Update dependency electron-packager to v17 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
electron-packager	^5.0.2 → ^17.0.0

GitHub Vulnerability Alerts

CVE-2016-10534

Affected versions of electron-packager configure the generated application to disable SSL certificate verification by default.

This could allow an attacker with a privileged network position to launch a Man In The Middle (MITM) attack on the install process, intercepting the step where electron-packager downloads Electron for supported target platforms and architectures, and replacing the valid download with a tampered malicious one.

This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.

Recommendation

1. Update to version 7.0.0 or later.
2. Delete the electron-download cache folder, which is by default located at ~/.electron.

---

Release Notes

electron/electron-packager (electron-packager)

v17.1.2: 17.1.2

Compare Source

What's Changed

• chore: proper npm and Xcode capitalization by @​friederbluemle in #​1438
• fix: ensure logs are quiet when quiet flag is passed by @​MarshallOfSound in #​1440
• chore: update galactus by @​MarshallOfSound in #​1441
• fix(targets): linux/ia32 official support was removed in Electron 19 by @​malept in #​1449
• chore: bump @​electron/universal from 1.3.3 to 1.3.4 by @​dependabot in #​1451
• docs: use tsdoc @link syntax for .d.ts comments by @​erickzhao in #​1450
• build: update got to clean up yarn audit by @​MarshallOfSound in #​1456
• chore: bump @​electron/osx-sign from 1.0.1 to 1.0.4 by @​dependabot in #​1457
• chore: bump json5 from 1.0.1 to 1.0.2 by @​dependabot in #​1465
• chore: bump @​electron/asar from 3.2.2 to 3.2.3 by @​dependabot in #​1469
• chore: set @​wg-ecosystem as CODEOWNERS by @​dsanders11 in #​1471
• build: bump dependencies to clean yarn audit by @​MarshallOfSound in #​1473
• build: update GitHub actions workflows by @​dsanders11 in #​1475
• chore: bump http-cache-semantics from 4.1.0 to 4.1.1 by @​dependabot in #​1476
• chore: bump eslint-plugin-ava from 12.0.0 to 13.2.0 by @​dependabot in #​1322
• chore: bump fs-extra from 10.1.0 to 11.1.0 by @​dependabot in #​1455
• chore: bump sinon from 14.0.1 to 15.0.1 by @​dependabot in #​1461
• chore: bump eslint-plugin-import from 2.26.0 to 2.27.5 by @​dependabot in #​1468
• docs: update links in README.md by @​dsanders11 in #​1474
• docs: update required version of Nodejs from 10.0 to 14.17.5 in README.md by @​xupea in #​1483
• chore: bump sinon from 15.0.1 to 15.0.3 by @​dependabot in #​1491
• build: use CircleCI cimg/node images by @​dsanders11 in #​1506
• chore: bump actions/checkout from 3.3.0 to 3.5.2 by @​dependabot in #​1498
• chore: bump fs-extra from 11.1.0 to 11.1.1 by @​dependabot in #​1488
• chore: bump @​electron/asar from 3.2.3 to 3.2.4 by @​dependabot in #​1494
• chore: bump sinon from 15.0.3 to 15.0.4 by @​dependabot in #​1504
• build: update electron/electron-quick-start branch to main by @​dsanders11 in #​1505
• chore: bump @​electron/notarize from 1.2.3 to 1.2.4 by @​dependabot in #​1518
• chore: bump @​electron/universal from 1.3.4 to 1.4.1 by @​dependabot in #​1525
• chore: bump plist from 3.0.6 to 3.1.0 by @​dependabot in #​1530
• fix(docs): add osx-universal flag to usage.txt by @​erickzhao in #​1533
• chore: bump actions/setup-node from 3.6.0 to 3.7.0 by @​dependabot in #​1529
• chore: bump actions/checkout from 3.5.2 to 3.5.3 by @​dependabot in #​1514
• docs: clarify CLI usage by @​erickzhao in #​1534
• chore: bump word-wrap from 1.2.3 to 1.2.4 by @​dependabot in #​1536
• ci: use action-semantic-pull-request by @​dsanders11 in #​1535
• fix: prune electron-nightly even if in dependencies by @​erickzhao in #​1538
• ci: make canary run --arch=universal on macOS by @​erickzhao in #​1539
• test: set cacheRoot on checksum download by @​erickzhao in #​1540
• chore: bump rcedit from 3.0.1 to 3.0.2 by @​dependabot in #​1541
• ci: use electronjs/node orb by @​dsanders11 in #​1546
• chore: bump actions/setup-node from 3.7.0 to 3.8.0 by @​dependabot in #​1545
• ci: fix publish documentation workflow by @​dsanders11 in #​1547
• fix(osx-sign): bump osx-sign to 1.0.5 by @​VerteDinde in #​1549
• chore: 17.1.2 by @​VerteDinde in #​1550

