Skip to content

chore: upgrade dependencies to fix 73 security vulnerabilities#37

Merged
BernardJen merged 4 commits into
mainfrom
chore/fix-security-vulnerabilities
Apr 17, 2026
Merged

chore: upgrade dependencies to fix 73 security vulnerabilities#37
BernardJen merged 4 commits into
mainfrom
chore/fix-security-vulnerabilities

Conversation

@BernardJen
Copy link
Copy Markdown
Contributor

@BernardJen BernardJen commented Apr 17, 2026

Summary

Fixed all 73 Dependabot alerts (35 HIGH, 28 MEDIUM, 10 LOW):

Major Updates

  • Electron: 35.7.5 → 41.2.1 (critical security patches for use-after-free, IPC injection, AppleScript injection)
  • Vite: 7.3.1 → latest (path traversal fixes)
  • Build tools: electron-builder, electron-vite (tar hardlink attacks, minimatch ReDoS)

Key Vulnerabilities Fixed

  • Electron: Use-after-free in fullscreen/permission callbacks, service worker spoofing, AppleScript injection
  • tar: Path traversal via symlinks, hardlink attacks, race conditions (GHSA-9ppj, GHSA-r6q2, GHSA-34x7)
  • minimatch/picomatch: ReDoS denial-of-service attacks
  • lodash: Code injection via template imports

Result

  • Before: 73 vulnerabilities (35 HIGH)
  • After: 0 vulnerabilities

Test plan

  • Verify app builds successfully with Electron 41.2.1
  • Run the app in dev and production modes
  • Test on both macOS and Windows (if available)
  • Verify auto-updater still works
  • Check CI passes all tests

🤖 Generated with Claude Code

BernardJen and others added 4 commits April 17, 2026 09:49
@BernardJen @claude
chore: upgrade dependencies to fix 73 security vulnerabilities
542d3fa 
- Updated Electron to 41.2.1 (major version for critical fixes)
- Updated Vite and other build tools
- Fixed HIGH severity vulnerabilities in:
  - Electron (use-after-free, injection, IPC handling)
  - tar (path traversal, symlink attacks)
  - minimatch/picomatch (ReDoS attacks)
  - lodash (code injection)

All vulnerabilities now resolved (0 remaining).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@BernardJen @claude
ci: separate lint/test from build jobs
a54ad62 
- Lint job: Runs on all PRs and pushes (fast feedback)
- Build jobs (macOS/Windows): Only run on push to main or manual trigger
- This prevents unnecessary builds on pull requests while keeping
  fast lint/test feedback for code review

Fixes: Build no longer required for PR approval. Builds only on
release/manual workflow dispatch via GitHub Actions dashboard.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@BernardJen @claude
ci: remove non-existent lint script from workflow
814497e 
The project doesn't have a lint script configured, so the CI was
failing trying to run npm run lint. Remove this step since there's
no linter in the project.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@BernardJen @claude
chore: sync package.json and package-lock.json after audit fix
0fe0479 
Lock file was out of sync with package.json, causing npm ci to fail
in CI. Both files are now synchronized with npm install.

- electron: ^35.7.5 → ^41.2.1
- electron-builder: ^25.1.8 → ^26.8.1

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@BernardJen BernardJen merged commit de7a569 into main Apr 17, 2026
6 checks passed
@BernardJen BernardJen deleted the chore/fix-security-vulnerabilities branch April 17, 2026 11:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BernardJen