[deps] Platform: Update electron to v37 - autoclosed#15499

Closed
renovate[bot] wants to merge 1 commit into main from renovate/electron-37.x

@renovate renovate bot commented Jul 7, 2025

This PR contains the following updates:

Package   Change
electron  36.4.0 -> 37.4.0

Release Notes

electron/electron (electron)

v37.4.0: electron v37.4.0

Release Notes for v37.4.0

Features

  • Added tray.{get|set}AutosaveName to enable macOS tray icons to maintain position across launches. #​48076 (Also in 36, 38)

Fixes

  • Fixed an issue where net.isOnline() always returned true in utilityProcesses. #​48152 (Also in 36, 38)
  • Fixed an issue where snapped corner state wasn't properly restored after minimizing and then restoring. #​48156 (Also in 36, 38)
  • Fixed an issue where the accent color would be accidentally inverted when set to match the system color. #​48107 (Also in 36, 38)

Other Changes

  • Updated Chromium to 138.0.7204.243. #​48119

v37.3.1: electron v37.3.1

Release Notes for v37.3.1

Fixes

  • Fixed an issue where shell.openPath was not non-blocking as expected. #​48088 (Also in 36, 38)
  • Fixed an issue where windows opened with window.open would never be offscreen. #​48070 (Also in 38)
  • Fixed potential deadlock inside app.getLoginItemSettings on macOS. #​48096 (Also in 36)

Other Changes

  • Updated Chromium to 138.0.7204.235. #​48066

v37.3.0: electron v37.3.0

Release Notes for v37.3.0

Features

  • Added support for app.getRecentDocuments() on Windows and macOS. #​47923 (Also in 36, 38)
  • Adds the ability to change window accent color on Windows after initial window initialization via {get|set}AccentColor. #​48017 (Also in 36, 38)
  • Internally switched to using DIR_ASSETS instead of DIR_MODULE/DIR_EXE to locate assets and resources, and added "assets" as a key that can be queried via app.getPath. #​47951 (Also in 38)

Fixes

  • Fixed a crash possible when calling webContents.loadURL() from a failed webContents.loadURL() call's catch handler. #​48045 (Also in 36, 38)
  • Fixed an issue where app.accessibilitySupportEnabled didn't work as expected. #​48061 (Also in 38)
  • Fixed an issue where importing from electron/utility in an ESM file threw an error at runtime. #​48021 (Also in 36, 38)
  • Fixed an issue where importing from electron/utility threw a ERR_MODULE_NOT_FOUND error at runtime. #​47988 (Also in 36, 38)
  • Fixed an issue where the accent border was drawn on all windows regardless of the window's active focused status. #​48011 (Also in 36, 38)
  • Fixed compilation error when disabling extensions and pdf_viewer. #​47994 (Also in 38)

Other Changes

v37.2.6: electron v37.2.6

Release Notes for v37.2.6

Fixes

  • Fixed a bug where the Referer header was not being set correctly when using webContents.downloadURL(). #​47865 (Also in 36, 38)
  • Fixed a crash when calling some webContents functions after window.close(). #​47954 (Also in 36, 38)
  • Fixed an issue on some older Windows versions where setContentProtection didn't work as expected. #​47887 (Also in 36, 38)
  • Fixed an issue where an invalid color passed as a string to accentColor would result in a white accent color. #​47800 (Also in 38)
  • Fixed an issue where video scrubbing would not correctly hold the new position on playback. #​47971 (Also in 38)
  • Fixed an issue where windows used dark theme on Linux all the time without reacting to system theme changes. #​47920 (Also in 38)
  • Fixed applying background material correctly when creating windows on Windows, restored animations, and also fixed the issue where dynamically setting the background material had no effect. #​47956 (Also in 36, 38)

Other Changes

  • Updated Chromium to 138.0.7204.185. #​47909

v37.2.5: electron v37.2.5

Release Notes for v37.2.5

Other Changes

  • Updated Chromium to 138.0.7204.168. #​47861

v37.2.4: electron v37.2.4

Release Notes for v37.2.4

Fixes

  • Fixed a bug where app extensions filters didn't allow for selecting app bundles in macOS file dialogs. #​47839 (Also in 36, 38)
  • Fixed an issue where certain operations performed in a window close callback could trigger a crash. #​47813 (Also in 36, 38)

