Security Advisory requires updating dependency to newest build of update-notifier #7052

Closed
thewriteway opened this issue Aug 8, 2022 · 3 comments · Fixed by #7078

Comments

@thewriteway

thewriteway commented Aug 8, 2022

  • Electron-Builder Version: "23.3.3":
  • Node Version: "18.7.0":
  • Electron-updater Version: "5.2.1":
electron-builder  >=5.6.1
    Depends on vulnerable versions of update-notifier
    node_modules/electron-builder
@thewriteway changed the title from "Security Advisory rRequires updating dependancy to newest build of update-notifier" to "Security Advisory requires updating dependency to newest build of update-notifier" on Aug 8, 2022
@thewriteway
Author

thewriteway commented Aug 8, 2022

The current package dependency is "update-notifier": "^5.1.0"

The vulnerability with that version is shown here:
https://snyk.io/test/npm/update-notifier/5.1.0

The newest build of update-notifier is now on 6.0.2

Is it possible to align electron-builder with the new dependency version?

@cjeonguk
Contributor

Same issue #7006. In my opinion, it seems to be the best solution to update update-notifier's version. However, it was changed to a pure ESM module after v6. I think it requires not only dependency updates but also some modifications if there is any conflict.

@mmaietta
Collaborator

The pure ESM module screws up electron-builder, so I've found a potential replacement: simple-update-notifier. Going to see if that can work for us
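
For readers triaging the same audit finding: the output quoted in the issue lists update-notifier only as something electron-builder depends on, so it reaches a project transitively. The following added example (not code from electron-builder or from this thread) walks the `packages` map of a `package-lock.json` to show who declares the dependency and which installed copy it resolves to; the sample lockfile, the function names and the `minMajor` threshold of 6 are assumptions made for illustration.

```javascript
// Added example. Constructed lockfile fragment (lockfileVersion 2/3 layout);
// the versions mirror those quoted in the issue, the rest is made up.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", devDependencies: { "electron-builder": "^23.3.3" } },
    "node_modules/electron-builder": {
      version: "23.3.3",
      dependencies: { "update-notifier": "^5.1.0" },
    },
    "node_modules/update-notifier": { version: "5.1.0" },
  },
};

// Resolve `name` the way Node does from the package installed at `fromPath`:
// its own node_modules first, then each enclosing node_modules up to the root.
function resolveInstalled(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// List every package that declares `target`, the range it asks for, the copy
// it resolves to, and whether that copy is older than `minMajor`.
// `minMajor` is the caller's assumption about where the fix landed.
function findDependents(lock, target, minMajor) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.optionalDependencies,
      ...(path === "" ? meta.devDependencies : {}) };
    if (!Object.prototype.hasOwnProperty.call(declared, target)) continue;
    const hit = resolveInstalled(packages, path, target);
    const version = hit ? packages[hit].version : null;
    findings.push({
      dependent: path || "(root project)",
      declaredRange: declared[target],
      installedAt: hit,
      installedVersion: version,
      belowMinMajor: version ? parseInt(version, 10) < minMajor : null,
    });
  }
  return findings;
}

console.log(findDependents(sampleLock, "update-notifier", 6));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` in place of `sampleLock`.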
