chore(deps): update dependency electron to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
electron	8.5.5 -> 9.4.0

GitHub Vulnerability Alerts

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

• Uses remote
• Calls webContents.sendToFrame
• Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

• 9.4.0
• 10.2.0
• 11.1.0
• 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

---

Release Notes

electron/electron

v9.4.0

Compare Source

Release Notes for v9.4.0

Fixes

• Added Electron DLLs like libGLESv2.dll to symbol server. #​26967 (Also in 10, 11, 12)
• Fixed systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #​26881 (Also in 10, 11, 12)
• Fixed an issue where event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #​26928 (Also in 10, 11, 12)
• Fixed an issue where some buttons were un-clickable in some BrowserViews with draggable regions enabled. #​26745 (Also in 10, 11)
• Fixed an issue whereby a corrupted async_hooks stack would crash the renderer when throwing some errors in the renderer process. #​26748 (Also in 10, 11)
• Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. #​26950 (Also in 10, 11, 12)
• Fixed usage of --disable-dev-shm-usage for apps using --no-sandbox on linux. #​26806

Other Changes

• Backported the fix to CVE-2020-16024: Heap buffer overflow in UI. #​26831
• Security: backport fix for 1150649. #​26897
• Security: backported fix for 1137603. #​26893
• Security: backported fix for 1141350. #​26895
• Security: backported the fix to CVE-2020-16014: Use after free in PPAPI. #​26856
• Security: backported the fix to CVE-2020-16015: Insufficient data validation in WASM. #​26859
• Security: backported the fix to CVE-2020-16022: Insufficient policy enforcement in networking. #​26861

v9.3.5

Compare Source

Release Notes for v9.3.5

Fixes

• Fixed <webview> render-process-gone event dispatch. #​26576
• Fixed LC_ALL environment variable getting changed in Electron. #​26508 (Also in 10, 11)
• Fixed debug.log files being created under working directory on windows. #​26267 (Also in 10)
• Fixed draggable regions stops working when devtools is opened on macOS. #​26506 (Also in 10, 11)

Other Changes

• Backported the fix to CVE-2020-16017: Browser UAF when detaching a provisional frame. #​26477
• Fixed value of getSystemVersion() on Big Sur. #​26430
• Security: backported fix for 1143772. #​26400
• Security: backported fix for 1144489. #​26397
• Security: backported fix for chromium:1133527. #​26412
• Security: backported fix for chromium:1137608. #​26409
• Security: backported fix for chromium:1139398. #​26406

Unknown

• Re-enable Rosetta on Apple Silicon devices. #​26572 (Also in 7.3, 8, 10, 11)

v9.3.4

Compare Source

Release Notes for v9.3.4

Fixes

• Fixed an issue where Hover Text on macOS Catalina did not work without VoiceOver also being enabled. #​26244 (Also in 10, 11)
• Fixed an issue where draggable regions did not work exclusively on BrowserViews. #​26261 (Also in 10, 11)
• Fixed an issue where draggable regions were not properly updated on BrowserViews when a containing BrowserWindow was resized. #​26322 (Also in 10, 11)
• Fixed calling app.commandLine.appendSwitch('lang') not changing app's locale. #​26242 (Also in 10, 11)

Other Changes

• Improved performance of takeHeapSnapshot(). #​26228
• Security: backported fix for 1100470, 1125337. #​26210
• Security: backported fix for 1128657. #​26197
• Security: backported fix for 1133983. #​26204
• Security: backported fix for 1135018. #​26194
• Security: backported fix for 1135857. #​26191
• Security: backported fix for chromium:1117258. #​26200
• Security: backported fix for chromium:1132111. #​26207
• Security: backported fix for chromium:1137630. #​26213

