Bump v17.0.0-nightly.20210928

Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>

.github/CODEOWNERS

@@ -16,3 +16,4 @@ DEPS                                    @electron/wg-upgrades
 /lib/browser/guest-view-manager.ts      @electron/wg-security
 /lib/browser/guest-window-proxy.ts      @electron/wg-security
 /lib/browser/rpc-server.ts              @electron/wg-security
+/lib/renderer/security-warnings.ts      @electron/wg-security

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -8,9 +8,9 @@ body:
     label: Preflight Checklist
     description: Please ensure you've completed all of the following.
     options:
-      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/master/CONTRIBUTING.md) for this project.
+      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) for this project.
         required: true
-      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/master/CODE_OF_CONDUCT.md) that this project adheres to.
+      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) that this project adheres to.
         required: true
       - label: I have searched the [issue tracker](https://www.github.com/electron/electron/issues) for a feature request that matches the one I want to file, without success.
         required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -8,9 +8,9 @@ body:
     label: Preflight Checklist
     description: Please ensure you've completed all of the following.
     options:
-      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/master/CONTRIBUTING.md) for this project.
+      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) for this project.
         required: true
-      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/master/CODE_OF_CONDUCT.md) that this project adheres to.
+      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) that this project adheres to.
         required: true
       - label: I have searched the [issue tracker](https://www.github.com/electron/electron/issues) for a feature request that matches the one I want to file, without success.
         required: true

.github/ISSUE_TEMPLATE/mac_app_store_private_api_rejection.yml

@@ -7,9 +7,9 @@ body:
     label: Preflight Checklist
     description: Please ensure you've completed all of the following.
     options:
-      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/master/CONTRIBUTING.md) for this project.
+      - label: I have read the [Contributing Guidelines](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) for this project.
         required: true
-      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/master/CODE_OF_CONDUCT.md) that this project adheres to.
+      - label: I agree to follow the [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) that this project adheres to.
         required: true
 - type: input
   attributes:

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,7 +3,7 @@
 Thank you for your Pull Request. Please provide a description above and review
 the requirements below.
 
-Contributors guide: https://github.com/electron/electron/blob/master/CONTRIBUTING.md
+Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.md
 -->
 
 #### Checklist
@@ -11,7 +11,7 @@ Contributors guide: https://github.com/electron/electron/blob/master/CONTRIBUTIN
 
 - [ ] PR description included and stakeholders cc'd
 - [ ] `npm test` passes
-- [ ] tests are [changed or added](https://github.com/electron/electron/blob/master/docs/development/testing.md)
+- [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant documentation is changed or added
 - [ ] [PR release notes](https://github.com/electron/clerk/blob/master/README.md) describe the change in a way relevant to app developers, and are [capitalized, punctuated, and past tense](https://github.com/electron/clerk/blob/master/README.md#examples).
 

.github/config.yml

@@ -2,7 +2,7 @@
 newPRWelcomeComment: |
   💖 Thanks for opening this pull request! 💖
 
-  We use [semantic commit messages](https://github.com/electron/electron/blob/master/docs/development/pull-requests.md#commit-message-guidelines) to streamline the release process. Before your pull request can be merged, you should **update your pull request title** to start with a semantic prefix.
+  We use [semantic commit messages](https://github.com/electron/electron/blob/main/docs/development/pull-requests.md#commit-message-guidelines) to streamline the release process. Before your pull request can be merged, you should **update your pull request title** to start with a semantic prefix.
 
   Examples of commit messages with semantic prefixes:
 
@@ -12,9 +12,9 @@ newPRWelcomeComment: |
 
   Things that will help get your PR across the finish line:
 
-  - Follow the JavaScript, C++, and Python [coding style](https://github.com/electron/electron/blob/master/docs/development/coding-style.md).
+  - Follow the JavaScript, C++, and Python [coding style](https://github.com/electron/electron/blob/main/docs/development/coding-style.md).
   - Run `npm run lint` locally to catch formatting errors earlier.
-  - Document any user-facing changes you've made following the [documentation styleguide](https://github.com/electron/electron/blob/master/docs/styleguide.md).
+  - Document any user-facing changes you've made following the [documentation styleguide](https://github.com/electron/electron/blob/main/docs/styleguide.md).
   - Include tests when adding/changing behavior.
   - Include screenshots and animated GIFs whenever possible.
 

BUILD.gn

@@ -379,6 +379,7 @@ source_set("electron_lib") {
     "//ppapi/shared_impl",
     "//printing/buildflags",
     "//services/device/public/cpp/geolocation",
+    "//services/device/public/cpp/hid",
     "//services/device/public/mojom",
     "//services/proxy_resolver:lib",
     "//services/video_capture/public/mojom:constants",
@@ -1024,6 +1025,12 @@ if (is_mac) {
     outputs = [ "{{bundle_resources_dir}}/{{source_file_part}}" ]
   }
 
+  asar_hashed_info_plist("electron_app_plist") {
+    keys = [ "DEFAULT_APP_ASAR_HEADER_SHA" ]
+    hash_targets = [ ":default_app_asar_header_hash" ]
+    plist_file = "shell/browser/resources/mac/Info.plist"
+  }
+
   mac_app_bundle("electron_app") {
     output_name = electron_product_name
     sources = filenames.app_sources
@@ -1031,6 +1038,7 @@ if (is_mac) {
     include_dirs = [ "." ]
     deps = [
       ":electron_app_framework_bundle_data",
+      ":electron_app_plist",
       ":electron_app_resources",
       ":electron_fuses",
       "//base",
@@ -1039,7 +1047,7 @@ if (is_mac) {
     if (is_mas_build) {
       deps += [ ":electron_login_helper_app" ]
     }
-    info_plist = "shell/browser/resources/mac/Info.plist"
+    info_plist_target = ":electron_app_plist"
     extra_substitutions = [
       "ELECTRON_BUNDLE_ID=$electron_mac_bundle_id",
       "ELECTRON_VERSION=$electron_version",

CONTRIBUTING.md

@@ -36,7 +36,7 @@ Having the original text _as well as_ the translation can help mitigate translat
 
 Responses to posted issues may or may not be in the original language.
 
-**Please note** that using non-English as an attempt to circumvent our [Code of Conduct](https://github.com/electron/electron/blob/master/CODE_OF_CONDUCT.md) will be an immediate, and possibly indefinite, ban from the project.
+**Please note** that using non-English as an attempt to circumvent our [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) will be an immediate, and possibly indefinite, ban from the project.
 
 ## [Pull Requests](https://electronjs.org/docs/development/pull-requests)
 

DEPS

@@ -17,7 +17,7 @@ vars = {
   'chromium_version':
     '95.0.4629.0',
   'node_version':
-    'v16.8.0',
+    'v16.10.0',
   'nan_version':
     # The following commit hash of NAN is v2.14.2 with *only* changes to the
     # test suite. This should be updated to a specific tag when one becomes

ELECTRON_VERSION

@@ -1 +1 @@
-16.0.0-nightly.20210907
+17.0.0-nightly.20210928

README.md

@@ -1,7 +1,7 @@
 [![Electron Logo](https://electronjs.org/images/electron-logo.svg)](https://electronjs.org)
 
-[![CircleCI Build Status](https://circleci.com/gh/electron/electron/tree/master.svg?style=shield)](https://circleci.com/gh/electron/electron/tree/master)
-[![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/4lggi9dpjc1qob7k/branch/master?svg=true)](https://ci.appveyor.com/project/electron-bot/electron-ljo26/branch/master)
+[![CircleCI Build Status](https://circleci.com/gh/electron/electron/tree/main.svg?style=shield)](https://circleci.com/gh/electron/electron/tree/main)
+[![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/4lggi9dpjc1qob7k/branch/main?svg=true)](https://ci.appveyor.com/project/electron-bot/electron-ljo26/branch/main)
 [![Electron Discord Invite](https://img.shields.io/discord/745037351163527189?color=%237289DA&label=chat&logo=discord&logoColor=white)](https://discord.com/invite/electron)
 
 :memo: Available Translations: 🇨🇳 🇧🇷 🇪🇸 🇯🇵 🇷🇺 🇫🇷 🇺🇸 🇩🇪.
@@ -16,7 +16,7 @@ Follow [@ElectronJS](https://twitter.com/electronjs) on Twitter for important
 announcements.
 
 This project adheres to the Contributor Covenant
-[code of conduct](https://github.com/electron/electron/tree/master/CODE_OF_CONDUCT.md).
+[code of conduct](https://github.com/electron/electron/tree/main/CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report unacceptable
 behavior to [coc@electronjs.org](mailto:coc@electronjs.org).
 
