Skip to content

fix(deps): update dependency electron to v35 [security] #1921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency electron to v35 [security] #1921

wants to merge 1 commit into from
+10 −17

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 4, 2025

This PR contains the following updates:

Package Change Age Confidence
electron ^31.7.7 -> ^35.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-55305

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5

For more information

If you have any questions or comments about this advisory, email us at [email protected]

Release Notes

electron/electron (electron)

v35.7.5: electron v35.7.5

Compare Source

Release Notes for v35.7.5

[!WARNING]
Electron 35.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

Fixes

  • Fixed an issue where shell.openPath was not non-blocking as expected. #​48079 (Also in 36, 37, 38)

v35.7.4: electron v35.7.4

Compare Source

Release Notes for v35.7.4

  • Fix ffmpeg generation on Windows non-x64

v35.7.2: electron v35.7.2

Compare Source

Release Notes for v35.7.2

Fixes

  • Fixed an issue where printing PDFs with webContents.print({ silent: true }) would fail. #​47645 (Also in 36, 37)

v35.7.0: electron v35.7.0

Compare Source

Release Notes for v35.7.0

Other Changes

v35.6.0: electron v35.6.0

Compare Source

Release Notes for v35.6.0

Features

  • Added support for --no-experimental-global-navigator flag. #​47416 (Also in 36, 37)
  • Added support for customizing system accent color and highlighting of active window border. #​47539 (Also in 36, 37)

Fixes

  • Fixed a potential crash using session.clearData in some circumstances. #​47410 (Also in 36, 37)
  • Fixed an error when importing electron for the first time from an ESM module loaded by a CJS module in a packaged app. #​47344 (Also in 36, 37)
  • Fixed an issue where calling Fetch.continueResponse via debugger with WebContentsView could cause a crash. #​47443 (Also in 36, 37)
  • Fixed an issue where utility processes could leak file handles. #​47542 (Also in 36, 37)
  • Partially fixes an issue with printing a PDF via webContents.print() where the callback would not be called. #​47399 (Also in 36, 37)

Other Changes

v35.5.1: electron v35.5.1

Compare Source

Release Notes for v35.5.1

Fixes

  • Fixed addChildView() crashes when adding a closed WebContentsView. #​47339
  • Fixed crash in autoUpdater on macOS when zip extraction failed. #​47299 (Also in 34, 36, 37)
  • Fixed crash when pausing in loops due to missing context when desugared. #​47286

Other Changes

v35.5.0: electron v35.5.0

Compare Source

Release Notes for v35.5.0

Features

  • Added innerWidth and innerHeight options for window.open. #​47045 (Also in 36, 37)
  • Added sublabel functionality for menus on macOS >= 14.4. #​47041 (Also in 36, 37)
  • Added support for screen.dipToScreenPoint(point) and screen.screenToDipPoint(point) on Linux X11. #​47124 (Also in 36, 37)
  • Added support for node option --experimental-network-inspection. #​47029 (Also in 36, 37)

Fixes

  • Fixed a possible crash in shell.readShortcutLink. #​47226 (Also in 36)
  • Fixed an issue where protected transparent windows inappropriately showed a titlebar after visibility change. #​47265 (Also in 36, 37)
  • Fixed an issue where the 'suspend' and 'resume' events could be emitted in duplicate. #​47190 (Also in 36, 37)
  • Fixed an issue where the backgroundMaterial feature did not work in a frameless window on initial window creation. #​47236 (Also in 36)
  • Fixed opening package paths as directory when treatPackageAsDirectory is enabled on macOS. #​47110 (Also in 36, 37)
  • Fixed regression with directory selection in macOS dialogs. #​47276 (Also in 36, 37)

Other Changes

v35.4.0: electron v35.4.0

Compare Source

Release Notes for v35.4.0

Features

  • Added support for system-context-menu on Linux. #​46977 (Also in 36)

Fixes

  • Fixed a possible crash using the WebView tag and calling focus. #​47035 (Also in 36, 37)
  • Fixed an issue where the window flickers with either a light or dark color before loading the desired background color. #​47052 (Also in 36, 37)
  • Fixed crash in xdg portal version detection on startup. #​47025 (Also in 36, 37)
  • Restored previous window-hiding behavior of win.setContentProtected() on Windows. #​47034 (Also in 36, 37)

