Update Electron resources dependencies and clear all npm advisories #122
Merged
Laravel 13.13.0 tightened the HTTP client's header casting to throw on non-scalar values. The X-NativePHP-Secret header is set from config('nativephp-internal.secret'), which is null when NATIVEPHP_SECRET is unset, so every request blew up with an InvalidArgumentException.
Casting to a string keeps null as an empty string, which the client accepts. This is what older Laravel versions did implicitly.
SRWieZ approved these changes on Jun 4, 2026
SRWieZ (Member) left a comment:
Thanks for this bump and also for the explanations
Updates every dependency in resources/electron so native:run stops surfacing npm security advisories. npm audit goes from 26 vulnerabilities (1 critical, 16 high, 8 moderate, 1 low) to 0. Composer was checked too and needs nothing.
Versions were researched and pinned deliberately rather than blind-bumped: latest minor/patch within each current major, crossing a major only where an advisory forces it. That happens in two places, Electron and Vitest, both covered below.
Vitest 4 migration
The critical vitest advisory only clears on 4.x, and v4 had two breaking changes for us:
@vitest/coverage-v8 is now an explicit devDependency and --coverage.all (removed in v4) becomes --coverage.new, so arrow-function factories throw "is not a constructor". The electron-store mock is now a class and the Notification, BrowserWindow, and Tray mocks are regular functions.
Plugin tests are green: 18/18 pass.
Why Electron is capped at 40 for now
40.10.2 is the smallest bump that clears the advisory (fixed in 39.8.5) and stays on a supported major. Going further means taking on the 41 and 42 API changes below for no extra security. OS support floors are unchanged from 38 (macOS 12+, Windows 10+).
What's needed to go to 42 and beyond
NSUserNotification for UNNotification, which only renders notifications when the app is code-signed. We construct Notification directly in the main process, so unsigned dev and local builds would silently stop showing notifications. Needs a signing story documented for app developers first.
postinstall. Worth confirming our build and run flow handles that cleanly.