v9.3.3

Compare Source

Release Notes for v9.3.3

Fixes

• Browser views will properly resize within windows. #​26034 (Also in 10, 11)
• Fix: gdi printing in silent printing mode. #​25724 (Also in 10, 11)
• Fixed NativeImage.getScaleFactors() always returning the same value. #​25904 (Also in 10, 11)
• Fixed a crash in printing on Windows. #​26066 (Also in 10, 11)
• Fixed an issue where Windows notifications with timeoutType of 'never' did not work properly. #​25862 (Also in 10, 11)
• Fixed an issue where Save as PDF from PDF Viewer Print dialog failed and sometimes crashed. #​26067 (Also in 10, 11)
• Fixed an issue where frameless windows showed window controls after being in simple fullscreen mode on macOS. #​26128 (Also in 10, 11)
• Fixed an issue where some Node.js module API calls hung in the renderer process after reloads when render process reuse was enabled. #​25924 (Also in 10, 11)
• Fixed an issue where the PDF annotations button existed in a broken state. #​26004
• Fixed bug that meant require.resolve paths option was ignored. #​26035 (Also in 10, 11)
• Fixed maximized frameless window bleeding to other monitors. #​25980 (Also in 8, 10, 11)
• Fixed memory leak on macOS when using dialog.showMessageBox API. #​26098 (Also in 8, 10, 11)

Other Changes

• Backported fix for CVE-2020-15999. #​26069
• Backported the fix to CVE-2020-15969: Use after free in WebRTC. #​25854
• Security: backported fix for 1111149. #​25638
• Security: backported fix for 1113558. #​25859
• Security: backported fix for 1121414. #​25911
• Security: backported fix for 1121836. #​25641
• Security: backported fix for 1125635, 1115901. #​25857
• Security: backported fix for 1126249. #​25645
• Security: backported the fix to a heap-use-after-free in content::WebContentsImpl::SetNotWaitingForResponse. #​25896

v9.3.2

Compare Source

Release Notes for v9.3.2

Fixes

• Fixed CORS not being disabled by webSecurity: false. #​25505 (Also in 9, 10, 11)
• Fixed ready-to-show event not emitted on some machines. #​25490 (Also in 9, 10, 11)
• Fixed a crash in app.importCertificate() on Linux. #​25538 (Also in 9, 10, 11)
• Fixed a crash when closing window in an event listener after exiting fullscreen on macOS. #​25605 (Also in 9, 10, 11)
• Fixed an issue that could cause a normally-exiting process to fail with an "illegal access" message and exit code 7. #​25502 (Also in 8, 9, 10, 11)
• Fixed an issue where an error would be displayed when using webContents.print() if no default was set and no device name provided. #​25607 (Also in 9, 10, 11)
• Fixed crash when application launched from UNUserNotificationCenter notification (via a native node module). #​25739 (Also in 9, 10, 11)
• Fixed crashes caused by attempting to modify destroyed views. #​25609 (Also in 9, 10, 11)
• Fixed memory leak when creating "Services" menu. #​25689 (Also in 9, 10, 11)
• Fixed unsubscribe from observers when window is closing. #​25586 (Also in 9, 10, 11)
• Updated Node root certs to use NSS 3.56. #​25364 (Also in 8, 9, 10, 11)

Other Changes

• Added V8 crash message and location information to crashReport parameters. #​24864 (Also in 9, 10)
• Added a small console hint to console to help debug renderer crashes. #​25473 (Also in 9, 10, 11)
• Fixed resource leak in worker threads. #​25663 (Also in 9, 10, 11)
• Security: backported fix for 1100136. #​25658
• Security: backported fix for 1106612. #​25656
• Security: backported fix for 1114636. #​25643

Unknown

• Fixed extension background page devtools not being openable. #​25567 (Also in 9, 10, 11)

v9.3.1

Compare Source

Release Notes for v9.3.1

Fixes

• Added missing module delay loads on windows to reduce per process reference set impact. #​25437 (Also in 9, 10, 11)
• Fixed a crash in the renderer process when invoking the Badging API. #​25371 (Also in 9, 10, 11)
• Fixed a memory leak in net.request(). #​25382
• Fixed multiple dock icons being left in system when calling dock.show/hide on macOS. #​25301 (Also in 8, 9, 10, 11)

Other Changes

• Security: backported fix for 1081874. #​25389
• Security: backported fix for 1098860. #​25289
• Security: backported fix for 1111737. #​25391
• Security: backported fix for 1122684. #​25390

Unknown

• Added support for some chrome.management APIs. #​25344 (Also in 9, 10, 11)

v9.3.0

Compare Source

Release Notes for v9.3.0

Features

• Added back a previously broken visibleOnFullScreen option for setVisibleOnAllWorkspaces. #​25126
• Added the currencyCode field that Apple's StoreKit in-app-purchasing library provides but has not been added to the Product object that inAppPurchase.getProducts returns. #​25085

