Update to electron 25 #1543
Comments
What is the state of this project? There have not been any commits in 4 months, and the current default version of electron is EOL and has not received any security patches in 8 months. I can help test for obvious regressions and triage issues, but we still will need more maintainers/contributors to keep the project afloat. Keeping the project in its current state is potentially dangerous to users, but deprecating/shutting it down would be bad since many people rely on it, and it has over a thousand weekly downloads.
Yeah I was looking into this project as a potential replacement for WebCatalog (which recently deprecated Linux support) but the lack of maintainership and the extremely poor security posture around Electron updates is concerning. At the VERY least Electron updates should be separated out to something separate (perhaps a separate repo) with automated updates (Renovate etc) while the nativefier client should be modified to use the latest Electron from that repo instead at runtime (instead of declaring the Electron version at nativefier build time).
@ronjouch @TheCleric Can you create a pinned issue with a list of all nativefier-related accounts (GitHub, Docker, npm, etc.) and who has access?
Electron releases have breaking changes that affect nativefier. Automatically using the latest version of electron in nativefier is as simple as running
Sorry for the delay in response. So here's the current situation with Nativefier.
I can look at getting us to a newer version of Electron, but as you noted I'm not sure what kind of breaking changes would be present that would need fixing. As well, if that is successful, that will solve the problem until it doesn't (as in Electron gets updated again). I wouldn't consider Nativefier to be a dead project, but it's always been one that is heavily reliant on community contributions, which we haven't received many of lately. All of that is to say, if someone were to provide a PR updating Electron I'd take a look. The future of this project is in the hands of those who use it. If they give back, I'm hopeful it can continue.
@TheCleric What access do you have to the docker/npm accounts? Could the project be able to continue on without any involvement from jiahaog? Can you create a separate pinned issue documenting everyone who has access/permissions to all of the nativefier-related accounts? Also, can I have the "Triager" GitHub role so I can help organize the GitHub issues?
Yes, deployments are all done via GitHub, so I don't need the direct credentials.
Unfortunately I do not have the permissions to do that, but if @jiahaog sees this, I'd recommend allowing it, as you've been trustworthy in the past. I have also pinned this issue as documentation of the current state of the project.
Should I bump the current electron version to the latest version of electron 19? This would fix CVE-2022-413.
We should also probably bump the minimum node version to 16 or 18 since 12 is EOL.
So looking into this I can quickly get us to Electron 21.4.4 and Node 16. Anything past that will require a LOT more work, as Electron completely redid its new window event handling in a way that is incompatible with some stuff we do. I've tried twice in the past to fix this and have not had much success. To go past 21, we would possibly have to retire some functionality. I'll look when I have time.
@TheCleric Do you have access to https://github.com/nativefier/page-icon?
I don't, sorry.
@jiahaog Can you add @TheCleric to the @nativefier organization with access to all of the repos?
Electron 21.4.4 and Node 16 would be much better at this point even if it reached EOL |
Nativefier 51.0.0 has been released with Electron 21.4.4 and Node 16.
The docker image is still on v48.0.0.
$ sudo docker pull nativefier/nativefier
Using default tag: latest
latest: Pulling from nativefier/nativefier
df9b9388f04a: Pull complete
3bf6d7380205: Pull complete
7939e601ee5e: Pull complete
31f0fb9de071: Pull complete
db29529b83d0: Pull complete
1c196395bd39: Pull complete
640cd151f04c: Pull complete
5eca5a2135d4: Pull complete
fdfd4ad86023: Pull complete
9317b41e9dd7: Pull complete
Digest: sha256:85f94cce9fd6b340cd6978f21af215ff2d4e707b4a5a345149f6f3cb5432e414
Status: Downloaded newer image for nativefier/nativefier:latest
docker.io/nativefier/nativefier:latest
$ sudo docker run --rm -v ~/nativefier-apps:/target/ nativefier/nativefier --version
48.0.0
Yeah the Docker build was failing. I'll make a version with the fix in it.
Well it looks like our Docker creds may not be valid. @jiahaog do you have up to date ones that can be added to the appropriate GitHub secrets?
@mattruzzi I've started the process of going to Electron 25. Fortunately I had code from over a year ago still lying around from when I started exploring some of the planned deprecations. It has known issues, but I think it would be good to get an alpha version out quickly to allow people to use it if they want and help discover any issues. PR #1559
@TheCleric Can you email @jiahaog and ask to be added as a member of the nativefier GitHub organization?
Homework
nativefier --help
and API.md, no existing option fits my needs.
Problem statement
The current default version of electron is EOL and has not received any security patch updates in 8 months.
Motivation & context
The current default version of electron is EOL and has not received any security patch updates in 8 months.