[Snyk] Security upgrade electron from 21.2.2 to 21.3.4#14271

Merged
ctkochan22 merged 1 commit into main from snyk-fix-6a5d76bb6e732b143bf2387a4099d5b5 on Jan 17, 2023

Conversation

@MelvinBot


This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity | Priority Score (*) | Why? | Issue | Snyk ID | Breaking Change | Exploit Maturity
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3160315 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3160316 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3160318 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3160320 | No | No Known Exploit
medium | 529/1000 | Has a fix available, CVSS 6.3 | Access Restriction Bypass | SNYK-JS-ELECTRON-3160326 | No | No Known Exploit
medium | 529/1000 | Has a fix available, CVSS 6.3 | Access Restriction Bypass | SNYK-JS-ELECTRON-3160338 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3177484 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3177485 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3180031 | No | No Known Exploit
high | 654/1000 | Has a fix available, CVSS 8.8 | Use After Free | SNYK-JS-ELECTRON-3228698 | No | No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Access Restriction Bypass

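The Snyk body lists the IDs and the target version, but the thing a reviewer actually wants to confirm is that package-lock.json resolves every copy of electron to 21.3.4 or later: the range in package.json alone does not decide what npm installs, and a second, nested copy of a package under another dependency's node_modules is easy to miss. The Node script below is an added example; it is not part of this PR, the Expensify App code base or Snyk's tooling. The three lockfile fragments it checks are constructed: two mirror the before and after state of this upgrade, and the third adds a made-up package ("example-builder") that still pins the old electron underneath it.

```javascript
// Added example (not from the PR, the Expensify App code base or Snyk): verify
// that a package-lock.json resolves every copy of "electron" to at least the
// fixed version the PR upgrades to. Lockfile contents below are constructed.

const FIXED_ELECTRON = '21.3.4';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// -1 / 0 / 1 ordering; a prerelease sorts below the release with the same numbers.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Every resolved copy of `name`, keyed by install path. lockfileVersion 2/3
// keeps a flat "packages" map keyed by path; v1 (and v2, for compatibility)
// keeps nested "dependencies". Both are walked so a duplicate installed under
// another package's node_modules is not missed.
function resolvedVersions(lock, name) {
  const found = new Map();
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
      found.set(p, entry.version);
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.set(p, entry.version);
      walk(entry.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...found].map(([path, version]) => ({ path, version }));
}

// Pass only if the package is present and no copy is below the fixed version.
function checkLockfile(lock, name, fixedVersion) {
  const copies = resolvedVersions(lock, name);
  const vulnerable = copies.filter((c) => compareVersions(c.version, fixedVersion) < 0);
  return { ok: copies.length > 0 && vulnerable.length === 0, copies, vulnerable };
}

// Same check against a real lockfile on disk (not invoked here).
function checkLockfileAt(lockPath, name = 'electron', fixedVersion = FIXED_ELECTRON) {
  const lock = JSON.parse(require('fs').readFileSync(lockPath, 'utf8'));
  return checkLockfile(lock, name, fixedVersion);
}

// Constructed lockfile fragments mirroring this PR: before and after the bump.
const LOCK_BEFORE = {
  lockfileVersion: 2,
  packages: { 'node_modules/electron': { version: '21.2.2' } },
  dependencies: { electron: { version: '21.2.2' } },
};
const LOCK_AFTER = {
  lockfileVersion: 2,
  packages: { 'node_modules/electron': { version: '21.3.4' } },
  dependencies: { electron: { version: '21.3.4' } },
};
// Hypothetical: top-level copy bumped, but a nested copy under a made-up
// tooling package ("example-builder") is still on the old version.
const LOCK_NESTED_STALE = {
  lockfileVersion: 1,
  dependencies: {
    electron: { version: '21.3.4' },
    'example-builder': {
      version: '1.0.0',
      dependencies: { electron: { version: '21.2.2' } },
    },
  },
};

function summarize(label, result) {
  const detail = result.vulnerable.map((c) => `${c.path}@${c.version}`).join(', ');
  return `${label}: ${result.ok ? 'OK' : 'FAIL'}${detail ? ` (still vulnerable: ${detail})` : ''}`;
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER], ['nested', LOCK_NESTED_STALE]]) {
  console.log(summarize(label, checkLockfile(lock, 'electron', FIXED_ELECTRON)));
}
```

Run as-is it prints FAIL for the pre-upgrade and nested cases and OK for the post-upgrade one; to gate a real branch, call checkLockfileAt('package-lock.json') and fail the job when `ok` is false. The nested case is the reason to check the lockfile rather than package.json: Snyk's PR bumps the top-level entry, and any other copy has to be found and bumped separately.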
@MelvinBot MelvinBot requested a review from a team as a code owner January 13, 2023 07:14
@melvin-bot melvin-bot Bot requested review from ctkochan22 and removed request for a team January 13, 2023 07:15
@melvin-bot

melvin-bot Bot commented Jan 13, 2023


@ctkochan22 Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

@ctkochan22 ctkochan22 left a comment

Built desktop, everything looks good

@ctkochan22

ctkochan22 commented Jan 17, 2023


Reviewer Checklist

  • I have verified the author checklist is complete (all boxes are checked off).
  • I verified the correct issue is linked in the ### Fixed Issues section above
  • I verified testing steps are clear and they cover the changes made in this PR
    • I verified the steps for local testing are in the Tests section
    • I verified the steps for Staging and/or Production testing are in the QA steps section
    • I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
    • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I checked that screenshots or videos are included for tests on all platforms
  • I included screenshots or videos for tests on all platforms
  • I verified tests pass on all platforms & I tested again on:
    • Android / native
    • Android / Chrome
    • iOS / native
    • iOS / Safari
    • MacOS / Chrome / Safari
    • MacOS / Desktop
  • If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
  • I verified proper code patterns were followed (see Reviewing the code)
    • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick).
    • I verified that comments were added to code that is not self explanatory
    • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
    • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
    • I verified any copy / text that was added to the app is correct English and approved by marketing by adding the Waiting for Copy label for a copy review on the original GH to get the correct copy.
    • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
    • I verified the JSDocs style guidelines (in STYLE.md) were followed
  • If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
  • I verified that this PR follows the guidelines as stated in the Review Guidelines
  • I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar have been tested & I retested again)
  • I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
  • I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
  • If a new component is created I verified that:
    • A similar component doesn't exist in the codebase
    • All props are defined accurately and each prop has a /** comment above it */
    • The file is named correctly
    • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
    • The only data being stored in the state is data necessary for rendering and nothing else
    • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
    • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
    • All JSX used for rendering exists in the render method
    • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
  • If any new file was added I verified that:
    • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
  • If a new CSS style is added I verified that:
    • A similar style doesn't already exist
    • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(themeColors.componentBG)
  • If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
  • If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
  • If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
  • I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.

Screenshots/Videos

Web
Mobile Web - Chrome
Mobile Web - Safari
Desktop image
iOS
Android

@ctkochan22


There is no checklist for the PR author

@ctkochan22 ctkochan22 merged commit 4378368 into main Jan 17, 2023
@ctkochan22 ctkochan22 deleted the snyk-fix-6a5d76bb6e732b143bf2387a4099d5b5 branch January 17, 2023 01:45
@ctkochan22


Tested. PR author doesn't have a checklist in this case

@github-actions


Performance Comparison Report 📊

Significant Changes To Duration

There are no entries

Meaningless Changes To Duration

Name Duration
App start TTI 667.087 ms → 675.723 ms (+8.636 ms, +1.3%)
App start nativeLaunch 19.935 ms → 20.000 ms (+0.065 ms, ±0.0%)
App start regularAppStart 0.014 ms → 0.016 ms (+0.001 ms, +9.6%)
App start runJsBundle 183.750 ms → 183.563 ms (-0.188 ms, ±0.0%)
Open Search Page TTI 597.585 ms → 596.346 ms (-1.238 ms, ±0.0%)
Details
Name Duration
App start TTI Baseline
Mean: 667.087 ms
Stdev: 31.022 ms (4.7%)
Runs: 612.4340199995786 617.9714310001582 621.7900940002874 630.731124999933 630.8195399995893 635.6445009997115 641.985485999845 642.3823039997369 644.6223619999364 652.8313509998843 657.8126389998943 659.2344070002437 659.7726260004565 659.9329669997096 661.3180520003662 663.4343299996108 665.8529399996623 669.3195259999484 672.0029429998249 676.5847100000829 682.0356259997934 682.8503989996389 685.8948950003833 686.061776000075 688.552233999595 690.3251130003482 697.7962779998779 699.5250140000135 716.4314120002091 732.877873999998 740.8719250001013

Current
Mean: 675.723 ms
Stdev: 25.949 ms (3.8%)
Runs: 622.1169539997354 640.7607530001551 642.3685119999573 643.9833960002288 647.2865960001945 649.8844469999894 652.9512740001082 659.5855559995398 661.6249320004135 663.4271069997922 664.2793429996818 666.6573010003194 667.7470559999347 674.8406859999523 678.7999059995636 680.276386000216 681.3889979999512 681.663142000325 682.7860279995948 683.0148870004341 684.3217150000855 686.5441479999572 686.6591069996357 687.9029160002246 687.9708569999784 696.9605430001393 708.5834999997169 717.3667519995943 732.8176809996367 737.1073770001531
App start nativeLaunch Baseline
Mean: 19.935 ms
Stdev: 1.605 ms (8.1%)
Runs: 17 17 18 18 18 18 19 19 19 19 19 19 19 19 19 20 20 21 21 21 21 21 21 21 21 22 22 22 22 22 23

Current
Mean: 20.000 ms
Stdev: 1.949 ms (9.7%)
Runs: 17 17 18 18 18 18 18 18 19 19 19 19 19 19 20 20 20 21 21 21 21 21 21 21 21 22 22 23 24 25
App start regularAppStart Baseline
Mean: 0.014 ms
Stdev: 0.001 ms (6.5%)
Runs: 0.012370000593364239 0.012980000115931034 0.013143000192940235 0.01318300049751997 0.013224000111222267 0.013427999801933765 0.013508999720215797 0.01355000026524067 0.013671999797224998 0.013916000723838806 0.013957000337541103 0.014161000028252602 0.014200999401509762 0.014282000251114368 0.014403999783098698 0.014444999396800995 0.01444500032812357 0.01444500032812357 0.014485999941825867 0.01460800040513277 0.0147299999371171 0.0148930000141263 0.01501499954611063 0.01501499954611063 0.015095999464392662 0.015178000554442406 0.015298999845981598 0.01534000039100647 0.015909000299870968 0.016276000067591667 0.016276000067591667

Current
Mean: 0.016 ms
Stdev: 0.001 ms (6.4%)
Runs: 0.013833999633789062 0.014688999392092228 0.0147299999371171 0.014770000241696835 0.014891999773681164 0.014932999387383461 0.014973999932408333 0.015137000009417534 0.015217999927699566 0.015217999927699566 0.015258999541401863 0.01534000039100647 0.015341000631451607 0.015381000004708767 0.015422000549733639 0.01550199929624796 0.015544000081717968 0.015625 0.015951000154018402 0.015990999527275562 0.015991000458598137 0.016154000535607338 0.01639800053089857 0.016886000521481037 0.016927000135183334 0.01696700043976307 0.017171000130474567 0.018147999420762062 0.018188999965786934
App start runJsBundle Baseline
Mean: 183.750 ms
Stdev: 18.123 ms (9.9%)
Runs: 152 155 156 157 158 166 168 169 174 174 174 176 178 179 181 181 183 187 187 190 191 194 196 197 198 199 203 204 206 213 215 219

Current
Mean: 183.563 ms
Stdev: 16.802 ms (9.2%)
Runs: 158 160 161 162 163 163 167 173 175 175 175 176 176 176 178 180 182 183 185 186 187 191 194 198 198 200 201 204 204 205 209 229
Open Search Page TTI Baseline
Mean: 597.585 ms
Stdev: 21.027 ms (3.5%)
Runs: 561.6269529992715 562.4486090000719 568.2668459992856 573.4364419998601 575.0423180004582 576.503744000569 578.6964109996334 582.1123449997976 584.6230060001835 587.4208990000188 589.7487789997831 590.7167969997972 592.1156009994447 592.1907970001921 593.8542070006952 594.7289629997686 594.9145920006558 595.2587890001014 595.4389650002122 595.7676600003615 598.3461510008201 604.0610360000283 606.1038819998503 613.9276539999992 614.5710040004924 617.8744310000911 620.6625570002943 620.8423669999465 627.1569419996813 629.3870860002935 635.9640299994498 648.9013669993728

Current
Mean: 596.346 ms
Stdev: 20.307 ms (3.4%)
Runs: 554.3784990003332 559.1035979995504 568.0412600003183 568.2571609998122 575.785074999556 577.3179930001497 579.3938389997929 579.4391689999029 579.650512999855 580.6081139994785 590.6125499997288 590.7801920007914 590.990601000376 591.1423340002075 592.8428150005639 595.2741289995611 596.3149820007384 598.0206300001591 598.593913000077 600.928874000907 600.9586600000039 601.1193850003183 601.7961839996278 603.7606609994546 609.0002439999953 615.512085000053 621.2263190001249 621.9262290000916 623.012085000053 624.2589519992471 624.3746339995414 631.1278480002657 633.8770759999752

@OSBotify


🚀 Deployed to staging by @ctkochan22 in version: 1.2.56-0 🚀

platform result
🤖 android 🤖 success ✅
🖥 desktop 🖥 success ✅
🍎 iOS 🍎 success ✅
🕸 web 🕸 success ✅

@OSBotify


🚀 Deployed to production by https://github.com/AndrewGable in version: 1.2.56-0 🚀

platform result
🤖 android 🤖 success ✅
🖥 desktop 🖥 success ✅
🍎 iOS 🍎 success ✅
🕸 web 🕸 success ✅

4 participants