@@ -97,6 +97,6 @@ and more can be found in the [support document](docs/tutorial/support.md#finding
 
 ## License
 
-[MIT](https://github.com/electron/electron/blob/master/LICENSE)
+[MIT](https://github.com/electron/electron/blob/main/LICENSE)
 
 When using the Electron or other GitHub logos, be sure to follow the [GitHub logo guidelines](https://github.com/logos).

SECURITY.md

@@ -10,7 +10,7 @@ Report security bugs in third-party modules to the person or team maintaining th
 
 ## The Electron Security Notification Process
 
-For context on Electron's security notification process, please see the [Notifications](https://github.com/electron/governance/blob/master/wg-security/membership-and-notifications.md#notifications) section of the Security WG's [Membership and Notifications](https://github.com/electron/governance/blob/master/wg-security/membership-and-notifications.md) Governance document.
+For context on Electron's security notification process, please see the [Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md#notifications) section of the Security WG's [Membership and Notifications](https://github.com/electron/governance/blob/main/wg-security/membership-and-notifications.md) Governance document.
 
 ## Learning More About Security
 

build/args/all.gn

@@ -2,7 +2,7 @@ is_electron_build = true
 root_extra_deps = [ "//electron" ]
 
 # Registry of NMVs --> https://github.com/nodejs/node/blob/master/doc/abi_version_registry.json
-node_module_version = 89
+node_module_version = 99
 
 v8_promise_internal_field_count = 1
 v8_typed_array_max_size_in_heap = 0

build/asar.gni

@@ -57,4 +57,42 @@ template("asar") {
              rebase_path(outputs[0]),
            ]
   }
+
+  node_action(target_name + "_header_hash") {
+    invoker_out = invoker.outputs
+
+    deps = [ ":" + invoker.target_name ]
+    sources = invoker.outputs
+
+    script = "//electron/script/gn-asar-hash.js"
+    outputs = [ "$target_gen_dir/asar_hashes/$target_name.hash" ]
+
+    args = [
+      rebase_path(invoker_out[0]),
+      rebase_path(outputs[0]),
+    ]
+  }
+}
+
+template("asar_hashed_info_plist") {
+  node_action(target_name) {
+    assert(defined(invoker.plist_file),
+           "Need plist_file to add hashed assets to")
+    assert(defined(invoker.keys), "Need keys to replace with asset hash")
+    assert(defined(invoker.hash_targets), "Need hash_targets to read hash from")
+
+    deps = invoker.hash_targets
+
+    script = "//electron/script/gn-plist-but-with-hashes.js"
+    inputs = [ invoker.plist_file ]
+    outputs = [ "$target_gen_dir/hashed_plists/$target_name.plist" ]
+    hash_files = []
+    foreach(hash_target, invoker.hash_targets) {
+      hash_files += get_target_outputs(hash_target)
+    }
+    args = [
+             rebase_path(invoker.plist_file),
+             rebase_path(outputs[0]),
+           ] + invoker.keys + rebase_path(hash_files)
+  }
 }

build/fuses/fuses.json5

@@ -5,5 +5,7 @@
   "run_as_node": "1",
   "cookie_encryption": "0",
   "node_options": "1",
-  "node_cli_inspect": "1"
+  "node_cli_inspect": "1",
+  "embedded_asar_integrity_validation": "0",
+  "only_load_app_from_asar": "0"
 }

chromium_src/BUILD.gn

@@ -48,6 +48,8 @@ static_library("chrome") {
     "//chrome/browser/predictors/resolve_host_client_impl.cc",
     "//chrome/browser/predictors/resolve_host_client_impl.h",
     "//chrome/browser/process_singleton.h",
+    "//chrome/browser/ui/browser_dialogs.cc",
+    "//chrome/browser/ui/browser_dialogs.h",
     "//chrome/browser/ui/views/autofill/autofill_popup_view_utils.cc",
     "//chrome/browser/ui/views/autofill/autofill_popup_view_utils.h",
     "//chrome/browser/ui/views/eye_dropper/eye_dropper.cc",
@@ -321,17 +323,13 @@ source_set("plugins") {
   sources += [
     "//chrome/renderer/pepper/chrome_renderer_pepper_host_factory.cc",
     "//chrome/renderer/pepper/chrome_renderer_pepper_host_factory.h",
+    "//chrome/renderer/pepper/pepper_flash_font_file_host.cc",
+    "//chrome/renderer/pepper/pepper_flash_font_file_host.h",
     "//chrome/renderer/pepper/pepper_shared_memory_message_filter.cc",
     "//chrome/renderer/pepper/pepper_shared_memory_message_filter.h",
   ]
   if (enable_pdf_viewer) {
-    sources += [
-      "//chrome/renderer/pepper/pepper_flash_font_file_host.cc",
-      "//chrome/renderer/pepper/pepper_flash_font_file_host.h",
-    ]
-    if (enable_pdf_viewer) {
-      deps += [ "//components/pdf/renderer" ]
-    }
+    deps += [ "//components/pdf/renderer" ]
   }
   deps += [
     "//components/strings",

docs/api/app.md

@@ -277,6 +277,7 @@ Returns:
 * `certificate` [Certificate](structures/certificate.md)
 * `callback` Function
   * `isTrusted` Boolean - Whether to consider the certificate as trusted
+* `isMainFrame` Boolean
 
 Emitted when failed to verify the `certificate` for `url`, to trust the
 certificate you should prevent the default behavior with

docs/api/auto-updater.md

@@ -43,7 +43,7 @@ The installer generated with Squirrel will create a shortcut icon with an
 same ID for your app with `app.setAppUserModelId` API, otherwise Windows will
 not be able to pin your app properly in task bar.
 
-Unlike Squirrel.Mac, Windows can host updates on S3 or any other static file host.
+Like Squirrel.Mac, Windows can host updates on S3 or any other static file host.
 You can read the documents of [Squirrel.Windows][squirrel-windows] to get more details
 about how Squirrel.Windows works.
 

docs/api/browser-window.md

@@ -22,12 +22,13 @@ win.loadFile('index.html')
 To create a window without chrome, or a transparent window in arbitrary shape,
 you can use the [Frameless Window](frameless-window.md) API.
 
-## Showing window gracefully
+## Showing the window gracefully
 
-When loading a page in the window directly, users may see the page load incrementally, which is not a good experience for a native app. To make the window display
-without visual flash, there are two solutions for different situations.
+When loading a page in the window directly, users may see the page load incrementally,
+which is not a good experience for a native app. To make the window display
+without a visual flash, there are two solutions for different situations.
 
-## Using `ready-to-show` event
+### Using the `ready-to-show` event
 
 While loading the page, the `ready-to-show` event will be emitted when the renderer
 process has rendered the page for the first time if the window has not been shown yet. Showing
@@ -48,7 +49,7 @@ event.
 Please note that using this event implies that the renderer will be considered "visible" and
 paint even though `show` is false.  This event will never fire if you use `paintWhenInitiallyHidden: false`
 
-## Setting `backgroundColor`
+### Setting the `backgroundColor` property
 
 For a complex app, the `ready-to-show` event could be emitted too late, making
 the app feel slow. In this case, it is recommended to show the window
@@ -987,7 +988,7 @@ the player itself we would call this function with arguments of 16/9 and
 are within the content view--only that they exist. Sum any extra width and
 height areas you have within the overall content view.
 
-The aspect ratio is not respected when window is resized programmingly with
+The aspect ratio is not respected when window is resized programmatically with
 APIs like `win.setSize`.
 
 #### `win.setBackgroundColor(backgroundColor)`

docs/api/dialog.md

@@ -234,6 +234,7 @@ expanding and collapsing the dialog.
   * `title` String (optional) - Title of the message box, some platforms will not show it.
   * `detail` String (optional) - Extra information of the message.
   * `icon` ([NativeImage](native-image.md) | String) (optional)
+  * `textWidth` Integer (optional) _macOS_ - Custom width of the text in the message box.
   * `cancelId` Integer (optional) - The index of the button to be used to cancel the dialog, via
     the `Esc` key. By default this is assigned to the first button with "cancel" or "no" as the
     label. If no such labeled buttons exist and this option is not set, `0` will be used as the
@@ -285,6 +286,7 @@ If `browserWindow` is not shown dialog will not be attached to it. In such case
   * `checkboxChecked` Boolean (optional) - Initial checked state of the
     checkbox. `false` by default.
   * `icon` [NativeImage](native-image.md) (optional)
+  * `textWidth` Integer (optional) _macOS_ - Custom width of the text in the message box.
   * `cancelId` Integer (optional) - The index of the button to be used to cancel the dialog, via
     the `Esc` key. By default this is assigned to the first button with "cancel" or "no" as the
     label. If no such labeled buttons exist and this option is not set, `0` will be used as the

docs/api/session.md

@@ -180,6 +180,96 @@ Emitted when a hunspell dictionary file download fails.  For details
 on the failure you should collect a netlog and inspect the download
 request.
 
