[Security] Bump electron from 1.8.8 to 9.0.0

[dependabot-preview]

Bumps electron from 1.8.8 to 9.0.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Arbitrary Code Execution A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.

Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5

Release notes

Sourced from electron's releases.

electron v9.0.0

Release Notes for 9.0.0

Stack Upgrades

• Chromium v83.0.4103.50
  • v81 blog post
  • v82 was skipped
  • v83 blog post
• Node v12.14.1
  • v12.13.1 release notes
  • v12.14.0 release notes
  • v12.14.1 release notes
• V8 8.3
  • v8.1 blog post
  • v8.3 blog post

Breaking Changes

• Changed the default value of app.allowRendererProcessReuse to true. This will prevent loading of non-context-aware native modules in renderer processes. (See #18397 for more information on this change.) #22401
• Removed deprecated <webview>.getWebContents(). #20986
• Removed the deprecated 'setLayoutZoomLevelLimits' method. #21383
• IPC between main and renderer processes now uses the Structured Clone Algorithm. #20214
• Split shell.openItem(path) into synchronous and asynchronous methods. #20682

Features

• Added fullScreen property support for BrowserWindows. #23330
• Added session.listWordsFromSpellCheckerDictionary API to list custom words in the dictionary. #22128
• Added session.removeWordFromSpellCheckerDictionary API to remove custom words in the dictionary. #22368
• Added session.serviceWorkerContext API to access basic service worker info and receive console logs from service workers. #22313
• Added a new force parameter to app.focus() on macOS to allow apps to forcefully take focus. #23447
• Added chrome.i18n extension API. #22570
• Added chrome.tabs.connect extension API for background pages. #22549
• Added support for property access to some getter/setter pairs on BrowserWindow. #23208
• Added support for the chrome.extension.getBackgroundPage API when building with enable_electron_extensions. #22177
• Allow an optional callback parameter for WebFrame.executeJavaScript* methods, which is called synchronously unless the target context is paused. #22501
• Restored support for pdfium-based PDF viewer. #22131

Fixes

• Don't allow window to go behind menu bar on mac. #22828
• Fixed webRequest module not working with file:// protocol. #22919
• Fixed webRequest not working for CORS requests. #22468
• Fixed win.setMenuBarVisibility(false) not hiding menu bar. #23263
• Fixed an issue where changing theme on macOS would break window maximizability state. #22724
• Fixed crash in network service process when using protocol.registerSchemeAsPrivileged api. #22917
• Fixed crash that could occur when calling session.fromPartition inside the ready event. #23472
• Fixed incorrect hit testing on top of ::after element with layoutNG. #23190
• Fixed missing debug symbols for crashpad handler on macOS. #23573

... (truncated)

Commits

• 4da0164 Bump v9.0.0
• 9d46395 refactor: revert release notes changes (#23649)
• 67a905c Revert "Bump v9.0.0"
• dcdca6a Bump v9.0.0
• 7db9c35 fix: eat octokit 422 errs when scraping commit PRs (#23643)
• 5c03d05 Revert "Bump v9.0.0"
• 0ac262d Bump v9.0.0
• 4de54b4 ci: use longer mocha timeout on WOA testing (#23636)
• 29af231 Revert "Bump v9.0.0-beta.25"
• 1a4c34b Bump v9.0.0-beta.25
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #39.