This repository was archived by the owner on Feb 28, 2026. It is now read-only.

Bump electron from 28.3.3 to 40.0.0 in the npm_and_yarn group across 1 directory#2

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-1381a86a3c

@dependabot dependabot bot commented on behalf of github Jan 28, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: electron.

Updates electron from 28.3.3 to 40.0.0

Release notes

Sourced from electron's releases.

electron v40.0.0

Release Notes for v40.0.0

Stack Upgrades

Breaking Changes

  • Deprecated clipboard API access from renderer processes #48923
  • Fixed an error on debug symbol upload by moving dsym.zip to use tar.xz compression. #48952

Features

Additions

  • Added "memory-eviction" as a possible reason for a child process to exit. #48362
  • Added RGBAF16 output format with scRGB HDR color space support to Offscreen Rendering. #48265 (Also in 39)
  • Added app.isHardwareAccelerationEnabled(). #47614 (Also in 37, 38, 39)
  • Added bypassCustomProtocolHandlers option to net.request. #48883 (Also in 38, 39)
  • Added methods to enable more granular accessibility support management. #48042 (Also in 37, 38, 39)
  • Added support for WebSocket authentication through the login event on webContents. #49064 (Also in 39)
  • Added support to import external shared texture as VideoFrame. #48831
  • Added the ability to retrieve the system accent color on Linux using systemPreferences.getAccentColor. #48027 (Also in 39)
  • Allowed for persisting File System API grant status within a given session. #48170 (Also in 37, 38, 39)
  • Automatically focus DevTools when element is inspected or breakpoint is triggered. #46386 (Also in 37, 38, 39)

Improvements

  • Enables resetting accent color to follow system accent settings if a previous color has been set via window.setAccentColor(null). #48274 (Also in 38, 39)
  • Support dynamic ESM imports in non-context isolated preloads. #48375 (Also in 37, 38, 39)
  • Updated nativeImage.createFromNamedImage to support SF Symbol names. #48772 (Also in 39)

Fixes

  • Added support for --no-stdio-init to be used when nul device is disabled on windows. #47870
  • Fixed an issue on Windows and Linux where no cookie encryption key provider was passed into the network service when cookie encryption was enabled. #49375
  • Fixed an issue where no cookie encryption provider was passed into the network service when cookie encryption was enabled. #49350
  • Fixed crash when attempting to resolve modules during process exit. #49104
  • Fixed drag regions in child windows. #49312
  • Fixed draw smoothing round corner issue. #48782
  • Fixed the cookie encryption logic to use the old os_crypt sync implementation present in M142. #49384
  • Fixed visual artifacts while resizing a window on Windows. #49191

Also in earlier versions...

  • AccentColor set distinguishes the frame. #48405 (Also in 37, 38, 39)
  • Corrected the appearance of tiled windows on GNOME (when frame: true), and removed resize handles from tiled edges. #48835 (Also in 38, 39)
  • Fix: ESM-from-CJS import when CJK characters are in path. #48862 (Also in 39)

... (truncated)

Commits
  • 35b8855 chore: empty commit to release stable 40.0.0 (#49404)
  • 7872c33 fix: revert os_crypt async cookie provider implementation (#49384)
  • 9c753c3 docs: remove stale example and standardize DevTools capitalization (#49387)
  • 8b2a991 docs: improve build-tools instructions (#49385)
  • c897602 refactor: add static ReplyChannel::SendError() helper (#49372)
  • 8cc201e chore: bump chromium to 144.0.7559.60 (40-x-y) (#49380)
  • ba26a5d chore: bump chromium to 144.0.7559.59 (40-x-y) (#49330)
  • df4d0be fix: fix cookie encryption provider loading on Windows and Linux (#49375)
  • 9c4e03f build: roll build-tools SHA to 4430e4a (#49366)
  • 05b4b57 feat: support WebSocket authentication handling (#49064)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

High-level PR Summary

This PR upgrades the electron dependency from version 28.3.3 to 40.0.0, which is a major version bump spanning 12 major versions. The upgrade includes significant stack updates (Chromium 144, Node v24.11.1, V8 14.4) and contains breaking changes such as deprecated clipboard API access from renderer processes and changes to debug symbol compression. This is an automated dependency update by Dependabot for security and compatibility purposes.

⏱️ Estimated Review Time: 5-15 minutes

💡 Review Order Suggestion
Order File Path
1 package.json



Summary by cubic

Upgrade Electron from 28.x to 40.0.0 to adopt Chromium 144 and Node 24, bringing security and performance updates. This modernizes the desktop runtime with minimal code changes expected, but some areas need verification.

  • Migration
    • Rebuild any native modules for the new Electron/Node ABI (e.g., run electron-rebuild).
    • Audit renderer clipboard usage; move access to the main process or expose via contextBridge (renderer clipboard API is deprecated).
    • Run the full desktop test suite on macOS, Windows, and Linux to catch cookie/session and window behavior changes.

Written for commit b68b2c2. Summary will update on new commits.

Bumps the npm_and_yarn group with 1 update in the / directory: [electron](https://github.com/electron/electron).


Updates `electron` from 28.3.3 to 40.0.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v28.3.3...v40.0.0)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 40.0.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jan 28, 2026

codeant-ai bot commented Jan 28, 2026

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.


orange-pro-ai bot commented Jan 28, 2026

AI Analysis Initiated 🤖

Thank you for your contribution! I will now analyze the following 1 file(s) for code quality:

  • package.json

Details will be posted in the 'Checks' tab shortly.


bdiff bot commented Jan 28, 2026

Please see the diff results of BDiff here.


safedep bot commented Jan 28, 2026

SafeDep Report Summary

Package Details

| Package | Malware | Vulnerability | Risky License |
|---|---|---|---|
| electron @ 40.0.0 (package.json) | ok | ok | ok |


This report is generated by SafeDep Github App


coderabbitai bot commented Jan 28, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | electron@28.3.3 ⏵ 40.0.0 | 94 +1 | 100 +2 | 100 +1 | 98 +1 | 100 |

"concurrently": "^8.2.2",
"daisyui": "^4.6.0",
"electron": "^28.2.1",
"electron": "^40.0.0",
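Review bot: The new `"electron": "^40.0.0"` line replaces a `^28.2.1` range, so this one-line change also crosses every major from 29 through 39, while the release notes quoted in this PR cover v40.0.0 only and are truncated. Before merging, read the breaking-change lists for the intermediate majors as well, and check the renderer code for the clipboard access that the v40 notes list as deprecated in renderer processes.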

WARNING: Major version update to Electron 40

Updating Electron from v28 to v40 is a significant version jump that may introduce breaking changes. Ensure electron-builder (^24.9.1) is compatible with Electron 40, and thoroughly test the application after this update.


kilo-code-bot bot commented Jan 28, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

| Severity | Count |
|---|---|
| CRITICAL | 0 |
| WARNING | 1 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
|---|---|---|
| package.json | 43 | Major version update to Electron 40 |

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File | Line | Issue |
|---|---|---|
| package.json | 44 | electron-builder version may not be compatible with Electron 40 |

Files Reviewed (1 file)
  • package.json - 1 issue


@recurseml recurseml bot left a comment


Review by RecurseML

🔍 Review performed on 6c2e85f..b68b2c2

✨ No bugs found, your code is sparkling clean

✅ Files analyzed, no issues (1)

package.json


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file


@llamapreview llamapreview bot left a comment


AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Approve with suggestions.

This PR upgrades Electron from 28.3.3 to 40.0.0, a major version jump spanning 12 releases with breaking changes that require careful migration planning, testing, and documentation updates.

🌟 Strengths

  • Keeps dependencies up-to-date for security, compatibility, and modern feature access.
  • Automated update reduces manual maintenance overhead.

| Priority | File | Category | Impact Summary | Anchors |
|---|---|---|---|---|
| P2 | package.json | Architecture | Major upgrade risks breaking API changes and runtime failures. | path:src/main/preload.ts |
| P2 | package.json | Documentation | README badge outdated, misleading contributors about runtime version. | path:README.md |
| P2 | package.json | Architecture | Build tool compatibility with Electron 40 needs verification. | path:vite.config.ts |
| P2 | package.json | Testing | Lack of test updates risks undetected regressions. | |
| P2 | package.json | Performance | Possible performance regressions from Chromium and Node upgrades. | |

🔍 Notable Themes

  • Holistic Migration Approach: The upgrade impacts API usage, build tools, testing, and documentation, requiring a coordinated effort to ensure stability.
  • Testing as Risk Mitigation: Extensive cross-platform and functional testing is critical to catch regressions introduced by such a significant dependency change.


Comment on lines 42 to 44
"daisyui": "^4.6.0",
"electron": "^28.2.1",
"electron": "^40.0.0",
"electron-builder": "^24.9.1",
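Review bot: `"electron-builder": "^24.9.1"` on the context line after the change stays as it was while `electron` moves to `^40.0.0`. Confirm that this builder range can package Electron 40, or raise it in the same PR. Also consider an exact `electron` version instead of the caret range, so that an install without a lockfile cannot pick up a different 40.x runtime than the one that was tested.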

P2 | Confidence: High

Analysis of the Electron major version upgrade:

  • Architecture Impact: Upgrading from Electron 28.3.3 to 40.0.0 involves significant breaking changes, including deprecated clipboard API access in renderer processes and Node.js runtime updates, which could break existing functionality if not migrated properly.
  • Documentation Issue: The README badge indicates Electron-28.x, creating inconsistency with the upgraded version, potentially misleading contributors.
  • Build Tool Compatibility: Potential incompatibility with vite-plugin-electron or other build tools, requiring verification and updates to ensure smooth builds.
  • Testing Gap: Absence of test updates or execution risks undetected regressions across platforms and features.
  • Performance Considerations: The upgrade to Chromium 144 and Node 24 may introduce performance changes that need monitoring for the chat application's use case.
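
The clipboard migration named in the summaries above (move clipboard access to the main process and expose it through contextBridge), as an added example that is not code from this repository or from Electron. The channel names, the `appClipboard` key and the trusted URL prefix are assumptions; the Electron objects are passed in as parameters so the handlers can be exercised with stand-ins.

```javascript
// Added example. Channel names and the size limit are assumptions.
const CLIPBOARD_READ = 'clipboard:read-text';
const CLIPBOARD_WRITE = 'clipboard:write-text';
const MAX_CLIPBOARD_CHARS = 64 * 1024;

// Main process. With Electron: const { ipcMain, clipboard } = require('electron');
// registerClipboardHandlers(ipcMain, clipboard, ['app://main/']);
// Prefixes must end with '/' so 'app://main/' cannot match 'app://main.evil/'.
function registerClipboardHandlers(ipcMain, clipboard, trustedUrlPrefixes) {
  const assertTrusted = (event) => {
    // senderFrame can be null if the frame navigated or was destroyed.
    const url = event.senderFrame ? event.senderFrame.url : '';
    if (!trustedUrlPrefixes.some((prefix) => url.startsWith(prefix))) {
      throw new Error(`clipboard IPC rejected for sender ${url || '<unknown>'}`);
    }
  };

  ipcMain.handle(CLIPBOARD_READ, (event) => {
    assertTrusted(event);
    return clipboard.readText();
  });

  ipcMain.handle(CLIPBOARD_WRITE, (event, text) => {
    assertTrusted(event);
    // Validate in the main process: the renderer side is the untrusted one.
    if (typeof text !== 'string' || text.length > MAX_CLIPBOARD_CHARS) {
      throw new TypeError('clipboard text must be a string within the size limit');
    }
    clipboard.writeText(text);
    return true;
  });
}

// Preload script. With Electron:
// contextBridge.exposeInMainWorld('appClipboard', buildClipboardApi(ipcRenderer));
// The renderer gets two text-only functions and no direct clipboard module.
function buildClipboardApi(ipcRenderer) {
  return Object.freeze({
    readText: () => ipcRenderer.invoke(CLIPBOARD_READ),
    writeText: (text) => ipcRenderer.invoke(CLIPBOARD_WRITE, text),
  });
}
```

Renderer code then calls `window.appClipboard.readText()` and `window.appClipboard.writeText(...)` instead of importing `clipboard` from `electron`.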