+#### Event: 'select-hid-device'
+
+Returns:
+
+* `event` Event
+* `details` Object
+  * `deviceList` [HIDDevice[]](structures/hid-device.md)
+  * `frame` [WebFrameMain](web-frame-main.md)
+* `callback` Function
+  * `deviceId` String | null (optional)
+
+Emitted when a HID device needs to be selected when a call to
+`navigator.hid.requestDevice` is made. `callback` should be called with
+`deviceId` to be selected; passing no arguments to `callback` will
+cancel the request.  Additionally, permissioning on `navigator.hid` can
+be further managed by using [ses.setPermissionCheckHandler(handler)](#sessetpermissioncheckhandlerhandler)
+and [ses.setDevicePermissionHandler(handler)`](#sessetdevicepermissionhandlerhandler).
+
+```javascript
+const { app, BrowserWindow } = require('electron')
+
+let win = null
+
+app.whenReady().then(() => {
+  win = new BrowserWindow()
+
+  win.webContents.session.setPermissionCheckHandler((webContents, permission, requestingOrigin, details) => {
+    if (permission === 'hid') {
+      // Add logic here to determine if permission should be given to allow HID selection
+      return true
+    }
+    return false
+  })
+
+  // Optionally, retrieve previously persisted devices from a persistent store
+  const grantedDevices = fetchGrantedDevices()
+
+  win.webContents.session.setDevicePermissionHandler((details) => {
+    if (new URL(details.origin).hostname === 'some-host' && details.deviceType === 'hid') {
+      if (details.device.vendorId === 123 && details.device.productId === 345) {
+        // Always allow this type of device (this allows skipping the call to `navigator.hid.requestDevice` first)
+        return true
+      }
+
+      // Search through the list of devices that have previously been granted permission
+      return grantedDevices.some((grantedDevice) => {
+        return grantedDevice.vendorId === details.device.vendorId &&
+              grantedDevice.productId === details.device.productId &&
+              grantedDevice.serialNumber && grantedDevice.serialNumber === details.device.serialNumber
+      })
+    }
+    return false
+  })
+
+  win.webContents.session.on('select-hid-device', (event, details, callback) => {
+    event.preventDefault()
+    const selectedDevice = details.deviceList.find((device) => {
+      return device.vendorId === '9025' && device.productId === '67'
+    })
+    callback(selectedPort?.deviceId)
+  })
+})
+```
+
+#### Event: 'hid-device-added'
+
+Returns:
+
+* `event` Event
+* `details` Object
+  * `device` [HIDDevice[]](structures/hid-device.md)
+  * `frame` [WebFrameMain](web-frame-main.md)
+
+Emitted when a new HID device becomes available. For example, when a new USB device is plugged in.
+
+This event will only be emitted after `navigator.hid.requestDevice` has been called and `select-hid-device` has fired.
+
+#### Event: 'hid-device-removed'
+
+Returns:
+
+* `event` Event
+* `details` Object
+  * `device` [HIDDevice[]](structures/hid-device.md)
+  * `frame` [WebFrameMain](web-frame-main.md)
+
+Emitted when a HID device has been removed.  For example, this event will fire when a USB device is unplugged.
+
+This event will only be emitted after `navigator.hid.requestDevice` has been called and `select-hid-device` has fired.
+
 #### Event: 'select-serial-port'
 
 Returns:
@@ -525,7 +615,7 @@ session.fromPartition('some-partition').setPermissionRequestHandler((webContents
 
 * `handler` Function\<Boolean> | null
   * `webContents` ([WebContents](web-contents.md) | null) - WebContents checking the permission.  Please note that if the request comes from a subframe you should use `requestingUrl` to check the request origin.  All cross origin sub frames making permission checks will pass a `null` webContents to this handler, while certain other permission checks such as `notifications` checks will always pass `null`.  You should use `embeddingOrigin` and `requestingOrigin` to determine what origin the owning frame and the requesting frame are on respectively.
-  * `permission` String - Type of permission check.  Valid values are `midiSysex`, `notifications`, `geolocation`, `media`,`mediaKeySystem`,`midi`, `pointerLock`, `fullscreen`, `openExternal`, or `serial`.
+  * `permission` String - Type of permission check.  Valid values are `midiSysex`, `notifications`, `geolocation`, `media`,`mediaKeySystem`,`midi`, `pointerLock`, `fullscreen`, `openExternal`, `hid`, or `serial`.
   * `requestingOrigin` String - The origin URL of the permission check
   * `details` Object - Some properties are only available on certain permission types.
     * `embeddingOrigin` String (optional) - The origin of the frame embedding the frame that made the permission check.  Only set for cross-origin sub frames making permission checks.
@@ -553,6 +643,71 @@ session.fromPartition('some-partition').setPermissionCheckHandler((webContents,
 })
 ```
 
+#### `ses.setDevicePermissionHandler(handler)`
+
+* `handler` Function\<Boolean> | null
+  * `details` Object
+    * `deviceType` String - The type of device that permission is being requested on, can be `hid`.
+    * `origin` String - The origin URL of the device permission check.
+    * `device` [HIDDevice](structures/hid-device.md) - the device that permission is being requested for.
+    * `frame` [WebFrameMain](web-frame-main.md) - WebFrameMain checking the device permission.
+
+Sets the handler which can be used to respond to device permission checks for the `session`.
+Returning `true` will allow the device to be permitted and `false` will reject it.
+To clear the handler, call `setDevicePermissionHandler(null)`.
+This handler can be used to provide default permissioning to devices without first calling for permission
+to devices (eg via `navigator.hid.requestDevice`).  If this handler is not defined, the default device
+permissions as granted through device selection (eg via `navigator.hid.requestDevice`) will be used.
+Additionally, the default behavior of Electron is to store granted device permision through the lifetime
+of the corresponding WebContents.  If longer term storage is needed, a developer can store granted device
+permissions (eg when handling the `select-hid-device` event) and then read from that storage with `setDevicePermissionHandler`.
+
+```javascript
+const { app, BrowserWindow } = require('electron')
+
+let win = null
+
+app.whenReady().then(() => {
+  win = new BrowserWindow()
+
+  win.webContents.session.setPermissionCheckHandler((webContents, permission, requestingOrigin, details) => {
+    if (permission === 'hid') {
+      // Add logic here to determine if permission should be given to allow HID selection
+      return true
+    }
+    return false
+  })
+
+  // Optionally, retrieve previously persisted devices from a persistent store
+  const grantedDevices = fetchGrantedDevices()
+
+  win.webContents.session.setDevicePermissionHandler((details) => {
+    if (new URL(details.origin).hostname === 'some-host' && details.deviceType === 'hid') {
+      if (details.device.vendorId === 123 && details.device.productId === 345) {
+        // Always allow this type of device (this allows skipping the call to `navigator.hid.requestDevice` first)
+        return true
+      }
+
+      // Search through the list of devices that have previously been granted permission
+      return grantedDevices.some((grantedDevice) => {
+        return grantedDevice.vendorId === details.device.vendorId &&
+              grantedDevice.productId === details.device.productId &&
+              grantedDevice.serialNumber && grantedDevice.serialNumber === details.device.serialNumber
+      })
+    }
+    return false
+  })
+
+  win.webContents.session.on('select-hid-device', (event, details, callback) => {
+    event.preventDefault()
+    const selectedDevice = details.deviceList.find((device) => {
+      return device.vendorId === '9025' && device.productId === '67'
+    })
+    callback(selectedPort?.deviceId)
+  })
+})
+```
+
 #### `ses.clearHostResolverCache()`
 
 Returns `Promise<void>` - Resolves when the operation is complete.

docs/api/structures/hid-device.md

@@ -0,0 +1,8 @@
+# HIDDevice Object
+
+* `deviceId` String - Unique identifier for the device.
+* `name` String - Name of the device.
+* `vendorId` Integer - The USB vendor ID.
+* `productId` Integer - The USB product ID.
+* `serialNumber` String (optional) - The USB device serial number.
+* `guid` String (optional) - Unique identifier for the HID interface.  A device may have multiple HID interfaces.

docs/api/web-contents.md

@@ -530,6 +530,7 @@ Returns:
 * `certificate` [Certificate](structures/certificate.md)
 * `callback` Function
   * `isTrusted` Boolean - Indicates whether the certificate can be considered trusted.
+* `isMainFrame` Boolean
 
 Emitted when failed to verify the `certificate` for `url`.
 
@@ -650,6 +651,7 @@ Returns:
 * `params` Object
   * `x` Integer - x coordinate.
   * `y` Integer - y coordinate.
+  * `frame` WebFrameMain - Frame from which the context menu was invoked.
   * `linkURL` String - URL of the link that encloses the node the context menu
     was invoked on.
   * `linkText` String - Text associated with the link. May be an empty
@@ -1825,7 +1827,8 @@ End subscribing for frame presentation events.
 #### `contents.startDrag(item)`
 
 * `item` Object
-  * `file` String[] | String - The path(s) to the file(s) being dragged.
+  * `file` String - The path to the file being dragged.
+  * `files` String[] (optional) - The paths to the files being dragged. (`files` will override `file` field)
   * `icon` [NativeImage](native-image.md) | String - The image must be
     non-empty on macOS.
 

docs/breaking-changes.md

@@ -632,7 +632,7 @@ error.
 ### API Changed: `shell.openItem` is now `shell.openPath`
 
 The `shell.openItem` API has been replaced with an asynchronous `shell.openPath` API.
-You can see the original API proposal and reasoning [here](https://github.com/electron/governance/blob/master/wg-api/spec-documents/shell-openitem.md).
+You can see the original API proposal and reasoning [here](https://github.com/electron/governance/blob/main/wg-api/spec-documents/shell-openitem.md).
 
 ## Planned Breaking API Changes (8.0)
 

docs/development/README.md

@@ -4,8 +4,8 @@ These guides are intended for people working on the Electron project itself.
 For guides on Electron app development, see
 [/docs/README.md](../README.md#guides-and-tutorials).
 
-* [Code of Conduct](https://github.com/electron/electron/blob/master/CODE_OF_CONDUCT.md)
-* [Contributing to Electron](https://github.com/electron/electron/blob/master/CONTRIBUTING.md)
+* [Code of Conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md)
+* [Contributing to Electron](https://github.com/electron/electron/blob/main/CONTRIBUTING.md)
 * [Issues](issues.md)
 * [Pull Requests](pull-requests.md)
 * [Documentation Styleguide](coding-style.md#documentation)

docs/development/azure-vm-setup.md

@@ -8,7 +8,7 @@ Example Use Case:
     * We need `VS15.9` and we have `VS15.7` installed; this would require us to update an Azure image.
 
 1. Identify the image you wish to modify.
-    * In [appveyor.yml](https://github.com/electron/electron/blob/master/appveyor.yml), the image is identified by the property *image*.
+    * In [appveyor.yml](https://github.com/electron/electron/blob/main/appveyor.yml), the image is identified by the property *image*.
         * The names used correspond to the *"images"* defined for a build cloud, eg the [libcc-20 cloud](https://windows-ci.electronjs.org/build-clouds/8).
     * Find the image you wish to modify in the build cloud and make note of the **VHD Blob Path** for that image, which is the value for that corresponding key.
         * You will need this URI path to copy into a new image.

docs/development/build-instructions-gn.md

@@ -65,8 +65,8 @@ origin URLs.
 $ cd src/electron
 $ git remote remove origin
 $ git remote add origin https://github.com/electron/electron
-$ git checkout master
-$ git branch --set-upstream-to=origin/master
+$ git checkout main
+$ git branch --set-upstream-to=origin/main
 $ cd -
 ```
 