New Contributors

• @​friederbluemle made their first contribution in #​1438
• @​dsanders11 made their first contribution in #​1471
• @​xupea made their first contribution in #​1483

Full Changelog: electron/packager@v17.1.1...v17.1.2

v17.1.1

Compare Source

What's Changed

• fix: allow packaging twice simultaneously by @​MarshallOfSound in #​1439

Full Changelog: electron/packager@v17.1.0...v17.1.1

v17.1.0

Compare Source

What's Changed

• refactor: migrate from electron-notarize to @​electron/notarize by @​MarshallOfSound in #​1433
• feat: New lifecycle hooks: afterAsar, afterComplete, afterCopyExtraResources, beforeAsar, beforeCopy, beforeCopyExtraResources by @​erikian in #​1297
• feat: add new afterFinalizePackageTargets hook by @​MarshallOfSound in #​1437

New Contributors

• @​erikian made their first contribution in #​1297

Full Changelog: electron/packager@v17.0.0...v17.1.0

v17.0.0: 17.0.0

Compare Source

Changed

• BREAKING: Replaced electron-osx-sign with @electron/osx-sign. The accepted properties on the osxSign options object are now slightly different. Please see the migration guide for more information on these changes. (#​1428)
• Replaced asar with @electron/asar. The configuration options are unchanged. This migration is purely cosmetic. (#​1431)

v16.0.0: 16.0.0

Compare Source

Fixed

• Properly import info logger (#​1405)

Added

• Node 16 & 18 support (#​1399)

Changed

• Bump got to 2.0.0 (#​1397)

Removed

• Node 12 support (#​1399)

v15.5.2: 15.5.2

Compare Source

Fixed

• Package should not log info on --quiet flag
• Ignore node_gyp_bins directory if it exists

v15.5.1

Compare Source

v15.5.0: 15.5.0

Compare Source

Added

• New universal architecture supported when packaging for macOS to generate a universal app
• osxUniveral option to allow providing options to @electron/universal when packaging a universal app

v15.4.0: 15.4.0

Compare Source

Added

• extendHelperInfo option to allow extending helper app Info.plist files (#​1233)
• Automatically insert ElectronAsarIntegrity into Info.plist files (#​1279)

Fixed

• Compatibility with electron-notarize@^1.1.0 (#​1278)

v15.3.0: 15.3.0

Compare Source

Added

• Bundled app validation to ensure that both package.json and the main entry point exist (#​1257)
• Support for customizing Windows targets on darwin/arm64 (#​1260)
• Support for customizing Windows targets on WSL without Wine installed (#​1260)

v15.2.0: 15.2.0

Compare Source

Added

• Upgrade electron-osx-sign to 0.5.0 which adds a new option, entitlementsForFile (#​1189)

Fixed

• Add package manager lockfiles to default ignore list (#​1182)
• Allow checking official builds against prerelease versions (#​1191)

v15.1.0: 15.1.0

Compare Source

Added

• add darwin/arm64 and mas/arm64 as official platform/arch combinations (#​1168)

Fixed

• TypeScript: ensure OsxNotarizeOptions definition contains credentials (#​1167)

v15.0.0: 15.0.0

Compare Source

Added

• mac: app API key notarization (#​1127)
• TypeScript definition (#​1131)

Changed

• Replace cross-zip with extract-zip (#​1139)