Other Changes

v37.2.3: electron v37.2.3

Release Notes for v37.2.3

Fixes

  • Fixed a child process crash on macOS when the running application is replaced with one that has a newer implementation triggering the sandbox. #​47784 (Also in 38)
  • Fixed a crash when adding the -electron-corner-smoothing CSS rule to a stylesheet with no associated document. #​47792
  • Fixed an issue where require('node:sqlite') didn't work. #​47756 (Also in 36, 38)

v37.2.2: electron v37.2.2

Release Notes for v37.2.2

Other Changes

  • Updated Chromium to 138.0.7204.100. #​47701

v37.2.1: electron v37.2.1

Release Notes for v37.2.1

Fixes

  • Fixed a crash when calling desktopCapturer.getSources with an empty thumbnail size. #​47653 (Also in 36, 38)
  • Fixed an issue where child windows could crash if they were opened from a fullscreen parent and have roundedCorners set to false. #​47682 (Also in 36, 38)
  • Fixed an issue where the window required restart in order to recognize system accent color setting change. #​47656 (Also in 36, 38)

v37.2.0: electron v37.2.0

Release Notes for v37.2.0

Other Changes

v37.1.0: electron v37.1.0

Release Notes for v37.1.0

Features

  • Added support for customizing system accent color and highlighting of active window border. #​47537 (Also in 35, 36)

Fixes

  • Fixed an issue where utility processes could leak file handles. #​47543 (Also in 35, 36)

v37.0.0: electron v37.0.0

Release Notes for v37.0.0

Stack Upgrades

Breaking Changes

  • Added support for Web Serial & WebUSB blocklists. #​46600
  • Fixed an issue where utility processes crashed on unhandled rejections. #​45921
  • Fixed utilityProcess running user script after process.exit is called. #​47492
  • Removed deprecated feature of creating a new random session by setting ProtocolResponse.session's property to null. #​46264

Features

Additions
  • Added BrowserWindow.isSnapped() to indicate whether a given window has been arranged via Snap. #​46079 (Also in 36)
  • Added before-mouse-event to allow intercepting and preventing mouse events in WebContents. #​47364 (Also in 36)
  • Added ffmpeg.dll to delay load configuration. #​46151 (Also in 34, 35, 36)
  • Added innerWidth and innerHeight options for window.open. #​47039 (Also in 35, 36)
  • Added nativeTheme.shouldUseDarkColorsForSystemIntegratedUI to distinguish system and app theme. #​46438 (Also in 35, 36)
  • Added scriptURL property to ServiceWorkerMain. #​45863
  • Added a CSS rule for smooth corners. #​45185
  • Added sublabel functionality for menus on macOS >= 14.4. #​47042 (Also in 35, 36)
  • Added support for Autofill, Writing Tools and Services macOS level menu items in context menus via the new frame option in menu.popup. #​45138 (Also in 36)
  • Added support for HIDDevice.collections. #​47483 (Also in 36)
  • Added support for --no-experimental-global-navigator flag. #​47418 (Also in 35, 36)
  • Added support for screen.dipToScreenPoint(point) and screen.screenToDipPoint(point) on Linux X11. #​46895 (Also in 35, 36)
  • Added support for system-context-menu on Linux. #​45848 (Also in 35, 36)
  • Added support for menu item role palette and header on macOS. #​47245
  • Added support for node option --experimental-network-inspection. #​47031 (Also in 35, 36)
  • Added the priority and priorityIncremental options to net.request(). #​47321 (Also in 36)
  • Exposed win.isContentProtected() to allow developers to check window protection status. #​47310 (Also in 36)
Improvements
  • Improved ASAR integrity checks on Windows. #​46509 (Also in 36)
  • Improved performance of desktopCapturer.getSources when not requesting thumbnails on macOS. #​46138 (Also in 34, 35, 36)
Removed/Deprecated
  • Deprecated NativeImage.getBitmap() and fixed incorrect documentation. #​46696 (Also in 36)

