Skip to content

chore(deps): update dependency electron to v28 [security] #519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

chore(deps): update dependency electron to v28 [security] #519

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jun 30, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 25.9.8 -> 28.3.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-46993

Impact

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

Workaround

There are no app-side workarounds for this issue. You must update your Electron version to be protected.

Patches

  • v28.3.2
  • v29.3.3
  • v30.0.3

For More Information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Release Notes

electron/electron (electron)

v28.3.2: electron v28.3.2

Compare Source

Release Notes for v28.3.2

Fixes

  • Fixed an issue where console.log() in AudioWorkletGlobalScope produced incorrect output. #​41895
  • Rename patches/devtools_frontend to patches/devtools-frontend. #​42212

Other Changes

v28.3.1: electron v28.3.1

Compare Source

Release Notes for v28.3.1

Fixes

  • Fixed an issue on Windows where silent printing resulted in comically tiny renderer output. #​41837 (Also in 29, 30)

Other Changes

v28.3.0: electron v28.3.0

Compare Source

Release Notes for v28.3.0

Features

  • Added proxy configuring support for requests made with net module from utility process. #​41744 (Also in 29, 30)

Fixes

  • Fixed a bug where a window with maximization disabled and WCO enabled would still show its maximization button. #​41806

Other Changes

v28.2.10: electron v28.2.10

Compare Source

Release Notes for v28.2.10

Fixes

  • Fixed crash in Notification::Close() under libnotify 0.8.x with portal environment. #​41709 (Also in 29, 30)
  • Fixed usage of Storage.{get|set|clear}Cookies via the Chrome DevTools Protocol. #​41738 (Also in 29, 30)

Other Changes

Documentation

v28.2.9: electron v28.2.9

Compare Source

Release Notes for v28.2.9

Fixes

  • Fixed shell.showItemInFolder not opening Windows Explorer if the passed path contains forward slashes. #​41670 (Also in 29, 30)
  • Fixed an issue where the serial-port-added event improperly respected filters set by serial.requestPort(). #​41637 (Also in 29, 30)

Other Changes

v28.2.8: electron v28.2.8

Compare Source

Release Notes for v28.2.8

Other Changes

v28.2.7: electron v28.2.7

Compare Source

Release Notes for v28.2.7

Fixes

  • Fixed chrome://process-internals failing to load. #​41541 (Also in 29, 30)
  • Fixed an issue where user-did-{resign|become}-active were not emitted properly on macOS. #​41526 (Also in 29, 30)

Other Changes

v28.2.6: electron v28.2.6

Compare Source

Release Notes for v28.2.6

Fixes

  • Fixed a crash that can result from some kinds of dynamic imports. #​41491
  • Fixed an issue where webContents.print(options) failed if options was not passed or undefined is passed. #​41478 (Also in 29, 30)
  • Fixed saving traces from devtools performance panel. #​41492

Other Changes

v28.2.5: electron v28.2.5

Compare Source

Release Notes for v28.2.5

Other Changes

v28.2.4: electron v28.2.4

Compare Source

Release Notes for v28.2.4

Fixes

  • CSS style -webkit-app-region: drag; has no effect in full screen mode. #​41330 (Also in 27, 29)

Other Changes

v28.2.3: electron v28.2.3

Compare Source

Release Notes for v28.2.3

Fixes

  • Fixed a crash that started occurring sporadically with some types of macOS window close. #​41298 (Also in 29)
  • Fixed an issue where webContents.printToPDF could fail when certain combinations of margins and pageSize values are passed. #​41267 (Also in 29)
  • Fixed an issue where crashes in node::Environment destruction potentially wouldn't be propagated to the NodeService exit handler. #​41302 (Also in 27, 29)
  • Fixed an issue where zoom level settings did not persist per-session for webviews. #​41268 (Also in 27)

Other Changes

  • Updated Chromium to 120.0.6099.283. #​41262

v28.2.2: electron v28.2.2

Compare Source

Release Notes for v28.2.2

Fixes

  • Fixed an issue where select-usb-device did not respect the filter option in navigator.usb.requestDevice(). #​41198 (Also in 27, 29)

