Skip to content

chore(desktop): upgrade Electron to 43.1.1#12543

Draft
huhuanming wants to merge 1 commit into
xfrom
codex/upgrade-electron-43
Draft

chore(desktop): upgrade Electron to 43.1.1#12543
huhuanming wants to merge 1 commit into
xfrom
codex/upgrade-electron-43

Conversation

@huhuanming

Copy link
Copy Markdown
Contributor

What

  • upgrade the exact Desktop Electron pins from 39.8.9 to 43.1.1 and update node-abi for Electron 43
  • update Chromium/Electron identity data and make deep-link argv parsing resilient to Electron switches
  • move Desktop main-process HTTP calls from node-fetch to Node 24 native fetch, removing the obsolete tr46 runtime pin
  • upgrade electron-log to 5.4.4 and add narrowly scoped runtime patches for @sentry/electron@5.8.0 and bytebuffer@5.0.1
  • keep sandbox, context isolation, CSP, signing/update verification, hardware-wallet boundaries, and all OS minimum versions unchanged

Why

Electron 39.8.9 is EOL. Electron 43.1.1 supplies the supported Electron 43 runtime with Chromium 150 and Node 24.

The Electron 43 warning trace also exposed three third-party compatibility paths:

  • electron-log@5.2.0 called deprecated session.getPreloads/setPreloads; 5.4.4 uses registerPreloadScript
  • node-fetch@2 pulled whatwg-url@5 / tr46@0.0.3, which loaded deprecated core punycode
  • bytebuffer@5.0.1, reached through the hardware transport stack, used deprecated Buffer() constructors
  • @sentry/electron@5.8.0 retains the same old session API in an optional preload-injection path; the patch backports the upstream feature-detected registerPreloadScript implementation without forcing a cross-platform Sentry major upgrade

Compatibility impact

  • Electron 40–43 breaking changes were audited; only the affected argv/runtime/deprecation paths were changed.
  • Native dependencies were rebuilt for Electron 43.1.1 on Windows x64, including serialport, USB, Noble/BLE, biometric auth, and the packaged app runtime.
  • No product behavior, crypto logic, hardware-wallet security boundary, or OS minimum was changed.
  • macOS arm64/x64 and Linux x64/arm64 still require CI build/runtime coverage.

Checks

  • yarn install --immutable --mode=skip-build
  • targeted Jest: 5 suites / 20 tests
  • yarn _tsc
  • type-aware oxlint on all 13 changed JS/TS files
  • yarn agent:check --profile commit
  • Desktop renderer production build
  • Desktop main production build
  • yarn workspace @onekeyhq/desktop install-app-deps
  • Windows x64 Electron directory package build
  • packaged Electron Node runtime harness: 58 passed / 0 failed
  • real packaged-app launch: title OneKey, URL file:///, 1536×852 visible UI, account/token/activity data loaded
  • --trace-warnings --trace-deprecation: 0 matches for getPreloads/setPreloads, DEP0040/punycode, DEP0005/Buffer(), fatal exceptions, or unhandled rejections

CI matrix requested

  • Windows x64: signed installer/update path and cold/second/single-instance/deep-link smoke
  • macOS arm64 and x64: signed/notarized package, Apple Auth/iCloud native modules, updater, open-url
  • Linux x64 and arm64: package/AppImage/Snap as configured, database, USB/BLE, deep link, download/file picker

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedelectron-log@​5.2.0 ⏵ 5.4.499 +110010084100
Updatedelectron@​39.8.9 ⏵ 43.1.1100 +7100100 +198100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant