Back

@delfuego @TomSellers @electronjs Expanded to check against all #libwebp-patched #Electron versions:

find /Applications -type f -name '*Electron Framework*' -exec \
perl -Mversion=0.77 -nE \
'@safe = map version->parse($_), qw(22.3.24 24.8.3 25.8.1 26.2.1);
next unless m{Chrome/[0-9.]+ Electron/([0-9.]+)}; $ver = version->parse($1);
if ($ver < (grep int $_->numify >= int $ver->numify, @safe)[0]) {
say "vulnerable Electron $ver found in $ARGV"; next
}' {} \;

@delfuego @TomSellers (I am not checking betas because WTF are you doing installing #Electron apps with beta Electron?)

@toba @delfuego @TomSellers True. I have fixed the original post.

N.B. #Electron only supports the last three major versions and version 22 per https://www.electronjs.org/docs/latest/tutorial/electron-timelines#version-support-policy so fixes for v23 and anything below v22 will not come from @electronjs

@delfuego @TomSellers @electronjs @getpostman Some of those numbers are deceptively lower than the current supported #Electron releases: https://www.electronjs.org/docs/latest/tutorial/electron-timelines
But they all include Electron versions released in the past 18 months.

Like a lot of #JavaScript apps, Electron iterates versions *really* fast. #SemanticVersioning is *not* a guide to the chronological age of software, only its compatibility with *other* software.

@alancheilek @mjgardner @TomSellers @electronjs @getpostman VS Code definitely is no longer vulnerable; version 1.82.2, released *two weeks ago*, remediated.

https://github.com/microsoft/vscode/releases/tag/1.82.2