Other Changes

v28.2.1: electron v28.2.1

Compare Source

Release Notes for v28.2.1

Fixes

  • Apply module search paths restriction on worker and child process. #​41137 (Also in 27, 29)
  • Fixed a potential async_hooks crash when listening for the restore event on Windows after minimizing a maximized BrowserWindow. #​41145 (Also in 27, 29)
  • Fixed an issue where Request objects did not correctly copy headers into fetches. #​41103
  • Fixed an issue where non-modal windows with vibrancy could have incorrectly rounded corners on Sonoma. #​41036 (Also in 27, 29)
  • Fixed an issue where the printBackground option in webContents.printToPDF did not work as expected. #​41179 (Also in 29)
  • Fixed forked child process not able to send IPC message under some cases on macOS. #​41101 (Also in 26, 27, 29)
  • Fixed on-screen-keyboard not hiding for webviews under some cases. #​41150 (Also in 27, 29)

Other Changes

v28.2.0: electron v28.2.0

Compare Source

Release Notes for v28.2.0

Features

  • Added net module to utility process. #​40967 (Also in 27, 29)

Fixes

  • Fixed session.fromPartition() key lookup bug. #​41083 (Also in 29)
  • Fixed a potential crash when calling dialog.showMessageBoxSync. #​41042 (Also in 27, 29)
  • Fixed a potential renderer crash when inspecting elements. #​40981
  • Fixed macOS bug that causes window maximize button to be disabled in full-screen mode. #​41028 (Also in 27, 29)

Other Changes

  • Updated Chromium to 120.0.6099.227. #​41075

v28.1.4: electron v28.1.4

Compare Source

Release Notes for v28.1.4

Fixes

  • Fixed an issue where inAppPurchase.getProducts and inAppPurchase.purchasedProduct did not resolve as expected. #​40956 (Also in 27, 29)

Other Changes

v28.1.3: electron v28.1.3

Compare Source

Release Notes for v28.1.3

Fixes

  • Fixed a crash resultant from trying to listen to power-related events before the ready event was emitted on Linux. #​40924 (Also in 26, 27, 29)

v28.1.2: electron v28.1.2

Compare Source

Release Notes for v28.1.2

Fixes

  • Fixed a partition alloc ref count check for higher MacOS versions. #​40765 (Also in 29)
  • Fixed default protocol handler behavior on Windows. #​40909
  • Fixed the enabled/disabled behavior of the maximize/fullscreen button of macOS windows. #​40896 (Also in 27, 29)
  • Unset all Node envs in node process when parent is a foreign process. #​40880 (Also in 26, 27, 29)

Other Changes

  • Updated Chromium to 120.0.6099.199. #​40762

v28.1.1: electron v28.1.1

Compare Source

Release Notes for v28.1.1

Fixes

  • Fixed incorrect title bar shown on frameless transparent windows. #​40867 (Also in 27, 29)

v28.1.0: electron v28.1.0

Compare Source

Release Notes for v28.1.0

Features

  • Added an option in protocol.registerSchemesAsPrivileged to allow V8 code cache in custom schemes. #​40709 (Also in 27)

Fixes

  • Fixed documentation of the default --inspect port. #​40743 (Also in 27)
  • Prevent node mode to be used as script runner by other apps on macOS. #​40710 (Also in 26, 27)

Other Changes

v28.0.0: electron v28.0.0

Compare Source

Release Notes for 28.0.0

Stack Upgrades

Breaking Changes

  • The BrowserWindow.getTrafficLightPosition() and BrowserWindow.setTrafficLightPosition() methods have been removed. #​39479
  • The app.runningUnderRosettaTranslation() method has been removed. #​39956
  • The ipcRenderer.sendTo() method has been removed. #​39087
  • The scroll-touch-{begin,end,edge} events have been removed. #​39814
  • Setting backgroundThrottling to false will disable frames throttling in the BrowserWindow for all WebContents displayed by it. #​38924