Fixes

  • Fixed an issue on application close on Windows, where not all processes are quit on close. #​47485
  • Fixed an issue where printing PDFs with webContents.print({ silent: true }) would fail. #​47397
Also in earlier versions...
  • Fix: don't copy 'package.json's out of ASAR file. #​46390 (Also in 35, 36)
  • Fix: osr stutter fix backport for electron. #​46650 (Also in 36)
  • Fixed ElectronAccessibilityUI bug. #​46562 (Also in 33, 34, 35, 36)
  • Fixed Minimize menu button to follow set window minimizability on Windows. #​46279 (Also in 34, 35, 36)
  • Fixed NODE_OPTIONS parsing for child processes on macOS. #​46209 (Also in 34, 35, 36)
  • Fixed addChildView() crashes when adding a closed WebContentsView. #​47338 (Also in 35, 36)
  • Fixed electron.shell.openExternal and electron.shell.openPath to honor user-defined system defaults on Linux. #​45310 (Also in 33, 34, 35, 36)
  • Fixed getNativeWindowHandle() crash that affected 36 betas on macOS. #​46733 (Also in 36)
  • Fixed a bug that could cause some maximized windows on Linux to report an incorrect window state. #​46450 (Also in 34, 35, 36)
  • Fixed a crash seen on Linux when calling webContents.print(). #​46087 (Also in 35, 36)
  • Fixed a crash that could occur when dragging and dropping files into the browser. #​46253 (Also in 35, 36)
  • Fixed a crash that could occur when opening some dialogs as windows are closing on macOS. #​46952 (Also in 35, 36)
  • Fixed a possible BrowserWindow crash caused by closing a parent window with focus or blur events. #​46559 (Also in 34, 35, 36)
  • Fixed a possible crash in shell.readShortcutLink. #​46294 (Also in 35, 36)
  • Fixed a possible crash using Node.js on some arm32 devices. #​46435 (Also in 35, 36)
  • Fixed a possible crash using the WebView tag and calling focus. #​47036 (Also in 35, 36)
  • Fixed a possible crash when using navigator.bluetooth.requestDevice and the select-bluetooth-device event. #​46745 (Also in 34, 35, 36)
  • Fixed a potential crash in parentPort. #​46437 (Also in 34, 35, 36)
  • Fixed a potential crash in utilityProcess.postMessage when calling with an invalid transferable. #​46639 (Also in 35, 36)
  • Fixed a potential crash using session.clearData in some circumstances. #​47412 (Also in 35, 36)
  • Fixed a potential crash when closing a window with child windows. #​46758 (Also in 34, 35, 36)
  • Fixed an error when calling window.emit('close') after toggling fullscreen mode. #​46605 (Also in 35, 36)
  • Fixed an error when importing electron for the first time from an ESM module loaded by a CJS module in a packaged app. #​47342 (Also in 35, 36)
  • Fixed an inverted conditional in the above PR that caused broken window borders in some circumstances on Wayland. #​46624 (Also in 33, 34, 35, 36)
  • Fixed an issue where Node.js OOM errors terminate the process directly without raising an OOM exception. #​45895 (Also in 35, 36)
  • Fixed an issue where Web Workers crashed on unhandled rejections. #​45992 (Also in 34, 35, 36)
  • Fixed an issue where context-menu event weren't emitted as expected on Windows in draggable regions. #​45851 (Also in 34, 35, 36)
  • Fixed an issue where navigationHistory.restore() failed to restore the userAgent if it was overridden. #​46260 (Also in 34, 35, 36)
  • Fixed an issue where system-context-menu incorrectly fired for all regions in frameless windows. #​45893 (Also in 33, 34, 35, 36)
  • Fixed an issue where webContents.printToPDF() didn't work as expected with cross-process subframes. #​46218 (Also in 34, 35, 36)
  • Fixed an issue where webContents.print did not work as expected when mediaSize was not passed. #​46971 (Also in 36)
  • Fixed an issue where badly formatted switches could cause crashes in app.commandLine functions. #​46004 (Also in 35, 36)
  • Fixed an issue where calling Fetch.continueResponse via debugger with WebContentsView could cause a crash. #​47444 (Also in 35, 36)
  • Fixed an issue where calling UtilityProcess.fork prior to the app ready event would cause a crash. #​46380 (Also in 34, 35, 36)
  • Fixed an issue where context menu actions such as copy/paste did not correctly fire when a frame was not passed in. #​46595 (Also in 36)
  • Fixed an issue where filters wouldn't apply in the specific case only one was passed. #​46946 (Also in 36)
  • Fixed an issue where packages could be mistakenly not found in asar. #​45997 (Also in 35, 36)
  • Fixed an issue where printing from the renderer process crashes the main process when no printers are installed in the system or there's not a default printer. #​46587 (Also in 34, 35, 36)
  • Fixed an issue where protected transparent windows inappropriately showed a titlebar after visibility change. #​47266 (Also in 35, 36)
  • Fixed an issue where snapped windows in Windows may sometimes be improperly restored. #​46006 (Also in 33, 34, 35, 36)
  • Fixed an issue where the 'suspend' and 'resume' events could be emitted in duplicate. #​47188 (Also in 35, 36)
  • Fixed an issue where the backgroundMaterial feature did not work in a frameless window on initial window creation. #​46657 (Also in 35, 36)
  • Fixed an issue where the resizing border didn't work as expected on Wayland windows. #​46155 (Also in 33, 34, 35, 36)
  • Fixed an issue where the window flickers with either a light or dark color before loading the desired background color. #​47051 (Also in 35, 36)
  • Fixed an issue where transparent child windows on macOS were rendering a grey block as opposed to their correct contents. #​46891 (Also in 35, 36)
  • Fixed an issue with --inspect-brk failing in packaged apps. #​46560 (Also in 35, 36)
  • Fixed an issue with the assert Node.js module in the renderer process. #​46528 (Also in 35, 36)
  • Fixed an issue with token formatting for tokens received after calling pushNotifications.registerForAPNSNotifications(). #​46101 (Also in 34, 35, 36)
  • Fixed build error with enable_electron_extensions=false. #​46812 (Also in 34, 35, 36)
  • Fixed build failure when building with printing disabled. #​46283 (Also in 34, 35, 36)
  • Fixed case where file dialog filters would get mixed up, if a * filter was included. #​46660 (Also in 34, 35, 36)
  • Fixed crash in autoUpdater on macOS when zip extraction failed. #​47302 (Also in 34, 35, 36)
  • Fixed crash in xdg portal version detection on startup. #​47023 (Also in 35, 36)
  • Fixed crash on Linux when PipeWire screenshare source selection is cancelled. #​46112 (Also in 35, 36)
  • Fixed crash on application exit with pending app.getGPUInfo promise. #​46434 (Also in 34, 35, 36)
  • Fixed crash on reconversion with google IME and editcontext on macOS. #​46688 (Also in 34, 35, 36)
  • Fixed crash when renderer process crashes while webview is reloading. #​46735 (Also in 34, 35, 36)
  • Fixed crash with out-of-bounds string read when parsing NODE_OPTIONS. #​46210 (Also in 34, 35, 36)
  • Fixed flickering and ghosting artifacts in transparent windows on macOS. #​46353 (Also in 35, 36)
  • Fixed incorrect titlebar in file save dialogs. #​46067 (Also in 33, 34, 35, 36)
  • Fixed log files written to the current working directory on Windows. #​46910 (Also in 35, 36)
  • Fixed memory leak in AutofillPopupView. #​46384 (Also in 34, 35, 36)
  • Fixed opening package paths as directory when treatPackageAsDirectory is enabled on macOS. #​47108 (Also in 35, 36)
  • Fixed regression with directory selection in macOS dialogs. #​47277 (Also in 35, 36)
  • Fixed several paint and white flash issues on macOS. #​46615 (Also in 35, 36)
  • Fixed the border style of windows with vibrancy on macOS. #​46648 (Also in 35, 36)
  • Fixed the issue where maximizing and restoring the window does not respect the corner radius settings, and the corner radius is incorrect in fullscreen mode. #​46641 (Also in 35, 36)
  • Fixed the issue where rounded corners disappear momentarily when closing on Windows 11. #​46382 (Also in 35, 36)
  • Fixed title changes to not occur while navigating within a page. #​45981 (Also in 34, 35, 36)
  • Fixed xdg portal version detection for file dialogs on linux. #​46922 (Also in 35, 36)
  • Improved webContents loading time when resolving fonts for uncommon scripts. #​45905 (Also in 34, 35, 36)
  • Microtasks are no longer (incorrectly) run by serializing values, including when sending IPC. #​46668 (Also in 34, 35, 36)
  • Partially fixes an issue with printing a PDF via webContents.print() where the callback would not be called. #​47398 (Also in 35, 36)
  • Restored previous window-hiding behavior of win.setContentProtected() on Windows. #​47033 (Also in 35, 36)
  • When a menu item on macOS is disabled (enabled = false), it is now greyed out. #​46307 (Also in 34, 35, 36)