Other Changes

v35.3.0: electron v35.3.0

Compare Source

Release Notes for v35.3.0

Fixes

  • Fixed a crash that could occur when opening some dialogs as windows are closing on macOS. #​46953 (Also in 36, 37)
  • Fixed an issue where transparent child windows on macOS were rendering a grey block as opposed to their correct contents. #​46889 (Also in 36, 37)
  • Fixed display id validation errors on certain versions of windows 10. #​46873
  • Fixed log files written to the current working directory on Windows. #​46911 (Also in 36, 37)
  • Fixed xdg portal version detection for file dialogs on linux. #​46936 (Also in 36, 37)

Other Changes

  • Added support for --js-flags=--perf-prof on macOS. #​46877 (Also in 36)

v35.2.2: electron v35.2.2

Compare Source

Release Notes for v35.2.2

Fixes

  • Fixed electron.shell.openExternal and electron.shell.openPath to honor user-defined system defaults on Linux. #​46789 (Also in 33, 34, 36)
  • Fixed a possible crash when using navigator.bluetooth.requestDevice and the select-bluetooth-device event. #​46784 (Also in 34, 36)
  • Fixed a potential crash when closing a window with child windows. #​46774 (Also in 34, 36)
  • Fixed build error with enable_electron_extensions=false. #​46840 (Also in 34, 36)
  • Fixed crash when renderer process crashes while webview is reloading. #​46769 (Also in 34, 36)
  • Fixed documentation to mark Window.autoHideMenuBar as supported on Linux and Windows. #​46829 (Also in 34, 36)
  • Fixed the visibleOnAllWorkspaces property on Linux. #​46861
  • Fixed the border style of windows with vibrancy on macOS. #​46772 (Also in 36)
  • Fixed the issue where maximizing and restoring the window does not respect the corner radius settings, and the corner radius is incorrect in fullscreen mode. #​46847 (Also in 36)

v35.2.1: electron v35.2.1

Compare Source

Release Notes for v35.2.1

Fixes

  • Fixed Minimize menu button to follow set window minimizability on Windows. #​46715 (Also in 34, 36)
  • Fixed a potential crash in utilityProcess.postMessage when calling with an invalid transferable. #​46666 (Also in 36)
  • Fixed case where file dialog filters would get mixed up, if a * filter was included. #​46721 (Also in 34, 36)
  • Fixed crash on reconversion with google IME and editcontext on macOS. #​46700 (Also in 34, 36)
  • Microtasks are no longer (incorrectly) run by serializing values, including when sending IPC. #​46684 (Also in 34, 36)

v35.2.0: electron v35.2.0

Compare Source

Release Notes for v35.2.0

Features

  • Added nativeTheme.shouldUseDarkColorsForSystemIntegratedUI to distinguish system and app theme. #​46599 (Also in 36)

Fixes

  • Fixed ElectronAccessibilityUI bug. #​46591 (Also in 33, 34, 36)
  • Fixed a possible BrowserWindow crash caused by closing a parent window with focus or blur events. #​46581 (Also in 34, 36)
  • Fixed an error when calling window.emit('close') after toggling fullscreen mode. #​46620 (Also in 36)
  • Fixed an inverted conditional in the above PR that caused broken window borders in some circumstances on Wayland. #​46644 (Also in 33, 34, 36)
  • Fixed an issue where badly formatted switches could cause crashes in app.commandLine functions. #​46631 (Also in 36)
  • Fixed an issue with --inspect-brk failing in packaged apps. #​46583 (Also in 36)
  • Fixed an issue with the assert Node.js module in the renderer process. #​46632 (Also in 36)
  • Fixed several paint and white flash issues on macOS. #​46628 (Also in 36)

Other Changes

  • Fixed an issue where printing from the renderer process crashes the main process when no printers are installed in the system or there's not a default printer. #​46616 (Also in 34, 36)
  • Updated Chromium to 134.0.6998.205. #​46655

v35.1.5: electron v35.1.5

Compare Source

Release Notes for v35.1.5

Fixes

  • Fixed a potential crash in parentPort. #​46495 (Also in 34, 36)

