Skip to content

chore(deps): update dependency electron to v40.8.5 [security]#1146

Merged
renovate-sh-app[bot] merged 1 commit intomainfrom
renovate/npm-electron-vulnerability
Apr 7, 2026
Merged

chore(deps): update dependency electron to v40.8.5 [security]#1146
renovate-sh-app[bot] merged 1 commit intomainfrom
renovate/npm-electron-vulnerability

Conversation

@renovate-sh-app
Copy link
Copy Markdown
Contributor

@renovate-sh-app renovate-sh-app bot commented Apr 3, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
electron 40.4.140.8.5 age confidence

Electron: Use-after-free in offscreen child window paint callback

CVE-2026-34774 / GHSA-532v-xpq5-8h95

More information

Details

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions
  • 41.0.0
  • 40.7.0
  • 39.8.1
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

CVE-2026-34771 / GHSA-8337-3p73-46f4

More information

Details

Impact

Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

Workarounds

Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: USB device selection not validated against filtered device list

CVE-2026-34766 / GHSA-9899-m83m-qhpj

More information

Details

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 3.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Use-after-free in download save dialog callback

CVE-2026-34772 / GHSA-9w97-2464-8783

More information

Details

Impact

Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.

Workarounds

Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.

Fixed Versions
  • 41.0.0-beta.7
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

CVE-2026-34769 / GHSA-9wfr-w7mm-pc7f

More information

Details

Impact

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

Workarounds

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

CVE-2026-34780 / GHSA-jfqg-hf23-qpw2

More information

Details

Impact

Apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected.

Workarounds

Do not pass VideoFrame objects across contextBridge. If an app needs to transfer video frame data, serialize it to an ArrayBuffer or ImageBitmap before bridging.

Fixed Versions
  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 8.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

CVE-2026-34779 / GHSA-5rqw-r77c-jp79

More information

Details

Impact

On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

CVE-2026-34768 / GHSA-jfqx-fxh3-c62j

More information

Details

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 3.9 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Use-after-free in PowerMonitor on Windows and macOS

CVE-2026-34770 / GHSA-jjp3-mq3x-295m

More information

Details

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 7.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

CVE-2026-34776 / GHSA-3c8v-cfp5-9885

More information

Details

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

CVE-2026-34773 / GHSA-mwmh-mq4g-g6gr

More information

Details

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Incorrect origin passed to permission request handler for iframe requests

CVE-2026-34777 / GHSA-r5p7-gp4j-qhrx

More information

Details

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Service worker can spoof executeJavaScript IPC replies

CVE-2026-34778 / GHSA-xj5x-m3f3-5x3h

More information

Details

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions
  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

CVE-2026-34767 / GHSA-4p4r-m79c-wq3v

More information

Details

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions
  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

CVE-2026-34775 / GHSA-xwr5-m59h-vwqr

More information

Details

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions
  • 41.0.0
  • 40.8.4
  • 39.8.4
  • 38.8.6
For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Electron: Use-after-free in offscreen shared texture release() callback

CVE-2026-34764 / GHSA-8x5q-pvf5-64mp

More information

Details

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions
  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

electron/electron (electron)

v40.8.5: electron v40.8.5

Compare Source

Release Notes for v40.8.5

Fixes

  • Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #​50484 (Also in 41)
  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50491 (Also in 39, 41, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50500 (Also in 39, 41, 42)
  • Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #​50505 (Also in 41, 42)
  • Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #​50518

Other Changes

  • Backported fix for chromium:475877320. #​50438

v40.8.4: electron v40.8.4

Compare Source

Release Notes for v40.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #​50467 (Also in 38, 39, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #​50401 (Also in 39, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #​50337 (Also in 39, 41, 42)
  • Fixed logic bug that rendered certain window types un-resizable on MAS builds. #​50355 (Also in 41, 42)
  • Fixed utilityProcess exit event reporting incorrect exit codes on Windows when the exit code has the high bit. #​50387 (Also in 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #​50344 (Also in 39, 41, 42)

Other Changes

v40.8.3: electron v40.8.3

Compare Source

Release Notes for v40.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #​50287 (Also in 39, 41, 42)
  • Fixed an issue where some DevTools functionality didn't work as expected. #​50275 (Also in 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #​50301 (Also in 39, 41, 42)

v40.8.2: electron v40.8.2

Compare Source

Release Notes for v40.8.2

Other Changes

  • Backported fix for b/491421267. #​50229
  • Fixed an issue where running app icons were not correctly retrieved on macOS Tahoe. #​50188

v40.8.1: electron v40.8.1

Compare Source

Release Notes for v40.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50158 (Also in 38, 39, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #​50216 (Also in 39, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #​50138 (Also in 39, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50162 (Also in 38, 39, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​50104 (Also in 39, 41)
  • Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #​50084 (Also in 39, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50131 (Also in 38, 39, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50149 (Also in 38, 39, 41)
  • Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #​50207 (Also in 39, 41)
  • Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #​50189 (Also in 39, 41)
  • Reverted AltGr key fix that caused menu bar to no longer show on Windows. #​50110 (Also in 39, 41)

Other Changes

  • Backported fix for chromium:485622239. #​50168

v40.8.0: electron v40.8.0

Compare Source

Release Notes for v40.8.0

Features

  • Added a reason property to the Notification 'closed' event on Windows to allow developers to know the reason the Notification was dismissed. #​50030 (Also in 41)

Fixes

  • Fixed shutdown crash on windows when hidden titlebar is enabled. #​50053 (Also in 39, 41)

Other Changes

  • Updated Chromium to 144.0.7559.236. #​50060

v40.7.0: electron v40.7.0

Compare Source

Release Notes for v40.7.0

Features

  • Added support for --experimental-transform-types. #​49883 (Also in 39, 41)

Fixes

  • Allow dynamically updating menu item labels, sublabels, and icons. #​49973 (Also in 41)
  • Fixed safeStorage failing to clean up legacy keychain entries when migrating to suffixed account names on macOS, and fixed first launch creating entries with the wrong (unsuffixed) account name. #​49817
  • Fixed a bug that cause offscreen rendering doesn't have valid screen info and unable to get valid result of related media queries.
    • Added webPreference.offscreen.deviceScaleFactor to allow user specify a value, instead of using user's primary display's value. #​49681
  • Fixed a macOS crash when creating a new tab from the tab overview. #​49934 (Also in 41)
  • Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #​50005 (Also in 39, 41)
  • Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #​50022 (Also in 39, 41)
  • Fixed an issue where malformed custom toastXml could cause a Notification crash. #​49952 (Also in 41)
  • Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #​49994 (Also in 41)
  • Fixed menus to correctly emit menu-will-close event when closed after any submenu has been open. #​49963 (Also in 41)

Other Changes

v40.6.1: electron v40.6.1

Compare Source

Release Notes for v40.6.1

Fixes

  • Fixed globalShortcut not working on Wayland with GlobalShortcutsPortal feature enabled. #​49870 (Also in 41)
  • Fixed an issue where making a window fullscreen on Windows, minimizing it and then restoring it broke previous fullscreen state. #​49892 (Also in 41)
  • Fixed an issue where menu item enabled state wasn't updated during key equivalent dispatch when the menu was closed on macOS. #​49889 (Also in 39, 41)
  • Fixed an issue where pressing AltGr could activate or focus the menu bar. #​49915 (Also in 39, 41)
  • Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #​49909 (Also in 41)
  • Fixed draggable regions not updating position when DevTools is docked to the left or right in a frameless window. #​49847 (Also in 39, 41)
  • Fixed memory leak when setting icons on Linux/GTK. #​49898 (Also in 38, 39, 41)
  • Fixed startup crash when V8 sandbox is disabled. #​49884 (Also in 41)

Other Changes

  • Fixed crash in platform_util::Beep() on Linux. #​49864 (Also in 41)
  • Updated Chromium to 144.0.7559.220. #​49869

v40.6.0: electron v40.6.0

Compare Source

Release Notes for v40.6.0

Features

  • Added the ability to disable auto-focusing of WebContents on navigation using webPreferences.focusOnNavigation. #​49512 (Also in 41)

Fixes

  • Fixed an issue where frameless windows had resize issues in Mac App Store builds. #​49856

v40.5.0: electron v40.5.0

Compare Source

Release Notes for v40.5.0

Features

  • Added support for long-animation-frame script attribution (via --enable-features=AlwaysLogLOAFURL). #​49772 (Also in 41)
  • Extended actions support for Windows notifications to include buttons, select dropdowns, and replies. #​49786 (Also in 41)

Fixes

  • Addressed upstream Chromium shift to enable CoreAudio Tap API for audio capture used in electron's desktopCapturer (🍏 macOS). #​49741 (Also in 39, 41)
  • Made pointer lock work on Wayland. #​49283

Other Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner April 3, 2026 06:08
@renovate-sh-app renovate-sh-app bot requested review from Llandy3d and e-fisher April 3, 2026 06:08
@e-fisher
Copy link
Copy Markdown
Collaborator

e-fisher commented Apr 3, 2026

bugbot run

cursor[bot]
cursor bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@renovate-sh-app
chore(deps): update dependency electron to v40.8.5 [security]
dfc8831 
| datasource | package  | from   | to     |
| ---------- | -------- | ------ | ------ |
| npm        | electron | 40.4.1 | 40.8.5 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/npm-electron-vulnerability branch from 499263c to dfc8831 Compare April 4, 2026 03:09
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update dependency electron to v40.8.4 [security] chore(deps): update dependency electron to v40.8.5 [security] Apr 4, 2026
allansson
allansson approved these changes Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@allansson allansson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work fine. If nothing else, we can always rollback.

@renovate-sh-app renovate-sh-app bot merged commit 9376504 into main Apr 7, 2026
17 checks passed
@renovate-sh-app renovate-sh-app bot deleted the renovate/npm-electron-vulnerability branch April 7, 2026 06:12
@k6-release-app k6-release-app bot mentioned this pull request Apr 3, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@allansson allansson allansson approved these changes

@e-fisher e-fisher Awaiting requested review from e-fisher e-fisher is a code owner automatically assigned from grafana/k6-studio

@Llandy3d Llandy3d Awaiting requested review from Llandy3d Llandy3d is a code owner automatically assigned from grafana/k6-studio

Assignees

No one assigned

Labels

automerge-security-update severity:HIGH update-minor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@e-fisher @allansson