Removed

• Node < 10 support (#​1122)

v14.2.1: 14.2.1

Compare Source

Fixed

• mac: don't fail if the icon path doesn't exist (#​1101)
• win32: correctly catch missing wine exceptions (#​1117)

v14.2.0: 14.2.0

Compare Source

Added

• electronZipDir option (#​1094)

v14.1.1: 14.1.1

Compare Source

Fixed

• Regression that caused the symlink test on Windows to not work as intended (#​1071)
• Always initialize proxy support when running the CLI (#​1077)
• Clarify the error message when infer cannot find a package.json file (#​1079)
• Handle a missing inferred app version better (#​1079)

Chores

• Upgrade electron-notarize to ^0.2.0 (#​1069)

v14.1.0: 14.1.0

Compare Source

Added

• (darwin/mas only) usageDescription option (#​1049)
• Support for official win32/arm64 builds (#​1053)

v14.0.6: 14.0.6

Compare Source

Fixed

• Send the properly formatted options from the CLI to electron-osx-sign (#​1047)

v14.0.5: 14.0.5

Compare Source

Fixed

• ensure that CFBundleExecutable and friends are correct for helper apps (#​1046)

v14.0.4: 14.0.4

Compare Source

Fixed

• Packaging apps based on Electron >= 6.0.0 correctly renames and packages the new
  Electron GPU Helper bundles (#​1036)

v14.0.3: 14.0.3

Compare Source

Fixed

• Packaging Electron 6 based apps now correctly renames and packages the new Electron Helper bundles (#​1033)

v14.0.2: 14.0.2

Compare Source

Fixed

• Warn Windows 7 users of the unzip dependencies (#​1030)

v14.0.1: 14.0.1

Compare Source

Changed

• Upgrade fs-extra to ^8.1.0 (#​993)

Fixed

• Host info shows OS release

v14.0.0: 14.0.0

Compare Source

Added

• Ignore system junk files by default (#​1005)

Fixed

• Handle inference when electron-prebuilt-compile points to a non-version (#​978)

Changed

• Replace extract-zip with cross-zip - on macOS/Linux, the zip binary is required; on Windows,
  a relatively recent Powershell and .NET runtime is required, see cross-zip for details (#​984)
• Convert from electron-download to @electron/get (#​1002). Drops support for versions of Electron
  < 1.3.2, plus all of the download options have changed, notably:
  • cache is now cacheRoot
  • strictSSL is now rejectUnauthorized
  • The mirror URL string is now a set of options defined by mirrorOptions
  • quiet is removed as the default downloader no longer has a progress bar
• Linux/ia32 support for Electron >= 4 is downgraded to a warning from @electron/get (#​1016)

v13.1.1: 13.1.1

Compare Source

Fixed

• Linux/ia32 is no longer officially supported for Electron >= 4 (#​957)

v13.1.0: 13.1.0

Compare Source

Added

• Support for inferring version from Electron nightlies (#​931)

Fixed

• Infer versions from electron-prebuilt-compile better (#​932)
• Upgrade asar to ^1.0.0, which removes a vulnerable transitive dependency (#​952)

v13.0.1: 13.0.1

Compare Source

Fixed

• Ensure relative out dirs are correctly ignored when copying (#​919)

v13.0.0: 13.0.0

Compare Source

Added

• prebuiltAsar option to specify a prebuilt ASAR file (#​823)
• support for macOS Mojave app notarization (#​899)

Changed

• Dropped support for running on Node < 6.0. (#​900)

Removed

• Deprecated target arch APIs (#​915)
• The callback version of the API (use nodeify if you need that syntax style) (#​916)

v12.2.0: 12.2.0

Compare Source

Added

• darwinDarkModeSupport option to support macOS Mojave dark mode for older Electron versions (#​893)

Fixed

• Don't handle EH/NP Helpers if they don't exist (#​894)

v12.1.2: 12.1.2

Compare Source

Fixed

• Prune user-namespaced modules (#​889)

v12.1.1: 12.1.1

Compare Source

Changed

• Host arch utilities moved to electron-download. This is not a breaking change, as the existing API
  has been kept the same.

