fix(deps): update dependency electron-updater to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
electron-updater (source)	^4.6.5 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2024-39698

Observations

The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell (process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe):

https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41

Because of the surrounding shell, a first pass by cmd.exe expands any environment variable found in command-line above.

Exploitation

This creates a situation where verifySignature() can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid.

Impact

This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.).

Patch

This vulnerability was patched in #​8295, by comparing the path in the output of Get-AuthenticodeSignature with the intended one. The patch is available starting from 6.3.0-alpha.6.

---

Release Notes

electron-userland/electron-builder (electron-updater)

v6.3.0

Compare Source

Minor Changes

• #​8095 53cec79b Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

Patch Changes

• #​8108 3d4cc7ae Thanks @​beyondkmp! - feat: add minimumSystemVersion in electron updater

• #​8304 1ac86c9e Thanks @​mmaietta! - chore: update pnpm to 9.4.0

• #​8323 fa3275c0 Thanks @​mmaietta! - chore(deps): update dependency typescript to v5.5.3

• #​8135 c2392de7 Thanks @​mmaietta! - fix: unstable hdiutil retry mechanism

• #​8295 ac2e6a25 Thanks @​mmaietta! - fix: verify LiteralPath of update file during windows signature verification

• #​8311 35a0784e Thanks @​rastiqdev! - fix(rpm-updater): stop uninstalling app before update

• #​8227 48c59535 Thanks @​rotu! - fix(docs): update autoupdate docs noting that channels work with Github

• #​8110 fa7982f1 Thanks @​mmaietta! - chore: entering alpha release stage

• Updated dependencies [3d4cc7ae, 1ac86c9e, ad668ae1, 445911a7, 140e2f0e, fa7982f1]:

  • builder-util-runtime@​9.2.5

v6.2.1

Compare Source

Patch Changes

• #​8091 e2a181d9 Thanks @​mmaietta! - fix(mac): revert autoupdate for mac differential

v6.2.0

Compare Source

Minor Changes

• #​7709 79df5423 Thanks @​beyondkmp! - feat: adding differential downloader for updates on macOS

v6.1.9

Compare Source

Patch Changes

• #​8051 48603ba0 Thanks @​mmaietta! - fix: auto-update powershell script requires reset of PSModulePath

• #​8057 ccbb80de Thanks @​mmaietta! - chore: upgrading connected dependencies (typescript requires higher eslint version)

• Updated dependencies [ccbb80de]:

  • builder-util-runtime@​9.2.4

v6.1.8

Compare Source

Patch Changes

• #​7950 03c94516 Thanks @​bronsonmock! - feat(nsis): add option to disable differential download

v6.1.7

Compare Source

Patch Changes

• Updated dependencies [db424e8e, db424e8e]:
  • builder-util-runtime@​9.2.3

v6.1.6

Compare Source

Patch Changes

• Updated dependencies [549d07b0]:
  • builder-util-runtime@​9.2.2

v6.1.5

Compare Source

Patch Changes

• #​7767 21f3069c Thanks @​jackple! - fix: When error code is ENOENT, try to use electron.shell.openPath to run installer on Windows

v6.1.4

Compare Source

Patch Changes

• #​7666 441da40d Thanks @​sethjray! - fix: check null for isCustomChannel in GitHubProvider.ts

v6.1.3

Compare Source

Patch Changes

• #​7637 b3dfe64b Thanks @​mmaietta! - fix: trigger app.relaunch() if isForceRunAfter = true for (beta) deb and rpm updaters

• #​7633 531a6309 Thanks @​s00d! - fix: change typed-emitter to tiny-typed-emitter to remove rxjs dependency

v6.1.2

Compare Source

Patch Changes

• #​7628 98f535e1 Thanks @​mmaietta! - fix: removing stdio from spawnSync to fix crash on rpm/deb updaters

v6.1.1

Compare Source

Patch Changes

• #​7597 cd15e161 Thanks @​marcuskirsch! - fix: default file name of update.${fileExtension} for downloaded files in private repositories.

