[HOLD for payment 2022-10-26] [$250] Upgrade electron

[flodnv]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Problem

The version of electron in package.json is really outdated, and now has a vulnerability.

Solution

Let's update to the latest if possible, or at least to 18.3.12.

[melvin-bot]

Triggered auto assignment to @NicMendonca (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @parasharrajat (External)

[melvin-bot]

Triggered auto assignment to @puneetlath (External), see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[NicMendonca]

Job post: https://www.upwork.com/jobs/~01b1a7d6d830a2580c

[smrutiparida]

Proposal:

The Electron is upgraded to 20.2.0 locally without any breaking changes.

There are 3 breaking changes introduced in 20.2.0. They are

Breaking Changes

1. Removed the skip-taskbar feature on Linux. #35156

Not used in the codebase

2. Renderers are now sandboxed by default unless nodeIntegration: true or sandbox: false is specified. #35125

Since we don't initialize nodeIntegration in our main.js, we can continue to use BrowserWindow with new default values. Or else can initialize the default values for nodeIntegration and sandbox

`return app.whenReady()
    .then(() => {
        const browserWindow = new BrowserWindow({
            backgroundColor: '#FAFAFA',
            width: 1200,
            height: 900,
            webPreferences: {
                preload: `${__dirname}/contextBridge.js`,
                contextIsolation: true,
            },
            titleBarStyle: 'hidden',
            nodeIntegration: false,
            sandbox: true,
        });`

3. Added safeguards when building native modules with nan. Use node-gyp >=8.4.0 and electron-rebuild >=3.2.9 for when rebuilding native modules. #35160

We already use the node-gyp 9.0.0 and do not use electron-rebuild

###Test suite result

The change should work. If we do not wish to upgrade to 20.0.0 then we can also do step wise upgrade to 18.3.6 easily.

[melvin-bot]

@puneetlath, @parasharrajat, @NicMendonca Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[flodnv]

@parasharrajat thoughts on the proposal?

[parasharrajat]

Reviewing...

[parasharrajat]

@smrutiparida Proposal looks good to me. It might be good to upgrade the electron-reloader as well.

cc: @flodnv

🎀 👀 🎀 C+ reviewed

[puneetlath]

Proposal seems good to me too 👍🏾

[melvin-bot]

📣 @smrutiparida You have been assigned to this job by @puneetlath!
Please apply to this job in Upwork and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[smrutiparida]

I have applied to this job on upwork now.

[roryabraham]

Heads up! We just added live-reload to the main process of Electron on dev. Please make sure that we don't break that.

[parasharrajat]

@NicMendonca Based on #11324 (comment), It seems @smrutiparida is still not hired on Upwork. Could you please check that? Thank you.

[Luke9389]

Hey folks, it looks like we're on electron 18.3.15 already

[puneetlath]

Oh yeah. Thanks @Luke9389. Looks like we did that here: #11531

@NicMendonca let's go ahead and pay @smrutiparida and @parasharrajat out since they did the work. And then let's close this issue and the PR since they are no longer needed.

[parasharrajat]

PR is trying to upgrade to v20 of electron.

[puneetlath]

Ah, good point. It looks like we've been waiting for @smrutiparida for almost a week now to update their PR. If we don't hear back in the next day, let's just close this out, since the security hole has already been resolved.

[Luke9389]

My two cents is that we should close this, because we've already dealt with the security problem. Now we're just upgrading for the sake of upgrading (which we generally don't do without a demonstration of some material benefit).

[puneetlath]

That makes sense to me. @NicMendonca let's pay @smrutiparida and @parasharrajat out and close.

[flodnv]

I think we should upgrade to 19.0.15...?

[roryabraham]

Alternatively, let's just update to the latest stable release 21.0.1?

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.2.17-4 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• [No QA] Updating electron #11836

If no regressions arise, payment will be issued on 2022-10-26. 🎊

[NicMendonca]

@smrutiparida paid!

@parasharrajat please accept the job offer when you get a sec. Thanks!

[parasharrajat]

There is some issue on Upwork side, I will try to do it asap.

[NicMendonca]

@parasharrajat I'll set this one to weekly too!

[puneetlath]

Were we able to get the payment situation figured out?

[parasharrajat]

I have accepted the offer.

[NicMendonca]

@parasharrajat paid! Thanks!