chore(deps): bump electron to 37.3.0 fix #737 #753
Walkthrough
Electron devDependency was updated in package.json from ^36.7.4 to ^37.3.0. No other files or fields were changed.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
Actionable comments posted: 1
🧹 Nitpick comments (1)
package.json (1)
133-133: Optional: pin Electron for reproducible release builds
If you want deterministic release artifacts, consider pinning Electron to an exact version instead of a caret range.
- "electron": "^37.3.0", + "electron": "37.3.0",
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
package.json(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
- GitHub Check: build-mac (arm64)
- GitHub Check: build-mac (x64)
- GitHub Check: build-windows (x64)
- GitHub Check: build-linux (x64)
- GitHub Check: build-windows (arm64)
- GitHub Check: build-check (x64)
🔇 Additional comments (2)
package.json (2)
133-133: LGTM: Electron bumped to 37.3.0
The caret range (^37.3.0) keeps you on Electron 37.x for security/patch updates. No other changes detected.
132-136: electron-builder/electron-updater compatibility with Electron 37 confirmed
electron-builder 26.x and electron-updater 6.x work with Electron 37.x. There are no known breaking incompatibilities, but to avoid runtime or packaging hiccups, please verify the following:
• Native modules / Node ABI
– Electron 37 bundles Node 22.16.0. Rebuild any C/C++ addons against the Electron/Node 22 ABI (e.g. via electron-builder install-app-deps or @electron/rebuild).
• Compiler & toolchain
– Ensure your CI and dev machines have up-to-date compilers (VS with C++17 toolset on Windows, recent Xcode on macOS) and node-gyp prerequisites.
• Auto-updater testing
– Exercise the full update flow on Windows (NSIS), macOS (Squirrel.Mac/ZIP), and Linux (AppImage/rpm/deb). Watch for permission/elevation edge cases.
• Electron download / mirror config
– If you use a custom mirror or cache (electronDownload, ELECTRON_MIRROR, ELECTRON_CACHE), confirm it pulls the correct v37 binaries.
• Code signing & notarization
– Review your signing/notarization setup for all targets after upgrading; builder v26 introduced changes in publisher options.
Recommended checklist before rollout:
- Run a CI build with native-module rebuild hooks and verify all .node artifacts load.
- Confirm compiler/toolchain versions on all build agents.
- Run end-to-end auto-update tests on each platform.
- Validate custom mirror downloads the v37 artifacts.
- If you ship prebuilt native binaries, ensure they target Electron/Node 22 or are rebuilt at package time.
Let me know if you’d like a sample CI recipe or an audit of your native dependencies.
| "clsx": "^2.1.1", | ||
| "dompurify": "^3.2.6", | ||
| "electron": "^36.7.4", | ||
| "electron": "^37.3.0", |
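Review bot: the new "electron": "^37.3.0" line crosses a major version while keeping the caret, so a fresh install can resolve to any later 37.x instead of the build that was tested. Pin it as "electron": "37.3.0", or make sure the lockfile update ships with this change, since none is visible here. The title cites #737 and #753 without saying which Electron 37 change addresses them; one sentence in the description would make the bump auditable.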
💡 Verification agent
🧩 Analysis chain
Sanity checks for Electron 37 migration (native deps, security flags, deprecated APIs)
Before merge, please validate:
- Native modules rebuilt against Electron 37: sharp, better-sqlite3-multiple-ciphers.
- No usage of deprecated/insecure Electron patterns that could break with newer Chromium/Node.
- Builds/package on all targets via electron-builder still succeed.
Run this sweep locally to spot common pitfalls:
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Scanning for remote module usage (should be absent):"
rg -nP -C2 '(require\(["\']electron["\']\)\.remote|from\s+["\']@electron/remote["\'])' || echo "OK: no remote module found"
echo -e "\nScanning for risky webPreferences (prefer contextIsolation: true, nodeIntegration: false, webviewTag: false):"
rg -nP -C2 'webPreferences\s*:\s*{[^}]*}' --type js --type ts --type tsx --type vue | rg -nP -C0 '(enableRemoteModule\s*:\s*true|contextIsolation\s*:\s*false|nodeIntegration\s*:\s*true|webviewTag\s*:\s*true)' || echo "OK: no risky flags found"
echo -e "\nList possible native modules that must rebuild for Electron 37 ABI:"
jq -r '.dependencies // {} | keys[]' package.json | rg -n 'sharp|better-sqlite3|node-api|sqlite3|ffi|node-pty|keytar' || true
echo -e "\nConfirm postinstall rebuild hook (electron-builder install-app-deps) present:"
rg -n 'electron-builder install-app-deps' package.json || echo "WARN: electron-builder rebuild hook not detected"
echo -e "\nTip: validate packaging on each platform:"
echo " pnpm run build:win | pnpm run build:mac | pnpm run build:linux"
Length of output: 244
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Scanning for remote module usage (should be absent):"
# Use double quotes and escape inner quotes to avoid single-quote conflicts
rg -nP -C2 "(require\\([\"']electron[\"']\\)\\.remote|from\\s+[\"']@electron/remote[\"'])" || echo "OK: no remote module found"
echo -e "\nScanning for risky webPreferences (prefer contextIsolation: true, nodeIntegration: false, webviewTag: false):"
rg -nP -C2 "webPreferences\s*:\s*{[^}]*}" --type js --type ts --type tsx --type vue \
| rg -nP -C0 "(enableRemoteModule\s*:\s*true|contextIsolation\s*:\s*false|nodeIntegration\s*:\s*true|webviewTag\s*:\s*true)" \
|| echo "OK: no risky flags found"
echo -e "\nList possible native modules that must rebuild for Electron 37 ABI:"
jq -r '.dependencies // {} | keys[]' package.json \
| rg -E '^(sharp|better-sqlite3(-multiple-ciphers)?|node-api|sqlite3|ffi|node-pty|keytar)$' || true
echo -e "\nConfirm postinstall rebuild hook (electron-builder install-app-deps) present:"
rg -n '"electron-builder install-app-deps"' package.json || echo "WARN: electron-builder rebuild hook not detected"
echo -e "\nTip: validate packaging on each platform:"
echo " pnpm run build:win | pnpm run build:mac | pnpm run build:linux"
Length of output: 2109
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "1) Scanning for deprecated remote module usage:"
rg -nP -C2 "(require\(['\"]electron['\"]\)\.remote|from\s+['\"]@electron/remote['\"])" || echo "✔ OK: no remote module found"
echo -e "\n2) Scanning for risky webPreferences flags:"
rg -nP -C2 "webPreferences\s*:\s*{[^}]*}" --glob "*.{js,ts,tsx,vue}" \
| rg -nP "(enableRemoteModule\s*:\s*true|contextIsolation\s*:\s*false|nodeIntegration\s*:\s*true|webviewTag\s*:\s*true)" \
&& echo "⚠️ Risky flags detected above" || echo "✔ OK: no risky flags found"
echo -e "\n3) Checking for native modules needing rebuild (Electron 37 ABI):"
jq -r '.dependencies? | keys[]' package.json \
| grep -E '^(sharp|better-sqlite3(-multiple-ciphers)?|node-api|sqlite3|ffi|node-pty|keytar)$' \
&& echo "⚠️ Native modules above must be rebuilt" || echo "✔ OK: none of the listed native modules present"
echo -e "\n4) Verifying postinstall hook for electron-builder rebuild:"
grep -n '"install-app-deps"' package.json \
&& echo "✔ electron-builder install-app-deps hook found" \
|| echo "⚠️ WARN: electron-builder rebuild hook not detected"
echo -e "\n\nNext steps: run packaging on each platform:"
echo " pnpm run build:win | pnpm run build:mac | pnpm run build:linux"
Length of output: 1606
Critical: Rebuild native modules & add missing postinstall rebuild hook
✅ No deprecated remote module usage found
✅ No insecure webPreferences flags detected
• better-sqlite3-multiple-ciphers
• sharp
electron-builder install-app-deps is missing
Please address before merge:
- Add or update your "postinstall" script in package.json to run electron-builder install-app-deps (ensures native modules are rebuilt automatically).
- Manually rebuild sharp and better-sqlite3-multiple-ciphers against Electron 37 (e.g. pnpm rebuild sharp better-sqlite3-multiple-ciphers or via install-app-deps).
- Verify packaging on all platforms: pnpm run build:win | pnpm run build:mac | pnpm run build:linux
🤖 Prompt for AI Agents
In package.json around line 133, native modules (better-sqlite3-multiple-ciphers
and sharp) need rebuilding for Electron v37 and the project lacks a postinstall
hook to run electron-builder's install-app-deps; add or update the "postinstall"
script to run "electron-builder install-app-deps" so native modules are rebuilt
automatically, and after that run a manual rebuild (e.g., pnpm rebuild sharp
better-sqlite3-multiple-ciphers or run the postinstall) and verify packaging on
all platforms using pnpm run build:win | pnpm run build:mac | pnpm run
build:linux.
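The sweep in the review above matches a webPreferences object only when it opens and closes on one line, reads only .dependencies, and greps for the quoted string "install-app-deps". The following is an added example, not CodeRabbit's or the project's code, that runs the same checks over parsed JSON and brace-matched source. The function names auditPackage and riskyWebPreferences are hypothetical, and the sample package and source are constructed.

```javascript
// Added example; not CodeRabbit's or the project's code. Sample inputs are constructed.
const NATIVE = /^(sharp|better-sqlite3(-multiple-ciphers)?|node-api|sqlite3|ffi|node-pty|keytar)$/;
const REBUILD = /\b(electron-builder\s+install-app-deps|electron-rebuild)\b/;
const RISKY = /\b(nodeIntegration\s*:\s*true|contextIsolation\s*:\s*false|webviewTag\s*:\s*true|enableRemoteModule\s*:\s*true)/g;

// Audit a parsed package.json across every dependency section and lifecycle script.
function auditPackage(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const all = Object.assign({}, ...sections.map((s) => pkg[s] || {}));
  const range = all.electron || null;
  return {
    electronRange: range,
    electronPinned: /^\d+\.\d+\.\d+$/.test(range || ''), // exact version, no ^ or ~
    nativeModules: Object.keys(all).filter((n) => NATIVE.test(n)).sort(),
    rebuildHooks: Object.entries(pkg.scripts || {})
      .filter(([, cmd]) => REBUILD.test(cmd)).map(([name]) => name),
  };
}

// Brace-match each webPreferences literal so multi-line objects are covered.
// Simplification: braces inside strings or comments are not handled.
function riskyWebPreferences(source) {
  const hits = [];
  const start = /webPreferences\s*:\s*\{/g;
  while (start.exec(source) !== null) {
    let depth = 1, i = start.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}') depth--;
      i++;
    }
    const body = source.slice(start.lastIndex, i);
    for (const f of body.matchAll(RISKY)) hits.push(f[1].replace(/\s+/g, ''));
  }
  return hits;
}

const samplePkg = { // constructed; versions other than electron and clsx are placeholders
  scripts: { postinstall: 'electron-builder install-app-deps', build: 'vite build' },
  dependencies: { sharp: '0.0.0', 'better-sqlite3-multiple-ciphers': '0.0.0', clsx: '^2.1.1' },
  devDependencies: { electron: '^37.3.0' },
};
const sampleSource = `new BrowserWindow({
  webPreferences: {
    preload: 'preload.js',
    contextIsolation: false,
    nodeIntegration : true,
  },
});`;
console.log(auditPackage(samplePkg), riskyWebPreferences(sampleSource));
```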