Update iohook and Electron versions #13
Draft
Hi, I work on MechaKeys, which is similar to MechvibesPlusPlus, and it looks like you use iohook as your core library for mouse and keyboard detection. Your app currently uses the wilix-team iohook library, which has been abandoned and is unmaintained. This is a security risk for you and your users, who are using a version of Electron that's four years old by now.
We realize the security risk is too great for apps that are built entirely around tracking keyboard and mouse activity, so we have an open-source and maintained version of iohook at our company repo: https://github.com/robolab-io/iohook, which supports Electron >=22 and Node 18. We're progressively notifying other projects that use an outdated iohook to switch as soon as possible. You can check the Actions tab to see our CI pipelines in action.
I began some work on migrating your app to work with Electron's new standards and security practices, as a lot of methods have been deprecated or reworked. In particular, I had to add a patch to our fork in order to support using iohook in the preloader/renderer process. Native modules that aren't context-aware (like the current version of iohook) aren't supported past Electron 14; see Electron's reasoning: electron/electron#18397. Additionally, some changes regarding sandboxing mean that it's impossible to use remote.getGlobal in the preload process. Doing so always returns undefined. To mitigate this, I attempted to replace globals with IPC. Unfortunately, this is more trouble than it's worth - you'd need to rearchitect your entire app, as putting all of the functionality in preload is incredibly insecure and ripe for issues.
This PR is unfinished (and will likely stay unfinished, depending on my schedule), but here's a rundown of the timeline to bring a better, faster, and more secure experience to your users.
Suggested Timeline
Core fixes
Performance, footprint