Other Changes

Documentation

Notices

End of Support for 34.x.y

Electron 34.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v36.8.1: electron v36.8.1

Release Notes for v36.8.1

Fixes

  • Fixed an issue where shell.openPath was not non-blocking as expected. #​48087 (Also in 37, 38)
  • Fixed potential deadlock inside app.getLoginItemSettings on macOS. #​48095 (Also in 37)

v36.8.0: electron v36.8.0

Release Notes for v36.8.0

Features

  • Added support for app.getRecentDocuments() on Windows and macOS. #​47925 (Also in 37, 38)
  • Adds the ability to change window accent color on Windows after initial window initialization via {get|set}AccentColor. #​48018 (Also in 37, 38)

Fixes

  • Fixed a crash possible when calling webContents.loadURL() from a failed webContents.loadURL() call's catch handler. #​48044 (Also in 37, 38)
  • Fixed an issue where importing from electron/utility in an ESM file threw an error at runtime. #​48020 (Also in 37, 38)
  • Fixed an issue where importing from electron/utility threw a ERR_MODULE_NOT_FOUND error at runtime. #​47987 (Also in 37, 38)
  • Fixed an issue where the accent border was drawn on all windows regardless of the window's active focused status. #​48012 (Also in 37, 38)

Other Changes

v36.7.4: electron v36.7.4

Release Notes for v36.7.4

Fixes

  • Fixed a bug where the Referer header was not being set correctly when using webContents.downloadURL(). #​47866 (Also in 37, 38)
  • Fixed a crash when calling some webContents functions after window.close(). #​47953 (Also in 37, 38)
  • Fixed an issue on some older Windows versions where setContentProtection didn't work as expected. #​47888 (Also in 37, 38)
  • Fixed an issue where an invalid color passed as a string to accentColor would result in a white accent color. #​47921 (Also in 37, 38)
  • Fixed applying background material correctly when creating windows on Windows, restored animations, and also fixed the issue where dynamically setting the background material had no effect. #​47957 (Also in 37, 38)

v36.7.3: electron v36.7.3

Release Notes for v36.7.3

Fixes

  • Fixed a bug where app extension

@renovate renovate bot requested review from a team and addisonbeck July 7, 2025 03:42
@bitwarden-bot bitwarden-bot changed the title [deps] Platform: Update electron to v37 [PM-23428] [deps] Platform: Update electron to v37 Jul 7, 2025
@bitwarden-bot
Internal tracking:

codecov bot commented Jul 7, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.43%. Comparing base (363d6be) to head (84449f9).
⚠️ Report is 408 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15499      +/-   ##
==========================================
- Coverage   37.43%   37.43%   -0.01%     
==========================================
  Files        3351     3351              
  Lines       95184    95184              
  Branches    14391    14391              
==========================================
- Hits        35634    35631       -3     
- Misses      57981    57984       +3     
  Partials     1569     1569              

@renovate renovate bot changed the title [PM-23428] [deps] Platform: Update electron to v37 [deps] Platform: Update electron to v37 Jul 7, 2025
@renovate renovate bot force-pushed the renovate/electron-37.x branch from 6884687 to b64ce5d Compare July 10, 2025 00:58
@renovate renovate bot force-pushed the renovate/electron-37.x branch 2 times, most recently from 1603f9b to 93c52d4 Compare July 22, 2025 18:49
@renovate renovate bot force-pushed the renovate/electron-37.x branch 2 times, most recently from 61aad89 to efd0948 Compare July 30, 2025 14:42
@renovate renovate bot force-pushed the renovate/electron-37.x branch 3 times, most recently from 8ea1b7c to 633fcca Compare August 13, 2025 08:08
@renovate renovate bot force-pushed the renovate/electron-37.x branch 3 times, most recently from 4bd5fe6 to 1fb55c1 Compare August 26, 2025 09:18
@renovate renovate bot force-pushed the renovate/electron-37.x branch from 1fb55c1 to ad1d353 Compare August 31, 2025 11:43
@renovate renovate bot force-pushed the renovate/electron-37.x branch from ad1d353 to 84449f9 Compare September 3, 2025 20:35
@renovate renovate bot changed the title [deps] Platform: Update electron to v37 [deps] Platform: Update electron to v37 - autoclosed Sep 3, 2025
@renovate renovate bot closed this Sep 3, 2025
@renovate renovate bot deleted the renovate/electron-37.x branch September 3, 2025 21:34
@trmartin4 trmartin4 restored the renovate/electron-37.x branch October 16, 2025 19:54
@trmartin4 trmartin4 reopened this Oct 16, 2025
@trmartin4 trmartin4 changed the title [deps] Platform: Update electron to v37 - autoclosed [deps] Platform: Update electron to v37 Oct 16, 2025
@renovate renovate bot changed the title [deps] Platform: Update electron to v37 [deps] Platform: Update electron to v37 - autoclosed Oct 16, 2025
@renovate renovate bot closed this Oct 16, 2025
@renovate renovate bot deleted the renovate/electron-37.x branch October 16, 2025 19:56
@sonarqubecloud

@github-actions

Checkmarx One – Scan Summary & Details 801c3753-5329-46ea-b847-cf3eb34602c8

New Issues (22)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight

CRITICAL CVE-2025-10585 Npm-electron-37.4.0
Recommended version: 37.6.0
Description: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML p...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10200 Npm-electron-37.4.0
Recommended version: 37.5.1
Description: Use After Free in 'ServiceWorker' in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corrupt...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10201 Npm-electron-37.4.0
Recommended version: 37.5.1
Description: Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site ...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10500 Npm-electron-37.4.0
Recommended version: 37.6.0
Description: Use After Free in Dawn in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10501 Npm-electron-37.4.0
Recommended version: 37.6.1
Description: Use After Free in WebRTC in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HT...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10502 Npm-electron-37.4.0
Recommended version: 37.6.1
Description: Heap Buffer Overflow in 'ANGLE' in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via malic...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10891 Npm-electron-37.4.0
Recommended version: 37.6.0
Description: Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-10892 Npm-electron-37.4.0
Recommended version: 37.6.1
Description: Integer Overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-47935 Npm-multer-1.4.5-lts.2
Recommended version: 2.0.2
Description: Multer is a Node.js middleware for handling "multipart/form-data". In versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory le...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-47944 Npm-multer-1.4.5-lts.2
Recommended version: 2.0.2
Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability that is present in versions 1.0.0 through 1.4.5-lts.2, and 2.0.0...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-48997 Npm-multer-1.4.5-lts.2
Recommended version: 2.0.2
Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability allows an attacker to trigger a Denial of Service (DoS) by sendi...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-58754 Npm-axios-1.10.0
Recommended version: 1.12.0
Description: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.12.0 runs on Node.js and is given a URL with the "d...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-7338 Npm-multer-1.4.5-lts.2
Recommended version: 2.0.2
Description: Multer is a Node.js middleware for handling `multipart/form-data`. A vulnerability that is present in versions 1.4.4-lts.1, 1.4.5-lts.1 through 1.4...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-9132 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Out-of-bounds Write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted H...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-9478 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-9864 Npm-electron-37.4.0
Recommended version: 37.6.0
Description: Use After Free in V8 in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

HIGH CVE-2025-9866 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Inappropriate implementation in Extensions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to bypass content security policy via ...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

MEDIUM CVE-2025-55305 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML, and CSS. In versions prior to 35.7.5, 36.0.x prior ...
Attack Vector: LOCAL
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

MEDIUM CVE-2025-9865 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Inappropriate implementation in the Toolbar in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker who convinced a user to en...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

MEDIUM CVE-2025-9867 Npm-electron-37.4.0
Recommended version: 37.5.0
Description: Inappropriate implementation in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a...
Attack Vector: NETWORK
Attack Complexity: LOW
Checkmarx Insight: Vulnerable Package

MEDIUM Insecure_Storage_of_Sensitive_Data /apps/cli/src/tools/export.command.ts: 75
Details: The application takes sensitive, personal data password, found at line 75 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect...
Checkmarx Insight: Attack Vector

LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/avatar/avatar.component.ts: 96
Details: Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.comp...
Checkmarx Insight: Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM Insecure_Storage_of_Sensitive_Data /apps/cli/src/tools/export.command.ts: 77
