Bump the npm_and_yarn group across 7 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /docs/src/examples/desktop directory: electron.
Bumps the npm_and_yarn group with 3 updates in the /packages/browser/e2e-tests directory: basic-ftp, follow-redirects and protobufjs.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop directory: electron.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop/samples/basic directory: electron.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop/samples/file-persistence-idbfs directory: electron.
Bumps the npm_and_yarn group with 1 update in the /packages/desktop/samples/file-persistence-nodefs directory: electron.
Bumps the npm_and_yarn group with 2 updates in the /packages/react/e2e-tests directory: vite and follow-redirects.

Updates electron from 34.3.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates basic-ftp from 5.2.0 to 5.3.0

Release notes

Sourced from basic-ftp's releases.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Changelog

Sourced from basic-ftp's changelog.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Commits

• c9378a8 Fix test
• 22abe43 Update Github Actions
• 0feaaec Fix test
• 6629d7d Improve error message
• 9c3bf4f Set higher default value for max size of directory listing
• acd3942 Bump version
• 1304429 Offer maxListingBytes as an option
• 5cb5367 Add bounded StringWriter
• 07e9fc5 Update dev dependencies
• e9d09d6 Bump version
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates follow-redirects from 1.15.9 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• See full diff in compare view

Updates protobufjs from 7.4.0 to 7.5.5

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.4

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

protobufjs: v7.5.3

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

protobufjs: v7.5.2

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

protobufjs: v7.5.1

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

protobufjs: v7.5.0

7.5.0 (2025-04-15)

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

Changelog

8.0.1 (2026-03-11)

Bug Fixes

• bump protobufjs dependency version for cli package (#2128) (549b05e)
• correct json syntax in tsconfig.json (#2120) (8065625)
• descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
• do not allow setting proto in Message constructor (#2126) (f05e3c3)
• filter invalid characters from the type name (#2127) (535df44)

8.0.0 (2025-12-16)

⚠ BREAKING CHANGES

• add Edition 2024 Support (#2060)

Features

• add Edition 2024 Support (#2060) (53e8492)

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

7.5.1 (2025-05-08)

Bug Fixes

... (truncated)

Commits

• b7bdfaf chore: release 7.5.5
• ff7b2af fix: filter invalid characters from the type name (#2127)
• 086b19d fix: do not allow setting proto in Message constructor (#2126)
• 827ff8e chore: release master (#2093)
• 5a3769a fix: invalid syntax in descriptor.proto (#2092)
• f42297b chore: release master (#2076)
• 6e255d4 fix: descriptor extensions handling post-editions (#2075)
• 9467abe chore: release master (#2070)
• 4b51cb2 fix: ensure that types are always resolved (#2068)
• 69cced8 chore: release master (#2067)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.

Updates electron from 34.3.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates electron from 34.3.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates electron from 34.3.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates electron from 34.3.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, Description has been truncated

[changeset-bot]

🦋 Changeset detected

Latest commit: 6fe3553

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/electron	39.8.5	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(39-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 89 contributing companies or organizations
npm/basic-ftp	5.3.0	🟢 5.6	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 20 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 SAST ⚠️ 0 no SAST tool detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
npm/follow-redirects	1.16.0	🟢 5	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 1/24 approved changesets -- score normalized to 0 Maintained 🟢 4 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/protobufjs	7.5.5	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/electron	39.8.5	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(39-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 89 contributing companies or organizations
npm/vite	^8.0.8	Unknown	Unknown
npm/electron	39.8.5	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(39-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 89 contributing companies or organizations
npm/electron	39.8.5	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(39-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 89 contributing companies or organizations
npm/electron	39.8.5	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices 🟢 5 badge detected: Passing Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 26 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(39-x-y): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 89 contributing companies or organizations
npm/follow-redirects	1.16.0	🟢 5	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 1/24 approved changesets -- score normalized to 0 Maintained 🟢 4 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/vite	7.3.2	🟢 6.5	Details Check Score Reason Code-Review 🟢 5 Found 16/28 approved changesets -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 5 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6

Scanned Files

• docs/src/examples/desktop/package.json
• packages/browser/e2e-tests/yarn.lock
• packages/desktop/package.json
• packages/desktop/samples/basic/package.json
• packages/desktop/samples/file-persistence-idbfs/package.json
• packages/desktop/samples/file-persistence-nodefs/package.json
• packages/react/e2e-tests/yarn.lock