docs/development/debugging-instructions-macos.md

@@ -26,7 +26,9 @@ you prefer a graphical interface.
 * **.lldbinit**: Create or edit `~/.lldbinit` to allow Chromium code to be properly source-mapped.
 
    ```text
-   command script import ~/electron/src/tools/lldb/lldbinit.py
+   # e.g: ['~/electron/src/tools/lldb']
+   script sys.path[:0] = ['<...path/to/electron/src/tools/lldb>']
+   script import lldbinit
    ```
 
 ## Attaching to and Debugging Electron

docs/development/electron-vs-nwjs.md

@@ -72,4 +72,4 @@ to try NW.js.
 
 [nwjs]: https://nwjs.io/
 [electron-modules]: https://www.npmjs.com/search?q=electron
-[node-bindings]: https://github.com/electron/electron/tree/master/lib/common
+[node-bindings]: https://github.com/electron/electron/tree/main/lib/common

docs/development/pull-requests.md

@@ -45,10 +45,10 @@ Once you've built the project locally, you're ready to start making changes!
 ### Step 3: Branch
 
 To keep your development environment organized, create local branches to
-hold your work. These should be branched directly off of the `master` branch.
+hold your work. These should be branched directly off of the `main` branch.
 
 ```sh
-$ git checkout -b my-branch -t upstream/master
+$ git checkout -b my-branch -t upstream/main
 ```
 
 ## Making Changes
@@ -134,11 +134,11 @@ Once you have committed your changes, it is a good idea to use `git rebase`
 
 ```sh
 $ git fetch upstream
-$ git rebase upstream/master
+$ git rebase upstream/main
 ```
 
 This ensures that your working branch has the latest changes from `electron/electron`
-master.
+main.
 
 ### Step 7: Test
 
@@ -189,7 +189,7 @@ the requirements below.
 
 Bug fixes and new features should include tests and possibly benchmarks.
 