Unknown

v35.1.4: electron v35.1.4

Compare Source

Release Notes for v35.1.4

Fixes

  • Fix: don't copy 'package.json's out of ASAR file. #​46478 (Also in 36)
  • Fixed a bug that could cause some maximized windows on Linux to report an incorrect window state. #​46464 (Also in 34, 36)
  • Fixed a possible crash using Node.js on some arm32 devices. #​46461 (Also in 36)
  • Fixed crash on application exit with pending app.getGPUInfo promise. #​46470 (Also in 34, 36)

v35.1.3: electron v35.1.3

Compare Source

Release Notes for v35.1.3

Fixes

  • Fixed a crash that could occur when dragging and dropping files into the browser. #​46311 (Also in 36)
  • Fixed an issue where context-menu event weren't emitted as expected on Windows in draggable regions. #​46334 (Also in 34, 36)
  • Fixed an issue where calling UtilityProcess.fork prior to the app ready event would cause a crash. #​46403 (Also in 34, 36)
  • Fixed flickering and ghosting artifacts in transparent windows on macOS. #​46392 (Also in 36)
  • Fixed memory leak in AutofillPopupView. #​46413 (Also in 34, 36)
  • Fixed the issue where rounded corners disappear momentarily when closing on Windows 11. #​46408 (Also in 36)
  • When a menu item on macOS is disabled (enabled = false), it is now greyed out. #​46341 (Also in 34, 36)

Other Changes

  • Updated Chromium to 134.0.6998.179. #​46313

v35.1.2: electron v35.1.2

Compare Source

Release Notes for v35.1.2

Fixes

  • Fixed an issue where navigationHistory.restore() failed to restore the userAgent if it was overridden. #​46300 (Also in 34, 36)

Other Changes

v35.1.1: electron v35.1.1

Compare Source

Release Notes for v35.1.1

Fixes

  • Fixed build failure when building with printing disabled. #​46285 (Also in 34, 36)

v35.1.0: electron v35.1.0

Compare Source

Release Notes for v35.1.0

Features

  • Added ffmpeg.dll to delay load configuration. #​46172 (Also in 34, 36)

Fixes

  • Fixed NODE_OPTIONS parsing for child processes on macOS. #​46244 (Also in 34, 36)
  • Fixed a crash seen on Linux when calling webContents.print(). #​46147 (Also in 36)
  • Fixed an issue where system-context-menu incorrectly fired for all regions in frameless windows. #​46178 (Also in 33, 34, 36)
  • Fixed an issue where webContents.printToPDF() didn't work as expected with cross-process subframes. #​46257 (Also in 34, 36)
  • Fixed an issue where the resizing border didn't work as expected on Wayland windows. #​46224 (Also in 33, 34, 36)
  • Fixed an issue with token formatting for tokens received after calling pushNotifications.registerForAPNSNotifications(). #​46148 (Also in 34, 36)
  • Fixed crash on Linux when PipeWire screenshare source selection is cancelled. #​46234 (Also in 36)
  • Fixed crash with out-of-bounds string read when parsing NODE_OPTIONS. #​46248 (Also in 34, 36)

Other Changes

  • Improved performance of desktopCapturer.getSources when not requesting thumbnails on macOS. #​46249 (Also in 34, 36)
  • Updated Chromium to 134.0.6998.165. #​46196

v35.0.3: electron v35.0.3

Compare Source

Release Notes for v35.0.3

Fixes

  • Fixed an issue where snapped windows in Windows may sometimes be improperly restored. #​46040 (Also in 33, 34, 36)
  • Fixed incorrect titlebar in file save dialogs. #​46074 (Also in 33, 34, 36)

Documentation

v35.0.2: electron v35.0.2

Compare Source

Release Notes for v35.0.2

Fixes

  • Fixed an issue where Web Workers crashed on unhandled rejections. #​46020 (Also in 34, 36)
  • Fixed an issue where packages could be mistakenly not found in asar. #​46022 (Also in 36)
  • Fixed title changes to not occur while navigating within a page. #​46035 (Also in 34, 36)