Features

Additions
  • Enabled ESM support. #​37535
  • The UtilityProcess API now supports ESM entrypoints. #​40047
  • Added several properties to the display object including detected, maximumCursorSize, and nativeOrigin. #​40554
  • Added support for ELECTRON_OZONE_PLATFORM_HINT environment variable on Linux. #​39792

In addition to enabling ESM support in Electron itself, Electron Forge also supports using ESM to package, build and develop Electron applications. You can find this support in Forge v7.0.0 or higher: https://github.com/electron/forge/releases/tag/v7.0.0

  • Added API to help apps know when to avoid semitransparent backgrounds. #​39631 (Also in 26, 27)
  • Added getWebRTCUDPPortRange and setWebRTCUDPPortRange APIs to specify UDP port range for WebRTC. #​39046
  • Added keyboardLock to ses.setPermissionRequestHandler(handler). #​40460 (Also in 26, 27)
  • Added mouse-enter and mouse-leave Tray events for Windows. #​40072
  • Added a generateTaggedPDF option to webContents.printToPDF() to allow generating tagged (accessible) PDFs. #​39563
  • Added a tabbingIdentifier property to BrowserWindow. #​39980 (Also in 26, 27)
  • Added middle click mouse event to tray icon. #​39926
  • Added several properties to the display object including detected, maximumCursorSize, and nativeOrigin. #​40554
  • Added support for ELECTRON_OZONE_PLATFORM_HINT environment variable on Linux. #​39792
  • Added support for chrome.scripting extension APIs. #​39395 (Also in 25, 26, 27)
  • Added support for several more extensions manifest keys including host_permissions, author, and short_name. #​39599 (Also in 26, 27)
  • Added the ability to send HTTP headers with webContents.downloadURL(). #​39455 (Also in 25, 26, 27)
  • Changed systemPreferences.getColor(name) to return an RGBA hex value (#RRGGBBAA) instead of a plain RGB (#RRGGBB) value. #​38960
  • Honor XDG dark theme preferences on Linux. #​38977 (Also in 25, 26, 27)
  • Improved compatibility with CommonJS modules in sandboxed preload scripts by passing dummy module.exports. #​39484
Improvements
  • Improved fork() and execve() performance for child_process API on Linux. #​39253
  • Fixed resizing performance issue on macOS. #​40586 (Also in 26, 27)
  • Fixed opaque window performance regression on DWM. #​39895 (Also in 27)
  • Re-enabled partition alloc on macOS. #​40230
Removed/Deprecated
  • The app.runningUnderRosettaTranslation property has been deprecated. #​39897 (Also in 25, 26, 27)
  • The gpu-process-crashed event on app has been deprecated. #​40195
  • The renderer-process-crashed event on app and crashed event on WebContents and <webview> have been deprecated. #​40089