-Contributors guide: https://github.com/electron/electron/blob/master/CONTRIBUTING.md
+Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.md
 -->
 ```
 
@@ -222,7 +222,7 @@ seem unfamiliar, refer to this
 #### Approval and Request Changes Workflow
 
 All pull requests require approval from a
-[Code Owner](https://github.com/electron/electron/blob/master/.github/CODEOWNERS)
+[Code Owner](https://github.com/electron/electron/blob/main/.github/CODEOWNERS)
 of the area you modified in order to land. Whenever a maintainer reviews a pull
 request they may request changes. These may be small, such as fixing a typo, or
 may involve substantive changes. Such requests are intended to be helpful, but

docs/fiddles/features/web-bluetooth/index.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
+    <title>Web Bluetooth API</title>
+  </head>
+  <body>
+    <h1>Web Bluetooth API</h1>
+
+    <button id="clickme">Test Bluetooth</button>
+
+    <p>Currently selected bluetooth device: <strong id="device-name""></strong></p>
+
+    <script src="./renderer.js"></script>
+  </body>
+</html>

docs/fiddles/features/web-bluetooth/main.js

@@ -0,0 +1,30 @@
+const {app, BrowserWindow} = require('electron')
+const path = require('path')
+
+function createWindow () {
+  const mainWindow = new BrowserWindow({
+    width: 800,
+    height: 600
+  })
+
+  mainWindow.webContents.on('select-bluetooth-device', (event, deviceList, callback) => {
+    event.preventDefault()
+    if (deviceList && deviceList.length > 0) {
+      callback(deviceList[0].deviceId)
+    } 
+  })
+
+  mainWindow.loadFile('index.html')
+}
+
+app.whenReady().then(() => {
+  createWindow()
+  
+  app.on('activate', function () {
+    if (BrowserWindow.getAllWindows().length === 0) createWindow()
+  })
+})
+
+app.on('window-all-closed', function () {
+  if (process.platform !== 'darwin') app.quit()
+})

docs/fiddles/features/web-bluetooth/renderer.js

@@ -0,0 +1,8 @@
+async function testIt() {
+  const device = await navigator.bluetooth.requestDevice({
+    acceptAllDevices: true
+  })
+  document.getElementById('device-name').innerHTML = device.name || `ID: ${device.id}`
+}
+
+document.getElementById('clickme').addEventListener('click',testIt)

docs/fiddles/features/web-hid/index.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
+    <title>WebHID API</title>
+  </head>
+  <body>
+    <h1>WebHID API</h1>
+
+    <button id="clickme">Test WebHID</button>
+
+    <h3>HID devices automatically granted access via <i>setDevicePermissionHandler</i></h3>
+    <div id="granted-devices"></div>
+    
+    <h3>HID devices automatically granted access via <i>select-hid-device</i></h3>
+    <div id="granted-devices2"></div>
+
+    <script src="./renderer.js"></script>
+  </body>
+</html>

docs/fiddles/features/web-hid/main.js

@@ -0,0 +1,50 @@
+const {app, BrowserWindow} = require('electron')
+const path = require('path')
+
+function createWindow () {
+  const mainWindow = new BrowserWindow({
+    width: 800,
+    height: 600
+  })
+  
+  mainWindow.webContents.session.on('select-hid-device', (event, details, callback) => {
+    event.preventDefault()
+    if (details.deviceList && details.deviceList.length > 0) {
+      callback(details.deviceList[0].deviceId)
+    }
+  })
+
+  mainWindow.webContents.session.on('hid-device-added', (event, device) => {    
+    console.log('hid-device-added FIRED WITH', device)
+  })
+
+  mainWindow.webContents.session.on('hid-device-removed', (event, device) => {    
+    console.log('hid-device-removed FIRED WITH', device)
+  })
+
+  mainWindow.webContents.session.setPermissionCheckHandler((webContents, permission, requestingOrigin, details) => {
+    if (permission === 'hid' && details.securityOrigin === 'file:///') {
+      return true
+    }
+  })
+
+  mainWindow.webContents.session.setDevicePermissionHandler((details) => {
+    if (details.deviceType === 'hid' && details.origin === 'file://') {
+      return true
+    }
+  })
+  
+  mainWindow.loadFile('index.html')
+}
+
+app.whenReady().then(() => {
+  createWindow()
+  
+  app.on('activate', function () {
+    if (BrowserWindow.getAllWindows().length === 0) createWindow()
+  })
+})
+
+app.on('window-all-closed', function () {
+  if (process.platform !== 'darwin') app.quit()
+})

docs/fiddles/features/web-hid/renderer.js

@@ -0,0 +1,19 @@
+async function testIt() {
+  const grantedDevices = await navigator.hid.getDevices()
+  let grantedDeviceList = ''
+  grantedDevices.forEach(device => {
+    grantedDeviceList += `<hr>${device.productName}</hr>`
+  })
+  document.getElementById('granted-devices').innerHTML = grantedDeviceList
+  const grantedDevices2 = await navigator.hid.requestDevice({
+    filters: []
+  })
+
+  grantedDeviceList = ''
+   grantedDevices2.forEach(device => {
+    grantedDeviceList += `<hr>${device.productName}</hr>`
+  })
+  document.getElementById('granted-devices2').innerHTML = grantedDeviceList
+}
+
+document.getElementById('clickme').addEventListener('click',testIt)

docs/fiddles/features/web-serial/index.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
+    <title>Web Serial API</title>
+  <body>
+    <h1>Web Serial API</h1>
+
+    <button id="clickme">Test Web Serial API</button>
+
+    <p>Matching Arduino Uno device: <strong id="device-name""></strong></p>
+
+    <script src="./renderer.js"></script>
+  </body>
+</html>

docs/fiddles/features/web-serial/main.js

@@ -0,0 +1,54 @@
+const {app, BrowserWindow} = require('electron')
+const path = require('path')
+
+function createWindow () {
+  const mainWindow = new BrowserWindow({
+    width: 800,
+    height: 600
+  })
+  
+  mainWindow.webContents.session.on('select-serial-port', (event, portList, webContents, callback) => {
+    event.preventDefault()
+    if (portList && portList.length > 0) {
+      callback(portList[0].portId)
+    } else {
+      callback('') //Could not find any matching devices
+    }
+  })
+
+  mainWindow.webContents.session.on('serial-port-added', (event, port) => {
+    console.log('serial-port-added FIRED WITH', port)
+  })
+
+  mainWindow.webContents.session.on('serial-port-removed', (event, port) => {
+    console.log('serial-port-removed FIRED WITH', port)
+  })
+
+  mainWindow.webContents.session.setPermissionCheckHandler((webContents, permission, requestingOrigin, details) => {
+    if (permission === 'serial' && details.securityOrigin === 'file:///') {
+      return true
+    }
+  })
+
+  mainWindow.webContents.session.setDevicePermissionHandler((details) => {
+    if (details.deviceType === 'serial' && details.origin === 'file://') {
+      return true
+    }
+  })
+  
+  mainWindow.loadFile('index.html')
+
+  mainWindow.webContents.openDevTools()
+}
+
+app.whenReady().then(() => {
+  createWindow()
+  
+  app.on('activate', function () {
+    if (BrowserWindow.getAllWindows().length === 0) createWindow()
+  })
+})
+
+app.on('window-all-closed', function () {
+  if (process.platform !== 'darwin') app.quit()
+})

docs/fiddles/features/web-serial/renderer.js

@@ -0,0 +1,19 @@
+async function testIt() {
+  const filters = [
+    { usbVendorId: 0x2341, usbProductId: 0x0043 },
+    { usbVendorId: 0x2341, usbProductId: 0x0001 }
+  ];
+  try {
+    const port = await navigator.serial.requestPort({filters});
+    const portInfo = port.getInfo();
+    document.getElementById('device-name').innerHTML = `vendorId: ${portInfo.usbVendorId} | productId: ${portInfo.usbProductId} `
+  } catch (ex) {
+    if (ex.name === 'NotFoundError') {
+      document.getElementById('device-name').innerHTML = 'Device NOT found'
+    } else {
+      document.getElementById('device-name').innerHTML = ex
+    }
+  }
+}
+
+document.getElementById('clickme').addEventListener('click',testIt)

docs/glossary.md

@@ -4,15 +4,39 @@ This page defines some terminology that is commonly used in Electron development
 
 ### ASAR
 
-ASAR stands for Atom Shell Archive Format. An [asar][asar] archive is a simple
+ASAR stands for Atom Shell Archive Format. An [asar] archive is a simple
 `tar`-like format that concatenates files into a single file. Electron can read
 arbitrary files from it without unpacking the whole file.
 
-The ASAR format was created primarily to improve performance on Windows... TODO
+The ASAR format was created primarily to improve performance on Windows when
+reading large quantities of small files (e.g. when loading your app's JavaScript
+dependency tree from `node_modules`).
+
+### code signing
+
+Code signing is a process where an app developer digitally signs their code to
+ensure that it hasn't been tampered with after packaging. Both Windows and
+macOS implement their own version of code signing. As a desktop app developer,
+it's important that you sign your code if you plan on distributing it to the
+general public.
+
+For more information, read the [Code Signing] tutorial.
+
+### context isolation
+
+Context isolation is a security measure in Electron that ensures that your
+preload script cannot leak privileged Electron or Node.js APIs to the web
+contents in your renderer process. With context isolation enabled, the
+only way to expose APIs from your preload script is through the
+`contextBridge` API.
+
+For more information, read the [Context Isolation] tutorial.
+
+See also: [preload script](#preload-script), [renderer process](#renderer-process)
 
 ### CRT
 
-The C Run-time Library (CRT) is the part of the C++ Standard Library that
+The C Runtime Library (CRT) is the part of the C++ Standard Library that
 incorporates the ISO C99 standard library. The Visual C++ libraries that
 implement the CRT support native code development, and both mixed native and
 managed code, and pure managed code for .NET development.
@@ -20,8 +44,7 @@ managed code, and pure managed code for .NET development.
 ### DMG
 
 An Apple Disk Image is a packaging format used by macOS. DMG files are
-commonly used for distributing application "installers". [electron-builder]
-supports `dmg` as a build target.
+commonly used for distributing application "installers".
 
 ### IME
 
@@ -31,19 +54,15 @@ keyboards to input Chinese, Japanese, Korean and Indic characters.
 
 ### IDL
 
-Interface description language. Write function signatures and data types in a format that can be used to generate interfaces in Java, C++, JavaScript, etc.
+Interface description language. Write function signatures and data types in a
+format that can be used to generate interfaces in Java, C++, JavaScript, etc.
 
 ### IPC
 
-IPC stands for Inter-Process Communication. Electron uses IPC to send
-serialized JSON messages between the [main] and [renderer] processes.
+IPC stands for inter-process communication. Electron uses IPC to send
+serialized JSON messages between the main and renderer processes.
 
-### libchromiumcontent
-
-A shared library that includes the [Chromium Content module] and all its
-dependencies (e.g., Blink, [V8], etc.). Also referred to as "libcc".
-
-- [github.com/electron/libchromiumcontent](https://github.com/electron/libchromiumcontent)
+see also: [main process](#main-process), [renderer process](#renderer-process)
 
 ### main process
 
@@ -68,10 +87,22 @@ MAS, see the [Mac App Store Submission Guide].
 
 ### Mojo
 
-An IPC system for communicating intra- or inter-process, and that's important because Chrome is keen on being able to split its work into separate processes or not, depending on memory pressures etc.
+An IPC system for communicating intra- or inter-process, and that's important
+because Chrome is keen on being able to split its work into separate processes
+or not, depending on memory pressures etc.
 
 See https://chromium.googlesource.com/chromium/src/+/master/mojo/README.md
 
+See also: [IPC](#ipc)
+
+### MSI
+
+On Windows, MSI packages are used by the Windows Installer
+(also known as Microsoft Installer) service to install and configure
+applications.
+
+More information can be found in [Microsoft's documentation][msi].
+
 ### native modules
 
 Native modules (also called [addons] in
@@ -85,22 +116,33 @@ likely to use a different V8 version from the Node binary installed in your
 system, you have to manually specify the location of Electron’s headers when
 building native modules.
 
-See also [Using Native Node Modules].
+For more information, read the [Native Node Modules] tutorial.
 
-### NSIS
+### notarization
 
-Nullsoft Scriptable Install System is a script-driven Installer
-authoring tool for Microsoft Windows. It is released under a combination of
-free software licenses, and is a widely-used alternative to commercial
-proprietary products like InstallShield. [electron-builder] supports NSIS
-as a build target.
+Notarization is a macOS-specific process where a developer can send a
+code-signed app to Apple servers to get verified for malicious
+components through an automated service.
+
+See also: [code signing](#code-signing)
 
 ### OSR
 
-OSR (Off-screen rendering) can be used for loading heavy page in
+OSR (offscreen rendering) can be used for loading heavy page in
 background and then displaying it after (it will be much faster).
 It allows you to render page without showing it on screen.
 
+For more information, read the [Offscreen Rendering][osr] tutorial.
+
+### preload script
+
+Preload scripts contain code that executes in a renderer process
+before its web contents begin loading. These scripts run within
+the renderer context, but are granted more privileges by having
+access to Node.js APIs.
+
+See also: [renderer process](#renderer-process), [context isolation](#context-isolation)
+
 ### process
 
 A process is an instance of a computer program that is being executed. Electron
@@ -120,13 +162,17 @@ The renderer process is a browser window in your app. Unlike the main process,
 there can be multiple of these and each is run in a separate process.
 They can also be hidden.
 
-In normal browsers, web pages usually run in a sandboxed environment and are not
-allowed access to native resources. Electron users, however, have the power to
-use Node.js APIs in web pages allowing lower level operating system
-interactions.
-
 See also: [process](#process), [main process](#main-process)
 
+### sandbox
+
+The sandbox is a security feature inherited from Chromium that restricts
+your renderer processes to a limited set of permissions.
+
+For more information, read the [Process Sandboxing] tutorial.
+
+See also: [process](#process)
+
 ### Squirrel
 
 Squirrel is an open-source framework that enables Electron apps to update
@@ -174,13 +220,15 @@ embedded content.
 
 [addons]: https://nodejs.org/api/addons.html
 [asar]: https://github.com/electron/asar
-[autoUpdater]: api/auto-updater.md
-[Chromium Content module]: https://www.chromium.org/developers/content-module
-[electron-builder]: https://github.com/electron-userland/electron-builder
-[libchromiumcontent]: #libchromiumcontent
-[Mac App Store Submission Guide]: tutorial/mac-app-store-submission-guide.md
+[autoupdater]: api/auto-updater.md
+[code signing]: tutorial/code-signing.md
+[context isolation]: tutorial/context-isolation.md
+[mac app store submission guide]: tutorial/mac-app-store-submission-guide.md
 [main]: #main-process
+[msi]: https://docs.microsoft.com/en-us/windows/win32/msi/windows-installer-portal
+[offscreen rendering]: tutorial/offscreen-rendering.md
+[process sandboxing]: tutorial/sandbox.md
 [renderer]: #renderer-process
 [userland]: #userland
-[Using Native Node Modules]: tutorial/using-native-node-modules.md
-[V8]: #v8
+[using native node modules]: tutorial/using-native-node-modules.md
+[v8]: #v8

docs/tutorial/context-isolation.md

@@ -4,39 +4,38 @@
 
 Context Isolation is a feature that ensures that both your `preload` scripts and Electron's internal logic run in a separate context to the website you load in a [`webContents`](../api/web-contents.md).  This is important for security purposes as it helps prevent the website from accessing Electron internals or the powerful APIs your preload script has access to.
 
-This means that the `window` object that your preload script has access to is actually a **different** object than the website would have access to.  For example, if you set `window.hello = 'wave'` in your preload script and context isolation is enabled `window.hello` will be undefined if the website tries to access it.
+This means that the `window` object that your preload script has access to is actually a **different** object than the website would have access to.  For example, if you set `window.hello = 'wave'` in your preload script and context isolation is enabled, `window.hello` will be undefined if the website tries to access it.
 
-Every single application should have context isolation enabled and from Electron 12 it will be enabled by default.
-
-## How do I enable it?
-
-From Electron 12, it will be enabled by default. For lower versions it is an option in the `webPreferences` option when constructing `new BrowserWindow`'s.
-
-```javascript
-const mainWindow = new BrowserWindow({
-  webPreferences: {
-    contextIsolation: true
-  }
-})
-```
+Context isolation has been enabled by default since Electron 12, and it is a recommended security setting for _all applications_.
 
 ## Migration
 
-> I used to provide APIs from my preload script using `window.X = apiObject` now what?
+> Without context isolation, I used to provide APIs from my preload script using `window.X = apiObject`. Now what?
 
-Exposing APIs from your preload script to the loaded website is a common usecase and there is a dedicated module in Electron to help you do this in a painless way.
+### Before: context isolation disabled
 
-**Before: With context isolation disabled**
+Exposing APIs from your preload script to a loaded website in the renderer process is a common use-case. With context isolation disabled, your preload script would share a common global `window` object with the renderer. You could then attach arbitrary properties to a preload script:
 
-```javascript
+```javascript title='preload.js'
+// preload with contextIsolation disabled
 window.myAPI = {
   doAThing: () => {}
 }
 ```
 