Fixes

• Fixed powerMonitor not emitting suspend/resume events on some Windows machines. #​25165
• Fixed an issue where filters set in dialogs on macOS would have nondeterministic ordering. #​25194
• Fixed an issue where notifications with a reply button could potentially be destroyed too early when a user clicked on the notification body before replying. #​25101
• Fixed frameless window's size being changed when restored from minimized state. #​25045
• Fixed network permission error when there are multiple WebContents sharing same session are created with web security disabled. #​25179
• Fixed node's TLS stack not allowing renegotiation. #​25041
• Fixed the following issues for frameless when maximized on Windows * fix unreachable task bar when auto hidden with position top
• fix 1px extending to secondary monitor
• fix 1px overflowing into taskbar at certain resolutions
• fix white line on top of window under 4k resolutions. #​25218
• Fixed window size being changed after unmaximizing. #​25133

Unknown

• Fixed not working WebSQLDatabase in extension background pages. #​25070

v9.2.1

Compare Source

Release Notes for v9.2.1

Fixes

• fix loading shared worker scripts over custom protocol
• fix crash when loading worker scripts with nodeIntegration enabled. #​24750
• Fixed a crash that could occur when using in-memory sessions. #​25002
• Fixed an issue where some Node.js methods would not work with URL instances constructed in the renderer process. #​24862
• Fixed an issue where the Save button did not function in PDF previews. #​24996
• Fixed inactive windows having active titlebar on Windows. #​24873
• Fixed missing guid parameter in Linux crash reports. #​24898
• Increased maximum length for crash keys from 127B to 20KB. #​24854
• [a11y] fix an issue where voiceover doesn't read the first item selected from a ARIA combobox. #​25004

Other Changes

• Backported the fix to CVE-2020-6532: Use after free in SCTP. #​24887
• Backported the fix to CVE-2020-6537: Type Confusion in V8. #​24885
• Resolve network issues that prevented RTC calls from being connected due to network IP address changes and ICE. (Chromium issue 1113227). #​24997

Unknown

• Fixed issues with CORS when making requests from extensions. #​24915

v9.2.0

Compare Source

Release Notes for v9.2.0

Features

• Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from webFrame.executeJavaScript are world safe when context isolation is enabled. #​24712 (Also in 10)

Fixes

• Fixed a crash that could happen when using hookWindowMessage on Windows. #​24769 (Also in 10)
• Fixed an issue where suspend/resume were emitted twice on macOS. #​24845 (Also in 8, 10)
• Fixed crash when navigating from a page with webview that has inherited zoom level. #​24764 (Also in 8, 10)
• Save crash reports locally when uploadToServer: false on linux. #​24788 (Also in 10)
• Fixed an a11y regression where children reported an index in parent greater than the parent child count. #​24765

v9.1.2

Compare Source

Release Notes for v9.1.2

Fixes

• Fix: remove unnecessary corner mask overriding to increase window resize performance. #​24702
• Fixed an issue where VoiceOver was unable to navigate from the top-level window back into the web contents. #​24699
• Protocol response streams are now destroyed if the request is aborted. #​24657

Other Changes

• Improved the performance of sending JS primitives over the context bridge. #​24746

v9.1.1

Compare Source

Release Notes for v9.1.1

Fixes

• Fixed a termination crash on Web Workers with Node.js integration enabled. #​24464
• Fixed an issue where webContents.print() would sometimes hang with invalid settings. #​24508
• Fixed an issue where cpu and heap profiling in Node.js did not work properly with --cpu-prof, --heap-prof, and related CLI flags. #​24541
• Fixed an issue where macOS window vibrancy active state did not always match the active state of the window. #​24533
• Fixed broken --trace-sync-io flag in Node.js. #​24648
• Fixed clipboard.readBuffer returning incorrect value. #​24469
• Fixed potentially invalid duplex mode settings on Linux. #​24547

