chore(deps): update dependency electron to v41 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
electron	^28.0.0 → ^41.0.0

GitHub Vulnerability Alerts

CVE-2025-55305

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

• 38.0.0-beta.6
• 37.3.1
• 36.8.1
• 35.7.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

---

Release Notes

electron/electron (electron)

v41.2.1: electron v41.2.1

Compare Source

Release Notes for v41.2.1

Fixes

• Added missing metadata fields to contentTracing traces. #​51021 ^{(Also in 42)}
• Changed the kResizeThreshold to trigger the resize on corners. #​51002 ^{(Also in 42)}
• Fixed fs.stat on files inside asar archives returning undefined for blksize and blocks instead of numeric values. #​50876 ^{(Also in 40, 42)}
• Fixed a crash when rendering PDFs when Site Isolation is disabled. #​50845 ^{(Also in 42)}
• Fixed a memory leak where Menu items were not cleaned up after Menu.setApplicationMenu was called repeatedly. #​50830 ^{(Also in 40, 42)}
• Fixed an issue where DevTools would re-attach to the window when opened after previously being detached. #​50816 ^{(Also in 39, 40, 42)}
• Fixed an issue where setSimpleFullScreen on macOS would exit when web content called requestFullscreen(). #​50985 ^{(Also in 40, 42)}
• Fixed an issue where closing devtools immediately after focus caused a crash. #​51037 ^{(Also in 42)}
• Fixed an issue where webContents.print() would ignore pageSize / mediaSize when silent was true. #​50856 ^{(Also in 42)}
• Fixed aspect ratio min/max size clamping to correctly account for extraSize on macOS. #​50835 ^{(Also in 40, 42)}
• Fixed crash when app.setPath('sessionData') was called with a non-existent directory. #​50958 ^{(Also in 42)}
• Fixed resize hit targets for frameless windows on Windows. Resize targets now start at the side and bottom edges of the window and extend outward when frame: false, matching the behavior for windows with frames. #​50863 ^{(Also in 42)}
• Fixed the crash keys being lost and the crash reporter hanging on macOS when many dynamic crash keys were registered. #​50837 ^{(Also in 40, 42)}
• Moved Electron-specific help menu links to the default app only; unpackaged apps will no longer see these items in their default menu. #​50859 ^{(Also in 40, 42)}

Other Changes

• Backported fix for none. #​50880
• Backported upstream fixes for two edge cases in the WebNN TFLite graph builder. #​50983
• Backported upstream v8 fixes for a maglev use-count accounting issue and an inspector InspectedContext lifetime issue. #​50991
• Updated Chromium to 146.0.7680.188. #​50787
• Updated Node.js to v24.14.1. #​50478

v41.2.0: electron v41.2.0

Compare Source

Release Notes for v41.2.0

Features

• Added allowExtensions privilege to protocol.registerSchemesAsPrivileged() to enable Chrome extensions on custom protocols. #​50529 ^{(Also in 40, 42)}

Fixes

• BrowserWindow now enforces min/max size constraints on window creation, even if they conflict with the requested width and height. #​50753 ^{(Also in 42)}
• Fixed a regression on Linux where transparent frameless windows would have visible borders. Also fixed a longstanding issue where transparent windows on Linux could show smeared and glitched content as windows moved around. #​50605
• Fixed an intermittent Invoke in DisallowJavascriptExecutionScope crash on application quit when a WebContents (or other JS-emitting native object) is garbage-collected during shutdown. #​50694 ^{(Also in 40, 42)}
• Fixed an issue on macOS where show/hide events and WebContents visibility state could be reported incorrectly when multiple WebContentsViews were attached to a window. #​50715 ^{(Also in 40, 42)}
• Fixed an issue where concurrent getFileHandle requests on the same path could stall indefinitely. #​50670 ^{(Also in 40, 42)}
• Fixed an issue where margins did not look as expected when printing in silent mode. #​50652 ^{(Also in 42)}
• Fixed an issue where the webContents.print() callback may not fire correctly in some cases. #​50604 ^{(Also in 42)}
• Fixed the appearance of maximized windows on GNOME in Wayland, especially when non-default GTK themes like Breeze are set. #​50645 ^{(Also in 42)}
• Removed "representedObject is not a WeakPtrToElectronMenuModelAsNSObject" logging when interacting with macOS menus. #​50613 ^{(Also in 42)}