v6.1.0

Compare Source

Minor Changes

• #​7533 4786d415 Thanks @​vitto-moz! - feat: nsis install method - exposed as public to avoid quit the app for the install

Patch Changes

• #​7544 dab3aeba Thanks @​NoahAndrews! - Fix differential downloads when the server compresses the blockmap file HTTP response

• Updated dependencies [dab3aeba]:

  • builder-util-runtime@​9.2.1

v6.0.4

Compare Source

Patch Changes

• #​7542 9123e31e Thanks @​ganthern! - fix: handle errors on responses in differential download (#​2398)

v6.0.3

Compare Source

Patch Changes

• #​7524 1a134800 Thanks @​NoahAndrews! - Fixed error handling when launching updater (fixes NSIS updates when isAdminRightsRequired is incorrectly set to false)

v6.0.2

Compare Source

Patch Changes

• #​7508 d4c90b67 Thanks @​NoahAndrews! - Removed DefinitelyTyped dependencies from production dependencies list

v6.0.1

Compare Source

Patch Changes

• #​7503 a2ab1ff3 Thanks @​mmaietta! - fix: NsisUpdater - only resolving true if pid !== undefined

v6.0.0

Compare Source

Major Changes

• #​7032 caa32e07 Thanks @​kidonng! - fix: use appropriate electron-updater cache directory on macOS

Minor Changes

• #​7060 1d130012 Thanks @​mmaietta! - feat: Introducing deb and rpm auto-updates as beta feature

• #​7337 9c0c4228 Thanks @​beyondkmp! - feat: Provide a custom verify function interface to enable nsis signature verification alternatives instead of powershell

Patch Changes

• #​7380 7862e388 Thanks @​beyondkmp! - fix: add reject in handleError in Windows verifySignature function

• #​7230 346af1d4 Thanks @​jeremyspiegel! - fix: support powershell constrained language mode

• #​7394 1bbcfb3d Thanks @​ganthern! - fix: inherit stdio for updated processes (#​7393)

• #​7306 01c67910 Thanks @​mmaietta! - chore: Update dependencies per audit/outdated

• #​7213 17863671 Thanks @​mmaietta! - chore(deps): Updating dependencies and fixing pnpm audit with dependency overrides

• Updated dependencies [cc1ddabd, 93930cf0, 01c67910, 53327d51]:

  • builder-util-runtime@​9.2.0

v5.3.0

Compare Source

Minor Changes

• #​7136 4d989a8a Thanks @​shenglianlee! - feat: non-silent mode allow not to run the app when the installation is complete

v5.2.4

Compare Source

Patch Changes

• #​7117 0c528411 Thanks @​mmaietta! - feat: allow dev update config to be forced for testing auto-updater flow

v5.2.3

Compare Source

Patch Changes

• #​7099 cd21b091 Thanks @​alefoll! - fix(docs): improve downloadUpdate typing to match the doc

• Updated dependencies [1023a93e]:

  • builder-util-runtime@​9.1.1

v5.2.2

Compare Source

Patch Changes

• Updated dependencies [e7179b57]:
  • builder-util-runtime@​9.1.0

v5.2.1

Compare Source

Patch Changes

• #​6998 d6115bc5 Thanks @​matejkriz! - fix(electron-updater): fix backward compatibility for GitHub provider without channels

• #​6995 c9f0da51 Thanks @​panther7! - Fix installDir definition #​6907

v5.2.0

Compare Source

Minor Changes

• #​6907 e7f28677 Thanks @​panther7! - Add installDir property for NsisUpdater. Now is it posible change install folder from AppUpdater.

v5.1.0

Compare Source

Minor Changes

• #​6941 14503ceb Thanks @​ezekg! - Upgrade Keygen publisher/updater integration to API version v1.1.

Patch Changes

• #​6975 8279d053 Thanks @​ezekg! - Fix artifact conflicts for Keygen provider when multiple artifacts share the same filename across products.