Deprecated

• hostArch and unameArch in electron-packager/targets, replaced with host and uname in
  electron-download/lib/arch, respectively

v12.1.0: 12.1.0

Compare Source

Added

• --version shows the Packager/Node versions & host platform/arch (#​841)

Fixed

• mips64el arch is only available with Electron 1.8.x (#​843)
• better detection of node modules (#​847)

v12.0.2: 12.0.2

Compare Source

Fixed

• Support for Node 10 via the CLI (#​835)

v12.0.1: 12.0.1

Compare Source

Fixed

• Upgraded galactus to ^0.2.1 to fix a bug with relative paths

v12.0.0: 12.0.0

Compare Source

Changed

• prune exclusively utilizes the galactus module for pruning devDependencies, instead of
  depending on package managers (#​819)
• electron-packager is no longer ignored by default (#​819)
• A warning is emitted when an Electron module is a production dependency (#​819)

Removed

• packageManager option (#​819)

v11.2.1: 11.2.1

Compare Source

Fixed

• Don't handle EH/NP Helpers if they don't exist (Backport of #​894)

v11.2.0: 11.2.0

Compare Source

Added

• Utility function to execute hooks serially (#​814)

v11.1.0: 11.1.0

Compare Source

Added

• Support for MAS Login Helper (Electron 2.0.0-beta.1 and above) (#​807)

v11.0.1: 11.0.1

Compare Source

Fixed

• rcedit module updated to 1.0.0, which fixes some bugs (#​804)
• --help prints usage to stdout (#​805)

v11.0.0: 11.0.0

Compare Source

Added

• linux platform, mips64el arch builds (Electron 1.8.2-beta.5 and above) (#​800)

Changed

• all or platform=linux, arch=all now include arch=mips64el if the Electron version specified
  is 1.8.2-beta.5 or above (#​800)

v10.1.2: 10.1.2

Compare Source

Fixed

• overwrite: true when no platform/arch is specified (#​794)

v10.1.1: 10.1.1

Compare Source

Fixed

• ARM detection with prebuilt armv7l Node.js (#​783)
• Don't create yarn.lock when pruning with Yarn (#​784)

v10.1.0: 10.1.0

Compare Source

Added

• Option to set the executable name separate from the app name (#​758)

Fixed

• mz dependency (#​759)

v10.0.0: 10.0.0

Compare Source

Changed

• Switch from minimist to yargs-parser (#​732)
• Electron Packager only officially supports Node versions that are supported by the
  NodeJS team (#​747)
• Refactor to use Promises internally. This has the side effect of somewhat parallelizing building two or more targets at once and/or two or more functions for a given hook, via Promise.all (#​753)

v9.1.0: 9.1.0

Compare Source

Added

• hostArch() and allOfficialArchsForPlatformAndVersion() (#​727)

Changed

• CLI arguments with nonstandard argument values emit warnings (#​722)

Deprecated

• In the CLI, --tmpdir=false has been deprecated in favor of --no-tmpdir (#​722)

v9.0.1: 9.0.1

Compare Source

Fixed

• Inferring win32metadata.CompanyName from author in package.json when it's an Object (#​718)

v9.0.0: 9.0.0

Compare Source

Added

• API hook for afterPrune (#​677)
• Package manager-agnostic pruning support (set packageManager to false) (#​690)
• linux platform, arm64 arch builds (Electron 1.8.0 and above) (#​711)

Changed

• Promise support for packager - function returns a Promise instead of the return value of the
  callback (#​658)
• win32metadata.CompanyName defaults to author name from nearest package.json (#​667)
• win32metadata.FileDescription defaults to productName or name from
  nearest package.json (#​667)
• win32metadata.OriginalFilename defaults to renamed .exe (#​667)
• win32metadata.ProductName defaults to productName or name from nearest package.json (#​667)
• win32metadata.InternalName defaults to productName or name from
  nearest package.json (#​667)
• Warn when downloading from the official Electron releases and the arch/platform combination
  specified is invalid (#​562)
• Do not error out immediately if a download.mirror is specified and an unofficial arch/platform
  is specified (#​670)
• Allow spaces when specifying archs/platforms as a string, rather than an array (#​487)
• The extraResource option works on all target platforms (#​637)
• all or platform=linux, arch=all now include arch=arm64 if the Electron version specified is
  1.8.0 or above (#​711)