Other Changes

• Updated Chromium to 146.0.7680.179. #​50616

v41.1.1: electron v41.1.1

Compare Source

Release Notes for v41.1.1

Fixes

• Fixed a crash when calling contentTracing.getTraceBufferUsage() while a trace session is active. #​50594 ^{(Also in 39, 40, 42)}
• Fixed printing on Linux failing with "Invalid printer settings". #​50486 ^{(Also in 42)}

Other Changes

• Enabled profile-guided optimization for V8 builtins in release builds, improving JavaScript builtin performance (Array, String, RegExp, etc.). #​50574 ^{(Also in 40, 42)}

v41.1.0: electron v41.1.0

Compare Source

Release Notes for v41.1.0

Features

• Added nativeTheme.shouldDifferentiateWithoutColor on macOS. #​50408 ^{(Also in 42)}
• Notes: Added support for the urgency option in Notifications on Windows. #​50382 ^{(Also in 42)}

Fixes

• Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #​50483 ^{(Also in 40)}
• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50492 ^{(Also in 39, 40, 42)}
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50501 ^{(Also in 39, 40, 42)}
• Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #​50506 ^{(Also in 40, 42)}
• Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #​50519 ^{(Also in 40)}

Other Changes

• Updated Chromium to 146.0.7680.166. #​50458

v41.0.4: electron v41.0.4

Compare Source

Release Notes for v41.0.4

Fixes

• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #​50399 ^{(Also in 39, 40, 42)}
• Fixed improper focus tracking in BaseWindow on MacOS. #​50340 ^{(Also in 39, 40, 42)}
• Fixed logic bug that rendered certain window types un-resizable on MAS builds. #​50354 ^{(Also in 40, 42)}
• Fixed utilityProcess exit event reporting incorrect exit codes on Windows when the exit code has the high bit. #​50386 ^{(Also in 40, 42)}
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #​50343 ^{(Also in 39, 40, 42)}
• Improved the appearance of shadows and borders on frameless windows on Wayland. #​50213

Other Changes

• Added support for using a proxy during yarn install. #​50350 ^{(Also in 39, 40, 42)}
• Updated Chromium to 146.0.7680.153. #​50346

v41.0.3: electron v41.0.3

Compare Source

Release Notes for v41.0.3

Fixes

• Added additional ASAR support to additional fs copy methods. #​50286 ^{(Also in 39, 40, 42)}
• Fixed an issue where some DevTools functionality didn't work as expected. #​50276 ^{(Also in 40, 42)}
• Fixed user resizing of transparent windows on win32 platform. #​50298 ^{(Also in 39, 40, 42)}

Other Changes

• Updated Chromium to 146.0.7680.80. #​50262

Documentation

• Documentation changes: #​50293

v41.0.2: electron v41.0.2

Compare Source

Release Notes for v41.0.2

Other Changes

• Backported fix for b/491421267. #​50234

v41.0.1: electron v41.0.1

Compare Source

Release Notes for v41.0.1

Fixes

• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #​50217 ^{(Also in 39, 40)}
• Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #​50209 ^{(Also in 39, 40)}
• Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #​50191 ^{(Also in 39, 40)}

Other Changes

• Updated Chromium to 146.0.7680.72. #​50196

v41.0.0: electron v41.0.0

Compare Source

Release Notes for v41.0.0

Stack Upgrades

• Chromium 146.0.7680.65
  • New in 146
  • New in 145
• Node v24.14.0
  • Node 24.14.0 blog post
• V8 14.6

Breaking Changes

• Fixed an issue where cookie changed events weren't properly emitted in all cases. #​49631

