Update dependency electron-packager to v7 [SECURITY] by renovate[bot] · Pull Request #18 · robot-head/LaserDream

renovate · 2022-09-30T05:39:13Z

This PR contains the following updates:

Package	Change	Age	Confidence
electron-packager	`^5.0.2` → `^7.0.0`

SSL Validation Defaults to False in electron-packager

CVE-2016-10534 / GHSA-q43m-ffwr-rpcc

More information

Details

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

Update to version 7.0.0 or later.
Delete the electron-download cache folder, which is by default located at ~/.electron.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

electron/electron-packager (electron-packager)

`v7.0.0`: 7.0.0

Compare Source

Added

Add download parameter (#320)

Changed

Dropped support for running on Node < 4.0. (#319)

Fixed

strict-ssl (and by extension, download.strictSSL) defaults to true, as documented (#320)

Deprecated

cache is deprecated in favor of download.cache (#320)
strict-ssl is deprecated in favor of download.strictSSL (#320)

Removed

[win32] version-string.FileVersion and version-string.ProductVersion are replaced by
favor of app-version and build-version, respectively (#327)
[win32] version-string.LegalCopyright is replaced by app-copyright (#327)

`v6.0.2`: 6.0.2

Compare Source

Changed

[win32] rcedit dependency updated to 0.5.x. The DLL mentioned in the 6.0.1 release notes
is no longer required.

`v6.0.1`: 6.0.1

Compare Source

Changed

[win32] rcedit dependency updated to 0.4.x
API documentation moved from readme.md to docs/api.md (#296)

Fixed

[darwin/mas] The OSX icon is properly replaced when Electron ≥ 0.37.4 is used (#301)
default_app.asar is deleted during packaging (necessary when Electron ≥ 0.37.4 is used).
The default_app folder is still deleted for older Electron versions (#298, #311)

`v6.0.0`: 6.0.0

Compare Source

Added

Add support for a new target platform, Mac App Store (mas), including signing OS X apps
(#223, #278)
Add app-copyright parameter (#223)
Add tmpdir parameter to specify a custom temp directory (#230); set to false to disable
using a temporary directory at all (#251, #276)
Add NEWS.md, a human-readable list of changes in each version (since 5.2.0) (#263)

Changed

The GitHub repository has been moved into an organization,
electron-userland
Allow the ignore parameter to take a function (#247)
[contributors] Update Standard (JavaScript coding standard) package to 5.4.x
[contributors] Add code coverage support via Coveralls (#257)
Better docs around contributing to the project (#258)
Ignore the directory specified by the out parameter by default (#255)
[darwin/mas] Add support for merging arbitrary plist files and adding arbitrary resource
files (#253)
Split out the code to sign OS X apps into a separate Node module,
electron-osx-sign (#223)
[darwin/mas] BREAKING: The sign parameter is now osx-sign (for better cross-platform
compatibility) and optionally takes several of the same sub-parameters as
electron-osx-sign (#286)

Deprecated

[win32] version-string.LegalCopyright is deprecated in favor of app-copyright (#268)

Fixed

[darwin/mas] Ensure CFBundleVersion and CFBundleShortVersionString are strings (#250)
[darwin/mas] Correctly set the helper bundle ID in all relevant plist files (#223)
[darwin/mas] OSX-specific binaries are correctly renamed to the application name (#244, #293)

If you are upgrading from ≤ 5.2.1 and building for a darwin target, you may experience problems. See #323 for details.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

pull-request-size Bot added the size/XS label Sep 30, 2022

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from faa247f to 624e8d4 Compare November 20, 2022 11:26

renovate Bot changed the title ~~Pin dependency electron-packager to v5.2.0 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Nov 20, 2022

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Mar 31, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 624e8d4 to 5904d41 Compare March 31, 2023 09:51

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 5904d41 to d1c045c Compare May 30, 2023 03:49

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] May 30, 2023

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jun 1, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from d1c045c to 23f4168 Compare June 1, 2023 17:47

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 23f4168 to aa884c1 Compare June 9, 2023 21:00

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jun 9, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from aa884c1 to eb5ba11 Compare June 10, 2023 11:35

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jun 10, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from eb5ba11 to 5448137 Compare June 16, 2023 02:46

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jun 16, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 5448137 to 4350416 Compare June 17, 2023 08:59

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jun 17, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 4350416 to 1d05e15 Compare June 20, 2023 20:53

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jun 20, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 1d05e15 to 7b9a23b Compare June 22, 2023 20:56

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jun 22, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 7b9a23b to 6e7fd8e Compare June 30, 2023 17:52

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jun 30, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 6e7fd8e to e40e09b Compare July 1, 2023 00:13

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jul 1, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from e40e09b to 6f9412e Compare July 7, 2023 11:55

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jul 7, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 6f9412e to 7ceef31 Compare July 8, 2023 05:22

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jul 8, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 7ceef31 to 2981a5b Compare July 10, 2023 23:49

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from b0e38c0 to 0e2c4e7 Compare July 28, 2023 08:54

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Jul 28, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 0e2c4e7 to 28d85be Compare July 29, 2023 02:25

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Jul 29, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 28d85be to f6909b0 Compare August 2, 2023 02:20

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Aug 2, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from f6909b0 to 1a5a524 Compare August 5, 2023 05:19

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Aug 5, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 1a5a524 to e730796 Compare August 10, 2023 23:33

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Aug 10, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from e730796 to f51f24c Compare August 11, 2023 08:27

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Aug 11, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from f51f24c to 0f4fea0 Compare August 23, 2023 05:35

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Aug 23, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 0f4fea0 to 70f49aa Compare August 26, 2023 00:02

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Aug 26, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 70f49aa to c307164 Compare August 28, 2023 17:58

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Aug 28, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from c307164 to afc5d21 Compare August 29, 2023 02:47

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Aug 29, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from afc5d21 to ef4a46c Compare September 20, 2023 09:01

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Sep 20, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from ef4a46c to 0053250 Compare September 21, 2023 05:48

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Sep 21, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 0053250 to 8eefb1d Compare September 27, 2023 08:57

renovate Bot changed the title ~~Update dependency electron-packager to v7 [SECURITY]~~ Update dependency electron-packager to v17 [SECURITY] Sep 27, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 8eefb1d to 67c2f87 Compare September 28, 2023 05:17

renovate Bot changed the title ~~Update dependency electron-packager to v17 [SECURITY]~~ Update dependency electron-packager to v7 [SECURITY] Sep 28, 2023

renovate Bot force-pushed the renovate/npm-electron-packager-vulnerability branch from 67c2f87 to f7727ca Compare September 29, 2023 20:47

Update dependency electron-packager to v7 [SECURITY]

7b6256d

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency electron-packager to v7 [SECURITY]#18

Update dependency electron-packager to v7 [SECURITY]#18
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-electron-packager-vulnerability

renovate Bot commented Sep 30, 2022 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Sep 30, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

SSL Validation Defaults to False in electron-packager

Details

Recommendation

Severity

References

Release Notes

v7.0.0: 7.0.0

Added

Changed

Fixed

Deprecated

Removed

v6.0.2: 6.0.2

Changed

v6.0.1: 6.0.1

Changed

Fixed

v6.0.0: 6.0.0

Added

Changed

Deprecated

Fixed

v5.2.1

v5.2.0

v5.1.1

v5.1.0

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Sep 30, 2022 •

edited

Loading

`v7.0.0`: 7.0.0

`v6.0.2`: 6.0.2

`v6.0.1`: 6.0.1

`v6.0.0`: 6.0.0

`v5.2.1`

`v5.2.0`

`v5.1.1`

`v5.1.0`