chore(deps): bump the production-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the production-dependencies group with 11 updates in the / directory:

Package	From	To
yaml	2.8.3	2.9.0
rollup	4.60.1	4.60.3
@babel/parser	7.29.2	7.29.3
@electron/packager	19.1.0	19.1.1
electron-to-chromium	1.5.336	1.5.353
puppeteer-core	24.41.0	24.43.1
esbuild	0.27.7	0.28.0
@tauri-apps/api	2.10.1	2.11.0
@tauri-apps/plugin-deep-link	2.4.8	2.4.9
electron	41.2.0	41.5.1
electron-nightly	43.0.0-nightly.20260415	43.0.0-nightly.20260506

Updates yaml from 2.8.3 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Updates rollup from 4.60.1 to 4.60.3

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

• Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

• #6360: fix: do not rename nested "exports" bindings that do not conflict (@​tariqrafique, @​lukastaegert)
• #6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@​renovate[bot])
• #6365: fix(deps): update minor/patch updates (@​renovate[bot])
• #6366: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6367: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6368: docs: add missing backticks in plugin-development (@​lumirlumir, @​lukastaegert)

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

Commits

• b47bdab 4.60.3
• 15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
• 12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
• b74aa39 Migrate instructions to AGENTS.md
• aa5a377 fix(deps): update minor/patch updates (#6365)
• 197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
• cded70a fix(deps): update swc monorepo (major) (#6366)
• bb2b8a5 docs: add missing backticks in plugin-development (#6368)
• 20af1c4 chore(deps): lock file maintenance (#6367)
• a6be82b 4.60.2
• Additional commits viewable in compare view

Updates @babel/parser from 7.29.2 to 7.29.3

Release notes

Sourced from @​babel/parser's releases.

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules
  • #17818 Load async Wasm and JSON imports in parallel (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

Commits

• 183db7b v7.29.3
• 9bc522a Support flow extends bound (#17923)
• 69277a0 Improve trailing comma comment handling (#17782)
• See full diff in compare view

Updates @electron/packager from 19.1.0 to 19.1.1

Release notes

Sourced from @​electron/packager's releases.

v19.1.1

19.1.1 (2026-04-22)

Bug Fixes

• remove get-package-info and resolve dependencies (#1906) (48584a5)

Commits

• 48584a5 fix: remove get-package-info and resolve dependencies (#1906)
• 28ebc46 build: TS6 + oxc.rs (#1905)
• b98e355 chore: bump vite from 7.1.12 to 7.3.2 (#1904)
• bbe57d0 chore: bump @​xmldom/xmldom from 0.8.8 to 0.8.12 (#1903)
• 2f53752 build: remove lodash dependency (#1902)
• 201baa4 chore: resolve dependabot security alerts (#1901)
• cbdf34d ci: fix zizmor audit findings (#1899)
• d862e81 chore(ci): group Dependabot updates (#1898)
• a5a2ea0 chore: bump actions/setup-node from 6.2.0 to 6.3.0 (#1893)
• 431e9de chore: bump azure/login from 2.3.0 to 3.0.0 (#1895)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates electron-to-chromium from 1.5.336 to 1.5.353

Commits

• d2bd4d8 1.5.353
• 3c6685c generate new version
• d542de9 1.5.352
• 7b711f1 generate new version
• f3e7665 1.5.351
• 4938def generate new version
• d292d13 1.5.350
• 800f78b generate new version
• 7fc7dcd 1.5.349
• 5549446 generate new version
• Additional commits viewable in compare view

Updates puppeteer-core from 24.41.0 to 24.43.1

Release notes

Sourced from puppeteer-core's releases.

puppeteer-core: v24.43.1

24.43.1 (2026-05-11)

🛠️ Fixes

• reject BiDi URL restrictions (#14956) (b2140ae)
• remove networkidle options from setContent (#14940) (54254e4)
• roll to Firefox 150.0.2 (#14946) (a588310)

