Skip to content

Update esm-asar-entrypoints #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
krombel wants to merge 39 commits into
base: esm-asar-entrypoints
Choose a base branch
from
Open

Update esm-asar-entrypoints #160

krombel wants to merge 39 commits into from

Conversation

@krombel
Copy link

@krombel krombel commented Dec 15, 2025
edited
Loading

just a merge of main into esm-asar-entrypoints

This intended to update #101.

A more familiar view might be the diff to main.

It is working in this state for me right now for an esm build.

dependabot bot and others added 30 commits July 1, 2024 13:58
@dependabot
build(deps): bump amannn/action-semantic-pull-request (electron#105)
03b8419 
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.2 to 5.5.3.
- [Release notes](https://github.com/amannn/action-semantic-pull-request/releases)
- [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md)
- [Commits](amannn/action-semantic-pull-request@cfb6070...0723387)

---
updated-dependencies:
- dependency-name: amannn/action-semantic-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dsanders11
build: fix repository.url in package.json (electron#108)
9495fc3
@dsanders11
build: bump lint-staged to clear audit (electron#109)
dd52b47
@electron-roller
chore: bump continuousauth/npm in .circleci/config.yml to 2.1.1 (elec…
bf62ed4 
…tron#110)

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
@electron-roller
chore: bump electronjs/node in .circleci/config.yml to 2.3.1 (electro…
ef4ce1f 
…n#111)

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
@dependabot
build(deps): bump dsanders11/project-actions from 1.3.0 to 1.4.0 (ele…
915c061 
…ctron#112)

Bumps [dsanders11/project-actions](https://github.com/dsanders11/project-actions) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/dsanders11/project-actions/releases)
- [Changelog](https://github.com/dsanders11/project-actions/blob/main/.releaserc.json)
- [Commits](dsanders11/project-actions@eb760c4...438b25e)

---
updated-dependencies:
- dependency-name: dsanders11/project-actions
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump cross-spawn from 7.0.3 to 7.0.6 (electron#114)
7f59407 
Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6.
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6)

---
updated-dependencies:
- dependency-name: cross-spawn
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dsanders11
ci: switch to GHA (electron#115)
caa0567
@dependabot
build(deps): bump dsanders11/project-actions from 1.4.0 to 1.5.1 (ele…
4bf3341 
…ctron#119)

Bumps [dsanders11/project-actions](https://github.com/dsanders11/project-actions) from 1.4.0 to 1.5.1.
- [Release notes](https://github.com/dsanders11/project-actions/releases)
- [Changelog](https://github.com/dsanders11/project-actions/blob/main/.releaserc.json)
- [Commits](dsanders11/project-actions@438b25e...9c80cd3)

---
updated-dependencies:
- dependency-name: dsanders11/project-actions
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump actions/setup-node from 4.1.0 to 4.2.0 (electron#118)
d76ca76
@mmaietta
test: giving steroids to the test suite 💪 (electron#122)
7c0ad6c 
* purely test suite on steroids

* verify stuff

* more fun verifies

* ok ok ok I'm done

* extend timeout and consolidate to constant for easier usage across tests

* PR feedback :)
Remove warnings by adding transform regex to `ts-jest` and `testMatch`.

* cleanup

* cleanup

* PR feedback & converting `export function` to `export const` in `util.ts`
@mmaietta
test: add test should shim asars with different unpacked dirs (elec…
d90d573 
…tron#125)
@erikian
chore(deps): bump @electron/asar to 3.3.1 (electron#127)
740dd4a 
* chore(deps): bump `@electron/asar` to `3.3.1`

* update snapshots
@mmaietta
fix: Allow EnableEmbeddedAsarIntegrityValidation when multiple asar…
2b67c90 
…s are present in app (electron#124)

- When an application uses multiple asars (`webapp.asar`, `anything.asar`, etc.), `EnableEmbeddedAsarIntegrityValidation` fuse breaks the application due to not all asars having integrity generated for them. Fixes: electron#116
- **Also fixes bug** to correctly test `makeUniversalApp no asar mode should shim two different app folders`, (it was not having an asar integrity generated for the shimmed asar)

Functionality added:
- Moves all asar integrity generation to **after** all app assets have been merged/shimmed/copied. This allows other asars that were provided to also be scanned and have asar integrity generated for them.
- Extracted common Integrity logic to a single file `integrity.ts`
- Adds unit test for multi-asar apps
@erikian
test: add explicit imports for jest functions (electron#128)
977baa4 
* test: add explicit imports for `jest` functions

* add workaround for non-`.spec.ts` file
@dependabot
build(deps): bump actions/setup-node from 4.2.0 to 4.3.0 (electron#131)
4276c7c 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@1d0ff46...cdca736)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump dsanders11/project-actions from 1.5.1 to 1.7.0 (ele…
5b957e6 
…ctron#132)

Bumps [dsanders11/project-actions](https://github.com/dsanders11/project-actions) from 1.5.1 to 1.7.0.
- [Release notes](https://github.com/dsanders11/project-actions/releases)
- [Changelog](https://github.com/dsanders11/project-actions/blob/main/.releaserc.json)
- [Commits](dsanders11/project-actions@9c80cd3...2134fe7)

---
updated-dependencies:
- dependency-name: dsanders11/project-actions
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 (electron#134)
ec7c971 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@cdca736...49933ea)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 4.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mmaietta @erikian
fix: Skip lipo if native module is already universal. Add native mo…
64be29d 
…dule fixtures for `lipo` tests (electron#126)

* fix: when native modules are already universal, don't lipo. adds `node-mac-permissions` fixture from https://github.com/codebytere/node-mac-permissions and resolves 3 `it.todo` test cases

* add test `different app dirs with different macho files (shim and lipo)`

* add additional test

* PR feedback

* gotta close `fd`

* use `stream` to read first 4 bytes. copy native fixture before packing into asar to leverage `unpack: "**/*.node"` properly.

* convert params to object

* rename `createTestApp` to `createStagingAppDir` and add jsdoc to the function

* compiler error from merge conflict

* update snapshots

* update snapshots

* only check x64Content since it's the tmp app

* compile macho binaries at runtime using hellow-world.c for fixtures in lipo tests

* Update jest.setup.ts

Co-authored-by: Erik Moura <[email protected]>

* Update jest.setup.ts

Co-authored-by: Erik Moura <[email protected]>

* remove unstable properties for specific keys

* force redo

* update snapshots

* stripping only hello-world from snapshot and only hash from macho-specific asar integrity

* optimize logic :)

---------

Co-authored-by: Erik Moura <[email protected]>
@dsanders11
ci: timeout release job after 1 hour (electron#136)
1695dc9
@dsanders11
test: update snapshot to remove skipped test (electron#138)
175672e
@dsanders11
feat!: bump engines to Node.js >=22.12.0 (electron#139)
421713c 
BREAKING CHANGE: Requires Node.js v22.12.0 LTS or higher. ESM-only.
@dsanders11
fix: don't star import from plist package (electron#141)
b8379c0
@dependabot
build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (electron#143)
4eb37fa 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...08c6903)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @MarshallOfSound
build(deps): bump amannn/action-semantic-pull-request (electron#142)
9a2c19c 
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.5.3 to 6.1.1.
- [Release notes](https://github.com/amannn/action-semantic-pull-request/releases)
- [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md)
- [Commits](amannn/action-semantic-pull-request@0723387...48f2562)

---
updated-dependencies:
- dependency-name: amannn/action-semantic-pull-request
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Samuel Attard <[email protected]>
@dependabot
build(deps): bump vite from 6.3.5 to 6.3.6 (electron#145)
01eec61 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.5 to 6.3.6.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.3.6/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.3.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 (electron#146)
436b2ab 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@49933ea...a0853c2)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump azure/cli from 2.1.0 to 2.2.0 (electron#147)
7a73b77 
Bumps [azure/cli](https://github.com/azure/cli) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/azure/cli/releases)
- [Changelog](https://github.com/Azure/cli/blob/master/ReleaseProcess.md)
- [Commits](Azure/cli@089eac9...9f7ce6f)

---
updated-dependencies:
- dependency-name: azure/cli
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@erickzhao
build: upgrade to Yarn v4 (electron#149)
355fd7c
@dependabot
build(deps): bump brace-expansion from 1.1.11 to 1.1.12 (electron#150)
2e087ef 
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
indutny-signal and others added 9 commits October 29, 2025 12:52
@indutny-signal
fix: fully respect singleArchFiles option (electron#152)
0939980 
Files listed under `singleArchFiles` are allowed to be unique for
different platforms so `dupedFiles` should not return them.

Fix: electron#151
@dependabot @dsanders11
build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (electron#153)
ed04594 
* build(deps): bump actions/setup-node from 5.0.0 to 6.0.0

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@a0853c2...2028fbc)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* ci: use yarn cache

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Sanders <[email protected]>
@dependabot
build(deps): bump vite from 6.3.6 to 6.4.1 (electron#154)
0a0b41d 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.6 to 6.4.1.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/[email protected]/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.4.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@erickzhao
docs: add API docs and clean up README (electron#155)
b616385
@VerteDinde
ci: use npm trusted publishing instead of CFA (electron#156)
53c72d8
@dependabot
build(deps): bump tar from 7.5.1 to 7.5.2 (electron#157)
1b9f5eb 
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.1 to 7.5.2.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.1...v7.5.2)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (electron#158)
ca53e14 
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@08c6903...1af3b93)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
build(deps): bump glob from 10.4.5 to 10.5.0 (electron#159)
bf1269f 
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@krombel
Merge remote-tracking branch 'origin/main' into esm-asar-entrypoints
f91c77b
@krombel krombel requested a review from a team as a code owner December 15, 2025 11:19
@socket-security
Copy link

socket-security bot commented Dec 15, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedhusky@​8.0.3 ⏵ 9.1.7100 +110062 -1780100
Added@​tsconfig/​node22@​22.0.11001007090100
Addedvitest@​3.1.3981007999100
Added@​types/​node@​22.10.101001008196100
Updated@​electron/​get@​3.0.0 ⏵ 4.0.099 +310010081 +2100
Updated@​electron/​asar@​3.2.7 ⏵ 4.0.0100 +110010084100
Updatedtypescript@​5.2.2 ⏵ 5.8.31001009010090
Updatedlint-staged@​15.0.2 ⏵ 16.1.099 +1100100 +194 -2100
Updatedprettier@​3.0.3 ⏵ 3.5.399 +110010097100

View full report

@socket-security
Copy link

socket-security bot commented Dec 15, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm safer-buffer is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm glob CLI: Command injection via -c/--cmd executes matches with shell:true

CVE: GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true (HIGH)

Affected versions: >= 11.0.0 < 11.1.0; >= 10.2.0 < 10.5.0

Patched version: 11.1.0

From: ?npm/@electron/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@krombel krombel mentioned this pull request Dec 15, 2025
Open
@krombel
Copy link
Author

krombel commented Dec 16, 2025

As a comment on socket security => Not actually a security issue.

See https://socket.dev/npm/package/vitest/alerts/3.2.3?tab=dependencies&alert_name=obfuscatedFile
it is only used in tests where it handles base64 encoded data to test the package. Not used outside of tests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@krombel @dsanders11 @mmaietta @erikian @erickzhao @indutny-signal @VerteDinde