-**After: With context isolation enabled**
+The `doAThing()` function could then be used directly in the renderer process:
 
-```javascript
+```javascript title='renderer.js'
+// use the exposed API in the renderer
+window.myAPI.doAThing()
+```
+
+### After: context isolation enabled
+
+There is a dedicated module in Electron to help you do this in a painless way. The [`contextBridge`](../api/context-bridge.md) module can be used to **safely** expose APIs from your preload script's isolated context to the context the website is running in. The API will also be accessible from the website on `window.myAPI` just like it was before.
+
+```javascript title='preload.js'
+// preload with contextIsolation enabled
 const { contextBridge } = require('electron')
 
 contextBridge.exposeInMainWorld('myAPI', {
@@ -44,26 +43,63 @@ contextBridge.exposeInMainWorld('myAPI', {
 })
 ```
 
-The [`contextBridge`](../api/context-bridge.md) module can be used to **safely** expose APIs from the isolated context your preload script runs in to the context the website is running in. The API will also be accessible from the website on `window.myAPI` just like it was before.
+```javascript title='renderer.js'
+// use the exposed API in the renderer
+window.myAPI.doAThing()
+```
 
-You should read the `contextBridge` documentation linked above to fully understand its limitations.  For instance you can't send custom prototypes or symbols over the bridge.
+Please read the `contextBridge` documentation linked above to fully understand its limitations. For instance, you can't send custom prototypes or symbols over the bridge.
 
-## Security Considerations
+## Security considerations
 
-Just enabling `contextIsolation` and using `contextBridge` does not automatically mean that everything you do is safe.  For instance this code is **unsafe**.
+Just enabling `contextIsolation` and using `contextBridge` does not automatically mean that everything you do is safe. For instance, this code is **unsafe**.
 
-```javascript
+```javascript title='preload.js'
 // ❌ Bad code
 contextBridge.exposeInMainWorld('myAPI', {
   send: ipcRenderer.send
 })
 ```
 
-It directly exposes a powerful API without any kind of argument filtering. This would allow any website to send arbitrary IPC messages which you do not want to be possible. The correct way to expose IPC-based APIs would instead be to provide one method per IPC message.
+It directly exposes a powerful API without any kind of argument filtering. This would allow any website to send arbitrary IPC messages, which you do not want to be possible. The correct way to expose IPC-based APIs would instead be to provide one method per IPC message.
 
