Electron 'remote' Deprecated

Electron is deprecating the remote module, which we appear to use in Mailspring. There are some “serious security liabilities” with it that Electron wishes to mitigate.

According to the plan, remote will be removed on Electron 14.

Heads up, @bengotow!

1 Like

To elaborate on “serious security liabilities”…

I think @electron/remote will still be available in userland, but it’s definitely something that Mailspring should avoid and replace with regular, contract-based IPC. This is because Mailspring renders 3rd-party content, which could potentially break out of the sandbox and access remote and gain full unsandboxed access to the Node.js process, which has access to the system.

This doesn’t seem like too bad of a lift in Mailspring, most of the usage of remote seems to be out of convenience and could easily be ported to IPC calls.

1 Like