For breaking changes inherited via Chromium, see blog post

Features

Additions

• Added --disable-geolocation command-line flag for macOS apps to disable location services. #​45934
• Added NV12 support for import shared texture. #​48922 ^{(Also in 40)}
• Added webContents.getOrCreateDevToolsTargetId(). #​50176
• Added a disclaim option to the UtilityProcess API to allow for TCC disclaiming on macOS. #​49693 ^{(Also in 39, 40)}
• Added a reason property to the Notification 'closed' event on Windows to allow developers to know the reason the Notification was dismissed. #​50029 ^{(Also in 40)}
• Added additional defence against privileged user modifications to ASAR Integrity protected applications on macOS. #​48587
• Added an usePrinterDefaultPageSize option to webContents.print() to allow using the printer's default page size. #​49812
• Added bypassCustomProtocolHandlers option to net.request. #​47331 ^{(Also in 38, 39, 40)}
• Added support for MSIX auto-updating. #​49586 ^{(Also in 39, 40)}
• Added support for WebSocket authentication through the login event on webContents. #​48512 ^{(Also in 39, 40)}
• Added support for --experimental-transform-types. #​49882 ^{(Also in 39, 40)}
• Added support for long-animation-frame script attribution (via --enable-features=AlwaysLogLOAFURL). #​49773 ^{(Also in 39, 40)}
• Added support to import external shared texture as VideoFrame. #​47317 ^{(Also in 40)}
• Added the ability to disable auto-focusing of WebContents on navigation using webPreferences.focusOnNavigation. #​49511 ^{(Also in 40)}
• Enable wasm trap handlers behind WasmTrapHandlers fuse. #​49839
• On Wayland (Linux), frameless windows now have GTK drop shadows and extended resize boundaries. To create fully frameless windows with no decorations, set hasShadow: false in the window constructor. #​49885

Improvements

• Extended actions support for Windows notifications to include buttons, select dropdowns, and replies. #​49787 ^{(Also in 40)}
• Refactored our MSIX updater code to use an upstream Chromium pattern and eliminates the need for special exception handling build flags. #​49686 ^{(Also in 39, 40)}
• Updated nativeImage.createFromNamedImage to support SF Symbol names. #​48203 ^{(Also in 39, 40)}

Removed/Deprecated

• DevTools errors are no longer printed to console. #​49292 ^{(Also in 40)}

Fixes

• Fixed CSS selector syntax in default app styles to properly apply animations to hero icons. #​50033
• Fixed ID of tray icons on Linux. #​48675
• Fixed an issue that caused the RGBAF16 shared texture format to have a keyed mutex on Windows. #​49876
• Fixed an issue where Squirrel.Mac's auto updater would fail to install new updates if the targetBundleURL was either not set or contained special characters. #​49978
• Fixed an issue where some shell functionality may not work on Linux if the target window is already open. #​49594
• Fixed build failure when printing is disabled. #​50077
• Fixed several issues with consistent window sizing and resizing on Linux when CSD is in use (e.g. on GNOME/Wayland) and added support for creating content-sized windows. #​49835
• Fixed window sizing on Linux when min/max size constraints are set or resizable is false. Windows no longer shrink below the requested max size or grow taller when resizability is disabled. #​49971
• Global shortcuts can now be registered more reliably on Wayland using the globalShortcut API. #​50051

Also in earlier versions...

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50155 ^{(Also in 38, 39, 40)}
• Addressed upstream Chromium shift to enable CoreAudio Tap API for audio capture used in electron's desktopCapturer (🍏 macOS). #​49739 ^{(Also in 39, 40)}
• Allow dynamically updating menu item labels, sublabels, and icons. #​49972 ^{(Also in 40)}
• Corrected the appearance of tiled windows on GNOME (when frame: true), and removed resize handles from tiled edges. #​48765 ^{(Also in 38, 39, 40)}
• Fix: ESM-from-CJS import when CJK characters are in path. #​48855 ^{(Also in 39, 40)}
• Fixed globalShortcut not working on Wayland with GlobalShortcutsPortal feature enabled. #​49871 ^{(Also in 40)}
• Fixed setRepresentedFilename() not setting AXDocument accessibility attribute on macOS. #​49346 ^{(Also in 39, 40)}
• Fixed a Windows notification issue where clicking a native notification would result in an application hang on certain Windows environments. #​49106 ^{(Also in 39, 40)}
• Fixed a crash that could occur when using the File System Access API. #​49636 ^{(Also in 39, 40)}
• Fixed a macOS crash when creating a new tab from the tab overview. #​49933 ^{(Also in 40)}
• Fixed a potential race condition crash when opening DevTools. #​49406 ^{(Also in 39, 40)}
• Fixed an application crash on MacOS where the menu observer was not being properly removed before garbage collection. #​49658 ^{(Also in 40)}
• Fixed an application crash when clicking or hovering over the native MacOS "Window" menu. Reverts #​48598. #​48794 ^{(Also in 37, 38, 39, 40)}
• Fixed an error on debug symbol upload by moving dsym.zip to use tar.xz compression. #​48941 ^{(Also in 40)}
• Fixed an issue in chrome://accessibility. #​49561 ^{(Also in 39, 40)}
• Fixed an issue on Windows and Linux where no cookie encryption key provider was passed into the network service when cookie encryption was enabled. #​49371 ^{(Also in 40)}
• Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #​50006 ^{(Also in 39, 40)}
• Fixed an issue that menu items on macOS could not be disabled under all circumstances. #​48795 ^{(Also in 37, 38, 39, 40)}
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #​50137 ^{(Also in 40)}
• Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #​50023 ^{(Also in 39, 40)}
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50154 ^{(Also in 38, 39, 40)}
• Fixed an issue where menu-did-close was not emitted properly for some application menus. #​49075 ^{(Also in 38, 39, 40)}
• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #​50134 ^{(Also in 38)}
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​50105 ^{(Also in 39, 40)}
• Fixed an issue where shell.writeShortcutLink was throwing TypeError: Insufficient number of arguments when called with just [(path, options)]. #​49503 ^{(Also in 39, 40)}
• Fixed an issue where alt+space triggered th system context menu even if an accelerator was registered for the hotkey combination. #​49642 ^{(Also in 39, 40)}
• Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #​50085 ^{(Also in 39, 40)}
• Fixed an issue where frameless windows had resize issues in Mac App Store builds. #​49857 ^{(Also in 39, 40)}
• Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50132 ^{(Also in 38, 39, 40)}
• Fixed an issue where making a window fullscreen on Windows, minimizing it and then restoring it broke previous fullscreen state. #​49891 ^{(Also in 40)}
• Fixed an issue where malformed custom toastXml could cause a Notification crash. #​49953 ^{(Also in 40)}
• Fixed an issue where menu item accelerators stopped working after the item's enabled property was toggled on macOS. #​49591 ^{(Also in 39, 40)}
• Fixed an issue where menu item enabled state wasn't updated during key equivalent dispatch when the menu was closed on macOS. #​49890 ^{(Also in 39, 40)}
• Fixed an issue where native modules would either crash or not compile for MacOS 12. #​49703 ^{(Also in 40)}
• Fixed an issue where no cookie encryption provider was passed into the network service when cookie encryption was enabled. #​49348 ^{(Also in 40)}
• Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50148 ^{(Also in 38, 39, 40)}
• Fixed an issue where pressing AltGr could activate or focus the menu bar. #​49916 ^{(Also in 39, 40)}
• Fixed an issue where some packages weren't correctly filtered on macOS in dialogs. #​49470 ^{(Also in 38, 39, 40)}
• Fixed an issue where role-based menu items were incorrectly returning null for their accelerator property. #​49668 ^{(Also in 39, 40)}
• Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #​49911 ^{(Also in 39, 40)}
• Fixed an issue where some apps would throw an exception on launch. #​48973 ^{(Also in 39, 40)}
• Fixed an issue where the close callback param for menu.popup would fire when any arbitrary submenu of the given menu closed, and not the menu itself. #​49017 ^{(Also in 38, 39, 40)}
• Fixed an issue whereby a duplicate "Toggle Full Screen" menu item appeared in the View menu on macOS. #​49598 ^{(Also in 38, 39, 40)}
• Fixed crash in platform_util::Beep() on Linux. #​49483 ^{(Also in 39, 40)}
• Fixed crash on windows when UTF-8 is in path. #​48898 ^{(Also in 38, 39, 40)}
• Fixed crash when attempting to resolve modules during process exit. #​49090 ^{(Also in 40)}
• Fixed crash when creating event object for ipc events. #​48987 ^{(Also in 39, 40)}
• Fixed crash when reading system certificates via nodejs tls module. #​49028 ^{(Also in 39, 40)}
• Fixed dock menu items not respecting enabled and checked properties on macOS. #​49625 ^{(Also in 38, 39, 40)}
• Fixed drag regions in child windows. #​49231 ^{(Also in 40)}
• Fixed draggable regions not updating position when DevTools is docked to the left or right in a frameless window. #​49848 ^{(Also in 39, 40)}
• Fixed draw smoothing round corner issue. #​48769 ^{(Also in 40)}
• Fixed memory leak when setting icons on Linux/GTK. #​49895 ^{(Also in 38, 39, 40)}
• Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #​49996 ^{(Also in 39, 40)}
• Fixed menus to correctly emit menu-will-close event when closed after any submenu has been open. #​49964 ^{(Also in 40)}
• Fixed oom crash when optimizing certain wasm functions involving large phi nodes. #​48791 ^{(Also in 38, 39, 40)}
• Fixed rendering glitches on macOS. #​49621 ^{(Also in 40)}
• Fixed shutdown crash on windows when hidden titlebar is enabled. #​50055 ^{(Also in 39, 40)}
• Fixed squirrel.mac stacked update behavior to old staged updates. #​49639 ^{(Also in 39, 40)}
• Fixed startup crash when V8 sandbox is disabled. #​49504 ^{(Also in 40)}
• Fixed the cookie encryption logic to use the old os_crypt sync implementation present in M142. #​49382 ^{(Also in 40)}
• Fixed the issue where the parent window leave disabled after the modal window call show() multiple time. #​48977 ^{(Also in 38, 39, 40)}
• Fixed the issue where the parent window remained interactive after the modal window was opened. #​48770 ^{(Also in 38, 39, 40)}
• Made toplevel icon Wayland protocol work. #​49290 ^{(Also in 39, 40)}
• Reenable V8 trap handlers for wasm in browser and utility process, improves runtime execution of wasm. #​48788 ^{(Also in 39, 40)}
• Requests sent via net are now capable of having their headers modified to use reserved headers via webRequest. #​49226 ^{(Also in 39, 40)}
• Restored window's canHide property. #​47970 ^{(Also in 37, 38, 39)}
• Reverted AltGr key fix that caused menu bar to no longer show on Windows. #​50111 ^{(Also in 39, 40)}
• Windows: Calling window.setFocusable(true) will no longer cause a window to lose focus. #​45640 ^{(Also in 39, 40)}

Other Changes

• Backported fix for 4835695. #​49789
• Fixed crash in platform_util::Beep() on Linux. #​49865 ^{(Also in 40)}
• Fixed devtools element panel flickering when with node inspection. #​49027 ^{(Also in 39, 40)}

Documentation

• Documentation change
  • #​48813
  • #​48877
  • #​49948

Notices

End of Support for 38.x.y

Electron 38.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v40.9.1: electron v40.9.1

Compare Source

Release Notes for v40.9.1

v40.8.5: electron v40.8.5

Compare Source

Release Notes for v40.8.5

Fixes

• Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #​50484 ^{(Also in 41)}
• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50491 ^{(Also in 39, 41, 42)}
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50500 ^{(Also in 39, 41, 42)}
• Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #​50505 ^{(Also in 41, 42)}
• Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #​50518

Other Changes

• Backported fix for chromium:475877320. #​50438

v40.8.4: electron v40.8.4

Compare Source

Release Notes for v40.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #​50467 ^{(Also in 38, 39, 41)}
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #​50401 ^{(Also in 39, 41, 42)}
• Fixed improper focus tracking in BaseWindow on MacOS. #​50337 ^{(Also in 39, 41, 42)}
• Fixed logic bug that rendered certain window types un-resizable on MAS builds. #​50355 ^{(Also in 41, 42)}
• Fixed utilityProcess exit event reporting incorrect exit codes on Windows when the exit code has the high bit. #​50387 ^{(Also in 41, 42)}
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #​50344 ^{(Also in 39, 41, 42)}

Other Changes

• Added support for using a proxy during yarn install. #​50352 ^{(Also in 39, 41, 42)}
• Backported fix for 4859353. #​50441
• Backported fix for 4893813. #​50449
• Backported fixes for 4847510, 4871177. #​50460

v40.8.3: electron v40.8.3

Compare Source

Release Notes for v40.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #​50287 ^{(Also in 39, 41, 42)}
• Fixed an issue where some DevTools functionality didn't work as expected. #​50275 ^{(Also in 41, 42)}
• Fixed user resizing of transparent windows on win32 platform. #​50301 ^{(Also in 39, 41, 42)}

[v40.8.2](https://redirect.github.com/electron/electron/releases