Fixed

• common.warning for codesigning (#​694)

Removed

• version is removed in favor of electronVersion (CLI: --electron-version) (#​665)
• version-string is removed in favor of win32metadata (#​668)
• Options set via the JavaScript API formatted in kebab-case (i.e., with hyphens) are removed in
  favor of their camelCase variants, per JavaScript naming standards (#​669)

v8.7.2: 8.7.2

Compare Source

Fixed

• Stop yarn creating .bin folders when pruning (#​678)

v8.7.1: 8.7.1

Compare Source

Fixed

• Usage docs for win32metadata.application-manifest and win32metadata.requested-execution-level

v8.7.0: 8.7.0

Compare Source

Added

• packageManager (--package-manager via CLI) option (#​618)
• win32metadata.application-manifest option (#​610)
• win32metadata.requested-execution-level option (#​610)

Fixed

• Support for extract-zip >= 1.6.1

v8.6.0: 8.6.0

Compare Source

Added

• Limited support for electron-prebuilt-compile (#​608)

Changed

• Options formatted in kebab-case (i.e., with hyphens) are available in camelCase, per JavaScript naming standards (#​580)
• rcedit upgraded to 0.8.0

Deprecated

• Options formatted in kebab-case (i.e., with hyphens) are deprecated in favor of their camelCase variants, per JavaScript naming standards (#​580)

v8.5.2: 8.5.2

Compare Source

Fixed

• Prepend all warning messages with "WARNING:" (#​593)
• Ignore the generated temporary directory on Linux (#​596)
• Prevent app names from ending in " Helper" (#​600)

v8.5.1: 8.5.1

Compare Source

Fixed

• Show CLI option when showing option deprecation message (#​560)

v8.5.0: 8.5.0

Compare Source

Added

• electronVersion (--electron-version via CLI) option (#​547)

Deprecated

• version is deprecated in favor of electronVersion (--electron-version via CLI) (#​547)

v8.4.0: 8.4.0

Compare Source

Added

• quiet option (#​541)

Fixed

• Better type checking when validating arch/platform (#​534)

v8.3.0: 8.3.0

Compare Source

Changed

• Upgrade to electron-osx-sign 0.4.x (#​384)

Fixed

• Clarify symlink error message for Windows

v8.2.0: 8.2.0

Compare Source

Added

• Allow extend-info to specify an object instead of a filename (#​510)

Fixed

• Retrieving metadata from package.json by upgrading get-package-info (#​505)
• Typo when using extend-info (#​510)

v8.1.0: 8.1.0

Compare Source

Added

• .o and .obj files are ignored by default (#​491)
• Electron downloads are now checked against their published checksums (#​493)
• Documentation for download.quiet option to enable/disable progress bar (#​494)
• The build-version property, when unspecified, now defaults to the
  app-version property value on Windows (#​501)

v8.0.0: 8.0.0

Compare Source

Added

• win32metadata option (#​331, #​463)
• linux platform, armv7l arch support (#​106, #​474)

Changed

• all now includes the linux platform, armv7l arch combination
• Default the platform option to the host platform (#​464)
• Default the arch option to the host arch (#​36, #​464)
• Default the prune option to true (#​235, #​472)

Fixed

• Allow scoped package names as Electron app names - invalid characters are replaced with
  hyphens (#​308, #​455)

Deprecated

• version-string is deprecated in favor of win32metadata (#​331, #​463)

Removed

• asar-unpack is removed in favor of asar.unpack
• asar-unpack-dir is removed in favor of asar.unpackDir
• cache is removed in favor of download.cache
• strict-ssl is removed in favor of download.strictSSL

v7.7.0: 7.7.0

Compare Source

Added

• The package.json version property is the default app version if --app-version is unspecified (#​449)