Other Changes

  • Fixed an issue where Electron could fail to load on some older Linux distributions. #​45983 (Also in 34, 36)
  • Updated Chromium to 134.0.6998.88. #​45972

v35.0.1: electron v35.0.1

Compare Source

Release Notes for v35.0.1

Fixes

  • Fixed an issue where Node.js OOM errors terminate the process directly without raising an OOM exception. #​45911 (Also in 36)
  • Fixed an issue where setContentProtection(true) was reverted when a given window was hidden. #​45889 (Also in 34)
  • Fixed invalid memory access in pdf viewer which lead to random crashes. #​45879 (Also in 34)
  • Improved webContents loading time when resolving fonts for uncommon scripts. #​45918 (Also in 34, 36)

Other Changes

v35.0.0: electron v35.0.0

Compare Source

Release Notes for v35.0.0

Stack Upgrades

Breaking Changes

  • Added excludeUrls to webRequest filter and deprecated the use of empty arrays in urls property. #​45678
  • Added fromVersionID on ServiceWorkers to get an instance of ServiceWorkerMain. #​45341
  • Deprecated getPreloads and setPreloads on Session. #​45329
  • Fixed file chooser dialogs for flaptak applications. #​44426 (Also in 34)
  • Moved 'console-message' arguments into event object. #​43617
  • The systemPreferences.isAeroGlassEnabled() API has been deprecated and will be removed without replacement. #​45554

Features

Additions
  • Added APIs to manage shared dictionaries for compression efficiency using Brotli or ZStandard. The new APIs are session.getSharedDictionaryUsageInfo(), session.getSharedDictionaryInfo(options), session.clearSharedDictionaryCache(), and session.clearSharedDictionaryCacheForIsolationKey(options). #​44750 (Also in 33, 34)
  • Added NSPrefersDisplaySafeAreaCompatibilityMode = false to Info.plist to remove "Scale to fit below built-in camera." from app options. #​45357 (Also in 33, 34)
  • Added ServiceWorkerMain class to interact with service workers in the main process. #​45341
    • Added running-status-changed event on ServiceWorkers to indicate when a service worker's running status has changed.
    • Added startWorkerForScope on ServiceWorkers to start a worker that may have been previously stopped.
  • Added WebFrameMain.collectJavaScriptCallStack() for accessing the JavaScript call stack of unresponsive renderers. #​44204 (Also in 33, 34)
  • Added contextBridge.executeInMainWorld to safely execute code across world boundaries. #​45330
  • Added frame to 'console-message' event. #​43617
  • Added query-session-end event and improved session-end events on Windows. #​44598
  • Added view.getVisible(). #​45409 (Also in 34)
  • Added webContents.navigationHistory.restore(index, entries) API that allows restoration of navigation history. #​45583 (Also in 34)
  • Added optional animation parameter to BrowserWindow.setVibrancy. #​35987
  • Added permission support for document.executeCommand("paste"). #​45471 (Also in 33, 34)
  • Added support for roundedCorners BrowserWindow constructor option on Windows. #​45740 (Also in 34)
  • Added support for service worker preload scripts. #​45408
  • Support Portal's globalShortcuts. Electron must be run with --enable-features=GlobalShortcutsPortal in order to have the feature working. #​45297
Improvements
  • Performance improvements when processing microtasks. #​44439 (Also in 32, 33, 34)
  • Redesigned preload script APIs by introducing registerPreloadScript, unregisterPreloadScript, getPreloadScripts on Session.#​45329
Removed/Deprecated
  • Removed 240 FPS limit when use shared texture OSR. #​45781

