
Update dependency electron to v39 [SECURITY]#45

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-electron-vulnerability

@renovate renovate bot commented Oct 5, 2023

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change | Age | Confidence
electron | 12.0.2 → 39.8.1 | age | confidence

GitHub Vulnerability Alerts

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app can work around the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29247

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access; rather, it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

CVE-2024-46993

Impact

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

Workaround

There are no app-side workarounds for this issue. You must update your Electron version to be protected.

Patches

  • v28.3.2
  • v29.3.3
  • v30.0.3

For More Information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2025-55305

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2026-34767

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions

  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34766

Impact

The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.

The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34768

Impact

On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.

On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.

Workarounds

Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34770

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34769

Impact

An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.

Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.

Workarounds

Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

CVE-2026-34771

Impact

Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

Workarounds

Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34772

Impact

Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.

Workarounds

Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.

Fixed Versions

  • 41.0.0-beta.7
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34773

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34775

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions

  • 41.0.0
  • 40.8.4
  • 39.8.4
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34774

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions

  • 41.0.0
  • 40.7.0
  • 39.8.1

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34777

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34776

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34778

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2026-34779

Impact

On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.

Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

CVE-2023-39956

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low. In fact, issues of this kind are normally considered outside of our threat model, as, similar to Chromium, we exclude Physically Local Attacks, but given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

CVE-2023-5217

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-44402

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org


Release Notes

electron/electron (electron)

v39.8.1: electron v39.8.1

Compare Source

Release Notes for v39.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50156 (Also in 38, 40, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #​50215 (Also in 40, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #​50136 (Also in 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50174 (Also in 38, 40, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​50106 (Also in 40, 41)
  • Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #​50086 (Also in 40, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50129 (Also in 38, 40, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50147 (Also in 38, 40, 41)
  • Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #​50208 (Also in 40, 41)
  • Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #​50190 (Also in 40, 41)
  • Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #​49995 (Also in 40, 41)
  • Fixed shutdown crash on windows when hidden titlebar is enabled. #​50054 (Also in 40, 41)
  • Reverted AltGr key fix that caused menu bar to no longer show on Windows. #​50109 (Also in 40, 41)

Other Changes

v39.8.0: electron v39.8.0

Compare Source

Release Notes for v39.8.0

Features

  • Added support for --experimental-transform-types. #​49881 (Also in 40, 41)

Fixes

  • Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #​50004 (Also in 40, 41)
  • Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #​50021 (Also in 40, 41)
  • Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #​49910 (Also in 40, 41)

v39.7.0: electron v39.7.0

Compare Source

Release Notes for v39.7.0

Features

  • Added support for long-animation-frame script attribution (via --enable-features=AlwaysLogLOAFURL). #​49771 (Also in 40, 41)

Fixes

  • Fixed an issue where frameless windows had resize issues in Mac App Store builds. #​49861 (Also in 40, 41)
  • Fixed an issue where menu item enabled state wasn't updated during key equivalent dispatch when the menu was closed on macOS. #​49888 (Also in 40, 41)
  • Fixed an issue where pressing AltGr could activate or focus the menu bar. #​49914 (Also in 40, 41)
  • Fixed memory leak when setting icons on Linux/GTK. #​49896 (Also in 38, 40, 41)

v39.6.1: electron v39.6.1

Compare Source

Release Notes for v39.6.1

Fixes

  • Fixed draggable regions not updating position when DevTools is docked to the left or right in a frameless window. #​49846 (Also in 41)

v39.6.0: electron v39.6.0

Compare Source

Release Notes for v39.6.0

Features

  • Added a disclaim option to the UtilityProcess API to allow for TCC disclaiming on macOS. #​49696 (Also in 40, 41)

Fixes

  • Addressed upstream Chromium shift to enable CoreAudio Tap API for audio capture used in electron's desktopCapturer (🍏 macOS). #​49740 (Also in 41)

Other Changes

v39.5.2: electron v39.5.2

Compare Source

Release Notes for v39.5.2

Fixes

  • Fixed a crash that could occur when using the File System Access API. #​49634 (Also in 40, 41)
  • Fixed an issue where alt+space triggered the system context menu even if an accelerator was registered for the hotkey combination. #49641 (Also in 40, 41)
  • Fixed an issue where role-based menu items were incorrectly returning null for their accelerator property. #​49670 (Also in 40, 41)
  • Fixed application input broken on certain wayland compositors when DND action was cancelled. #​49694
  • Fixed dock menu items not respecting enabled and checked properties on macOS. #​49626 (Also in 38, 40, 41)

Other Changes

  • Refactored our MSIX updater code to use an upstream Chromium pattern and eliminates the need for special exception handling build flags. #​49688 (Also in 40, 41)

Unknown

  • Fixed squirrel.mac stacked update behavior to old staged updates. #​49637 (Also in 40, 41)

v39.5.1: electron v39.5.1

Compare Source

Release Notes for v39.5.1

Fixes

v39.5.0: electron v39.5.0

Compare Source

Release Notes for v39.5.0

Features

  • Added support for MSIX auto-updating. #​49585 (Also in 40, 41)

Fixes

  • Fixed an issue where menu item accelerators stopped working after the item's enabled property was toggled on macOS. #​49593 (Also in 40, 41)
  • Fixed an issue whereby a duplicate "Toggle Full Screen" menu item appeared in the View menu on macOS. #​49597 (Also in 38, 40, 41)

v39.4.0: electron v39.4.0

Compare Source

Release Notes for v39.4.0

Fixes

  • Fixed an issue in chrome://accessibility. #​49559 (Also in 40, 41)
  • Fixed an issue where shell.writeShortcutLink was throwing TypeError: Insufficient number of arguments when called with just [(path, options)]. #​49502 (Also in 40, 41)
  • Fixed crash in platform_util::Beep() on Linux. #​49484 (Also in 40, 41)

Other Changes

Unknown

  • Fixed an issue where some packages weren't correctly filtered on macOS in dialogs. #​49472 (Also in 38, 40, 41)

v39.3.0: electron v39.3.0

Compare Source

Release Notes for v39.3.0

Features

  • Added support for WebSocket authentication through the login event on webContents. #​49065 (Also in 40)

Fixes

  • Fixed setRepresentedFilename() not setting AXDocument accessibility attribute on macOS. #​49418 (Also in 40)
  • Fixed a potential race condition crash when opening DevTools. #​49423 (Also in 40)
  • Fixed stack overflow when compiling deeply nested JS functions. #​49360
  • Made toplevel icon Wayland protocol work. #​49415 (Also in 40)
  • Requests sent via net are now capable of having their headers modified to use reserved headers via webRequest. #​49242 (Also in 40)

Other Changes

v39.2.7: electron v39.2.7

Compare Source

Release Notes for v39.2.7

Other Changes

  • Updated Chromium to 142.0.7444.235. #​49190

v39.2.6: electron v39.2.6

Compare Source

Release Notes for v39.2.6

Fixes

  • Fixed visual artifacts while resizing a window on Windows. #​49138

Other Changes

  • Updated Chromium to 142.0.7444.226. #​49137

v39.2.5: electron v39.2.5

Compare Source

Release Notes for v39.2.5

Fixes

  • Fixed a Windows notification issue where clicking a native notification would result in an application hang on certain Windows environments. #​49130 (Also in 40)
  • Fixed an issue where menu-did-close was not emitted properly for some application menus. #​49093 (Also in 38, 40)
  • Reduced amount of visual artifacts while resizing a window on Windows. #​49076

Other Changes

  • Fixed devtools element panel flickering when with node inspection. #​49044 (Also in 40)

v39.2.4: electron v39.2.4

Compare Source

Release Notes for v39.2.4

Fixes

  • Fixed an issue where the close callback param for menu.popup would fire when any arbitrary submenu of the given menu closed, and not the menu itself. #​49045 (Also in 38, 40)
  • Fixed crash when reading system certificates via nodejs tls module. #​49042 (Also in 40)
  • Fixed the issue where the parent window was left disabled after the modal window called show() multiple times. #49019 (Also in 38, 40)

Other Changes

  • Updated Chromium to 142.0.7444.177. #​49037

v39.2.3: electron v39.2.3

Compare Source

Release Notes for v39.2.3

  • Updated Chromium to 142.0.7444.175.

v39.2.2: electron v39.2.2

Compare Source

Release Notes for v39.2.2

Fixes

  • Fixed crash when creating event object for IPC events. #​48992 (Also in 40)

v39.2.1: electron v39.2.1

Compare Source

Release Notes for v39.2.1

Fixes

  • Fixed an issue where some apps would throw an exception on launch. #​48975 (Also in 40)

v39.2.0: electron v39.2.0

Compare Source

Release Notes for v39.2.0

Features

  • Added app.isHardwareAccelerationEnabled(). #​48680 (Also in 37, 38)
  • Added bypassCustomProtocolHandlers option to net.request. #​48882 (Also in 38, 40)
  • Automatically focus DevTools when element is inspected or breakpoint is triggered. #​48702 (Also in 37, 38)
  • Enables resetting accent color to follow system accent settings if a previous color has been set via window.setAccentColor(null). #​48852 (Also in 38)
  • Updated nativeImage.createFromNamedImage to support SF Symbol names. #​48773 (Also in 40)

Fixes

  • Fixed crash on windows when UTF-8 is in path. #​48944 (Also in 38, 40)
  • Reenable V8 trap handlers for wasm in browser and utility process, improves runtime execution of wasm. #​48837 (Also in 40)
  • Restored window's canHide property. #​48901 (Also in 37, 38)
  • Windows: Calling window.setFocusable(true) will no longer cause a window to lose focus. #​48928 (Also in 40)