Changed

• [darwin/mas] Explicitly disallow osx-sign.binaries (#​459)

v7.6.0: 7.6.0

Compare Source

Added

• [API] hook for afterCopy (#​448)
• [darwin/mas] Documentation for protocol and protocol-name options (#​121, #​450)

Changed

• [CLI] Minimum Node version is enforced (#​454)

Fixed

• [CLI] ensure --out has either a string or null value (#​442)
• Use get-package-info (again) to support finding prebuilt in parent directories (#​445)

v7.5.1: 7.5.1

Compare Source

Fixed

• Resolve to absolute path when inferring app name/Electron version (#​440)

v7.5.0: 7.5.0

Compare Source

Added

• Support the new electron package name (#​435)

v7.4.0: 7.4.0

Compare Source

Added

• Basic debugging messages via the debug module - see CONTRIBUTING.md for usage (#​433)

Changed

• Clearer error message when inferring the app name and/or Electron version fails

Fixed

• (Test) apps named "Electron" can be packaged successfully (#​415)

v7.3.0: 7.3.0

Compare Source

Added

• asar options can be specified as an Object (via the API) or with dot notation (via the CLI) -
  see the respective docs for details (#​353, #​417)

Deprecated

• asar-unpack is deprecated in favor of asar.unpack (#​417)
• asar-unpack-dir is deprecated in favor of asar.unpackDir (#​417)

v7.2.0: 7.2.0

Compare Source

Added

• derefSymlinks option (#​410)

Fixed

• Clarified message when wine is not found (#​357)

v7.1.0: 7.1.0

Compare Source

Added

• afterExtract hook (#​354, #​403)

v7.0.4: 7.0.4

Compare Source

Fixed

• Clarified app name/Electron version error message (#​390)

v7.0.3: 7.0.3

Compare Source

Changed

• [contributors] Code contributions need to be validated in "strict" mode (#​342, #​351)

Fixed

• CLI output truncated when using Node 6 (and possibly earlier) (#​381)

v7.0.2: 7.0.2

Compare Source

Fixed

• The default .git ignore only ignores that directory (#​344)
• Specifying the download.strictSSL CLI parameter no longer triggers a deprecation warning for
  strict-ssl (#​349)

v7.0.1: 7.0.1

Compare Source

Fixed

• Not specifying strict-ssl CLI parameter no longer triggers a deprecation warning (#​335)

v7.0.0: 7.0.0

Compare Source

Added

• Add download parameter (#​320)

Changed

• Dropped support for running on Node < 4.0. (#​319)

Fixed

• strict-ssl (and by extension, download.strictSSL) defaults to true, as documented (#​320)

Deprecated

• cache is deprecated in favor of download.cache (#​320)
• strict-ssl is deprecated in favor of download.strictSSL (#​320)

Removed

• [win32] version-string.FileVersion and version-string.ProductVersion are replaced by
  favor of app-version and build-version, respectively (#​327)
• [win32] version-string.LegalCopyright is replaced by app-copyright (#​327)

v6.0.2: 6.0.2

Compare Source

Changed

• [win32] rcedit dependency updated to 0.5.x. The DLL mentioned in the 6.0.1 release notes
  is no longer required.

v6.0.1: 6.0.1

Compare Source

Changed

• [win32] rcedit dependency updated to 0.4.x
• API documentation moved from readme.md to docs/api.md (#​296)

Fixed

• [darwin/mas] The OSX icon is properly replaced when Electron ≥ 0.37.4 is used (#​301)
• default_app.asar is deleted during packaging (necessary when Electron ≥ 0.37.4 is used).
  The default_app folder is still deleted for older Electron versions (#​298, #​311)

v6.0.0: 6.0.0

Compare Source

Added

• Add support for a new target platform, Mac App Store (mas), including signing OS X apps
  (#​223, #​278)
• Add app-copyright parameter (#​223)
• Add tmpdir parameter to specify a custom temp directory (#​230); set to false to disable
  using a temporary directory at all (#​251, #​276)
• Add NEWS.md, a human-readable list of changes in each version (since 5.2.0) (#​263)

Changed

• **The GitHub repository has been moved into an organization,
  [electron-userland](https://redirect.github.com/ele

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.