Electron 33 → 39 upgrade blocked by better-sqlite3 ABI (defer to v0.1.x or v0.2)

[hqhq1025]

Status

Deferred. PR #103 attempted Electron 33.2.1 → 39.8.x and was closed because better-sqlite3@11.10.0 ships no prebuilt for Electron 39's Node ABI on darwin-arm64.

What this fixes when done

17 dependabot Electron alerts (4 high, 12 medium, 1 low):

• 4 high: use-after-free in PowerMonitor / WebContents permission callbacks / offscreen child window paint / renderer command-line switch injection
• Others: AppleScript injection, IPC spoofing, origin permission scoping, etc.

Plus brings Chromium from 130 → 142, unlocking newer CSS (@scope, @container, anchor positioning, text-wrap: balance mature) — relevant for our generated artifacts.

Three solutions, pick one when picking back up

A. Wait for better-sqlite3 upstream

Watch https://github.com/WiseLibs/better-sqlite3/releases for an Electron-39 prebuild. Zero work when it ships. Cost: indefinite delay.

B. Source-compile via @electron/rebuild postinstall

Replace prebuild-install path in apps/desktop/scripts/install-sqlite-bindings.cjs with a compile step. Cost: every dev install now needs Python + node-gyp + Xcode CLT; first install slow (~60s); brittle on user machines.

C. Switch to node:sqlite (Node 22.5+ built-in)

Rewrite apps/desktop/src/main/snapshots-db.ts to use Node's built-in sqlite module. Cost: ~50 LOC change; some sqlite behavior microdiffs to verify; no native binding ABI problem ever again.

Recommendation: C when revisiting. Pre-1.0 (pre-release), the cleanup pays off forever. Persistence is core; we want it to stop being a versioning hot zone.

Trigger to revisit

• Targeting v0.2 release publicly OR
• A specific high CVE becomes exploitable in our threat model OR
• We want a Chromium 142+ CSS feature for generated artifacts (e.g. anchor positioning for popovers/tooltips)

Hard constraint

Whichever option ships, must NOT use Electron 41.x — CLAUDE.md ban (cross-origin isolation regression).

Related

• PR chore(deps): bump electron 33 → 39 (PR-A: dependency bump only) #103 (closed, 2026-04-19): the bump-only PR that surfaced the blocker
• PR fix(desktop): dual-ABI prebuilt for better-sqlite3 (Node + Electron) #96: dual-ABI postinstall infrastructure that this work would replace
• PR chore(deps): bump happy-dom to fix 6 security advisories #98: happy-dom security upgrade (separate dev-only fix that already landed)

[github-actions]

Thanks for documenting this so clearly.

What I can verify from the current codebase is:

• Desktop is still pinned to Electron 33 (^33.2.1 in package.json; lock currently resolves to 33.4.11).
• Snapshot persistence is still built around better-sqlite3 with runtime-specific native bindings selected at startup.
• The postinstall path currently downloads prebuilt binaries via prebuild-install for Node/Electron ABIs; there is no source-compile fallback in that script.
• CLAUDE.md still explicitly bans Electron 41.x.

Given that this repo is still in pre-alpha/v0.x, we should keep expectations aligned that some roadmap items are tracked but not fully implemented yet.

Relevant code:

• apps/desktop/package.json:43 — Electron dependency (^33.2.1)
• pnpm-lock.yaml:7284 — lockfile currently at electron@33.4.11
• apps/desktop/package.json:27 — better-sqlite3 dependency
• apps/desktop/package.json:8 — postinstall uses install-sqlite-bindings.cjs
• apps/desktop/scripts/install-sqlite-bindings.cjs:54 — prebuild-install download path
• apps/desktop/scripts/install-sqlite-bindings.cjs:140 — Electron runtime prebuild fetch (no compile branch)
• apps/desktop/src/main/snapshots-db.ts:37 — selects Node/Electron-specific native binding
• CLAUDE.md:48 — Electron latest stable, but NOT 41.x
• README.md:65 — v0.1 pre-release note

Need more info:

• Should we keep this issue in deferred state for v0.1.x and revisit at v0.2 planning, or reopen now to implement one option immediately?

---

open-codesign Bot