Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update electron and electron-build version to 28.2.2 and 24.9.1 respectively #186

Merged
merged 4 commits into from Feb 12, 2024
Merged

Update electron and electron-build version to 28.2.2 and 24.9.1 respectively #186

merged 4 commits into from Feb 12, 2024

Conversation

valefar-on-discord
Copy link
Contributor

@valefar-on-discord valefar-on-discord commented Feb 11, 2024
edited

Updating electron and electron-build to the current latest, 28.2.2 and 24.9.1

There were breaking changes introduced with v20 of electron where renderers are sandboxed by default

Given that the application was not sandboxed originally, I have two paths forward:

  1. Keep the application non-sandboxed as is and ignore commit 01345ea which will drastically reduce the complexity of this PR
  2. Enable sandbox and migrate the logic in preload to the main process as recommended to take advantage of the security benefits: https://www.electronjs.org/blog/breach-to-barrier
    • This has one unexpected change: The function to verify an address isAddress was not originally a Promise but expected a return value. It is now a Two-way IPC request which requires a Promise: https://www.electronjs.org/docs/latest/tutorial/ipc
    • shellOpenExternal was not used so I removed it

After doing a few rounds of testing the only graphical regression I noticed was specific to the recently added Online alert pulsing animation where the box-shadow was no longer rounded. Minimal but easy enough to update.

I didn't notice any other regressions with my testing.

Note: I am updating package.json but I will not commit yarn.lock and this will need to be updated separately or appended to this PR. This is because the amount of changes to that file are non-trivial and me committing it would open the application to a potential dependency injection attack if not thoroughly investigated. Upgrading to yarn v4 would remove this attack vector: yarnpkg/berry#4136

For now I feel it is best to continue having the primary contributors the only trusted individuals to update that file until yarn is updated.

Fixes #181

@remyroy
Copy link
Member

remyroy commented Feb 11, 2024

That is a very nice improvement! Let me check that in details in the coming days.

@remyroy
Copy link
Member

remyroy commented Feb 12, 2024

I like path 2 which is what you took with 01345ea.

I'm not fully aware of the potential dependency injection attack, but I would love to explore the option to upgrade to yarn v4 to mitigate this. I'm guessing updating to yarn v4 would need its own PR.

@remyroy remyroy self-requested a review February 12, 2024 19:58
remyroy
remyroy approved these changes Feb 12, 2024
View reviewed changes
Copy link
Member

@remyroy remyroy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great PR. Thanks again for this work. It is much appreciated.

@remyroy
Copy link
Member

remyroy commented Feb 12, 2024

It even fixed an unreported bug 😉

@remyroy remyroy merged commit 1340328 into stake-house:main Feb 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@remyroy remyroy remyroy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update electron package to v26+
2 participants
@valefar-on-discord @remyroy