
build(deps): bump the npm_and_yarn group across 3 directories with 10 updates #52

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-55d2a9ed74

dependabot bot commented on behalf of github Apr 3, 2026

Bumps the npm_and_yarn group with 7 updates in the / directory:

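| Package | From | To |
| --- | --- | --- |
| webpack | `5.94.0` | `5.104.1` |
| electron | `40.0.0` | `40.7.0` |
| body-parser | `1.18.3` | `1.20.3` |
| express | `4.16.4` | `4.22.0` |
| minimatch | `3.0.8` | `3.1.4` |
| serve-static | `1.13.2` | `1.16.0` |
| socket.io | `2.2.0` | `2.5.0` |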

Bumps the npm_and_yarn group with 1 update in the /apps/desktop directory: electron.
Bumps the npm_and_yarn group with 5 updates in the /apps/server directory:

| Package | From | To |
| --- | --- | --- |
| body-parser | `1.18.3` | `1.20.3` |
| express | `4.16.4` | `4.22.0` |
| minimatch | `3.0.8` | `3.1.4` |
| serve-static | `1.13.2` | `1.16.0` |
| socket.io | `2.2.0` | `2.5.0` |

Updates webpack from 5.94.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

  • Added DotenvPlugin and top level dotenv option to enable this plugin
  • Added WebpackManifestPlugin
  • Added support the ignoreList option in devtool plugins
  • Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

Commits
  • 24e3c2d chore(release): new release (#20253)
  • 2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
  • c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
  • 4b0501c ci: fix release (#20252)
  • 0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
  • 5bf8bc5 refactor: types for benchmarks and tests
  • 505a5e7 chore(release): new release (#20188)
  • 0c06680 refactor: update eslint configuration
  • 2eb0d6a ci: release announcement (#20238)
  • b2b2459 ci: cancel in progress (#20239)
  • Additional commits viewable in compare view

Updates electron from 40.0.0 to 40.7.0

Release notes

Sourced from electron's releases.

electron v40.7.0

Release Notes for v40.7.0

Features

  • Added support for --experimental-transform-types. #49883 (Also in 39, 41)

Fixes

  • Allow dynamically updating menu item labels, sublabels, and icons. #49973 (Also in 41)
  • Fixed safeStorage failing to clean up legacy keychain entries when migrating to suffixed account names on macOS, and fixed first launch creating entries with the wrong (unsuffixed) account name. #49817
  • Fixed a bug that caused offscreen rendering to lack valid screen info and be unable to get valid results for related media queries.
    • Added webPreference.offscreen.deviceScaleFactor to allow the user to specify a value, instead of using the user's primary display's value. #49681
  • Fixed a macOS crash when creating a new tab from the tab overview. #49934 (Also in 41)
  • Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #50005 (Also in 39, 41)
  • Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #50022 (Also in 39, 41)
  • Fixed an issue where malformed custom toastXml could cause a Notification crash. #49952 (Also in 41)
  • Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #49994 (Also in 41)
  • Fixed menus to correctly emit menu-will-close event when closed after any submenu has been open. #49963 (Also in 41)

Other Changes

  • Updated Chromium to 144.0.7559.225. #49928
  • Updated Node.js to v24.14.0. #49939

electron v40.6.1

Release Notes for v40.6.1

Fixes

  • Fixed globalShortcut not working on Wayland with GlobalShortcutsPortal feature enabled. #49870 (Also in 41)
  • Fixed an issue where making a window fullscreen on Windows, minimizing it and then restoring it broke previous fullscreen state. #49892 (Also in 41)
  • Fixed an issue where menu item enabled state wasn't updated during key equivalent dispatch when the menu was closed on macOS. #49889 (Also in 39, 41)
  • Fixed an issue where pressing AltGr could activate or focus the menu bar. #49915 (Also in 39, 41)
  • Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #49909 (Also in 41)
  • Fixed draggable regions not updating position when DevTools is docked to the left or right in a frameless window. #49847 (Also in 39, 41)
  • Fixed memory leak when setting icons on Linux/GTK. #49898 (Also in 38, 39, 41)
  • Fixed startup crash when V8 sandbox is disabled. #49884 (Also in 41)

Other Changes

  • Fixed crash in platform_util::Beep() on Linux. #49864 (Also in 41)
  • Updated Chromium to 144.0.7559.220. #49869

electron v40.6.0

Release Notes for v40.6.0

Features

  • Added the ability to disable auto-focusing of WebContents on navigation using webPreferences.focusOnNavigation. #49512 (Also in 41)

Fixes

  • Fixed an issue where frameless windows had resize issues in Mac App Store builds. #49856

... (truncated)

Commits
  • 1598b91 fix: validate USB device selection against filtered device list (#50048)
  • 68cd111 fix: use setter's creation context when proxying setter in OverrideGlobalProp...
  • 1e2d590 fix: bind offscreen paint callback to child WebContents (#50024)
  • 1bbe8c9 fix: use destination context when wrapping VideoFrame in contextBridge (#50022)
  • 4bfc2a8 chore: remove unused commandLineSwitches flag (#50012)
  • d80adf4 fix: prevent use-after-free in permission request callbacks (#50036)
  • b39f8e3 fix: deliver Universal Links when NSUserActivity.userInfo is nil (#50005)
  • 9c3f76f build: authenticate curl requests to googlesource in lint workflow (#50027)
  • 3925b82 fix: potential UAF in OnDownloadPathGenerated (#50011)
  • e2b4cbf fix: delete temporary blink* globals after restoring Blink implementations (#...
  • Additional commits viewable in compare view

Updates body-parser from 1.18.3 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1 / 2022-10-06

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone

1.20.0 / 2022-04-02

  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
    • Replace internal eval usage with Function constructor
    • Use instance methods on process to check for listeners
  • deps: http-errors@2.0.0
    • deps: depd@2.0.0
    • deps: statuses@2.0.1
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
    • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

  • deps: bytes@3.1.2
  • deps: qs@6.9.7
    • Fix handling of __proto__ keys
  • deps: raw-body@2.4.3
    • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates express from 4.16.4 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.


Updates minimatch from 3.0.8 to 3.1.4

Commits
  • 1a2e084 3.1.4
  • ae24656 update lockfile
  • b100374 limit recursion for **, improve perf considerably
  • 26ffeaa lockfile update
  • 9eca892 lock node version to 14
  • 00c323b 3.1.3
  • 30486b2 update CI matrix and actions
  • 9c31b2d update test expectations for coalesced consecutive stars
  • 46fe687 coalesce consecutive non-globstar * characters
  • 5a9ccbd [meta] update publishConfig.tag to legacy-v3
  • Additional commits viewable in compare view

Updates serve-static from 1.13.2 to 1.16.0

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

New Contributors

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

1.15.0

  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1

1.14.2

  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens

1.14.1

  • Set stricter CSP header in redirect response
  • deps: send@0.17.1
    • deps: range-parser@~1.2.1

1.14.0

  • deps: parseurl@~1.3.3
  • deps: send@0.17.0
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call

Changelog

Sourced from serve-static's changelog.

1.16.0 / 2024-09-10

  • Remove link renderization in html while redirecting

1.15.0 / 2022-03-24

  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property
    • Limit the headers removed for 304 response
    • deps: depd@2.0.0
    • deps: destroy@1.2.0
    • deps: http-errors@2.0.0
    • deps: on-finished@2.4.1
    • deps: statuses@2.0.1

1.14.2 / 2021-12-15

  • deps: send@0.17.2
    • deps: http-errors@1.8.1
    • deps: ms@2.1.3
    • pref: ignore empty http tokens

1.14.1 / 2019-05-10

  • Set stricter CSP header in redirect response
  • deps: send@0.17.1
    • deps: range-parser@~1.2.1

1.14.0 / 2019-05-07

  • deps: parseurl@~1.3.3
  • deps: send@0.17.0
    • deps: http-errors@~1.7.2
    • deps: mime@1.6.0
    • deps: ms@2.1.1
    • deps: statuses@~1.5.0
    • perf: remove redundant path.normalize call

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.


Updates socket.io from 2.2.0 to 2.5.0

Changelog

Sourced from socket.io's changelog.

2.5.0 (2022-06-26)

Bug Fixes

  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)

2.4.1 (2021-01-07)

Reverts

  • fix(security): do not allow all origins by default (a169050)

2.4.0 (2021-01-04)

Bug Fixes

  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

Commits
  • baa6804 chore(release): 2.5.0
  • f223178 fix: prevent the socket from joining a room after disconnection
  • 226cc16 fix: only set 'connected' to true after middleware execution
  • 05e1278 fix: fix race condition in dynamic namespaces
  • 22d4bdf fix: ignore packet received after disconnection
  • dfded53 chore: update engine.io version to 3.6.0
  • e6b8697 chore(release): 2.4.1
  • a169050 revert: fix(security): do not allow all origins by default
  • 873fdc5 chore(release): 2.4.0
  • f78a575 fix(security): do not allow all origins by default
  • Additional commits viewable in compare view

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

Updates parseuri from 0.0.5 to 0.0.6

Commits

Updates ws from 6.1.4 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

  • Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

  • Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

  • Backported 0fdcc0af to the 7.x release line (2758ed35).
  • Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

  • Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

  • Backported b8186dd1 to the 7.x release line (73dec34b).
  • Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

  • Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

  • Backported 6a72da3e to the 7.x release line (76087fbf).
  • Backported 869c9892 to the 7.x release line (27997933).

7.5.3

Bug fixes

  • The WebSocketServer constructor now throws an error if more than one of the noServer, server, and port options are specified (66e58d27).
  • Fixed a bug where a 'close' event was emitted by a WebSocketServer before the internal HTTP/S server was actually closed (5a587304).
  • Fixed a bug that allowed WebSocket connections to be established after WebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

... (truncated)

Commits
  • d962d70 [dist] 7.5.10
  • 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 8a78f87 [dist] 7.5.9
  • 0435e6e [security] Fix same host check for ws+unix: redirects
  • 4271f07 [dist] 7.5.8
  • dc1781b [security] Drop sensitive headers when following insecure redirects
  • 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
  • a370613 [dist] 7.5.7
  • 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
  • 8ecd890 [dist] 7.5.6
  • Additional commits viewable in compare view

Updates electron from 40.0.0 to 40.7.0


… updates

Bumps the npm_and_yarn group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [webpack](https://github.com/webpack/webpack) | `5.94.0` | `5.104.1` |
| [electron](https://github.com/electron/electron) | `40.0.0` | `40.7.0` |
| [body-parser](https://github.com/expressjs/body-parser) | `1.18.3` | `1.20.3` |
| [express](https://github.com/expressjs/express) | `4.16.4` | `4.22.0` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.0.8` | `3.1.4` |
| [serve-static](https://github.com/expressjs/serve-static) | `1.13.2` | `1.16.0` |
| [socket.io](https://github.com/socketio/socket.io) | `2.2.0` | `2.5.0` |

Bumps the npm_and_yarn group with 1 update in the /apps/desktop directory: [electron](https://github.com/electron/electron).
Bumps the npm_and_yarn group with 5 updates in the /apps/server directory:

| Package | From | To |
| --- | --- | --- |
| [body-parser](https://github.com/expressjs/body-parser) | `1.18.3` | `1.20.3` |
| [express](https://github.com/expressjs/express) | `4.16.4` | `4.22.0` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.0.8` | `3.1.4` |
| [serve-static](https://github.com/expressjs/serve-static) | `1.13.2` | `1.16.0` |
| [socket.io](https://github.com/socketio/socket.io) | `2.2.0` | `2.5.0` |



Updates `webpack` from 5.94.0 to 5.104.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.94.0...v5.104.1)

Updates `electron` from 40.0.0 to 40.7.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v40.0.0...v40.7.0)

Updates `body-parser` from 1.18.3 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.18.3...1.20.3)

Updates `express` from 4.16.4 to 4.22.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](expressjs/express@4.16.4...4.22.0)

Updates `minimatch` from 3.0.8 to 3.1.4
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.0.8...v3.1.4)

Updates `serve-static` from 1.13.2 to 1.16.0
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.13.2...1.16.0)

Updates `socket.io` from 2.2.0 to 2.5.0
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/2.5.0/CHANGELOG.md)
- [Commits](socketio/socket.io@2.2.0...2.5.0)

Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13)

Updates `parseuri` from 0.0.5 to 0.0.6
- [Release notes](https://github.com/slevithan/parseuri/releases)
- [Commits](https://github.com/slevithan/parseuri/commits)

Updates `ws` from 6.1.4 to 7.5.10
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@6.1.4...7.5.10)

Updates `electron` from 40.0.0 to 40.7.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v40.0.0...v40.7.0)

Updates `body-parser` from 1.18.3 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.18.3...1.20.3)

Updates `express` from 4.16.4 to 4.22.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](expressjs/express@4.16.4...4.22.0)

Updates `minimatch` from 3.0.8 to 3.1.4
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.0.8...v3.1.4)

Updates `serve-static` from 1.13.2 to 1.16.0
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.13.2...1.16.0)

Updates `socket.io` from 2.2.0 to 2.5.0
- [Release notes](https://github.com/socketio/socket.io/releases)
- [Changelog](https://github.com/socketio/socket.io/blob/2.5.0/CHANGELOG.md)
- [Commits](socketio/socket.io@2.2.0...2.5.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.104.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 40.7.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-version: 2.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: parseuri
  dependency-version: 0.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 7.5.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 40.7.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: socket.io
  dependency-version: 2.5.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels Apr 3, 2026

dependabot bot commented on behalf of github Apr 3, 2026

Superseded by #53.

dependabot bot closed this Apr 3, 2026
dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-55d2a9ed74 branch April 3, 2026 03:22