This repository has been archived by the owner on Sep 29, 2023. It is now read-only.

Update to electron 25 #1543

Open
5 tasks done
mattruzzi opened this issue Jul 5, 2023 · 20 comments

Comments

@mattruzzi
Contributor

Homework

  • I took the time to write a good, descriptive issue title
  • I read nativefier --help and API.md, no existing option fits my needs.
  • I checked CATALOG.md for community suggestions & workarounds.
  • I searched existing issues, open & closed. Yes, my feature request is new.
  • I'm running the latest version. Yes, the feature I'm requesting isn't in it.

Problem statement

The current default version of electron is EOL and has not received any security patch updates in 8 months.

Motivation & context

The current default version of electron is EOL and has not received any security patch updates in 8 months.

@mattruzzi
Contributor Author

What is the state of this project? There have not been any commits in 4 months, and the current default version of electron is EOL and has not received any security patches in 8 months. I can help test for obvious regressions and triage issues, but we still will need more maintainers/contributors to keep the project afloat. Keeping the project in its current state is potentially dangerous to users, but deprecating/shutting it down would be bad since many people rely on it, and it has over a thousand weekly downloads.

@ReillyBrogan

Yeah, I was looking into this project as a potential replacement for WebCatalog (which recently deprecated Linux support), but the lack of maintainership and the extremely poor security posture around Electron updates is concerning. At the VERY least, Electron updates should be separated out into something separate (perhaps a separate repo) with automated updates (Renovate, etc.), while the nativefier client should be modified to use the latest Electron from that repo at runtime (instead of declaring the Electron version at nativefier build time).

@mattruzzi
Contributor Author

@ronjouch @TheCleric Can you create a pinned issue with a list of all nativefier related accounts (github, docker, npm, etc) and who has access?

@mattruzzi
Contributor Author

Yeah, I was looking into this project as a potential replacement for WebCatalog (which recently deprecated Linux support), but the lack of maintainership and the extremely poor security posture around Electron updates is concerning. At the VERY least, Electron updates should be separated out into something separate (perhaps a separate repo) with automated updates (Renovate, etc.), while the nativefier client should be modified to use the latest Electron from that repo at runtime (instead of declaring the Electron version at nativefier build time).

Electron releases have breaking changes that affect nativefier. Automatically using the latest version of electron in nativefier is as simple as running nativefier --electron-version $(npm show electron version). This is not the default because of the breaking changes. One partial solution would be for nativefier to hardcode only a major version of electron (e.g. v23) and have nativefier automatically use the latest point release (e.g. 23.3.10) instead of pinning a specific point release. This could work since point releases theoretically don't have breaking changes. However, because nativefier is using an EOL version of electron that has not received a point release in over six months, this would not solve the problem unless the default version was updated to a supported version like v25. Another solution would be for nativefier to get more maintainers who would be able to just keep the pinned version of electron up to date.
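The "pin a major, float the point release" idea in the comment above can be scripted. The following is an added example, not nativefier's code: it takes the version list that `npm view electron versions --json` prints (a constructed subset is embedded so it runs offline), resolves the newest stable point release of a pinned major, and flags the case the comment warns about, where the pinned major is no longer in the caller-supplied set of supported majors. The `supported_majors` parameter is an assumption of this example; the caller has to supply it from Electron's published support policy.

```python
import json
import re
import subprocess

# Constructed sample of the output of `npm view electron versions --json`
# (a small subset, so the example runs without network access).
SAMPLE_VERSIONS = [
    "19.1.4", "19.1.9",
    "21.4.3", "21.4.4",
    "23.3.9", "23.3.10", "23.3.13",
    "24.8.2",
    "25.2.0", "25.3.0", "25.3.1",
    "26.0.0-beta.1",
]

# Stable releases only: an optional "-prerelease" suffix is captured in group 4.
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_stable(version):
    """Return (major, minor, patch) for a stable release; None for prereleases or junk."""
    m = SEMVER_RE.match(version)
    if not m or m.group(4):
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def latest_patch_for_major(versions, major):
    """Newest stable point release of the given major, or None if the major is absent."""
    candidates = [v for v in versions if (p := parse_stable(v)) and p[0] == major]
    if not candidates:
        return None
    return max(candidates, key=parse_stable)


def resolve_default(versions, pinned_major, supported_majors):
    """Resolve the release a pinned major would float to and say whether it is still supported.

    Floating the point release only helps while the major receives patches; once the
    major leaves the supported set, the resolved version is stale no matter how new it looks.
    """
    latest = latest_patch_for_major(versions, pinned_major)
    return {
        "version": latest,
        "supported": pinned_major in supported_majors,
    }


def fetch_electron_versions():
    """Live lookup. Assumes `npm` is on PATH; not used by the offline demo below."""
    out = subprocess.run(
        ["npm", "view", "electron", "versions", "--json"],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Hypothetical support window for the demo; take the real one from Electron's policy.
    supported = {23, 24, 25}
    for major in (19, 23, 25):
        print(major, resolve_default(SAMPLE_VERSIONS, major, supported))
```

A build script can refuse to proceed when `supported` is false, which turns the EOL situation described in this issue into a hard failure instead of a silent default.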

@TheCleric
Collaborator

Sorry for the delay in response. So here's the current situation with Nativefier.

  • ronjouch has stepped down as maintainer (in fact I'm not even tagging him there so I don't contribute to him having to worry about it).
  • @jiahaog is still the owner of the repo and all associated accounts
  • I'm here on an "as I have time" basis. And lately, I just don't have the time.

I can look at getting us to a newer version of Electron, but as you noted I'm not sure what kind of breaking changes would be present that would need fixing. As well if that is successful, that will solve the problem until it doesn't (as in Electron gets updated again).

I wouldn't consider Nativefier to be a dead project, but it's always been one that is heavily reliant on community contributions, which we haven't received many of lately. All of that is to say, if someone were to provide a PR updating Electron, I'd take a look. The future of this project is in the hands of those who use it. If they give back, I'm hopeful it can continue.

@TheCleric TheCleric pinned this issue Jul 19, 2023
@mattruzzi
Contributor Author

@TheCleric What access do you have to the docker/npm accounts? Could the project continue without any involvement from jiahaog? Can you create a separate pinned issue documenting everyone who has access/permissions to all of the nativefier related accounts?

Also, can I have the "Triager" GitHub role so I can help organize the GitHub issues?

@TheCleric
Collaborator

What access do you have to the docker/npm accounts? Could the project continue without any involvement from jiahaog?

Yes, deployments are all done via GitHub, so I don't need the direct credentials.

Also, can I have the "Triager" GitHub role so I can help organize the GitHub issues?

Unfortunately I do not have the permissions to do that, but if @jiahaog sees this, I'd recommend allowing it, as you've been trustworthy in the past.

I have also pinned this issue as documentation of the current state of the project.

@mattruzzi
Contributor Author

mattruzzi commented Jul 20, 2023

Should I bump the current electron version to the latest version of electron 19? This would fix CVE-2022-413.
19.1.4 => 19.1.9

@mattruzzi
Contributor Author

We should also probably bump the minimum node version to 16 or 18 since 12 is EOL.

@TheCleric
Collaborator

So, looking into this, I can quickly get us to Electron 21.4.4 and Node 16.

Anything past that will require a LOT more work, as Electron completely redid its new window event handling in a way that is incompatible with some stuff we do. I've tried twice in the past to fix this and have not had much success. To go past 21, we would possibly have to retire some functionality. I'll look when I have time.

@mattruzzi
Contributor Author

@TheCleric Do you have access to https://github.com/nativefier/page-icon?

@TheCleric
Collaborator

@TheCleric Do you have access to https://github.com/nativefier/page-icon?

I don't, sorry.

@mattruzzi
Contributor Author

mattruzzi commented Jul 22, 2023

@jiahaog Can you add @TheCleric to the @nativefier organization with access to all of the repos?

@danieltomasz

Electron 21.4.4 and Node 16 would be much better at this point, even if it has reached EOL.

@TheCleric
Collaborator

Nativefier 51.0.0 has been released with Electron 21.4.4 and Node 16.

@mattruzzi
Contributor Author

mattruzzi commented Aug 4, 2023

The docker image is still on v48.0.0.

$ sudo docker pull nativefier/nativefier
Using default tag: latest
latest: Pulling from nativefier/nativefier
df9b9388f04a: Pull complete 
3bf6d7380205: Pull complete 
7939e601ee5e: Pull complete 
31f0fb9de071: Pull complete 
db29529b83d0: Pull complete 
1c196395bd39: Pull complete 
640cd151f04c: Pull complete 
5eca5a2135d4: Pull complete 
fdfd4ad86023: Pull complete 
9317b41e9dd7: Pull complete 
Digest: sha256:85f94cce9fd6b340cd6978f21af215ff2d4e707b4a5a345149f6f3cb5432e414
Status: Downloaded newer image for nativefier/nativefier:latest
docker.io/nativefier/nativefier:latest
$ sudo docker run --rm -v ~/nativefier-apps:/target/ nativefier/nativefier --version
48.0.0

#848

@TheCleric
Collaborator

Yeah, the Docker build was failing. I'll make a version with the fix in it.

@TheCleric
Collaborator

Well, it looks like our Docker creds may not be valid. @jiahaog, do you have up-to-date ones that can be added to the appropriate GitHub secrets?

@TheCleric
Collaborator

@mattruzzi I've started the process of going to Electron 25. Fortunately, I had code from over a year ago still lying around from when I started exploring some of the planned deprecations. It has known issues, but I think it would be good to get an alpha version out quickly to allow people to use it if they want and help discover any issues.

PR #1559

@mattruzzi
Contributor Author

@TheCleric Can you email @jiahaog and ask to be added as a member of the nativefier GitHub organization?

@jiahaog jiahaog unpinned this issue Sep 29, 2023