fix(deps): update dependency electron to v40.8.5 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
electron	40.6.1 → 40.8.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-34781

Impact

Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.

Workarounds

Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.

Fixed Versions

• 42.0.0-alpha.5
• 41.1.0
• 40.8.5
• 39.8.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

---

Release Notes

electron/electron (electron)

v40.8.5: electron v40.8.5

Compare Source

Release Notes for v40.8.5

Fixes

• Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #​50484 ^{(Also in 41)}
• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50491 ^{(Also in 39, 41, 42)}
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50500 ^{(Also in 39, 41, 42)}
• Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #​50505 ^{(Also in 41, 42)}
• Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #​50518

Other Changes

• Backported fix for chromium:475877320. #​50438

v40.8.4: electron v40.8.4

Compare Source

Release Notes for v40.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #​50467 ^{(Also in 38, 39, 41)}
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #​50401 ^{(Also in 39, 41, 42)}
• Fixed improper focus tracking in BaseWindow on MacOS. #​50337 ^{(Also in 39, 41, 42)}
• Fixed logic bug that rendered certain window types un-resizable on MAS builds. #​50355 ^{(Also in 41, 42)}
• Fixed utilityProcess exit event reporting incorrect exit codes on Windows when the exit code has the high bit. #​50387 ^{(Also in 41, 42)}
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #​50344 ^{(Also in 39, 41, 42)}

Other Changes

• Added support for using a proxy during yarn install. #​50352 ^{(Also in 39, 41, 42)}
• Backported fix for 4859353. #​50441
• Backported fix for 4893813. #​50449
• Backported fixes for 4847510, 4871177. #​50460

v40.8.3: electron v40.8.3

Compare Source

Release Notes for v40.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #​50287 ^{(Also in 39, 41, 42)}
• Fixed an issue where some DevTools functionality didn't work as expected. #​50275 ^{(Also in 41, 42)}
• Fixed user resizing of transparent windows on win32 platform. #​50301 ^{(Also in 39, 41, 42)}

v40.8.2: electron v40.8.2

Compare Source

Release Notes for v40.8.2

Other Changes

• Backported fix for b/491421267. #​50229
• Fixed an issue where running app icons were not correctly retrieved on macOS Tahoe. #​50188

v40.8.1: electron v40.8.1

Compare Source

Release Notes for v40.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #​50158 ^{(Also in 38, 39, 41)}
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #​50216 ^{(Also in 39, 41)}
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #​50138 ^{(Also in 39, 41)}
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #​50162 ^{(Also in 38, 39, 41)}
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #​50104 ^{(Also in 39, 41)}
• Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #​50084 ^{(Also in 39, 41)}
• Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #​50131 ^{(Also in 38, 39, 41)}
• Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #​50149 ^{(Also in 38, 39, 41)}
• Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #​50207 ^{(Also in 39, 41)}
• Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #​50189 ^{(Also in 39, 41)}
• Reverted AltGr key fix that caused menu bar to no longer show on Windows. #​50110 ^{(Also in 39, 41)}

Other Changes

• Backported fix for chromium:485622239. #​50168

v40.8.0: electron v40.8.0

Compare Source

Release Notes for v40.8.0

Features

• Added a reason property to the Notification 'closed' event on Windows to allow developers to know the reason the Notification was dismissed. #​50030 ^{(Also in 41)}

Fixes

• Fixed shutdown crash on windows when hidden titlebar is enabled. #​50053 ^{(Also in 39, 41)}

Other Changes

• Updated Chromium to 144.0.7559.236. #​50060

v40.7.0: electron v40.7.0

Compare Source

Release Notes for v40.7.0

Features

• Added support for --experimental-transform-types. #​49883 ^{(Also in 39, 41)}

Fixes

• Allow dynamically updating menu item labels, sublabels, and icons. #​49973 ^{(Also in 41)}
• Fixed safeStorage failing to clean up legacy keychain entries when migrating to suffixed account names on macOS, and fixed first launch creating entries with the wrong (unsuffixed) account name. #​49817
• Fixed a bug that cause offscreen rendering doesn't have valid screen info and unable to get valid result of related media queries.
  • Added webPreference.offscreen.deviceScaleFactor to allow user specify a value, instead of using user's primary display's value. #​49681
• Fixed a macOS crash when creating a new tab from the tab overview. #​49934 ^{(Also in 41)}
• Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #​50005 ^{(Also in 39, 41)}
• Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #​50022 ^{(Also in 39, 41)}
• Fixed an issue where malformed custom toastXml could cause a Notification crash. #​49952 ^{(Also in 41)}
• Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #​49994 ^{(Also in 41)}
• Fixed menus to correctly emit menu-will-close event when closed after any submenu has been open. #​49963 ^{(Also in 41)}

Other Changes

• Updated Chromium to 144.0.7559.225. #​49928
• Updated Node.js to v24.14.0. #​49939

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'CodeCharta Visualization'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud