Desktop: Remove libfuse2 dependency from AppImage by using modern runtime

[JGCarroll]

Re-creating #15032 to make it easier to review after the original suddenly ballooned in noise (sorry about that)

Original PR text:

This PR:

1. Upgrades Electron Builder to version 26.8
2. Instructs Electron Builder to use modern AppImage runtimes which don't have a hard dependency on libfuse2, which is being removed entirely in e.g., Fedora 44. (I believe) - meaning supporting these systems would become impossible.
3. Modifies the installation script to not check for libfuse2 when not required (the check could be removed entirely when/if this hits a stable release?)

Removing the libfuse2 requirement doesn't make this "self-contained" as people would call it, the requirement instead shifts elsewhere.
e.g., running on Fedora 43 in WSL2:

james@James-Desktop:~$ ./Joplin-3.6.7.AppImage
Error: No suitable fusermount binary found on the $PATH
Error: $FUSERMOUNT_PROG not set

Cannot mount AppImage, please check your FUSE setup.

which was resolved with sudo dnf install fuse fuse-libs - this doesn't mean that libfuse2 itself is being used however, the output above is distinctly different from the error messages before this commit (dlopen error on libfuse2 as opposed to a requirement for a fusermount binary). These tools are essential for a wide variety of other ecosystems (e.g., Flatpak) so can be assumed to be nearly universal.

Marking as draft to encourage some more rigorous testing and also because I need to figure out how to sign the SLA.

Unresolved issues from review in original PR:

depd resolution needs adjustment
https://github.com/laurent22/joplin/pull/15032/changes/BASE..6d8ca0fa21f9911664cd313dd0daea629257be71#r3040412718
(Assistance on that one appreciated!)

Second times the charm, hopefully

Test Plan

• The AppImage should be checked on a modern distribution to confirm that it works as expected - default configuration with no additional packages beyond what's available on a fresh install. Fedora 44 beta and Ubuntu 26.04 beta seem ideal, neither will have libfuse2 out of the box.

• The AppImage should be checked on a relatively older but still supported distribution, like Ubuntu 22.04 - default configuration with no additional packages beyond what's available on a fresh install.

• The AppImage should be checked on an EOL distribution (e.g., Ubuntu 16.04) - it's likely Electron itself will not work in an environment this old due to glibc & etc, however, we can potentially still gain some insight into libfuse2 vs fusermount even if the application itself won't run. This can be compared to a v3.5 AppImage to ensure no regression (if v3.5 runs at all).

• Although this shouldn't have any impact on the application functionality itself, to be thorough, exporting to PDF, opening the print menu, importing a .JEX file, and trying secondary windows seem like some ideal functionality tests where the application does open to ensure basic functionality is unaffected.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4626ee05-ff25-4158-9db6-3209b913ea55

📥 Commits

Reviewing files that changed from the base of the PR and between feb37bc and 215242f.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• Joplin_install_and_update.sh

---

📝 Walkthrough

Walkthrough

The installation script's libfuse2 dependency check is now conditional, performed only for Joplin versions 3.6.8 and earlier, whilst the desktop app's build configuration is updated with an electron-builder version upgrade and restructured Windows signing and Linux desktop entry settings.

Changes

Cohort / File(s)	Summary
Installation Script Joplin_install_and_update.sh	Modified libfuse2 dependency validation to execute conditionally based on version comparison instead of unconditionally; newer Joplin versions bypass the check entirely.
Desktop App Build Configuration packages/app-desktop/package.json	Upgraded electron-builder from 24.13.3 to 26.8.1; restructured Windows signing configuration from win.sign to win.signtoolOptions.sign; reorganised Linux desktop entry metadata under nested linux.desktop.entry object; added new build.toolsets.appimage version entry.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing libfuse2 dependency from AppImage by upgrading to modern runtimes, which is the primary focus of the PR.
Description check	✅ Passed	The description is directly related to the changeset, explaining the rationale, implementation details, testing requirements, and linking to the original PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Pr Description Must Follow Guidelines	✅ Passed	The pull request description includes all required sections: problem description, solution explanation, and detailed test plan covering multiple distributions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the desktop build tooling to use a newer Electron Builder and configures AppImage packaging to use a modern runtime, aiming to remove the hard dependency on libfuse2 on newer Linux distributions. It also updates the Linux install/update script to only check for libfuse2 when downloading older AppImage releases that still require it.

Changes:

• Upgrade electron-builder to 26.8.1 (and associated dependency graph updates).
• Adjust Electron Builder config for Windows signing and Linux desktop entry generation; specify an AppImage toolset/runtime.
• Update the Linux install/update script to gate the libfuse2 dependency check based on the release version.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File	Description
yarn.lock	Updates lockfile to reflect the electron-builder upgrade and new transitive dependencies.
packages/app-desktop/package.json	Bumps electron-builder and updates build config (Windows signing options, Linux desktop entry, AppImage toolset).
package.json	Adjusts Yarn resolutions, notably removing depd@1.x overrides.
Joplin_install_and_update.sh	Moves the libfuse2 check behind a version gate intended to apply only to older releases.

[Copilot]

The version gate for the libfuse2 check is off by one: compareVersions returns 0 when versions are equal, so -le 0 will still enforce libfuse2 for release 3.6.8 even though the comment says versions below 3.6.8. This defeats the purpose of switching runtimes in 3.6.8+. Update the condition to only run the libfuse2 check when RELEASE_VERSION is strictly less than 3.6.8 (and consider adjusting the comment wording accordingly).

Suggested change

	## Check for libfuse2 for Joplin versions below 3.6.8, which transitioned to a new AppImage runtime without libfuse2 dependency
	if [[ $(compareVersions "$RELEASE_VERSION" "3.6.8") -le 0 ]]; then
	## Check for libfuse2 only for Joplin versions earlier than 3.6.8, which transitioned to a new AppImage runtime without libfuse2 dependency
	if [[ $(compareVersions "$RELEASE_VERSION" "3.6.8") -lt 0 ]]; then

[JGCarroll]

Checked the compareVersions function manually in Bash:

james@James-Desktop:~/joplin$ compareVersions 3.6.9 3.6.8
1
james@James-Desktop:~/joplin$ compareVersions 3.6.8 3.6.8
0
james@James-Desktop:~/joplin$ compareVersions 3.6.7 3.6.8
-1

Ideal logic (now that 3.6.8 is is already released) is:

if [[ $(compareVersions "$RELEASE_VERSION" "3.6.8") -le 0 ]]; then

so would update comments to reflect 3.6.9 instead

[Copilot]

Removing the depd@npm:^1.x resolution means the dependency graph can now pull in unpatched depd@1.1.2 (as seen in the updated yarn.lock). The depd 1.x line uses eval/new Function unless patched, which can conflict with the project's strict CSP in the desktop app (no unsafe-eval) and reintroduces the behavior the existing depd patches were meant to avoid. Consider restoring a resolution that applies the depd-npm-1.1.2-*.patch (or otherwise ensuring depd 1.x can’t be pulled in).

[JGCarroll]

@personalizedrefrigerator
I've rebuilt this in a fresh environment just now without any cached build artifacts,

1. Reverting this section entirely works fine in a clean build, and would mean I haven't touched anything, so would be my preferred option
2. I did try changing the patch to be instead be depd-npm-1.1.2-b0c8414da7.patch as you suggested in the other review, this patch doesn't cleanly apply and so won't build

Would it be best to just revert the 3 lines above for now and ignore the other patch file?

[personalizedrefrigerator]

Would it be best to just revert the 3 lines above for now and ignore the other patch file?

Yes. That should work!

[JGCarroll]

Looks like the CI is showing the error I had when I tried this yesterday now those patches are restored.

I'm tempted to think there might be a problem with Electron Builder itself, possibly a race condition of some sort?

(But at least it shows I wasn't entirely mad!)

⨯ production dependency not found parent=agentkeepalive dependency=depd version=^1.1.2
⨯ Production dependency depd not found for package agentkeepalive failedTask=build stackTrace=Error: Production dependency depd not found for package agentkeepalive

[personalizedrefrigerator]

Thanks for checking! Something else to try might be to replace the entire depd resolutions section with

    "depd": "patch:depd@npm%3A2.0.0#~/.yarn/patches/depd-npm-2.0.0-b6c51a4b43.patch",

Update: Possibly related: electron-userland/electron-builder#9641, electron-userland/electron-builder#9625

[JGCarroll]

Tried that tweak locally in a clean build, 3 failures during yarn dist, same as the error/CI above. Out of curiosity I limited the build to 1 CPU core (by removing the rest from the VM) - same error.

[personalizedrefrigerator]

I'm looking into this locally (Fedora 43 VM).

[personalizedrefrigerator]

Here's what seems to be happening:

• electron-builder detects that Joplin is using the Yarn package manager.
• yarn doesn't provide a CLI command to list all production-only dependencies recursively (see [Feature] yarn info - add possibility to list only production packages  yarnpkg/berry#5117), so electron-builder falls back to using NPM for detecting dependencies.
• This doesn't work, so electron-builder falls back to scanning node_modules and package.json.
  • This approach doesn't include logic to check the resolutions field in the toplevel package.json (presumably because resolutions is yarn-specific).

I was able to work around this by patching electron-builder's app-builder-lib. However, I'm now encountering build failures related to the deb step (specifically, fpm).

Update: Another problem: The built .AppImage is 2.5 GiB.
Update 2: The fpm and .AppImage size issues were caused by a development build of packages/onenote-converter. After rebuilding in release mode, the AppImage is only 204 MiB.

[JGCarroll]

I'm just here curious why the behaviour seems to be intermittent and sometimes builds fine and sometimes doesn't? I'd personally have expected it to be broken more consistently given the above, but the CI shows it failing on Windows/Mac yet working on Linux fine for example.

Thanks for the assist anyway! LMK if/when/how you want to merge those in here; meanwhile I'll test out the .AppImage itself on a few VM's tomorrow for the practical side of things.

Edit: Checked the CI below and it's because the ones that pass aren't running yarn dist to fail on, now I'm more confused why it randomly did work again for me earlier without patching app-builder-lib?

Edit 2: Your upgrade-electron-builder-try-2 branch works fine for me locally!

[personalizedrefrigerator]

I've opened a new pull request, with the patch: #15043

(Testing help would be appreciated!)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Joplin_install_and_update.sh`:
- Around line 182-197: The comment and the compareVersions check for
RELEASE_VERSION are inconsistent: decide whether version 3.6.8 requires
libfuse2; if 3.6.8 still requires libfuse2, update the comment to say "for
Joplin versions 3.6.8 and below" (or "up to and including 3.6.8"); if 3.6.8 does
NOT require libfuse2, change the comparison in the if that calls compareVersions
"$RELEASE_VERSION" "3.6.8" from -le 0 to -lt 0 so the check only runs for
versions strictly less than 3.6.8; ensure the comment and the condition
surrounding RELEASE_VERSION and compareVersions are aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 068afcb1-1eaa-4e93-ac9b-52088e4dbf55

📥 Commits

Reviewing files that changed from the base of the PR and between cb27561 and feb37bc.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• Joplin_install_and_update.sh
• package.json
• packages/app-desktop/package.json

💤 Files with no reviewable changes (1)

• package.json

[JGCarroll]

Closed in favour of #15043