fix(build): align electron-builder with Electron 42 and remove version drift#118
Merged
Conversation
PR #117 bumped the `electron` devDependency to 42.2.0 but left electron-builder.yml pinned at `electronVersion: 38.8.0`. That field is the single source of truth for both packaging and the webpack build target (webpack.config.js derives electronXX-* from it), so release builds would have bundled Electron 38 — leaving the audit advisories that #117 set out to close still present in shipped artifacts. No released artifact is affected: the Electron 42 bump is in no tagged release (latest, v3.3.0, predates it by ~2 months); this lands before the next release. - electron-builder.yml: electronVersion 38.8.0 -> 42.2.0 - bumping electronVersion surfaced that node-abi@4.26.0 (under @electron/rebuild) cannot detect the Electron 42 ABI, which fails `electron-builder install-app-deps`. Pinned node-abi to ^4.31.0 via overrides. Verified: install-app-deps rebuilds leveldown for Electron 42.2.0, webpack compiles with the electron42.2 target, lint and tests green.
…urce
electron-builder.yml's `electronVersion` and the `electron` devDependency
were two places holding the Electron version, kept in sync by hand — the
drift that the previous commit had to repair.
- electron-builder.yml: drop `electronVersion`. With the field absent,
electron-builder auto-detects the version from the installed `electron`
dependency.
- webpack.config.js: derive the build target from
`require('electron/package.json').version` instead of parsing
electron-builder.yml; drop the now-unused fs and yaml requires.
The `electron` dependency is now the only source. Both packaging and the
webpack target read it, so they cannot drift apart again.
Verified: webpack compiles with the electron42.2 target, electron-builder
install-app-deps auto-detects electronVersion=42.2.0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR #117 bumped the
electrondevDependency to 42.2.0 but leftelectron-builder.ymlpinned atelectronVersion: 38.8.0. That field is the single source of truth for both packaging and the webpack build target (webpack.config.jsderives theelectronXX-*target from it), so release builds would have bundled Electron 38 — leaving the audit advisories #117 set out to close present in shipped artifacts.This PR repairs the drift and removes the duplication that caused it.
Impact
No released artifact is affected: the Electron 42 bump is in no tagged release (the latest, v3.3.0, predates it by ~2 months). This lands before the next release.
Changes
electronVersion. With the field absent, electron-builder auto-detects the version from the installedelectrondependency.require('electron/package.json').versioninstead of parsing electron-builder.yml; drop the now-unusedfsandyamlrequires.node-abito^4.31.0viaoverrides. Bumping the Electron version surfaced thatnode-abi@4.26.0(under@electron/rebuild) cannot detect the Electron 42 ABI, which failselectron-builder install-app-deps.Result
The
electrondependency is now the single source of the Electron version. Both packaging and the webpack target read the installed package, so they cannot drift apart again.Validation
electron-builder install-app-depsauto-detectselectronVersion=42.2.0and rebuildsleveldownfor itwebpackcompiles with theelectron42.2-*targetnpm run lintclean · 332 tests passing ·npm audit0 findings