Other Changes

• Fix: DCHECK failure in value.IsHeapObject() in objectsdebug.cc. (Chromium security issue 1084820). #​24566
• Fix: XSS on chrome://histograms/ with a compromised renderer. (Chromium security issue 1073409). #​24625
• Fix: crash when executing debugger.sendCommand. (Chromium security issue 1016278). #​24620
• Fix: heap-use-after-free in content::NavigationRequest::OnWillProcessResponseProcessed. (Chromium security issue 1090543). #​24569
• Fix: heap-use-after-free in ui::AXTreeSerializerblink (Chromium security issue 1065122). #​24557
• Fix: iframe in victim page can detect Scroll To Text Fragment activation. (Chromium security issue 1042986). #​24624
• Fix: integer overflow in GrTextBlob::Make. (Chromium security issue 1080481). #​24586
• Fix: javascript URI sandbox flags aren't propagated in a blank string case. (Chromium security issue 1074340). #​24621
• Fix: memcpy-param-overlap in AudioBuffer::copyFromChannel. (Chromium security issue 1081722). #​24582
• Fix: remove leaks of post-redirect URL for <script> in the CSP reports and stacktraces of errors (Chromium security issue 1074317). #​24560
• Fix: update webrtc root certificate. (Chromium security issue 978779). #​24617
• Fix: upgrade SQLite to 3.32.1. (Chromium security issue 1087629). #​24554
• Fix: use-after-free in devtools console. (Chromium security issue 986051). #​24614
• Fix: use-of-uninitialized-value in amr_read_header. (Chromium security issue 1065731). #​24594
• Fix: usrsctp is called with pointer as network address. (Chromium security issue 1076703). #​24563

Documentation

• Documentation changes: #​24516

v9.1.0

Compare Source

Release Notes for v9.1.0

Features

• Added support for MessagePort in the main process. #​24323
• Added support for suspend and resume events to Windows. #​24283
• Added support for suspend and resume events to macOS. #​24294
• Expose sessionId associated with a target from debugger module. #​24398
• Implemented systemPreferences.getMediaAccessStatus() on Windows. #​24312

Fixes

• Fixed an intermittent high-CPU usage problem caused a system clock issue during sleep. #​24415
• Fixed an issue where some old notifications were not properly removed from the Notification Center on macOS. #​24406
• Fixed bug on macOS where the main window could be targeted for a focus event when it was disabled behind a modal. #​24354

v9.0.5

Compare Source

Release Notes for v9.0.5

Fixes

• Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #​24185
• Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #​24232
• Fixed an error when calling dialog.showCertificateTrustDialog with no BrowserWindow. #​24121
• Fixed an issue where shutdown would be emitted both on app and system shutdown on macOS. #​24141
• Fixed an issue where withFileTypes was not supported as an option to fs.readdir or fs.readdirSync under asar. #​24108
• Fixed an issue which would cause streaming protocol responses to stall in some cases. #​24082
• Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #​24236
• Fixed delayed execution of some Node.js callbacks in the main process. #​24178
• Fixed tray menu showing in taskbar on Windows. #​24193
• Fixed window titlebar not responding to pen on Windows 10. #​24103

Other Changes

• Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #​24059
• Fixed mac app store rejection notice for invalid symbolic link in bundle. #​24238
• Updated Chromium to 83.0.4103.119. #​24234

Documentation

• Documentation changes: #​24177

v9.0.4

Compare Source

Release Notes for v9.0.4

Fixes

• Added missing support for isComposing KeyboardEvent property. #​23996
• Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #​23934
• Fix: Allow windows behind macOS elements if "frame" is false. #​24033
• Fixed chrome://media-internals and chrome://webrtc-internals pages not loading. #​24058
• Fixed a crash that could occur when using the ipcRenderer module after blink had released the context. Instead, a JS exception will be thrown. #​23978
• Fixed an issue where rmdir and rmdirSync work with original-fs in an asar context. #​23956
• Fixed no session in webContents of type remote. #​24065
• Fixed: On some Windows machines, especially Windows Insider builds, Electron would crash silently during startup. #​24039

Other Changes

• Updated Chromium to 83.0.4103.104. #​24068
• [a11y] fix incorrect position and size reported for grouped items in a listbox. #​24060
• [a11y] fix incorrect selection item count for listbox with grouped items. #​24061

v9.0.3

Compare Source

Release Notes for v9.0.3

Features

• V8CacheOptions is a new webpreference option to enforce code caching policy. #​23868

Fixes

• Fixed disabling color correct rendering with --disable-color-correct-rendering. #​23900
• Fixed the acceptLanguages argument being ignored in session.setUserAgent(). #​23962
• Restored old implementation of Linux Tray icons to fix a collection of issues where the tray icon wouldn't appear, would be the wrong size or would randomly disappear. #​23926

Other Changes

• Updated Chromium to 83.0.4103.99. #​23967

v9.0.2

Compare Source

Release Notes for v9.0.2

Fixes

• Fixed crash when navigating between origins in a child window with nativeWindowOpen and contextIsolation enabled. #​23895
• Fixed tray menu on Windows not keyboard navigable. #​23880

v9.0.1

Compare Source

Release Notes for v9.0.1

Features

• EnableWebSQL is a new webpreference option to enable/disable websql api. #​23580

