
Conversation

@MostlyKIGuess
Member

Description

This pull request addresses several security vulnerabilities identified during a yarn audit in the MusicBlockV4 launcher project. The following updates and changes have been made:

  1. Updated Electron:
    • Upgraded electron to version >=22.3.25 to resolve the libvpx heap buffer overflow issue.
  2. Updated Electron Builder Dependencies:
    • Updated electron-builder to ensure patched dependencies (minimatch, app-builder-lib, and others), resolving:
      • Minimatch ReDoS vulnerability.
      • NSIS installer arbitrary code execution vulnerability.
  3. General Dependency Updates:
    • Applied updates to other high and moderate severity vulnerabilities where applicable.

Key Changes

  • Dependencies Updated:
    • electron upgraded to the latest version (>=22.3.25).
    • electron-builder updated to include patched dependencies:
      • Resolved vulnerabilities related to minimatch and app-builder-lib.
    • Added or adjusted resolution overrides in package.json to enforce specific patched versions.

Testing

  • Verified application functionality after updates:
    • Launcher builds successfully using the updated dependencies.
    • No regression in core features observed.
  • Ran yarn audit after updates:
    • Confirmed no remaining critical vulnerabilities.

References


Checklist

  • Updated dependencies to patched versions.
  • Verified no regression in functionality.
  • Resolved high and critical vulnerabilities as reported by yarn audit.
  • Tested the application post-updates.
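The description above relies on two mechanisms: a `resolutions` block in package.json that forces transitive copies of a package up to a patched version, and `yarn audit` to confirm nothing reportable remains. A clean audit only says the advisory database matched nothing; it does not prove the lockfile actually pins the floor you meant. The following is an added example for this thread, not code from the MusicBlocks launcher repository or from this PR: it parses a yarn v1 lockfile, reports every pinned copy of a watched package that is still below its floor, and emits the matching `resolutions` block. The electron floor (22.3.25) comes from the PR text; the minimatch floor and the sample lockfile are constructed placeholders, and the lockfile syntax assumed is Yarn classic (v1).

```javascript
// Added example (not the project's code). Cross-check a yarn v1 lockfile against
// minimum patched versions, independently of `yarn audit`.
// Assumptions: Yarn classic lockfile syntax; electron floor from the PR (>=22.3.25);
// the minimatch floor below is a placeholder to replace with the advisory's fixed version.

const MIN_VERSIONS = {
  electron: "22.3.25",
  minimatch: "3.0.5", // placeholder floor, not taken from the PR
};

// "1.2.3" or "1.2.3-beta.1" -> [1, 2, 3]; pre-release tags are ignored here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// true when version a is >= version b (numeric major.minor.patch comparison).
function atLeast(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Package name from a lockfile key such as "@scope/pkg@^1.0.0" or minimatch@^3.0.4.
function nameFromKey(key) {
  const k = key.trim().replace(/^"|"$/g, "");
  const at = k.indexOf("@", 1); // skip the leading "@" of a scoped package
  return at === -1 ? k : k.slice(0, at);
}

// Parse a yarn v1 lockfile into [{ name, keys, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.trim().endsWith(":")) {
      // Entry header: comma-separated specifiers that all resolve to one version.
      const keys = raw.trim().slice(0, -1).split(",").map((k) => k.trim());
      current = { name: nameFromKey(keys[0]), keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Every pinned copy of a watched package that is still below its floor.
function findViolations(lockText, minVersions = MIN_VERSIONS) {
  return parseYarnLock(lockText)
    .filter((e) => minVersions[e.name] && e.version)
    .filter((e) => !atLeast(e.version, minVersions[e.name]))
    .map((e) => ({ name: e.name, keys: e.keys, version: e.version, min: minVersions[e.name] }));
}

// package.json "resolutions" block forcing every copy, transitive ones included
// (the "**/" glob form Yarn classic accepts), up to the floor.
function resolutionsFor(minVersions = MIN_VERSIONS) {
  const resolutions = {};
  for (const [name, min] of Object.entries(minVersions)) {
    resolutions[`**/${name}`] = `>=${min}`;
  }
  return { resolutions };
}

// Constructed sample lockfile (not from the project): electron above its floor,
// one minimatch copy below the placeholder floor, one newer copy that is fine.
const SAMPLE_LOCK = `# yarn lockfile v1

"electron@>=22.3.25", electron@^22.0.0:
  version "22.3.27"
  resolved "https://registry.yarnpkg.com/electron/-/electron-22.3.27.tgz"

minimatch@^3.0.4:
  version "3.0.4"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz"

minimatch@^9.0.3:
  version "9.0.4"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.4.tgz"
`;

console.log(JSON.stringify({ violations: findViolations(SAMPLE_LOCK), fix: resolutionsFor() }, null, 2));
```

Run it against the real yarn.lock after `yarn install` and before `yarn audit`; a non-empty violation list means a `resolutions` entry is missing or the lockfile was not regenerated after editing package.json.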

cd src
yarn install
git clone https://github.com/sugarlabs/musicblocks [--depth=1]
git clone https://github.com/sugarlabs/musicblocks --depth=1
Member Author


corrected this to work with depth 1 rather than it being optional?

@MostlyKIGuess
Member Author

  • Checked by creating and installing a flatpak as well.

@MostlyKIGuess
Member Author

@quozl do review, in case missed.
Sorry for the ping

@quozl

quozl commented Jan 14, 2025

Thanks. Saw it, but don't know this repository very well and hoping the Music Blocks maintainers will look at this for you. If they don't, give them a nudge in the Music Blocks repositories.

@MostlyKIGuess
Member Author

@walterbender Do review.