-```javascript
+```javascript title='preload.js'
 // ✅ Good code
 contextBridge.exposeInMainWorld('myAPI', {
   loadPreferences: () => ipcRenderer.invoke('load-prefs')
 })
 ```
+
+## Usage with TypeScript
+
+If you're building your Electron app with TypeScript, you'll want to add types to your APIs exposed over the context bridge. The renderer's `window` object won't have the correct typings unless you extend the types with a [declaration file].
+
+For example, given this `preload.ts` script:
+
+```typescript title='preload.ts'
+contextBridge.exposeInMainWorld('electronAPI', {
+  loadPreferences: () => ipcRenderer.invoke('load-prefs')
+})
+```
+
+You can create a `renderer.d.ts` declaration file and globally augment the `Window` interface:
+
+```typescript title='renderer.d.ts'
+export interface IElectronAPI {
+  loadPreferences: () => Promise<void>,
+}
+
+declare global {
+  interface Window {
+    electronAPI: IElectronAPI
+  }
+}
+```
+
+Doing so will ensure that the TypeScript compiler will know about the `electronAPI` property on your global `window` object when writing scripts in your renderer process:
+
+```typescript title='renderer.ts'
+window.electronAPI.loadPreferences()
+```
+
+[declaration file]: https://www.typescriptlang.org/docs/handbook/declaration-files/introduction.html

docs/tutorial/devices.md

@@ -0,0 +1,99 @@
+# Device Access
+
+Like Chromium based browsers, Electron provides access to device hardware
+through web APIs.  For the most part these APIs work like they do in a browser,
+but there are some differences that need to be taken into account.  The primary
+difference between Electron and browsers is what happens when device access is
+requested.  In a browser, users are presented with a popup where they can grant
+access to an individual device.  In Electron APIs are provided which can be
+used by a developer to either automatically pick a device or prompt users to
+pick a device via a developer created interface.
+
+## Web Bluetooth API
+
+The [Web Bluetooth API](https://web.dev/bluetooth/) can be used to communicate
+with bluetooth devices. In order to use this API in Electron, developers will
+need to handle the [`select-bluetooth-device` event on the webContents](../api/web-contents.md#event-select-bluetooth-device)
+associated with the device request.
+
+### Example
+
+This example demonstrates an Electron application that automatically selects
+the first available bluetooth device when the `Test Bluetooth` button is
+clicked.
+
+```javascript fiddle='docs/fiddles/features/web-bluetooth'
+
+```
+
+## WebHID API
+
+The [WebHID API](https://web.dev/hid/) can be used to access HID devices such
+as keyboards and gamepads.  Electron provides several APIs for working with
+the WebHID API:
+
+* The [`select-hid-device` event on the Session](../api/session.md#event-select-hid-device)
+  can be used to select a HID device when a call to
+  `navigator.hid.requestDevice` is made.  Additionally the [`hid-device-added`](../api/session.md#event-hid-device-added)
+  and [`hid-device-removed`](../api/session.md#event-hid-device-removed) events
+  on the Session can be used to handle devices being plugged in or unplugged during the
+  `navigator.hid.requestDevice` process.
+* [`ses.setDevicePermissionHandler(handler)`](../api/session.md#sessetdevicepermissionhandlerhandler)
+  can be used to provide default permissioning to devices without first calling
+  for permission to devices via `navigator.hid.requestDevice`.  Additionally,
+  the default behavior of Electron is to store granted device permision through
+  the lifetime of the corresponding WebContents.  If longer term storage is
+  needed, a developer can store granted device permissions (eg when handling
+  the `select-hid-device` event) and then read from that storage with
+  `setDevicePermissionHandler`.
+* [`ses.setPermissionCheckHandler(handler)`](../api/session.md#sessetpermissioncheckhandlerhandler)
+  can be used to disable HID access for specific origins.
+
+### Blocklist
+
+By default Electron employs the same [blocklist](https://github.com/WICG/webhid/blob/main/blocklist.txt)
+used by Chromium.  If you wish to override this behavior, you can do so by
+setting the `disable-hid-blocklist` flag:
+
+```javascript
+app.commandLine.appendSwitch('disable-hid-blocklist')
+```
+
+### Example
+
+This example demonstrates an Electron application that automatically selects
+HID devices through [`ses.setDevicePermissionHandler(handler)`](../api/session.md#sessetdevicepermissionhandlerhandler)
+and through [`select-hid-device` event on the Session](../api/session.md#event-select-hid-device)
+when the `Test WebHID` button is clicked.
+
+```javascript fiddle='docs/fiddles/features/web-hid'
+
+```
+
+## Web Serial API
+
+The [Web Serial API](https://web.dev/serial/) can be used to access serial
+devices that are connected via serial port, USB, or Bluetooth.  In order to use
+this API in Electron, developers will need to handle the
+[`select-serial-port` event on the Session](../api/session.md#event-select-serial-port)
+associated with the serial port request.
+
+There are several additional APIs for working with the Web Serial API:
+
+* The [`serial-port-added`](../api/session.md#event-serial-port-added)
+  and [`serial-port-removed`](../api/session.md#event-serial-port-removed) events
+  on the Session can be used to handle devices being plugged in or unplugged during the
+  `navigator.serial.requestPort` process.
+* [`ses.setPermissionCheckHandler(handler)`](../api/session.md#sessetpermissioncheckhandlerhandler)
+  can be used to disable serial access for specific origins.
+
+### Example
+
+This example demonstrates an Electron application that automatically selects
+the first available Arduino Uno serial device (if connected) through
+[`select-serial-port` event on the Session](../api/session.md#event-select-serial-port)
+when the `Test Web Serial` button is clicked.
+
+```javascript fiddle='docs/fiddles/features/web-serial'
+
+```

docs/tutorial/electron-timelines.md

@@ -23,5 +23,6 @@ Special notes:
 | 11.0.0 | -- | 2020-Aug-27 | 2020-Nov-17 | M87 | v12.18 |
 | 12.0.0 | -- | 2020-Nov-19 | 2021-Mar-02 | M89 | v14.16 |
 | 13.0.0 | -- | 2021-Mar-04 | 2021-May-25 | M91 | v14.16 |
-| 14.0.0 | -- | 2021-May-27 | 2021-Aug-31 | M93 | TBD |
-| 15.0.0 | 2021-Jul-20 | 2021-Sep-01 | 2021-Sep-21 | M94 | TBD |
+| 14.0.0 | -- | 2021-May-27 | 2021-Aug-31 | M93 | v14.17 |
+| 15.0.0 | 2021-Jul-20 | 2021-Sep-01 | 2021-Sep-21 | M94 | v16.5 |
+| 16.0.0 | -- | 2021-Sep-23 | 2021-Nov-16 | M96 | TBD |

docs/tutorial/fuses.md

@@ -12,7 +12,7 @@ Fuses are the solution to this problem, at a high level they are "magic bits" in
 
 ### The easy way
 
-We've made a handy module `@electron/fuses` to make flipping these fuses easy.  Check out the README of that module for more details on usage and potential error cases.
+We've made a handy module, [`@electron/fuses`](https://npmjs.com/package/@electron/fuses), to make flipping these fuses easy.  Check out the README of that module for more details on usage and potential error cases.
 
 ```js
 require('@electron/fuses').flipFuses(
@@ -51,4 +51,4 @@ Somewhere in the Electron binary there will be a sequence of bytes that look lik
 
 To flip a fuse you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
 
-You can view the current schema [here](https://github.com/electron/electron/blob/master/build/fuses/fuses.json5).
+You can view the current schema [here](https://github.com/electron/electron/blob/main/build/fuses/fuses.json5).

docs/tutorial/launch-app-from-url-in-another-app.md

@@ -1,5 +1,5 @@
 ---
-title: Launching Your Electron App From A URL In Another App
+title: Launching Your Electron App From a URL In Another App
 description: This guide will take you through the process of setting your electron app as the default handler for a specific protocol.
 slug: launch-app-from-url-in-another-app
 hide_title: true
@@ -11,7 +11,7 @@ hide_title: true
 
 <!-- ✍ Update this section if you want to provide more details -->
 
-This guide will take you through the process of setting your electron app as the default
+This guide will take you through the process of setting your Electron app as the default
 handler for a specific [protocol](https://www.electronjs.org/docs/api/protocol).
 
 By the end of this tutorial, we will have set our app to intercept and handle
@@ -22,16 +22,17 @@ we will use will be "`electron-fiddle://`".
 
 ### Main Process (main.js)
 
-First we will import the required modules from `electron`. These modules help control our application life and create a native browser window.
+First, we will import the required modules from `electron`. These modules help
+control our application lifecycle and create a native browser window.
 
-```js
+```javascript
 const { app, BrowserWindow, shell } = require('electron')
 const path = require('path')
 ```
 
 Next, we will proceed to register our application to handle all "`electron-fiddle://`" protocols.
 
-```js
+```javascript
 if (process.defaultApp) {
   if (process.argv.length >= 2) {
     app.setAsDefaultProtocolClient('electron-fiddle', process.execPath, [path.resolve(process.argv[1])])
@@ -43,7 +44,7 @@ if (process.defaultApp) {
 
 We will now define the function in charge of creating our browser window and load our application's `index.html` file.
 
-```js
+```javascript
 const createWindow = () => {
   // Create the browser window.
   mainWindow = new BrowserWindow({
@@ -60,11 +61,11 @@ const createWindow = () => {
 
 In this next step, we will create our  `BrowserWindow` and tell our application how to handle an event in which an external protocol is clicked.
 
-This code will be different in WindowsOS compared to MacOS and Linux. This is due to Windows requiring additional code in order to open the contents of the protocol link within the same electron instance. Read more about this [here](https://www.electronjs.org/docs/api/app#apprequestsingleinstancelock).
+This code will be different in Windows compared to MacOS and Linux. This is due to Windows requiring additional code in order to open the contents of the protocol link within the same Electron instance. Read more about this [here](https://www.electronjs.org/docs/api/app#apprequestsingleinstancelock).
 
-### Windows code:
+#### Windows code:
 
-```js
+```javascript
 const gotTheLock = app.requestSingleInstanceLock()
 
 if (!gotTheLock) {
@@ -83,16 +84,16 @@ if (!gotTheLock) {
     createWindow()
   })
 
-  // handling the protocol. In this case, we choose to show an Error Box.
+  // Handle the protocol. In this case, we choose to show an Error Box.
   app.on('open-url', (event, url) => {
     dialog.showErrorBox('Welcome Back', `You arrived from: ${url}`)
   })
 }
 ```
 