⚡ Performance

• dispose sub-classes correctly (#14430) (e285ff2)
• optimize url blocking on navigation (#14945) (e4002a4)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.1 to 2.13.2

puppeteer-core: v24.43.0

24.43.0 (2026-05-06)

🎉 Features

• Implement allowlist (#14897) (e7e31f8)
• roll to Chrome 148.0.7778.56 (#14918) (65890b7)
• roll to Firefox 150.0 (#14900) (beab61b)
• support checkboxes and radios in locator.fill (#14939) (fec05a0)
• webmcp: Add support for untrustedContent WebMCPAnnotation (#14901) (0314942)

🛠️ Fixes

• Disable WebUIReloadButton experiment (#14925) (d9639e9)
• do not open DevTools if it is already open (#14922) (84c9d34)
• do not set global offline flag for allowlist (#14931) (d6a1003)
• roll to Chrome 148.0.7778.97 (#14929) (536eb11)
• roll to Firefox 150.0.1 (#14923) (50438cf)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.0 to 2.13.1

... (truncated)

Changelog

Sourced from puppeteer-core's changelog.

24.43.1 (2026-05-11)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.1 to 2.13.2

🛠️ Fixes

• reject BiDi URL restrictions (#14956) (b2140ae)
• remove networkidle options from setContent (#14940) (54254e4)
• roll to Firefox 150.0.2 (#14946) (a588310)

⚡ Performance

• dispose sub-classes correctly (#14430) (e285ff2)
• optimize url blocking on navigation (#14945) (e4002a4)

24.43.0 (2026-05-06)

🎉 Features

• Implement allowlist (#14897) (e7e31f8)
• roll to Chrome 148.0.7778.56 (#14918) (65890b7)
• roll to Firefox 150.0 (#14900) (beab61b)
• support checkboxes and radios in locator.fill (#14939) (fec05a0)
• webmcp: Add support for untrustedContent WebMCPAnnotation (#14901) (0314942)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 2.13.0 to 2.13.1

🛠️ Fixes

• Disable WebUIReloadButton experiment (#14925) (d9639e9)

... (truncated)

Commits

• 970bda6 chore: release main (#14944)
• 8465576 chore(deps): bump deps (#14962)
• e285ff2 perf: dispose sub-classes correctly (#14430)
• 6a091b6 build: fix tools/ensure-correct-devtools-protocol-package.mts (#14961)
• d8b5fd9 fix: do not use shell for setup.exe (#14959)
• b2140ae fix: reject BiDi URL restrictions (#14956)
• 4b4c762 chore(deps): bump fast-uri from 3.0.6 to 3.1.2 in /website (#14950)
• a588310 fix: roll to Firefox 150.0.2 (#14946)
• 9eb59d1 chore(deps): bump @​babel/plugin-transform-modules-systemjs from 7.28.5 to 7.2...
• 5bc26eb chore(deps): bump the all group in /website with 4 updates (#14952)
• Additional commits viewable in compare view

Updates esbuild from 0.27.7 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

Changelog

Sourced from esbuild's changelog.

0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• See full diff in compare view

Updates @tauri-apps/api from 2.10.1 to 2.11.0

Release notes

Sourced from @​tauri-apps/api's releases.

@​tauri-apps/api v2.11.0

No known vulnerabilities found

[2.11.0]

New Features

• 074299c08 (#14307) Add Bring All to Front predefined menu item type
• a12142a48 (#14357) Add macos support for setting the icon and icon template state in the same step of the main thread, to prevent flickering.
• 001c8fe3d (#14722) Add a WebView option to control browser-level general autofill behavior. This option does not disable password or credit card autofill. On Windows (WebView2), setting it to true disables the general autofill "Suggestions" UI, which may appear even when autocomplete="off" is specified on input elements. On Linux, macOS, iOS, and Android, this option is currently unsupported and performs no operation.
• eb0312ea9 (#15199) Propagates the Event::Suspended and Event::Resumed events from tao when they are emitted on mobile targets.

> @tauri-apps/api@2.11.0 npm-publish /home/runner/work/tauri/tauri/packages/api
> pnpm build && cd ./dist && pnpm publish --access public --loglevel silly --no-git-checks
> @​tauri-apps/api@​2.11.0 build /home/runner/work/tauri/tauri/packages/api
> rollup -c --configPlugin typescript
�[36m
�[1m./src/app.ts, ./src/core.ts, ./src/dpi.ts, ./src/event.ts, ./src/image.ts, ./src/index.ts, ./src/menu.ts, ./src/mocks.ts, ./src/path.ts, ./src/tray.ts, ./src/webview.ts, ./src/webviewWindow.ts, ./src/window.ts�[22m → �[1m./dist, ./dist�[22m...�[39m
�[32mcreated �[1m./dist, ./dist�[22m in �[1m1s�[22m�[39m
�[36m
�[1msrc/index.ts�[22m → �[1m../../crates/tauri/scripts/bundle.global.js�[22m...�[39m
�[32mcreated �[1m../../crates/tauri/scripts/bundle.global.js�[22m in �[1m1.6s�[22m�[39m
npm verbose cli /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/npm
npm info using npm@11.11.0
npm info using node@v24.14.1
npm silly config load:file:/opt/hostedtoolcache/node/24.14.1/x64/lib/node_modules/npm/npmrc
npm silly config load:file:/tmp/62753b73fd2498862aee9b07ed29cc21/.npmrc
npm silly config load:file:/home/runner/.npmrc
npm silly config load:file:/home/runner/.config/pnpm/rc
npm verbose title npm publish tauri-apps-api-2.11.0.tgz
npm verbose argv "publish" "--ignore-scripts" "tauri-apps-api-2.11.0.tgz" "--access" "public" "--loglevel" "silly"
npm verbose logfile logs-max:10 dir:/home/runner/.npm/_logs/2026-04-30T15_51_13_171Z-
npm verbose logfile /home/runner/.npm/_logs/2026-04-30T15_51_13_171Z-debug-0.log
npm warn Unknown env config "verify-deps-before-run". This will stop working in the next major version of npm. See npm help npmrc for supported config options.
npm warn Unknown env config "npm-globalconfig". This will stop working in the next major version of npm. See npm help npmrc for supported config options.
npm warn Unknown env config "_jsr-registry". This will stop working in the next major version of npm. See npm help npmrc for supported config options.
</tr></table>

... (truncated)

Commits

• e60834f Apply Version Updates From Current Changes (#15041)
• df05c00 chore: minor bump for codegen crate
• 13bea17 chore: fmt
• 9808236 fix(macOS): correct value for work_area.position.y (#14655)
• eb0312e feat(mobile): Propagate tao::Event::Suspended and tao::Event::Resumed to the ...
• 4ef5797 feat(ios): add --no-sign and --archive-only flags to ios build (#15061)
• 110336c fix(macOS): fix incorrect window position on multi-monitor setups (#15250)
• c00a3db feat(macros): add support for rename command macro in tauri-macros #14173 (#1...
• 764b913 feat(cli): restart Android emulator if it is disconnected from adb (#14313)
• 1035f12 fix(windows): tauri-bundler detect arm system (#14923)
• Additional commits viewable in compare view

Updates @tauri-apps/plugin-deep-link from 2.4.8 to 2.4.9

Release notes

Sourced from @​tauri-apps/plugin-deep-link's releases.

deep-link-js v2.4.9

[2.4.9]

• e6cdc9f5 (#3396 by @​Legend-Master) Fix broken iOS custom URL schemes

npm warn Unknown user config "always-auth". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an object
npm warn publish "repository.url" was normalized to "git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦  @tauri-apps/plugin-deep-link@2.4.9
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 6.2kB README.md
npm notice 3.5kB dist-js/index.cjs
npm notice 2.9kB dist-js/index.d.ts
npm notice 3.4kB dist-js/index.js
npm notice 801B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-deep-link
npm notice version: 2.4.9
npm notice filename: tauri-apps-plugin-deep-link-2.4.9.tgz
npm notice package size: 4.4 kB
npm notice unpacked size: 17.7 kB
npm notice shasum: ae56d59130380f806b533b3107c3f16654e66a8d
npm notice integrity: sha512-u0SKOUHnJ1wqe[...]hIvqLBRpgHJlA==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=1429011657
+ @tauri-apps/plugin-deep-link@2.4.9

deep-link v2.4.9

[2.4.9]

