This repository has been archived by the owner on Jul 8, 2023. It is now read-only.

chore(deps): update dependency electron to v18.3.7 [security] #25

Open · wants to merge 1 commit into main from renovate/npm-electron-vulnerability

Conversation

renovate[bot] (Contributor) commented Nov 10, 2022

Mend Renovate

This PR contains the following updates:

Package   Change
electron  18.0.1 -> 18.3.7

GitHub Vulnerability Alerts

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

const { app } = require('electron')

// Main process: cancel any redirect whose target is a file:// URL, on every
// WebContents the app creates (including ones opened by window.open).
app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.


Release Notes

electron/electron

v18.3.7: electron v18.3.7

Release Notes for v18.3.7

Fixes

  • Fixed WCO not responding to touch events on Windows. #35177 (Also in 19, 20)
  • Fixed webContents.getUserAgent() incorrectly returning an empty string unless previously set. #35130 (Also in 17, 19, 20)
  • Fixed an issue in which calling setBounds() after e.preventDefault in a 'will-move' or 'will-resize' event wouldn't change the window's shape until the mouse button was released. #35082 (Also in 19, 20)
  • Fixed context menu not showing all items on macOS when dock is not hidden. #35198 (Also in 19)
  • None. #35171 (Also in 19, 20)

v18.3.6: electron v18.3.6

Release Notes for v18.3.6

Fixes

  • Fixed a crash when calling BrowserWindow.setEnabled(). #34973 (Also in 19, 20)
  • Fixed a potential crash when changing window settings after initializing WCO with an invalid titleBarStyle. #34873 (Also in 17, 19, 20)
  • Fixed alwaysOnTop BrowserWindow option for X11 Linux. #34911 (Also in 19, 20)
  • Fixed an issue where BrowserWindows on macOS were incorrectly marked as resizable. #34907 (Also in 19, 20)
  • Fixed an issue where Windows Control Overlay buttons did not respect maximizable/minimizable/closable states of a BrowserWindow. #34720 (Also in 17, 19, 20)
  • Fixed an issue where calling BrowserWindow.setRepresentedFilename on macOS with titlebarStyle: 'hiddenInset' or titlebarStyle: 'hidden' inadvertently moves the traffic light location. #34847 (Also in 19, 20)
  • Fixed an issue where some BrowserWindows opened from new links wouldn't properly load URLs. #34910 (Also in 19)
  • Fixed an issue where the minimize button with WCO enabled would incorrectly be highlighted in some cases. #34838 (Also in 17, 19, 20)
  • Fixed an issue with background colors being improperly applied to BrowserViews on Windows. #33478 (Also in 16)
  • Fixed empty app_id when running under Wayland. #34877 (Also in 19, 20)
  • Fixed missing Sec-CH-UA headers and empty navigator.userAgentData. #34758 (Also in 17, 19, 20)
  • Fixed symbol generation on 32-bit Windows release builds. #35096 (Also in 19, 20)
  • Prevent brief display of "Ozone X11" in window title on Linux. #34943

v18.3.5: electron v18.3.5

Release Notes for v18.3.5

Fixes

  • Fixed a performance problem in crashReporter.start() on macOS. #34640 (Also in 17, 19, 20)
  • Fixed an error where setWindowOpenHandler() would crash if the callback threw an error. #34627 (Also in 19, 20)
  • Fixed an issue where calling w.setWindowButtonVisibility(true) immediately after exiting fullscreen fails to show window buttons. #34673 (Also in 19, 20)
  • Fixed an issue where draggable regions were not recalculated when BrowserView bounds changed on Windows. #34610 (Also in 19, 20)

v18.3.4: electron v18.3.4

Release Notes for v18.3.4

Fixes

  • Fixed an issue where normal bounds would not be appropriately updated if the user minimized with the minimize button. #34485 (Also in 19, 20)
  • Fixed an issue where passing { name: 'All Files', extensions: ['*'] } in the filters param of open or save dialogs on Linux would disallow choosing files without an extension. #34518 (Also in 19, 20)

v18.3.3: electron v18.3.3

Release Notes for v18.3.3

Fixes

  • Fixed a crash when loading a same-origin URL after a render process crash. #34430 (Also in 19, 20)
  • Fixed potential crash in WebFrameMain when performing a cross-origin navigation. #34415 (Also in 19, 20)

v18.3.2: electron v18.3.2

Release Notes for v18.3.2

Fixes

  • Fixed an issue where pressing escape would not un-fullscreen on Windows or Linux in some circumstances. #34361 (Also in 19)
  • Fixed an issue where zombie windows can be created if window.close() is called during a fullscreen transition. #34392 (Also in 17, 19, 20)

Other Changes

  • Enable 16k page sizes support for Linux arm64. #34385

v18.3.1: electron v18.3.1

Release Notes for v18.3.1

Fixes

  • Fixed crash when calling navigator.serial.getPorts(). #34327 (Also in 17, 19)

