chore(deps): update dependency electron to v38 [security] #48

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-electron-vulnerability

@renovate renovate Bot commented Oct 5, 2023

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change | Age | Confidence
electron | 6.0.0 → 38.8.6 | age | confidence

Arbitrary file read via window-open IPC in Electron

CVE-2020-4075 / GHSA-f9mq-jph6-9mhm

More information

Details

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions
  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Context isolation bypass via contextBridge in Electron

CVE-2020-4077 / GHSA-h9jc-284h-533g

More information

Details

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Context isolation bypass via leaked cross-context objects in Electron

CVE-2020-4076 / GHSA-m93v-9qjc-3g79

More information

Details

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
Non-Impacted Versions
  • 9.0.0-beta.*
For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Context isolation bypass via Promise in Electron

CVE-2020-15096 / GHSA-6vrv-94jv-crrg

More information

Details

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
  • 6.1.11
For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 6.8 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


IPC messages delivered to the wrong frame in Electron

CVE-2020-26272 / GHSA-hvf8-h2qh-37m9

More information

Details

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler
Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9
Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API

CVE-2021-39184 / GHSA-mpjm-v997-c4h4

More information

Details

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0
Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Renderers can obtain access to random bluetooth device without permission in Electron

CVE-2022-21718 / GHSA-3p22-ghq8-v749

More information

Details

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6
Workarounds

Adding this code to your app can work around the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 3.4 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

CVE-2022-29247 / GHSA-mq8j-3h7h-p8g7

More information

Details

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access; rather, it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5
Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 2.2 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AutoUpdater module fails to validate certain nested components of the bundle

CVE-2022-29257 / GHSA-77xc-hjv8-ww97

More information

Details

Impact

This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0
Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Exfiltration of hashed SMB credentials on Windows via file:// redirect

CVE-2022-36077 / GHSA-p2jh-44qj-pf2v

More information

Details

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron context isolation bypass via nested unserializable return value

CVE-2023-29198 / GHSA-p7v2-p9m8-qqg7

More information

Details

Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

This issue is exploitable under either of two conditions:

  • If an API exposed to the main world via contextBridge can return an object or array that contains a JS object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown: Error: object could not be cloned.
  • If an API exposed to the main world via contextBridge has a return value that throws a user-generated exception while being sent over the bridge, for instance a dynamic getter property on an object that throws an error when being computed.

The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported and that any objects returned from functions do not have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly recommend you update to a patched version of Electron.

Fixed Versions
  • 25.0.0-alpha.2
  • 24.0.1
  • 23.2.3
  • 22.3.6
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

CVE-2023-39956 / GHSA-7x97-j373-85x5

More information

Details

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low; in fact, normally issues of this kind are considered outside of our threat model, as, similar to Chromium, we exclude Physically Local Attacks, but given the ability for this issue to bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron affected by libvpx's heap buffer overflow in vp8 encoding

CVE-2023-5217 / GHSA-qqvq-6xgj-jw8g

More information

Details

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


ASAR Integrity bypass via filetype confusion in electron

CVE-2023-44402 / GHSA-7m48-wc93-9g85

More information

Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 22.3.24
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron vulnerable to Heap Buffer Overflow in NativeImage

CVE-2024-46993 / GHSA-6r2x-8pq8-9489

More information

Details

Impact

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

Workaround

There are no app-side workarounds for this issue. You must update your Electron version to be protected.

Patches
  • v28.3.2
  • v29.3.3
  • v30.0.3
For More Information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron has ASAR Integrity Bypass via resource modification

CVE-2025-55305 / GHSA-vmqv-hx8q-j7mg

More information

Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

CVE-2026-34767 / GHSA-4p4r-m79c-wq3v

More information

Details

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions
  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

electron/electron (electron)

v38.8.6: electron v38.8.6

Compare Source

Release Notes for v38.8.6

[!WARNING]
Electron 38.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50157 (Also in 39, 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50177 (Also in 39, 40, 41)
  • Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50130 (Also in 39, 40, 41)
  • Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50151 (Also in 39, 40, 41)

v38.8.4: electron v38.8.4

Compare Source

Release Notes for v38.8.4

Fixes

  • Fixed memory leak when setting icons on Linux/GTK. #​49897 (Also in 39, 40, 41)

v38.8.2: electron v38.8.2

Compare Source

Release Notes for v38.8.2

Other Changes

v38.8.1: electron v38.8.1

Compare Source

Release Notes for v38.8.1

Fixes

  • Fixed an issue whereby a duplicate "Toggle Full Screen" menu item appeared in the View menu on macOS. #​49596 (Also in 39, 40, 41)
  • Fixed dock menu items not respecting enabled and checked properties on macOS. #​49627 (Also in 39, 40, 41)

v38.8.0: electron v38.8.0

Compare Source

Release Notes for v38.8.0

Fixes

  • Fixed an issue where menu-did-close was not emitted properly for some application menus. #​49094 (Also in 39, 40)
  • Fixed an issue where systemPreferences.getAccentColor inverted the color. #​49066 (Also in 37, 39)

Other Changes

Unknown

  • Fixed an issue where some packages weren't correctly filtered on macOS in dialogs. #​49471 (Also in 39, 40, 41)

v38.7.2: electron v38.7.2

Compare Source

Release Notes for v38.7.2

Fixes

  • Fixed an issue where the close callback param for menu.popup would fire when any arbitrary submenu of the given menu closed, and not the menu itself. #​49047 (Also in 39, 40)
  • Fixed the issue where the parent window remained disabled after the modal window called show() multiple times. #​49020 (Also in 39, 40)

v38.7.1: electron v38.7.1

Compare Source

Release Notes for v38.7.1

Other Changes

v38.7.0: electron v38.7.0

Compare Source

Release Notes for v38.7.0

Features

  • Added app.isHardwareAccelerationEnabled(). #​48681 (Also in 37, 39)
  • Added bypassCustomProtocolHandlers option to net.request. #​48881 (Also in 39, 40)
  • Automatically focus DevTools when element is inspected or breakpoint is triggered. #​48701 (Also in 37, 39)
  • Enables resetting accent color to follow system accent settings if a previous color has been set via window.setAccentColor(null). #​48853 (Also in 39)

Fixes

  • Corrected the appearance of tiled windows on GNOME (when frame: true), and removed resize handles from tiled edges. #​48836 (Also in 39, 40)
  • Fix: ESM-from-CJS import when CJK characters are in path. #​48876 (Also in 39, 40)
  • Fixed an issue where calling webContents.openDevTools({ mode: 'detach' }) would cause a crash on Wayland. #​48926 (Also in 39)
  • Fixed crash on windows when UTF-8 is in path. #​48947 (Also in 39, 40)
  • Fixed oom crash when optimizing certain wasm functions involving large phi nodes. #​48817 (Also in 39, 40)
  • Fixed the issue where the parent window remained interactive after the modal window was opened. #​48866 (Also in 39, 40)
  • Restored window's canHide property. #​48900 (Also in 37, 39)

Other Changes

Unknown

  • Fixed an issue that menu items on macOS could not be disabled under all circumstances. #​48829 (Also in 39, 40)

v38.6.0: electron v38.6.0

Compare Source

Release Notes for v38.6.0

Fixes

  • Fixed an application crash when clicking or hovering over the native MacOS "Window" menu. Reverts #​48598. #​48801 (Also in 39, 40)
  • Fixed an issue on Wayland (Linux) where right-clicking in the titlebar could break mouse interactions. #​48757 (Also in 39, 40)
  • Fixed an issue that menu items on macOS could not be disabled under all circumstances. #​48710 (Also in 37, 39)
  • Fixed draw smoothing round corner issue. #​48780 (Also in 40)
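
The CVE-2026-34767 advisory quoted in the comment above gives one app-side workaround: validate or sanitize untrusted input before it reaches a response header name or value. The following is an added example, not code from Electron or from this repository; `safeHeaders` and `contentDisposition` are hypothetical helper names, and the file name used with them is constructed.

```javascript
// Added example: not Electron's or this repository's code.
// safeHeaders and contentDisposition are hypothetical helper names.

// RFC 7230 "token": the characters allowed in a header field name.
const FIELD_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field value: tab, space, visible ASCII and obs-text (0x80-0xFF) only.
// CR, LF, NUL and the remaining control characters do not match.
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

// Returns a copy of `headers`, or throws on the first unsafe name or value.
// A value may be a string or an array of strings, the shape that
// webRequest.onHeadersReceived uses for responseHeaders.
function safeHeaders(headers) {
  const out = {};
  for (const [name, raw] of Object.entries(headers)) {
    if (!FIELD_NAME.test(name)) {
      throw new TypeError(`unsafe header name: ${JSON.stringify(name)}`);
    }
    const values = Array.isArray(raw) ? raw : [raw];
    for (const v of values) {
      if (typeof v !== 'string' || !FIELD_VALUE.test(v)) {
        throw new TypeError(`unsafe value for header ${name}`);
      }
    }
    out[name] = Array.isArray(raw) ? [...raw] : raw;
  }
  return out;
}

// When the untrusted string has to survive (for example a download name),
// encode it instead of rejecting it: RFC 8187 ext-value for filename*.
// encodeURIComponent percent-encodes CR and LF and throws URIError on lone
// surrogates; the replace covers the four characters it leaves unescaped
// that are not attr-char.
function contentDisposition(untrustedName) {
  const encoded = encodeURIComponent(untrustedName).replace(
    /['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()
  );
  return `attachment; filename*=UTF-8''${encoded}`;
}

// Intended wiring in the main process (Electron APIs named in the advisory):
//   protocol.handle('app', (req) =>
//     new Response(body, { headers: safeHeaders({
//       'Content-Type': 'application/pdf',
//       'Content-Disposition': contentDisposition(nameFromRequest),
//     }) }))
```

Run `safeHeaders` over the complete header set immediately before it is handed to `Response` or to the `onHeadersReceived` callback, so that values assembled from several inputs are checked in their final form.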

changeset-bot Bot commented Oct 5, 2023

⚠️ No Changeset found

Latest commit: b91f32c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
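
The CVE-2022-29247 advisory in the Renovate comment above asks that every IPC message handler validate `senderFrame`. The following is an added example of such a check, not code from Electron or from this repository; `ALLOWED`, `isTrustedFrame`, `guarded` and the origins listed are assumptions for a hypothetical app.

```javascript
// Added example: not Electron's or this repository's code.
// ALLOWED is an assumption: the places this hypothetical app loads its UI from.
const ALLOWED = [
  { protocol: 'app:', host: 'bundle' },
  { protocol: 'https:', host: 'app.example.test' },
];

// `frame` is the handler's event.senderFrame (a WebFrameMain: .url, .parent).
function isTrustedFrame(frame, { topLevelOnly = true } = {}) {
  // The frame may be missing if it was destroyed or navigated before the
  // handler ran; treat that as untrusted.
  if (!frame || typeof frame.url !== 'string') return false;
  // Subframes are rejected unless the caller opts in explicitly.
  if (topLevelOnly && frame.parent) return false;
  let u;
  try {
    u = new URL(frame.url);
  } catch {
    return false;
  }
  // Compare parsed components exactly. Prefix or substring checks on the raw
  // URL accept look-alike hosts, and URL.origin is the string "null" for
  // custom schemes, so protocol and host are compared instead.
  return ALLOWED.some((a) => a.protocol === u.protocol && a.host === u.host);
}

// Wraps an IPC handler so the sender check cannot be forgotten per channel.
function guarded(handler, opts) {
  return (event, ...args) => {
    if (!isTrustedFrame(event.senderFrame, opts)) {
      throw new Error('IPC rejected: untrusted sender frame');
    }
    return handler(event, ...args);
  };
}

// Intended wiring in the main process:
//   ipcMain.handle('read-settings', guarded(readSettings));
```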

@renovate renovate Bot deleted the renovate/npm-electron-vulnerability branch April 3, 2024 13:24
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 7d47bb3 to f37cfc3 Compare June 30, 2025 21:30
@renovate renovate Bot changed the title chore(deps): update dependency electron to v22 [security] chore(deps): update dependency electron to v28 [security] Jun 30, 2025
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from f37cfc3 to 9ca731d Compare August 10, 2025 14:40
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 9ca731d to d50784a Compare August 19, 2025 13:30
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from d50784a to 203289c Compare September 4, 2025 04:04
@renovate renovate Bot changed the title chore(deps): update dependency electron to v28 [security] chore(deps): update dependency electron to v35 [security] Sep 4, 2025
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 203289c to 0eb6a75 Compare September 25, 2025 20:54
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 0eb6a75 to f6a0de7 Compare October 21, 2025 17:06
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from f6a0de7 to 46e3cd4 Compare November 11, 2025 01:57
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 46e3cd4 to e1f9dfb Compare November 18, 2025 12:04
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from e1f9dfb to 4edc197 Compare December 31, 2025 14:13
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 4edc197 to ced36a0 Compare January 19, 2026 19:23
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from ced36a0 to 471c6f6 Compare February 2, 2026 18:10
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 471c6f6 to 886631d Compare February 12, 2026 09:57
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 886631d to e3fdfbc Compare March 5, 2026 14:56
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from e3fdfbc to 494a94b Compare March 13, 2026 17:00
@renovate renovate Bot changed the title chore(deps): update dependency electron to v35 [security] chore(deps): update dependency electron to v35 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency electron to v35 [security] - autoclosed chore(deps): update dependency electron to v35 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch 2 times, most recently from 66ba764 to 1da1bec Compare April 3, 2026 08:36
@renovate renovate Bot changed the title chore(deps): update dependency electron to v35 [security] chore(deps): update dependency electron to v38 [security] Apr 3, 2026
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 1da1bec to b91f32c Compare April 8, 2026 20:02