[PR #1404] [MERGED] chore(deps): update dependency electron to v37.3.1 [security] #9238

Closed
opened 2026-04-23 08:50:03 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/1404
Author: @renovate[bot]
Created: 9/4/2025
Status: Merged
Merged: 9/4/2025
Merged by: @kolaente

Base: mainHead: renovate/npm-electron-vulnerability


📝 Commits (1)

  • ff4f274 chore(deps): update dependency electron to v37.3.1 [security]

📊 Changes

2 files changed (+6 additions, -6 deletions)

View changed files

📝 desktop/package.json (+1 -1)
📝 desktop/pnpm-lock.yaml (+5 -5)

📄 Description

This PR contains the following updates:

Package Change Age Confidence
electron 37.3.0 -> 37.3.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-55305

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org


Release Notes

electron/electron (electron)

v37.3.1: electron v37.3.1

Compare Source

Release Notes for v37.3.1

Fixes

  • Fixed an issue where shell.openPath was not non-blocking as expected. #​48088 (Also in 36, 38)
  • Fixed an issue where windows opened with window.open would never be offscreen. #​48070 (Also in 38)
  • Fixed potential deadlock inside app.getLoginItemSettings on macOS. #​48096 (Also in 36)

Other Changes

  • Updated Chromium to 138.0.7204.235. #​48066

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/1404 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 9/4/2025 **Status:** ✅ Merged **Merged:** 9/4/2025 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `renovate/npm-electron-vulnerability` --- ### 📝 Commits (1) - [`ff4f274`](https://github.com/go-vikunja/vikunja/commit/ff4f27407235342b3e7c17ea0f6a0c6e52f3a2c1) chore(deps): update dependency electron to v37.3.1 [security] ### 📊 Changes **2 files changed** (+6 additions, -6 deletions) <details> <summary>View changed files</summary> 📝 `desktop/package.json` (+1 -1) 📝 `desktop/pnpm-lock.yaml` (+5 -5) </details> ### 📄 Description This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [electron](https://redirect.github.com/electron/electron) | [`37.3.0` -> `37.3.1`](https://renovatebot.com/diffs/npm/electron/37.3.0/37.3.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/electron/37.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/electron/37.3.0/37.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2025-55305](https://redirect.github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg) ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) --- ### Release Notes <details> <summary>electron/electron (electron)</summary> ### [`v37.3.1`](https://redirect.github.com/electron/electron/releases/tag/v37.3.1): electron v37.3.1 [Compare Source](https://redirect.github.com/electron/electron/compare/v37.3.0...v37.3.1) ### Release Notes for v37.3.1 #### Fixes - Fixed an issue where `shell.openPath` was not non-blocking as expected. [#&#8203;48088](https://redirect.github.com/electron/electron/pull/48088) <span style="font-size:small;">(Also in [36](https://redirect.github.com/electron/electron/pull/48087), [38](https://redirect.github.com/electron/electron/pull/48089))</span> - Fixed an issue where windows opened with `window.open` would never be offscreen. [#&#8203;48070](https://redirect.github.com/electron/electron/pull/48070) <span style="font-size:small;">(Also in [38](https://redirect.github.com/electron/electron/pull/48026))</span> - Fixed potential deadlock inside `app.getLoginItemSettings` on macOS. [#&#8203;48096](https://redirect.github.com/electron/electron/pull/48096) <span style="font-size:small;">(Also in [36](https://redirect.github.com/electron/electron/pull/48095))</span> #### Other Changes - Updated Chromium to 138.0.7204.235. [#&#8203;48066](https://redirect.github.com/electron/electron/pull/48066) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/go-vikunja/vikunja). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45MS4xIiwidXBkYXRlZEluVmVyIjoiNDEuOTEuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-23 08:50:03 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vikunja#9238