• e6cdc9f5 (#3396 by @​Legend-Master) Fix broken iOS custom URL schemes

</tr></table> 

... (truncated)

Commits

• 5c7668b publish new versions (#3397)
• ec05401 chore(deps): update rust crate toml to v1 (#3323)
• b86e999 chore(deps): update tauri packages to 2.11 (#3407)
• c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
• 1bb7beb chore(deps): bump openssl (#3402)
• 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
• af81fda docs(readme): fix platform support matrix (mobile is supported)
• c1fd33b fix(opener): allow open network share locations (#3343)
• 250857b chore(deps): update dependency typescript to v6 (#3363)
• 964e13f fix(store): dead lock trying to set while exiting (#3395)
• Additional commits viewable in compare view

Updates electron from 41.2.0 to 41.5.1

Release notes

Sourced from electron's releases.

electron v41.5.1

Release Notes for v41.5.1

Fixes

• Fixed app.getLoginItemSettings() returning undefined for executableWillLaunchAtLogin on macOS; the property is now always a boolean. #51508 (Also in 40, 42)
• Fixed a potential race condition crash when closing DevTools. #51474 (Also in 42)
• Fixed cross-origin isolation failing for non-file origins. #51403 (Also in 42)
• Improved the way Electron determines the default XDG App ID and WM_CLASS on Linux for better platform compatibility if desktopName is not provided in package.json. #51480 (Also in 42)

electron v41.5.0

Release Notes for v41.5.0

Features

• Added app.configureWebAuthn() to enable the Touch ID platform authenticator for WebAuthn on macOS, and a select-webauthn-account session event for choosing between multiple discoverable credentials. #51412 (Also in 42)

Fixes

• Fixed a regression on Windows where frameless windows changed their size after calling setResizable. #51427 (Also in 42)
• Fixed an issue on Windows where a transient UnhookWindowsHookEx failure in setIgnoreMouseEvents(true, { forward: true }) teardown could cause duplicate low-level mouse hooks to be installed on the next activation. #51419 (Also in 42)
• Fixed remote debugging via --remote-debugging-port not working when inspecting from Chrome's chrome://inspect page. The DevTools page would appear empty due to the frontend URL pointing to a CDN that returned 404 for Electron's Chromium builds. #51413

electron v41.4.0

Release Notes for v41.4.0

Features

• Added support for heap profiling via contentTracing.enableHeapProfiling(). #51178 (Also in 42)

Fixes

• Ensured cross-origin fetch() and XHR are blocked for custom protocols registered with supportFetchAPI: true unless corsEnabled: true is also set; cross-origin mode: 'no-cors' requests now receive an opaque response. #51270 (Also in 39, 40, 42)
• Fixed a crash when providing invalid HTTP header names or values in the webRequest.onBeforeSendHeaders() callback. #51365 (Also in 40, 42)
• Fixed a bug that cause offscreen rendering doesn't have valid screen info and unable to get valid result of related media queries.
  • Added webPreference.offscreen.deviceScaleFactor to allow user specify a value, instead of using user's primary display's value. #50375 (Also in 40)
• Fixed a bug where errors would occur when using the Chrome DevTools Fetch API. #51371 (Also in 42)
• Fixed a crash that could occur when an autofill suggestion popup was shown while a window was closing. #51321 (Also in 42)
• Fixed a regression where frameless fullscreen windows had white borders on Windows. #51332 (Also in 42)
• Fixed a renderer crash when a page uses the <geolocation> HTML element.

[github-actions]

Release Preview — no release

No bump label detected.
Reason: No release labels found (need bump:* or release:stable)
Note: Add bump:patch, bump:minor, or bump:major to trigger a release.

---

Updated automatically by ReleaseKit

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.