• Updated dependencies [adeaa347]:

  • builder-util-runtime@​9.0.3

v5.0.6

Compare Source

Patch Changes

• #​6909 0b6db59e Thanks @​ezekg! - Pin Keygen publisher/updater integration to API version v1.0.

v5.0.5

Compare Source

Patch Changes

• #​6889 869ec27f Thanks @​mmaietta! - fix: moving typed-emitter from devDependency to dependencies

v5.0.4

Compare Source

Patch Changes

• #​6822 bfe29a5e Thanks @​RoikkuTo! - fix: Unable to find latest version on GitHub

• #​6825 db075480 Thanks @​Nokel81! - Added types for AppUpdater's events

v5.0.3

Compare Source

Patch Changes

• #​6810 817e68ba Thanks @​blakebyrnes! - fix: github provider prerelease check incorrectly casts undefined to String. Resolves #​6809

• Updated dependencies [7af4c226]:

  • builder-util-runtime@​9.0.2

v5.0.2

Compare Source

Patch Changes

• 9a7ed436 - chore: updating dependency tree

• Updated dependencies [9a7ed436]:

  • builder-util-runtime@​9.0.1

v5.0.1

Compare Source

Patch Changes

• #​6743 27f18aa1 Thanks @​YanDevDe! - fix: Updater "Error: Could not connect to the server." in macOS. Don't close server directly at quitAndInstall #​6743

v5.0.0

Compare Source

Major Changes

• #​6556 a138a86f Thanks @​mmaietta! - Breaking changes
  Removing Bintray support since it was sunset. Ref: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/
  Fail-fast for windows signature verification failures. Adding -LiteralPath to update file path to disregard injected wildcards
  Force strip path separators for backslashes on Windows during update process
  Force authentication for local mac squirrel update server

  Fixes:
  fix(nsis): Adding --INPUTCHARSET to makensis. (#​4898 #​6232 #​6259)

  Adding additional details to error console logging

• #​6575 5e381c55 Thanks @​devinbinnie! - fix: Allow disabling of webinstaller files to avoid confusion with actual installers

• #​6576 53467c72 Thanks @​devinbinnie! - fix: Update certificate validation on Windows to check full DN

Minor Changes

• #​6505 1de0adbd Thanks @​KenCorma! - feat(updater): Add Channel Support for Github with PreRelease

Patch Changes

• #​6594 edc4b030 Thanks @​mmaietta! - fix(updater): Replacing fs/promises with fs-extra to support legacy versions of Electron that use node 12 and below. Fixes: #​6000

• #​6587 8746f910 Thanks @​devinbinnie! - fix: fixes for server auth for MacUpdater

• #​6589 633ee5dc Thanks @​devinbinnie! - - Removed backtick escaping for Windows code signing as it is unnecessary for Powershell and can cause the script to attempt to access the wrong file
  • Updated the proxy filename to be more secure (512-bit string)

• #​6616 86e6d150 Thanks @​mmaietta! - fix(updater): Remove checks for app-update.yml when auto-updates are not supported

• Updated dependencies [a138a86f]:

  • builder-util-runtime@​9.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: eslint-plugin-vue@7.11.1
npm error Found: eslint@8.1.0
npm error node_modules/eslint
npm error   dev eslint@"^8.1.0" from the root project
npm error   peer eslint@"^6.0.0 || ^7.0.0 || ^8.0.0" from @typescript-eslint/eslint-plugin@5.2.0
npm error   node_modules/@typescript-eslint/eslint-plugin
npm error     dev @typescript-eslint/eslint-plugin@"^5.2.0" from the root project
npm error   5 more (@typescript-eslint/experimental-utils, eslint-utils, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@"^6.2.0 || ^7.0.0" from eslint-plugin-vue@7.11.1
npm error node_modules/eslint-plugin-vue
npm error   dev eslint-plugin-vue@"^7.11.1" from the root project
npm error
npm error Conflicting peer dependency: eslint@7.32.0
npm error node_modules/eslint
npm error   peer eslint@"^6.2.0 || ^7.0.0" from eslint-plugin-vue@7.11.1
npm error   node_modules/eslint-plugin-vue
npm error     dev eslint-plugin-vue@"^7.11.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-12-03T17_43_37_491Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-12-03T17_43_37_491Z-debug-0.log