Fixes

  • Fixed an issue that prevented MessagePorts from being garbage collected when not referenced. #​40201
  • Fixed app incorrectly activating panel windows on macOS Sonoma. #​40465
  • Fixed file paths passed to shell.showItemInFolder not being escaped in Linux. #​40562
  • Fixed loading nested ESM dependencies in node_modules. Support the throwIfNoEntry option in fs.statSync/fs.lstatSync in asar files. #​40224
  • Fixed same-party cookie functionality for first party sets. #​40526
  • Use activateIgnoringOtherApps for focusing non-panels on macOS. #​40621
Also in earlier versions...
  • Fixed Windows Mica / Acrylic background material effects on frameless windows. #​39708 (Also in 27)
  • Fixed BrowserView.setBounds() calls not painting view in new bounds in some cases. #​39994 (Also in 25, 26, 27)
  • Fixed app.runningUnderARM64Translation() always returning true on ARM64. #​39920 (Also in 25, 26, 27)
  • Fixed will-navigate not being emitted when pressing links in chrome: pages. #​40525 (Also in 27)
  • Fixed a webContents.capturePage() issue that caused an empty image to be returned for fully-occluded windows on Linux and Windows. #​40185 (Also in 25, 26, 27)
  • Fixed a potential issue with async_hook corruption in some error contexts. #​40594 (Also in 26, 27)
  • Fixed an error changing file format in dialog.showOpenDialog on macOS. #​40346 (Also in 27)
  • Fixed an error where listening to certain chrome.tabs events would throw incorrectly. #​39729 (Also in 25, 26, 27)
  • Fixed an issue where BrowserWindows could crash on macOS with frame: false and roundedCorners: false when going fullscreen. #​39747 (Also in 25, 26, 27)
  • Fixed an issue where WebViews could sometimes crash on unload. #​40445 (Also in 26, 27)
  • Fixed an issue where Windows Toast notifications weren't properly dismissed from the Action Center on notification.close() if they'd previously been dismissed. #​40243 (Also in 26, 27)
  • Fixed an issue where BrowserViews that had their bounds set prior to being added to a BrowserWindow could have unexpected incorrect offsets. #​39605 (Also in 25, 26, 27)
  • Fixed an issue where chrome://gpu failed to load. #​39556 (Also in 25, 26, 27)
  • Fixed an issue where navigator.keyboard.lock() did not work per latest expected behavior. #​40389 (Also in 26, 27)
  • Fixed an issue where webContents.print could fail when options is a frozen object. #​39985 (Also in 25, 26, 27)
  • Fixed an issue where accelerators representing DOM keys were not correctly converted in webContents.sendInputEvent(). #​39776 (Also in 25, 26, 27)
  • Fixed an issue where calling loadURL during some webContents url loading events could crash. #​40143 (Also in 24, 25, 26, 27)
  • Fixed an issue where calling show() on a child BrowserWindow would show all other children attached to the same parent on macOS. #​40062 (Also in 24, 25, 26, 27)
  • Fixed an issue where certain properties of chrome.tabs Tab objects were not properly considered privileged. #​39595 (Also in 25, 26, 27)
  • Fixed an issue where child windows opened when the parent window is already fullscreen did not respect the child windows' fullscreenability and resizability settings. #​39620 (Also in 24, 25, 26, 27)
  • Fixed an issue where closing and opening a minimized DevTools window would not work as expected. #​40091 (Also in 25, 26, 27)
  • Fixed an issue where pressing the escape key did not exit PDF presentation mode. #​39616 (Also in 25, 26, 27)
  • Fixed an issue where the Node.js assert module did not work in the renderer process. #​39540 (Also in 24, 25, 26, 27)
  • Fixed an issue where using webcrypto.subtle.importKey() could error and fail if SharedArrayBuffers are not defined. #​40070 (Also in 27)
  • Fixed an issue where vibrant windows incorrectly have square corners when they're modals on macOS. #​39979 (Also in 25, 26, 27)
  • Fixed an issue with applying vibrancy on non-transparent windows on macOS. #​40109 (Also in 27)
  • Fixed an issue with webContents interaction with fullscreen and WCO on macOS. #​40219 (Also in 25, 26, 27)
  • Fixed an unexpectedly thrown error in some unsupported chrome extensions. #​40514 (Also in 26, 27)
  • Fixed crash on shutdown in TLS sockets with Node.js HTTP/2 connections. #​39928 (Also in 25, 26, 27)
  • Fixed decorations for tiled windows on Wayland. #​39523 (Also in 22, 24, 25, 26, 27)
  • Fixed deprecated gpu-process-crashed / renderer-process-crashed events being emitted twice and with incorrect arguments. #​40090 (Also in 22, 24, 25, 26, 27)
  • Fixed devtools to allow restoring saved dock state on Windows. #​39734 (Also in 25, 26, 27)
  • Fixed how screen readers are detected on Windows to reduce false positives. #​39988 (Also in 27)
  • Fixed issue where titlebar would be transparent for transparent windows that are fullscreen. #​39759 (Also in 25, 26, 27)
  • Fixed launch failure with child_process.spawn() on windows affected by launching store applications. #​40101 (Also in 25, 26, 27)
  • Fixed missing type for Electron.TitleBarOverlay. #​39799 (Also in 26, 27)
  • Fixed problem with bounds of maximized window when toggling BrowserWindow.setResizable(). #​40582 (Also in 26, 27)
  • Fixed problem with promise resolved to early when browser initiated in-page navigation. #​39597 (Also in 25, 26, 27)
  • Fixed redundant permission dialogs while screen sharing on Wayland. #​40192 (Also in 26, 27)
  • Fixed regeneration of thumbnail toolbar buttons after restarting Explorer on Windows. #​39551 (Also in 24, 25, 26)
  • Fixed rendering on Linux due to broken shader cache compilation with driver updates. #​40450 (Also in 27)
  • Fixed window size constraints not working on macOS. #​39975 (Also in 27)
  • Functions called over the contextBridge are now called with the expected receiver (this). #​40263 (Also in 27)
  • Support Region Capture API with tab MediaStream. #​39074 (Also in 25, 26, 27)
  • Fixed build failure when PDF viewer is disabled. #​39990 (Also in 25, 26, 27)
  • Fixed build failure when enable_electron_extensions=false. #​40032 (Also in 25, 26, 27)

