules/eslint-plugin-jest
npm error       dev eslint-plugin-jest@"^28.5.0" from the root project
npm error     1 more (the root project)
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-11-05T00_51_51_403Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-11-05T00_51_51_403Z-debug-0.log

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.