Security issue in 7zip-bin dependency.

[juancarlosgarcia-arg]

Electron-Builder Version: 24.13.3
Node Version: 20.16.0
Electron Version: 10.4.7

This issue is not related to your repo or electron -builder itsef, but is just for you to be aware that there is a security issue to one of the dependencies you use:

electron-builder@24.13.3
-- builder-util@24.13.1 -- 7zip-bin@5.2.0

The version 5.2 of the 7zip-bin package is using a very old version of the 7zip distributable console, which implies a security risk. Actually this is preventing me to use electron-builder on my machine, because a security software in my company detect that binary as a security risk.
I already log an issue on the repository owned by develar but i had no response so far.

[mmaietta]

Hmmm are there any alternatives for providing 7zip binaries via npm other than 7zip-bin npm package? That repo looks like it's unmaintained

[juancarlosgarcia-arg]

To be honest i can see there is 6 forks of the project, also i checked in npm and i can see a few packages doing the same but no one has a many weekly downloads.... so, I'm not sure about the alternatives.
I found this one with a lot of weekly downloads but not sure if it fits your needs: https://www.npmjs.com/package/adm-zip

[mmaietta]

This will be resolved in #8530. Dependency on develar/7zip-bin#27 to be merged/released first

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.

[gorbinphilip]

@mmaietta
It's been way too long and not seeing any response from the core maintainers on getting that PR released. Any plans for electron-builder to change the dependency to something maintained in the meantime?

[mmaietta]

I'm working on migrating all electron-builder-binaries toolsets to be non-7z artifacts - that's the core dependency. The additional migration to utilize electron/get download npm package is already implemented, but many of the old toolsets that are yet-to-be updated have not been migrated to the new pipelines.

Note: I'm the only maintainer of the binaries repo and it's toolsets and am the sole "core" maintainer of this project. Reverse engineering the very-old/legacy toolsets has been a huge journey already.

For additional context, these are the additional workstreams that I'm trying to tackle as well

• appimage static runtime migration. ✅
• snap core24 support (requires also translating a Golang library into TS, and template snaps can no longer be leveraged due to extensions: [gnome] + snapcraft pack spinning up a full VM)
• ESM migration for v27 to unblock/enable updating to latest electron/___ packages (asar, fuses, universal, etc.)
• Node 22 upgrade for v27
• Updating all Windows codesigning binaries (makensis, osslsigntool, rcedit, etc.) ✅
• Updating squirrel.windows ✅
• Updating wine to the latest version
• Add dedicated support MSIX
• Migrating Azure Trusted Signing from powershell to dedicated/updated Windows signtool

Most of those require updated toolsets from the electron-builder-binaries repo to migrate from the dependency on 7zip-bin.