[Security] Bump electron from 6.0.4 to 9.1.0

[dependabot-preview]

Bumps electron from 6.0.4 to 9.1.0.

Release notes

Sourced from electron's releases.

electron v9.1.0

Release Notes for v9.1.0

Features

• Added support for MessagePort in the main process. #24323
• Added support for suspend and resume events to Windows. #24283
• Added support for suspend and resume events to macOS. #24294
• Expose sessionId associated with a target from debugger module. #24398
• Implemented systemPreferences.getMediaAccessStatus() on Windows. #24312

Fixes

• Fixed an intermittent high-CPU usage problem caused a system clock issue during sleep. #24415
• Fixed an issue where some old notifications were not properly removed from the Notification Center on macOS. #24406
• Fixed bug on macOS where the main window could be targeted for a focus event when it was disabled behind a modal. #24354

electron v9.0.5

Release Notes for v9.0.5

Fixes

• Fixed "Paste and Match Style" shortcut on macOS to match OS's "Option-Shift-Command-V". #24185
• Fixed "null path-to-app" in test-app when Electron's path contains spaces or special characters. #24232
• Fixed an error when calling dialog.showCertificateTrustDialog with no BrowserWindow. #24121
• Fixed an issue where shutdown would be emitted both on app and system shutdown on macOS. #24141
• Fixed an issue where withFileTypes was not supported as an option to fs.readdir or fs.readdirSync under asar. #24108
• Fixed an issue which would cause streaming protocol responses to stall in some cases. #24082
• Fixed an issue with click events not being emitted on macOS for Trays with context menus set. #24236
• Fixed delayed execution of some Node.js callbacks in the main process. #24178
• Fixed tray menu showing in taskbar on Windows. #24193
• Fixed window titlebar not responding to pen on Windows 10. #24103

Other Changes

• Fixed issue with some IMEs on windows (for ex: Zhuyin) don't terminate after pressing shift. #24059
• Fixed mac app store rejection notice for invalid symbolic link in bundle. #24238
• Updated Chromium to 83.0.4103.119. #24234

Documentation

• Documentation changes: #24177

electron v9.0.4

Release Notes for v9.0.4

Fixes

• Added missing support for isComposing KeyboardEvent property. #23996
• Enable NTLM v2 for POSIX platforms and added --disable-ntlm-v2 switch to disable it. #23934

Commits

• a822d26 Bump v9.1.0
• 9d6ac05 feat: expose sessionId in debugger module (#24398)
• cbe66f2 fix: intermittent 100% CPU usage on macOS (#24415)
• 4f10bde feat: implement systemPreferences.getMediaAccessStatus() on Windows (#24275) ...
• 473c7db chore: use node_bindings loop for clarity (#24418)
• 4515c4d feat: add app render-process-gone event (#24315)
• 6dd394a fix: remove same-tag notifications before showing new ones (#24406)
• 4ace499 feat: MessagePorts in the main process (#24323)
• 71e3296 feat: add new render-process-gone event (#24309)
• 67002fd fix: macOS modal focus (#24354)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via contextBridge in Electron

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 9.0.0-beta.21
  ... (truncated)

Affected versions: ["< 7.2.4"]

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Context isolation bypass via Promise in Electron

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

• 9.0.0-beta.21
  ... (truncated)

Affected versions: ["< 6.1.11"]

[dependabot-preview]

Superseded by #130.