fix(deps): bump electron to 41.0.0, tar to 7.5.11, form-data to 4.0.6#8
Open
BBridgeers wants to merge 1 commit into
Open
fix(deps): bump electron to 41.0.0, tar to 7.5.11, form-data to 4.0.6#8BBridgeers wants to merge 1 commit into
BBridgeers wants to merge 1 commit into
Conversation
Addresses 21 advisories across 3 packages: electron@38.4.0 → 41.0.0 (13 advisories): - HIGH: Use-after-free in offscreen child window paint callback (GHSA-532v-xpq5-8h95) - HIGH: Use-after-free in WebContents fullscreen/pointer-lock callback (GHSA-8337-3p73-46f4) - HIGH: Renderer command-line switch injection (GHSA-9wfr-w7mm-pc7f) - HIGH: Use-after-free in PowerMonitor (GHSA-jjp3-mq3x-295m) - MODERATE: Out-of-bounds read in second-instance IPC (GHSA-3c8v-cfp5-9885) - MODERATE: HTTP Response Header Injection (GHSA-4p4r-m79c-wq3v) - + 7 more moderate advisories tar@6.2.1 → 7.5.11 (6 HIGH advisories): - GHSA-34x7-hfp2-rc4v: Arbitrary File Creation via Hardlink Path Traversal - GHSA-83g3-92jg-28cx: Arbitrary File Read/Write via Hardlink Target Escape - GHSA-8qq5-rm4j-mr97: Arbitrary File Overwrite via Symlink Poisoning - GHSA-9ppj-qmqm-q256: Symlink Path Traversal via Drive-Relative Linkpath - GHSA-qffp-2rhf-9h96: Hardlink Path Traversal via Drive-Relative Linkpath - GHSA-r6q2-hw4h-h46w: Race Condition via Unicode Ligature Collisions form-data@4.0.5 → 4.0.6 (1 HIGH advisory): - GHSA-hmw2-7cc7-3qxx: CRLF injection via unescaped multipart field names Fix: direct devDep bump for electron, yarn resolutions for transitive tar/form-data. No application code changes. --- Filed by Hermes.
AlexandrosGounis
requested changes
Jul 4, 2026
AlexandrosGounis
left a comment
Owner
There was a problem hiding this comment.
Hi @BBridgeers, thank you for improving PDFx!
While the suggested electron upgrades are great and much needed, there are a few things we need to take care of before merging:
- let's use pinned versions in
resolutionsin package.json, matching the rest of the dependencies - please remove the
package-lock.jsonfile as that will collide withyarn.lock. Feel free to usenpmlocally, however, our official package manager isyarnwhich produces ayarn.lock. Please ensure that theyarn.lockis properly updated after applying the electron updates - nit-picky: there's a minor one-character change in
package.json's description, could we please revert that?
We definitely want to update to the latest Electron version, thank you so much for opening this pull request and more importantly, thank you for your time and effort.
Comment on lines
+59
to
+61
| "resolutions": { | ||
| "tar": "^7.5.11", | ||
| "form-data": "^4.0.6" |
Owner
There was a problem hiding this comment.
Could you please use specific pinned versions? This is the strategy we follow for all dependencies to minimize point-release bugs.
| "productName": "PDFx", | ||
| "version": "2026.6.1-beta.0", | ||
| "description": "PDFX — a backwards-compatible PDF extension for multi-document files, with a minimal viewer", | ||
| "description": "PDFX \u2014 a backwards-compatible PDF extension for multi-document files, with a minimal viewer", |
Owner
There was a problem hiding this comment.
nit-picky: this looks like a leftover of some tooling, we don't need to touch this line, a — character is easier to read and as valid as \u2014
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated dependency bump to address disclosed CVEs in 3 packages.
Summary
Bumps
electronfrom38.4.0→41.0.0(direct devDep), andtarfrom6.2.1→7.5.11+form-datafrom4.0.5→4.0.6(transitive, via yarn resolutions). No application code changes.Advisories patched (21 total)
electron@38.4.0 → 41.0.0 (13 advisories)
HIGH (4):
MODERATE (9): Out-of-bounds read in IPC, HTTP Response Header Injection, AppleScript injection, download save dialog UAF, named window.open spoofing, registry key path injection, incorrect origin for iframe permissions, service worker IPC spoofing, nodeIntegrationInWorker scoping.
tar@6.2.1 → 7.5.11 (6 HIGH advisories)
form-data@4.0.5 → 4.0.6 (1 HIGH advisory)
Approach
electronbumped directly indevDependencies.tarandform-dataare transitive dependencies resolved via yarnresolutionsfield inpackage.json. The lockfile was regenerated.Detected by osv-scanner.
Filed by Hermes.