Other Changes

  • Added a TRACE call named crash_reporter::Start under the electron category for crash_reporter::Start(). #34325 (Also in 17, 19)

v18.3.0: electron v18.3.0

Release Notes for v18.3.0

Fixes

  • Fixed a crash when calling loadExtension on an extension directory that's missing a manifest file. #34304 (Also in 16, 17, 19)
  • Fixed an issue where bounds changes were incorrectly delayed in the case where a window was moved or resized and event.preventDefault was called in either will-resize or will-move on Windows. #34284 (Also in 16, 17, 19)
  • Fixed an issue where running second instances of the same application would cause a deadlock on Windows. #34295 (Also in 19)
  • Fixed potential crash with WebFrameMain when navigating between cross-origin websites. #34293 (Also in 19)
  • Fixed service worker registration with custom protocols. #34291 (Also in 19)

v18.2.4: electron v18.2.4

Release Notes for v18.2.4

Fixes

  • Fixed an issue where tray items wouldn't highlight in some scenarios on macOS. #34207 (Also in 16, 17, 19)
  • Fixed crash on startup on old Ubuntu versions. #34155
  • SIGUSR1 is no longer handled when the node_cli_inspect fuse is disabled. #34180 (Also in 16, 17)

Other Changes

  • Backported fix for chromium:1320614. #34202
  • Updated Chromium to 100.0.4896.160. #34171

v18.2.3: electron v18.2.3

Release Notes for v18.2.3

Fixes

  • Fixed a crash in safeStorage on Linux. #34148 (Also in 19)
  • Fixed building node modules with Visual Studio 2017. #34110 (Also in 19)

v18.2.2: electron v18.2.2

Release Notes for v18.2.2

Fixes

  • Fixed a crash on Windows when opening apps in multiple, separate user sessions. #34161 (Also in 19)
  • Fixed an OSR crash happening when input select items were rendered. #34092 (Also in 17, 19)
  • Fixed an issue where calling SetLoginItemSettings() could potentially cause network volumes to be incorrectly mounted. #34106 (Also in 17, 19)
  • Fixed crash on startup due to missing gtk symbol on older distros. #34150 (Also in 19)

v18.2.0: electron v18.2.0

Release Notes for v18.2.0

Features

  • Fixed an issue where the PDF Viewer would fail if a user attempted to reload. #33711 (Also in 19)

Fixes

  • Fixed an issue with the app.requestSingleInstanceLock() API where it would sometimes hang. #33778

Other Changes

  • Fixed child_process.spawn ENOENT error with cwd option. #33871 (Also in 16, 17, 19)
  • Updated Chromium to 100.0.4896.143. #33948

v18.1.0: electron v18.1.0

Release Notes for v18.1.0

Features

  • Enabled systemPreferences.subscribe{Local|Workspace}Notification to take a null value for the event parameter. #33771

Fixes

  • Fixed crash when img without alt is shown with accessibility features enabled. #33843 (Also in 19)
  • Fixed crash when opening gtk file dialogs due to mismatched versions. #33812 (Also in 19)

Other Changes

  • Updated Chromium to 100.0.4896.127. #33730

v18.0.4: electron v18.0.4

Release Notes for v18.0.4

Fixes

  • Apply senderFrame details to ipcMain port event. #33782 (Also in 16, 17)
  • Fixed an issue where Escape keyboard events would not be properly propagated to the parent window after entering fullscreen and then exiting it again on Windows. #33787
  • Fixed the built-in PDF renderer. #33664
  • shell.openExternal() now reports more detailed errors on Windows. #33659 (Also in 15, 16, 17, 19)
  • shell.openExternal() now reports more detailed errors on Windows. #33705 (Also in 15, 16, 17, 19)

Other Changes

  • Backported fix for chromium:1297731, b/218211225. #33708

v18.0.3: electron v18.0.3

Release Notes for v18.0.3

Other Changes

  • Updated Chromium to 100.0.4896.75. #33619

v18.0.2: electron v18.0.2

Release Notes for v18.0.2

Fixes

  • Fixed a potential crash in Browser.getFocusedWindow() when child windows are closed. #33538 (Also in 17)
  • Fixed an issue where the window bounds would incorrectly change if BrowserWindow.unmaximize was called on a window whose user bounds were maximized. #33550 (Also in 16, 17)
  • Fixed behavior of BrowserWindow.maximize on macOS for not shown windows. #33537 (Also in 15, 16)
  • Fixed incorrect return value of app.requestSingleInstanceLock() when setting non-existent user data folder. #33592 (Also in 16, 17, 19)
  • Fixed issues with frameless window animations and styling. #33610 (Also in 19)
  • Fixed potential crash while generating accessibility trees for certain images. #33616 (Also in 19)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate.

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from b9b3ba9 to cbfe2f2 on December 10, 2022 13:09
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch 2 times, most recently from 0dae8cf to 2e870f1 on March 16, 2023 09:24
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 2e870f1 to 5bc3e9a on March 20, 2023 12:24
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 5bc3e9a to 24821c8 on April 3, 2023 10:54
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 24821c8 to dcb1bcd on April 17, 2023 14:04
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from dcb1bcd to 780ef3b on May 28, 2023 09:54
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch 2 times, most recently from 6765929 to d243cd7 on June 18, 2023 07:24
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from d243cd7 to 3f8ccd1 on June 29, 2023 10:07
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 3f8ccd1 to 3c90d93 on July 6, 2023 10:01