Fixes

• Don't ignore the referrer header in net.request. #​23685
• Fixed GTK dark theme setting not respected in Electron on Linux. #​23712
• Fixed process.windowsStore returning undefined in AppX packages. #​23801
• Fixed a bezeling issue on vibrant non-frameless BrowserWindows. #​23810
• Fixed an issue where nativeImages might throw conversion errors in the renderer process. #​23796
• Fixed an issue where window.location properties would throw an error for windows opened with window.open. #​23805
• Fixed an issue where some logging would double-print. #​23689
• Fixed an issue where the 'about' role had on effect on Windows menus. #​23715
• Fixed an issue with volume-related globalShortcut registration. #​23824
• Fixed an occasional menu crash on macOS Catalina when menu is closing. #​23808

Other Changes

• Improved error logging on moveItemToTrash failures on macOS. #​23628
• Updated Chromium to 83.0.4103.94. #​23875

v9.0.0

Compare Source

Release Notes for 9.0.0

Stack Upgrades

• Chromium v83.0.4103.50
  • v81 blog post
  • v82 was skipped
  • v83 blog post
• Node v12.14.1
  • v12.13.1 release notes
  • v12.14.0 release notes
  • v12.14.1 release notes
• V8 8.3
  • v8.1 blog post
  • v8.3 blog post

Breaking Changes

• Changed the default value of app.allowRendererProcessReuse to true. This will prevent loading of non-context-aware native modules in renderer processes. (See #​18397 for more information on this change.) #​22401
• Removed deprecated <webview>.getWebContents(). #​20986
• Removed the deprecated 'setLayoutZoomLevelLimits' method. #​21383
• IPC between main and renderer processes now uses the Structured Clone Algorithm. #​20214
• Split shell.openItem(path) into synchronous and asynchronous methods. #​20682

Features

• Added fullScreen property support for BrowserWindows. #​23330
• Added session.listWordsInSpellCheckerDictionary API to list custom words in the dictionary. #​22128
• Added session.removeWordFromSpellCheckerDictionary API to remove custom words in the dictionary. #​22368
• Added session.serviceWorkerContext API to access basic service worker info and receive console logs from service workers. #​22313
• Added a new force parameter to app.focus() on macOS to allow apps to forcefully take focus. #​23447
• Added chrome.i18n extension API. #​22570
• Added chrome.tabs.connect extension API for background pages. #​22549
• Added support for property access to some getter/setter pairs on BrowserWindow. #​23208
• Added support for the chrome.extension.getBackgroundPage API when building with enable_electron_extensions. #​22177
• Allow an optional callback parameter for WebFrame.executeJavaScript* methods, which is called synchronously unless the target context is paused. #​22501
• Restored support for pdfium-based PDF viewer. #​22131

Fixes

• Don't allow window to go behind menu bar on mac. #​22828
• Fixed webRequest module not working with file:// protocol. #​22919
• Fixed webRequest not working for CORS requests. #​22468
• Fixed win.setMenuBarVisibility(false) not hiding menu bar. #​23263
• Fixed an issue where changing theme on macOS would break window maximizability state. #​22724
• Fixed crash in network service process when using protocol.registerSchemeAsPrivileged api. #​22917
• Fixed crash that could occur when calling session.fromPartition inside the ready event. #​23472
• Fixed incorrect hit testing on top of ::after element with layoutNG. #​23190
• Fixed missing debug symbols for crashpad handler on macOS. #​23573
• Fixed possible freeze on window with disabled background throttling. #​22852
• Fixed the print button functionality in the PDF viewer extension. #​23173
• Limited manipulation of custom spellchecker dictionary words to persistent sessions. #​22683
• Removed extraneous crashpad_handler binary from the Linux distribution files. #​23575
• crashReporter is now explicitly initialized only in the main process, and implicitly initialized in other child processes. This fixes an issue preventing the crash reporter from functioning in sandboxed renderers on Linux. #​23461
• Fixed broken Views API builds. #​22642

Performance

• Improved window events handler efficiency on Linux. #​23260
• Made setting window icons slightly faster on Linux. #​22736

---

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by WhiteSource Renovate. View repository job log here.