Other Changes

  • Updated Chromium to 142.0.7444.162. #​48899

v39.1.2: electron v39.1.2

Compare Source

Release Notes for v39.1.2

Fixes

  • Corrected the appearance of tiled windows on GNOME (when frame: true), and removed resize handles from tiled edges. #​48834 (Also in 38, 40)
  • Fix: ESM-from-CJS import when CJK characters are in path. #​48873
  • Fixed oom crash when optimizing certain wasm functions involving large phi nodes. #​48815 (Also in 38, 40)
  • Fixed the issue where the parent window remained interactive after the modal window was opened. #​48865 (Also in 40)

Other Changes

  • Updated Chromium to 142.0.7444.134. #​48818

Documentation

Unknown

  • Fixed an issue that menu items on macOS could not be disabled under all circumstances. #​48830 (Also in 38, 40)

v39.1.1: electron v39.1.1

Compare Source

Release Notes for v39.1.1

Fixes

  • Fixed an application crash when clicking or hovering over the native MacOS "Window" menu. Reverts #​48598. #​48800 (Also in 40)
  • Fixed draw smoothing round corner issue. #​48781 (Also in 40)

v39.1.0: electron v39.1.0

Compare Source

Release Notes for v39.1.0

Fixes

  • Fixed an issue on Wayland (Linux) where right-clicking in the titlebar could break mouse interactions. #​48758 (Also in 38, 40)
  • Fixed an issue that menu items on macOS could not be disabled under all circumstances. #​48711 (Also in 37, 38)
  • Fixed incorrect signal variable reference in nan-spec-runner that could cause install failures to go undetected. #​48709 (Also in 38)

Other Changes

v39.0.0: electron v39.0.0


Release Notes for v39.0.0

Stack Upgrades

Breaking Changes

  • Added colorSpace to offscreen shared texture info of webContents.on('paint') event.
    • Breaking: Changed the signature of OffscreenSharedTexture to provide a unified handle that holds the native handle. #​47315
  • Fixed a spec compliance issue with window.open where it should always create a resizable popup window but did not. #​47540

For breaking changes inherited via Chromium, see blog post

Features

Additions
  • Added RGBAF16 output format with scRGB HDR color space support to Offscreen Rendering. #​48504
  • Added fileBacked and purgeable fields to process.getSystemMemoryInfo() for macOS. #​47628 (Also in 37, 38)
  • Added support for guid Tray constructor option on macOS to allow tray icons to maintain position across launches. #​47838 (Also in 36, 37, 38)
  • Added webFrameMain.fromFrameToken(processId, frameToken) to get a WebFrameMain instance from its frame token. #​47850 (Also in 38)
  • Added methods to enable more granular accessibility support management. #​48625
  • Added support for app.getRecentDocuments() on Windows and macOS. #​45839 (Also in 36, 37, 38)
  • Added support for USBDevice.configurations. #​47459
  • Added the ability to retrieve the system accent color on Linux using systemPreferences.getAccentColor. #​48628
  • Adds the ability to change window accent color on Windows after initial window initialization via {get|set}AccentColor. #​47741 (Also in [36](https://redirect.gith

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 8856797 to 341b53c Compare June 30, 2025 22:57
@renovate renovate bot changed the title from "Update dependency electron to v22 [SECURITY]" to "Update dependency electron to v28 [SECURITY]" Jun 30, 2025
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 341b53c to fe9a170 Compare August 10, 2025 14:46
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from fe9a170 to a661643 Compare August 19, 2025 17:41
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from a661643 to fdd7b20 Compare September 5, 2025 06:42
@renovate renovate bot changed the title from "Update dependency electron to v28 [SECURITY]" to "Update dependency electron to v35 [SECURITY]" Sep 5, 2025
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from fdd7b20 to d6c18a9 Compare September 25, 2025 13:58
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from d6c18a9 to ad9be40 Compare October 21, 2025 17:50
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from ad9be40 to 78fc7f4 Compare December 3, 2025 17:49
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 78fc7f4 to 471d43e Compare December 31, 2025 17:40
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 471d43e to ed6e122 Compare January 19, 2026 15:08
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from ed6e122 to e39382c Compare February 2, 2026 17:36
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from e39382c to 2225f3e Compare February 12, 2026 17:50
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 2225f3e to 06781cd Compare March 5, 2026 14:02
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 06781cd to 4bac8e9 Compare March 13, 2026 15:50
@renovate renovate bot changed the title from "Update dependency electron to v35 [SECURITY]" to "Update dependency electron to v35 [SECURITY] - autoclosed" Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch March 27, 2026 00:41
@renovate renovate bot changed the title from "Update dependency electron to v35 [SECURITY] - autoclosed" to "Update dependency electron to v35 [SECURITY]" Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch 2 times, most recently from 4bac8e9 to cc6d3cd Compare March 30, 2026 18:03
@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from cc6d3cd to f704944 Compare April 3, 2026 05:33
@renovate renovate bot changed the title from "Update dependency electron to v35 [SECURITY]" to "Update dependency electron to v39 [SECURITY]" Apr 3, 2026