6 changes: 5 additions & 1 deletion index.js
Expand Up @@ -4,6 +4,9 @@ process.defaultApp = true;
const systemVersion = process.getSystemVersion();
console.log(systemVersion);

const remoteMain = require('@electron/remote/main');
remoteMain.initialize();

const {
app,
BrowserWindow,
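Review bot: `remoteMain.initialize();` is added at module top level with no comment explaining why the remote pattern (removed from Electron itself in v14 and kept alive only by @electron/remote) is being reintroduced, right after the debug `console.log(systemVersion);`. initialize() is harmless on its own, but it re-enables a mechanism that gives any renderer later passed to remoteMain.enable() proxies to main-process objects (app, BrowserWindow, the main process's require), so the hunk should carry a one-line comment above `remoteMain.initialize();` stating which renderer feature depends on it and which issue tracks replacing it with ipcMain/ipcRenderer handlers. The require is also unconditional: if @electron/remote is missing from the dependencies (this change touches only index.js), the main process throws before `app` is even destructured.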
Expand Down Expand Up @@ -364,7 +367,7 @@ class SimpleosWallet {
paintWhenInitiallyHidden: true,
titleBarStyle: 'hiddenInset',
webPreferences: {
nodeIntegration: true,
nodeIntegration: true, contextIsolation: false,
security-critical critical

Enabling nodeIntegration while disabling contextIsolation is a critical security risk in Electron. This configuration allows the renderer process to access Node.js APIs directly, which can be exploited via Cross-Site Scripting (XSS) to achieve Remote Code Execution (RCE) on the user's machine. Even as a temporary stop-gap, it is strongly recommended to use a preload script and contextBridge to expose only the minimum necessary APIs to the renderer.

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nodeIntegration: true combined with contextIsolation: false significantly weakens Electron security boundaries (and becomes especially risky alongside @electron/remote). If this is required as a stop-gap, it should be tightly scoped/justified; otherwise prefer contextIsolation: true, nodeIntegration: false, and expose only the needed APIs via a preload script + IPC.

Suggested change
nodeIntegration: true, contextIsolation: false,
nodeIntegration: true, contextIsolation: true,

webSecurity: !this.serve,
devTools: this.devtools,
},
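Review bot: `nodeIntegration: true, contextIsolation: false,` packs two security-relevant options onto one line, against the one-property-per-line layout of the surrounding webPreferences block, and hides the fact that the change flips contextIsolation away from its default (true since Electron 12) rather than merely keeping the existing nodeIntegration setting. With both set this way every script that runs in the wallet window, including anything injected through an XSS, has `require` and can reach child_process directly, and the same object sets `webSecurity: !this.serve`, so in serve mode the page additionally runs with no same-origin policy. Turning only contextIsolation back on, as the suggested change above does, still leaves Node in the page context because nodeIntegration stays true; the setting that actually restores the boundary is nodeIntegration: false with contextIsolation: true, plus a preload script that requires what it needs (including @electron/remote, if that is what the renderer is after) and exposes a minimal API through contextBridge. If this must land as a stop-gap, put each option on its own line with a comment giving the justification and the issue that tracks removing them.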
Expand Down Expand Up @@ -395,6 +398,7 @@ class SimpleosWallet {
}
});

remoteMain.enable(this.win.webContents);
this.win.once('ready-to-show', () => {
console.log('window is ready to show');
this.win.show();
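Review bot: `remoteMain.enable(this.win.webContents);` enables remote for the wallet window unconditionally and nothing in the hunk filters what the renderer may then request, so combined with the nodeIntegration/contextIsolation settings earlier in this patch a compromised renderer can proxy any main-process module. @electron/remote lets the main process veto individual requests through the 'remote-require', 'remote-get-global', 'remote-get-builtin', 'remote-get-current-window' and 'remote-get-current-web-contents' events on app (call event.preventDefault() to deny); an allow-list handler for those events belongs next to this enable() call. Also confirm that enable() runs before this.win loads its page: the hunk places it ahead of the 'ready-to-show' handler, but the loadURL/loadFile call is outside the visible context, and remote requests made by a webContents that has not been enabled are rejected.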