Update iohook and Electron versions

[ferothefox]

Hi, I work on MechaKeys, which is similar to MechvibesPlusPlus, and it looks like you use iohook as your core library for mouse and keyboard detection. Your app currently uses the wilix-team iohook library, which has been abandoned and is unmaintained. This is a security risk for you and your users, who are using a version of Electron that's four years old by now.

We realize the security risk is too great for apps that are built entirely around tracking keyboard and mice activity, so we have an open-source and maintained version of iohook at our company repo: https://github.com/robolab-io/iohook, which supports Electron >=22 and Node 18. We're progressively notifying other projects that use an outdated iohook to switch as soon as possible. You can check the Actions tab to see our CI pipelines in action.

I began some work on migrating your app to work with Electron's new standards and security practices, as a lot of methods have been deprecated or reworked. In particular I had to add a patch to our fork in order to support using iohook in the preloader/renderer process. Native modules that aren't context-aware (like the current version of iohook) aren't supported past Electron 14, see Electron's reasoning: electron/electron#18397. Additionally, some changes regarding sandboxing means that it's impossible to use remote.getGlobal in the preload process. Doing so always returns undefined. To mitigate this, I attempted to replace globals with IPC. Unfortunately this is more trouble than it's worth - you'd need to rearchitect your entire app as putting all of the functionality in preload is incredibly insecure and ripe for issues.

This PR is unfinished (and will likely stay unfinished, depending on my schedule), but here's a rundown of the timeline to bring a better, faster, and more secure experience to your users.

Suggested Timeline

Core fixes

• Migrate from @wilix-team/iohook to @mechakeys/iohook
• Upgrade Electron to version 25, which takes advantage of all of its latest security fixes, performance enhancements, and new features

Performance, footprint

• Rewrite filesystem logic (loading soundpacks, getting custom pack directory) to be self-contained functions
• Move UI logic and rendering out of preload. Ideally, you should migrate to a library React or Vue, which will make managing state much easier. By keeping your UI, iohook, and fs in the same file, you'll run into UI freeze-ups if you're doing a lot of work.
• Use Electron build for more reliable autoupdate handling. You can automate the entire update checking and installation process
• Remove jquery usage (this is a given if using a UI library). jquery is inefficient and large
• Remove unused and antiquated libraries (express, electron-compile, node-fetch) (contributes to mem and storage usage)

[NotLazy]

I'd like to ask you a couple things. I'm the current, active maintainer of the original Mechvibes.

Firstly, how would you recommend handling audio if we were to update electron? howler only works in the renderer process, and better alternatives don't exist for handling audio in main.js especially cross platform. My search for alternatives essentially yielded tools which use other programs under the hood, such as Windows Media Player or afplay. My concern with keeping it in a browser window would be potentially added latency for ipc to communicate. Testing would be needed to judge and measure the exact effects.

Secondly, you recommend vuejs while telling us to remove jquery due to size reasons, but according to your source, jquery adds 85.1kb (which, mechvibes' only weighs in at 69.4kb according to github) while vuejs adds 98.8kb. React definitely could be a solution here, coming in at only 6.4kb but react has a much steeper learning curve than jquery, and I'd suspect react would result in larger source code files in comparison, which might outweigh the results of switching to react.

Edit: So I went ahead and tested the delay implications of using ipc to transmit to browser window. At worst I saw a 0.29s delay, and at best I saw a 0.001s delay. This test was conducted manually without updating electron and without updating iohook, using the Date built-in to measure the difference between the seconds and milliseconds immediately when the keydown event is fired by iohook and then again immediately when the ipc event is received by the browser window.