Fixes

  • Fixed webContents.print() after switch to OOP printing on macOS and Linux. #​45285
  • Fixed an issue where the renderer process crashed when loading about:blank in subframes. #​45758
  • Fixed broken OOP window.print() on macOS/Linux. #​45259
  • Fixed desktopCapturer.getSources not returning electron windows on Windows. #​45000
  • Fixed spellcheck suggestions not correctly populating on Windows. #​45763
  • Optimized webFrame.getZoomLevel and webFrame.getZoomFactor APIs. #​45557
  • Re-enables the MacWebContentsOcclusion feature flag for Mac, with plans to make it enabled by default in a future release. #​45801
Also in earlier versions...
  • Addressed two possible crashes in the File System Access API. #​45261 (Also in 34)
  • Backported fix for a upstream bug that cause Offscreen Rendering to stutter. #​45660 (Also in 32, 33, 34)
  • Fixed WebFrameMain crash related to accessing speculative frames that have been destroyed. #​45686 (Also in 33, 34)
  • Fixed chrome.i18n extension API being unavailable in service workers. #​45031 (Also in 31, 32, 33, 34)
  • Fixed trace-startup not working on macOS. #​44257 (Also in 32, 33, 34)
  • Fixed v8.setHeapSnapshotNearHeapLimit api in main and utility process, along with support for --diagnostic-dir Node.js cli flag to specify the directory to save the heap snapshots. #​45632 (Also in 33, 34)
  • Fixed a bug where the default path didn't always correctly fill the Name field in KDialogs on Linux. #​45420 (Also in 34)
  • Fixed a crash that could occur in OSR on window close. #​45630 (Also in 34)
  • Fixed a crash that could occur when calling shell.readShortcutLink on Windows. #​44784 (Also in 33, 34)
  • Fixed a crash when calling shell.readShortcutLink caused by PKEY_AppUserModel_ToastActivatorCLSID sometimes being represented by a string uuid. #​45348 (Also in 33, 34)
  • Fixed a potential crash in chrome.tabs.update(). #​45302 (Also in 33, 34)
  • Fixed a potential crash when calling legacy getUserMedia with an invalid chromeMediaSourceId. #​45755 (Also in 34)
  • Fixed a potential issues permissions in the Pointer Lock API after focus loss and regain. #​45628 (Also in 34)
  • Fixed an issue where RTL tooltips could be incorrect when using WCO on Windows. #​45425 (Also in 33, 34)
  • Fixed an issue where Windows Control Overlay didn't work with some window configurations. #​45477 (Also in 33, 34)
  • Fixed an issue where EventSource was undefined in both renderer and worker processes when Node.js integration was enabled. #​44475 (Also in 32, 33, 34)
  • Fixed an issue where WebContentsViews were being improperly removed. #​44656 (Also in 31, 32, 33, 34)
  • Fixed an issue where contextmenu events wouldn't be correctly dispatched in draggable regions on Linux. #​45841 (Also in 34)
  • Fixed an issue where resize wasn't being emitted for single-pixel resizes on Windows. #​44700 (Also in 32, 33, 34)
  • Fixed an issue where a utilityProcess pid would not be undefined after exit. #​44677 (Also in 32, 33, 34)
  • Fixed an issue where buttons shown under the Window Controls Overlay API were missing tooltips. #​44721 (Also in 32, 33, 34)
  • Fixed an issue where closing a window after printing on Linux triggered a crash. #​44246 (Also in 31, 32, 33, 34)
  • Fixed an issue where drag-dropping two directories would cause getAsFileSystemHandle to never resolve. #​45256 (Also in 33, 34)
  • Fixed an issue where print scaling could be too small during silent print. #​45262 (Also in 34)
  • Fixed an issue where selection of multiple directories with the dialog module didn't work on Linux. #​45394 (Also in 34)
  • Fixed an issue where the exit event could be emitted twice from the utilityProcess. #​44243 (Also in 31, 32, 33, 34)
  • Fixed an issue where the webContents context-menu event was not emitted when using -webkit-app-region: drag. #​44761 (Also in 32, 33, 34)
  • Fixed an issue where the windows control overlay was unexpectedly visible in fullscreen on Linux. #​44621 (Also in 31, 32, 33, 34)
  • Fixed an issue where windows on Windows with backgroundMaterial lost effect on maximization. #​45525 (Also in 34)
  • Fixed an possible crash when using draggable regions and BaseWindows to get the context-menu event. #​44940 (Also in 32, 33, 34)
  • Fixed build failure when the PDF viewer is disabled. #​44960 (Also in 33, 34)
  • Fixed calling setAlwaysOnTop on a hidden window which is then shown with showInactive on Linux under X11. #​44078 (Also in 31, 32, 33, 34)
  • Fixed crash in gin::wrappable::secondweakcallback. #​45378 (Also in 33, 34)
  • Fixed crash in net api when utility process exits. #​44574 (Also in 32, 33, 34)
  • Fixed crash on startup with asan build on macOS. #​45569 (Also in [33](https://redirect.github.com/electron/e

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 4, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 4ff7a3a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from 9ee4073 to 4ff7a3a Compare September 10, 2025 02:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants