Skip to content

fix(deps): bump electron to 41.0.0, tar to 7.5.11, form-data to 4.0.6#8

Open
BBridgeers wants to merge 1 commit into
AlexandrosGounis:mainfrom
BBridgeers:security/bump-deps-cve
Open

fix(deps): bump electron to 41.0.0, tar to 7.5.11, form-data to 4.0.6#8
BBridgeers wants to merge 1 commit into
AlexandrosGounis:mainfrom
BBridgeers:security/bump-deps-cve

Conversation

@BBridgeers

Copy link
Copy Markdown

Automated dependency bump to address disclosed CVEs in 3 packages.

Summary

Bumps electron from 38.4.041.0.0 (direct devDep), and tar from 6.2.17.5.11 + form-data from 4.0.54.0.6 (transitive, via yarn resolutions). No application code changes.

Advisories patched (21 total)

electron@38.4.0 → 41.0.0 (13 advisories)

HIGH (4):

MODERATE (9): Out-of-bounds read in IPC, HTTP Response Header Injection, AppleScript injection, download save dialog UAF, named window.open spoofing, registry key path injection, incorrect origin for iframe permissions, service worker IPC spoofing, nodeIntegrationInWorker scoping.

tar@6.2.1 → 7.5.11 (6 HIGH advisories)

form-data@4.0.5 → 4.0.6 (1 HIGH advisory)

Approach

electron bumped directly in devDependencies. tar and form-data are transitive dependencies resolved via yarn resolutions field in package.json. The lockfile was regenerated.

Detected by osv-scanner.


Filed by Hermes.

Addresses 21 advisories across 3 packages:

electron@38.4.0 → 41.0.0 (13 advisories):
- HIGH: Use-after-free in offscreen child window paint callback (GHSA-532v-xpq5-8h95)
- HIGH: Use-after-free in WebContents fullscreen/pointer-lock callback (GHSA-8337-3p73-46f4)
- HIGH: Renderer command-line switch injection (GHSA-9wfr-w7mm-pc7f)
- HIGH: Use-after-free in PowerMonitor (GHSA-jjp3-mq3x-295m)
- MODERATE: Out-of-bounds read in second-instance IPC (GHSA-3c8v-cfp5-9885)
- MODERATE: HTTP Response Header Injection (GHSA-4p4r-m79c-wq3v)
- + 7 more moderate advisories

tar@6.2.1 → 7.5.11 (6 HIGH advisories):
- GHSA-34x7-hfp2-rc4v: Arbitrary File Creation via Hardlink Path Traversal
- GHSA-83g3-92jg-28cx: Arbitrary File Read/Write via Hardlink Target Escape
- GHSA-8qq5-rm4j-mr97: Arbitrary File Overwrite via Symlink Poisoning
- GHSA-9ppj-qmqm-q256: Symlink Path Traversal via Drive-Relative Linkpath
- GHSA-qffp-2rhf-9h96: Hardlink Path Traversal via Drive-Relative Linkpath
- GHSA-r6q2-hw4h-h46w: Race Condition via Unicode Ligature Collisions

form-data@4.0.5 → 4.0.6 (1 HIGH advisory):
- GHSA-hmw2-7cc7-3qxx: CRLF injection via unescaped multipart field names

Fix: direct devDep bump for electron, yarn resolutions for transitive tar/form-data.
No application code changes.

---
Filed by Hermes.

@AlexandrosGounis AlexandrosGounis left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @BBridgeers, thank you for improving PDFx!

While the suggested electron upgrades are great and much needed, there are a few things we need to take care of before merging:

  • let's use pinned versions in resolutions in package.json, matching the rest of the dependencies
  • please remove the package-lock.json file as that will collide with yarn.lock. Feel free to use npm locally, however, our official package manager is yarn which produces a yarn.lock. Please ensure that the yarn.lock is properly updated after applying the electron updates
  • nit-picky: there's a minor one-character change in package.json's description, could we please revert that?

We definitely want to update to the latest Electron version, thank you so much for opening this pull request and more importantly, thank you for your time and effort.

Comment thread package.json
Comment on lines +59 to +61
"resolutions": {
"tar": "^7.5.11",
"form-data": "^4.0.6"

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please use specific pinned versions? This is the strategy we follow for all dependencies to minimize point-release bugs.

Comment thread package.json
"productName": "PDFx",
"version": "2026.6.1-beta.0",
"description": "PDFX a backwards-compatible PDF extension for multi-document files, with a minimal viewer",
"description": "PDFX \u2014 a backwards-compatible PDF extension for multi-document files, with a minimal viewer",

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit-picky: this looks like a leftover of some tooling, we don't need to touch this line, a character is easier to read and as valid as \u2014

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants