[Security] Bump electron from 4.1.4 to 5.0.0

[dependabot-preview]

Bumps electron from 4.1.4 to 5.0.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Node Security Working Group.

Arbitrary Code Execution
A vulnerability in Chromium, which Electron is based on, can be exploited and used to execute arbitrary code. According to the Electron team, "this affects any Electron application that may run third-party or untrusted JavaScript." Depending on the Electron application's privileges, this can allow an attacker to create and delete files or modify a user's system in other ways. Google has received reports of this vulnerability being exploited in the wild.

Affected versions: <2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5

Release notes

Sourced from electron's releases.

electron v5.0.0

Release Notes for v5.0.0

Breaking Changes

• Upgraded to Chromium 73.0.3683.119, Node.js 12.0.0, and V8 7.3.492.27.

Features

• Added `ELECTRON_DISABLE_SANDBOX environment variable to make it easier to disable sandboxing in Docker-based Linux CI environments. #16662
• Added Promise support for the Cookies API. #16702
• Added activate option to webContents.openDevTools. #13852
• Added app.commandLine.hasSwitch() / app.commandLine.getSwitchValue(). #16282
• Added fileMenu / viewMenu / appMenu roles. #16328
• Added ipc-message and ipc-message-sync events to webContents. #16468
• Added preload-error event to webContents emitted when preload script fails (parse error, unhandled exception, etc.). #16411
• Added win.removeMenu() to remove application menus instead of using win.setMenu(null). #16657
• Added a way to query for system colors on MacOS via systemPreferences.getSystemColor(). #16248
• Added about panel customization on linux. #15658
• Added caps lock and numlock as keyboard accelerator modifiers. #16725
• Added event and method to detect high contrast color schemes . #15493
• Added getMemoryFootprint API. #14847
• Added macOS support for systemPreferences.getAccentColor(). #16251
• Added macOS support to systemPreferences.getColor(). #16249
• Added methods to DownloadItem that enable customization of the save dialog options during will-download events. #15497
• Added response header support to protocol.registerFileProtocol to match protocol.registerStreamProtocol. #16098
• Added support for DesktopCapturerSource.appIcon. 1f55f163
• Added support for multiple browser views per BrowserWindow. #16148
• Added support for running preload scripts and nodeIntegration in iframes. #16425
• Allow for MacOS notifications to be immediately delivered. #16060
• Allow numpad keys to be used as accelerators. #15689
• Allow partial setting of window bounds with win.setBounds(). #15677
• Allow registering of multiple globalShortcuts. #15542
• Allowed filtering of remote.getBuiltin(), remote.getCurrentWindow(), remote.getCurrentWebContents and <webview>.getWebContents(). #16293
• Converted contentTracing.getCategories() to return a promise instead taking a callback. #16624
• Converted contentTracing.startRecording() and contentTracing.stopRecording() to return a promise instead taking a callback. #16642
• Converted debugger.sendCommand() to return a Promise instead of taking a callback. #16931
• Converted zoomLevel() and zoomFactor() for webContents and <webview> to return a promise instead taking a callback. #16410
• Deprecated modules internally using remote.require in sandboxed renderer context. #15145
• Enabled NodeIntegrationInSubFrames option usage for webview tags. #17398
• Enabled the setuid sandbox on Linux, allowing Electron to launch sandboxed processes in environments that disable CLONE_NEWUSER for unprivileged users. #17343
• Exposed an API to allow apps to determine their status as a trusted accessibility client. #16119
• Provided user system's region with app.getLocaleCountryCode(). #15035
• Enabled mixed-sandbox mode by default. enableMixedSandbox and the --enable-mixed-sandbox command-line switch still exist for compatibility, but are deprecated and have no effect. #15894
• Mixed-sandbox mode works on Linux. #15870
• Promisified app.getFileIcon. #15742
• Promisified shell.openExternal() by splitting it into a sync and async method. #16176
• Promisified win.capturePage(). #15743
• Implemented the browser-backward and browser-forward app-command events available in BrowserWindow on Linux. #15441
• Unified behavior between the default app and packaged apps (application menu / window-all-closed handling). #16310

... (truncated)

Commits

• 7514372 Bump v5.0.0
• 151a338 Revert "Bump v5.0.0"
• d572935 Bump v5.0.0
• c400976 build: fix bump-version script for stable releases
• 3408997 Revert "Bump v5.0.0"
• 9ca2b31 Bump v5.0.0
• 5aa0a1a build: fix release notes generation
• 3825bf0 fix: enable autofill popups on mac (backport: 5-0-x) (#17888)
• d15bcfb refactor: allow embedder overriding of internal FS calls (#17906)
• ccb051c fix: remove duplicate function deprecator
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.