Notices

End of Support for 25.x.y

Electron 25.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v27.3.11: electron v27.3.11

Compare Source

Release Notes for v27.3.11

27-x-y end of support

Electron 27.x.y has reached end-of-support as per the project's support policy.
Developers and applications are encouraged to upgrade to a newer version of Electron.

Other Changes

v27.3.10: electron v27.3.10

Compare Source

Release Notes for v27.3.10

Other Changes

v27.3.9: electron v27.3.9

Compare Source

Release Notes for v27.3.9

Other Changes

v27.3.8: electron v27.3.8

Compare Source

Release Notes for v27.3.8

Other Changes

v27.3.7: electron v27.3.7

Compare Source

Release Notes for v27.3.7

Other Changes

v27.3.6: electron v27.3.6

Compare Source

Release Notes for v27.3.6

Other Changes

v27.3.5: electron v27.3.5

Compare Source

Release Notes for v27.3.5

Other Changes

v27.3.4: electron v27.3.4

Compare Source

Release Notes for v27.3.4

Other Changes

v27.3.3: electron v27.3.3

Compare Source

Release Notes for v27.3.3

Fixes

  • CSS style -webkit-app-region: drag; has no effect in full screen mode. #​41331 (Also in 28, 29)
  • Fixed an issue where crashes in node::Environment destruction potentially wouldn't be propagated to the NodeService exit handler. #​41300 (Also in 28, 29)
  • Fixed an issue where zoom level settings did not persist per-session for webviews. #​41269 (Also in 28)

Other Changes

v27.3.2: electron v27.3.2

Compare Source

Release Notes for v27.3.2

Fixes

  • Fixed an issue where select-usb-device did not respect the filter option in navigator.usb.requestDevice(). #​41196 (Also in 28, 29)

Other Changes

v27.3.1: electron v27.3.1

Compare Source

Release Notes for v27.3.1

Fixes

  • Apply module search paths restriction on worker and child process. #​41139 (Also in 28, 29)
  • Fixed a potential async_hooks crash when listening for the restore even

@renovate renovate bot added dependencies Pull requests that update a dependency file security labels Jun 30, 2025
@renovate renovate bot changed the title chore(deps): update dependency electron to v28 [security] chore(deps): update dependency electron to v28 [security] - autoclosed Jun 30, 2025
@renovate renovate bot closed this Jun 30, 2025
@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch June 30, 2025 23:01
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2025
@renovate renovate bot changed the title chore(deps): update dependency electron to v28 [security] - autoclosed chore(deps): update dependency electron to v28 [security] Jul 1, 2025
@renovate renovate bot reopened this Jul 1, 2025
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 9baeb08 to b53949a Compare July 1, 2025 08:34
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant