SECURITY NOTICE: electron-packager v5.2.1 - v6.0.2 don't check SSL certificate validity
There exists a bug in electron-packager from versions 5.2.1 - 6.0.2 where the --strict-ssl command line option defaults to false when not explicitly set to true.
This only affects users using the electron-packager CLI. The strict-ssl option defaults to true for the node.js API.
The commit that introduced the issue is here: https://github.com/electron-userland/electron-packager/commit/30bdd0b187e96bc45ce20d5363104917a48fd93b
The commit that fixed the issue is here: https://github.com/electron-userland/electron-packager/commit/ebea1d8c177f2a2816687c4a445998cc35375a18
The issue is fixed in v7.0.0. All users should upgrade immediately.
It's also recommended to delete the electron-download cache folder, by default named .electron and located in your home folder, since it may contain Electron binaries that were downloaded without certificate validation. For example:
rm -rf ~/.electron
Props to @malept for discovering this.
I recommend leaving this issue open for at least a few weeks, so more users will have a chance to read this and upgrade.
It’s been a few weeks, so closing. I think the deprecation notice is sufficient.