npm(deps-dev): bump electron from 39.2.7 to 40.0.0

[dependabot]

Bumps electron from 39.2.7 to 40.0.0.

Release notes

Sourced from electron's releases.

electron v40.0.0

Release Notes for v40.0.0

Stack Upgrades

• Chromium 144.0.7559.60
  • New in 144
  • New in 143
• Node v24.11.1
  • Node 24.11.1 blog post
• V8 14.4

Breaking Changes

• Deprecated clipboard API access from renderer processes #48923
• Fixed an error on debug symbol upload by moving dsym.zip to use tar.xz compression. #48952

Features

Additions

• Added "memory-eviction" as a possible reason for a child process to exit. #48362
• Added RGBAF16 output format with scRGB HDR color space support to Offscreen Rendering. #48265 (Also in 39)
• Added app.isHardwareAccelerationEnabled(). #47614 (Also in 37, 38, 39)
• Added bypassCustomProtocolHandlers option to net.request. #48883 (Also in 38, 39)
• Added methods to enable more granular accessibility support management. #48042 (Also in 37, 38, 39)
• Added support for WebSocket authentication through the login event on webContents. #49064 (Also in 39)
• Added support to import external shared texture as VideoFrame. #48831
• Added the ability to retrieve the system accent color on Linux using systemPreferences.getAccentColor. #48027 (Also in 39)
• Allowed for persisting File System API grant status within a given session. #48170 (Also in 37, 38, 39)
• Automatically focus DevTools when element is inspected or breakpoint is triggered. #46386 (Also in 37, 38, 39)

Improvements

• Enables resetting accent color to follow system accent settings if a previous color has been set via window.setAccentColor(null). #48274 (Also in 38, 39)
• Support dynamic ESM imports in non-context isolated preloads. #48375 (Also in 37, 38, 39)
• Updated nativeImage.createFromNamedImage to support SF Symbol names. #48772 (Also in 39)

Fixes

• Added support for --no-stdio-init to be used when nul device is disabled on windows. #47870
• Fixed an issue on Windows and Linux where no cookie encryption key provider was passed into the network service when cookie encryption was enabled. #49375
• Fixed an issue where no cookie encryption provider was passed into the network service when cookie encryption was enabled. #49350
• Fixed crash when attempting to resolve modules during process exit. #49104
• Fixed drag regions in child windows. #49312
• Fixed draw smoothing round corner issue. #48782
• Fixed the cookie encryption logic to use the old os_crypt sync implementation present in M142. #49384
• Fixed visual artifacts while resizing a window on Windows. #49191

Also in earlier versions...

• AccentColor set distinguishes the frame. #48405 (Also in 37, 38, 39)
• Corrected the appearance of tiled windows on GNOME (when frame: true), and removed resize handles from tiled edges. #48835 (Also in 38, 39)
• Fix: ESM-from-CJS import when CJK characters are in path. #48862 (Also in 39)

... (truncated)

Commits

• 35b8855 chore: empty commit to release stable 40.0.0 (#49404)
• 7872c33 fix: revert os_crypt async cookie provider implementation (#49384)
• 9c753c3 docs: remove stale example and standardize DevTools capitalization (#49387)
• 8b2a991 docs: improve build-tools instructions (#49385)
• c897602 refactor: add static ReplyChannel::SendError() helper (#49372)
• 8cc201e chore: bump chromium to 144.0.7559.60 (40-x-y) (#49380)
• ba26a5d chore: bump chromium to 144.0.7559.59 (40-x-y) (#49330)
• df4d0be fix: fix cookie encryption provider loading on Windows and Linux (#49375)
• 9c4e03f build: roll build-tools SHA to 4430e4a (#49366)
• 05b4b57 feat: support WebSocket authentication handling (#49064)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dependabot]

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@emnapi/core	1.7.1	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime	1.7.1	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@napi-rs/wasm-runtime	1.1.0	🟢 5.7	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review 🟢 4 Found 10/23 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected
npm/@types/node	24.10.9	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 26/28 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/electron	40.0.0	🟢 7.2	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during GetBranch(41-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 88 contributing companies or organizations

Scanned Files

• package-lock.json