-### MacOS and Linux code:
+#### MacOS and Linux code:
 
-```js
+```javascript
 // This method will be called when Electron has finished
 // initialization and is ready to create browser windows.
 // Some APIs can only be used after this event occurs.
@@ -100,15 +101,15 @@ app.whenReady().then(() => {
   createWindow()
 })
 
-// handling the protocol. In this case, we choose to show an Error Box.
+// Handle the protocol. In this case, we choose to show an Error Box.
 app.on('open-url', (event, url) => {
   dialog.showErrorBox('Welcome Back', `You arrived from: ${url}`)
 })
 ```
 
-Finally, we will add some additional code to handle when someone closes our application
+Finally, we will add some additional code to handle when someone closes our application.
 
-```js
+```javascript
 // Quit when all windows are closed, except on macOS. There, it's common
 // for applications and their menu bar to stay active until the user quits
 // explicitly with Cmd + Q.
@@ -117,40 +118,84 @@ app.on('window-all-closed', () => {
 })
 ```
 
-## Important Note:
+## Important notes
 
 ### Packaging
 
-This feature will only work on macOS when your app is packaged. It will not work when you're launching it in development from the command-line. When you package your app you'll need to make sure the macOS `plist` for the app is updated to include the new protocol handler. If you're using [`electron-packager`](https://github.com/electron/electron-packager) then you
-can add the flag `--extend-info` with a path to the `plist` you've created. The one for this app is below:
+On macOS and Linux, this feature will only work when your app is packaged. It will not work when
+you're launching it in development from the command-line. When you package your app you'll need to
+make sure the macOS `Info.plist` and the Linux `.desktop` files for the app are updated to include
+the new protocol handler. Some of the Electron tools for bundling and distributing apps handle
+this for you.
 
-### Plist
+#### [Electron Forge](https://electronforge.io)
 
-```XML
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>CFBundleURLTypes</key>
-        <array>
-            <dict>
-                <key>CFBundleURLSchemes</key>
-                <array>
-                    <string>electron-api-demos</string>
-                </array>
-                <key>CFBundleURLName</key>
-                <string>Electron API Demos Protocol</string>
-            </dict>
-        </array>
-        <key>ElectronTeamID</key>
-        <string>VEKTX9H2N7</string>
-    </dict>
-</plist>
+If you're using Electron Forge, adjust `packagerConfig` for macOS support, and the configuration for
+the appropriate Linux makers for Linux support, in your [Forge
+configuration](https://www.electronforge.io/configuration) _(please note the following example only
+shows the bare minimum needed to add the configuration changes)_:
+
+```json
+{
+  "config": {
+    "forge": {
+      "packagerConfig": {
+        "protocols": [
+          {
+            "name": "Electron Fiddle",
+            "schemes": ["electron-fiddle"]
+          }
+        ]
+      },
+      "makers": [
+        {
+          "name": "@electron-forge/maker-deb",
+          "config": {
+            "mimeType": ["x-scheme-handler/electron-fiddle"]
+          }
+        }
+      ]
+    }
+  }
+}
+```
+
+#### [Electron Packager](https://github.com/electron/electron-packager)
+
+For macOS support:
+
+If you're using Electron Packager's API, adding support for protocol handlers is similar to how
+Electron Forge is handled, except
+`protocols` is part of the Packager options passed to the `packager` function.
+
+```javascript
+const packager = require('electron-packager')
+
+packager({
+  // ...other options...
+  protocols: [
+    {
+      name: 'Electron Fiddle',
+      schemes: ['electron-fiddle']
+    }
+  ]
+
+}).then(paths => console.log(`SUCCESS: Created ${paths.join(', ')}`))
+  .catch(err => console.error(`ERROR: ${err.message}`))
+```
+
+If you're using Electron Packager's CLI, use the `--protocol` and `--protocol-name` flags. For
+example:
+
+```shell
+npx electron-packager . --protocol=electron-fiddle --protocol-name="Electron Fiddle"
 ```
 
 ## Conclusion
 
-After you start your electron app, you can now enter in a URL in your browser that contains the custom protocol, for example `"electron-fiddle://open"` and observe that the application will respond and show an error dialog box.
+After you start your Electron app, you can enter in a URL in your browser that contains the custom
+protocol, for example `"electron-fiddle://open"` and observe that the application will respond and
+show an error dialog box.
 
 <!--
     Because Electron examples usually require multiple files (HTML, CSS, JS

docs/tutorial/performance.md

@@ -120,9 +120,9 @@ file in the directory you executed it in. Both files can be analyzed using
 the Chrome Developer Tools, using the `Performance` and `Memory` tabs
 respectively.
 
-![Performance CPU Profile][performance-cpu-prof]
+![Performance CPU Profile](../images/performance-cpu-prof.png)
 
-![Performance Heap Memory Profile][performance-heap-prof]
+![Performance Heap Memory Profile](../images/performance-heap-prof.png)
 
 In this example, on the author's machine, we saw that loading `request` took
 almost half a second, whereas `node-fetch` took dramatically less memory
@@ -412,8 +412,6 @@ As of writing this article, the popular choices include [Webpack][webpack],
 [Parcel][parcel], and [rollup.js][rollup].
 
 [security]: ./security.md
-[performance-cpu-prof]: ../images/performance-cpu-prof.png
-[performance-heap-prof]: ../images/performance-heap-prof.png
 [chrome-devtools-tutorial]: https://developers.google.com/web/tools/chrome-devtools/evaluate-performance/
 [worker-threads]: https://nodejs.org/api/worker_threads.html
 [web-workers]: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers

docs/tutorial/progress-bar.md

@@ -7,16 +7,16 @@ without the need of switching to the window itself.
 
 On Windows, you can use a taskbar button to display a progress bar.
 
-![Windows Progress Bar][windows-progress-bar]
+![Windows Progress Bar][https://cloud.githubusercontent.com/assets/639601/5081682/16691fda-6f0e-11e4-9676-49b6418f1264.png]
 
 On macOS, the progress bar will be displayed as a part of the dock icon.
 
-![macOS Progress Bar][macos-progress-bar]
+![macOS Progress Bar](../images/macos-progress-bar.png)
 
 On Linux, the Unity graphical interface also has a similar feature that allows
 you to specify the progress bar in the launcher.
 
-![Linux Progress Bar][linux-progress-bar]
+![Linux Progress Bar](../images/linux-progress-bar.png)
 
 > NOTE: on Windows, each window can have its own progress bar, whereas on macOS
 and Linux (Unity) there can be only one progress bar for the application.
@@ -102,8 +102,4 @@ For macOS, the progress bar will also be indicated for your application
 when using [Mission Control](https://support.apple.com/en-us/HT204100):
 
 ![Mission Control Progress Bar](../images/mission-control-progress-bar.png)
-
-[windows-progress-bar]: https://cloud.githubusercontent.com/assets/639601/5081682/16691fda-6f0e-11e4-9676-49b6418f1264.png
-[macos-progress-bar]: ../images/macos-progress-bar.png
-[linux-progress-bar]: ../images/linux-progress-bar.png
 [setprogressbar]: ../api/browser-window.md#winsetprogressbarprogress-options

docs/tutorial/security.md

@@ -23,7 +23,7 @@ your responsibility to ensure that the code is not malicious.
 ## Reporting Security Issues
 
 For information on how to properly disclose an Electron vulnerability,
-see [SECURITY.md](https://github.com/electron/electron/tree/master/SECURITY.md)
+see [SECURITY.md](https://github.com/electron/electron/tree/main/SECURITY.md)
 
 ## Chromium Security Issues and Upgrades
 

docs/tutorial/support.md

@@ -3,7 +3,7 @@
 ## Finding Support
 
 If you have a security concern,
-please see the [security document](https://github.com/electron/electron/tree/master/SECURITY.md).
+please see the [security document](https://github.com/electron/electron/tree/main/SECURITY.md).
 
 If you're looking for programming help,
 for answers to questions,
@@ -26,7 +26,7 @@ you can interact with the community in these locations:
 * [`electron-pl`](https://electronpl.github.io) *(Poland)*
 
 If you'd like to contribute to Electron,
-see the [contributing document](https://github.com/electron/electron/blob/master/CONTRIBUTING.md).
+see the [contributing document](https://github.com/electron/electron/blob/main/CONTRIBUTING.md).
 
 If you've found a bug in a [supported version](#supported-versions) of Electron,
 please report it with the [issue tracker](../development/issues.md).
@@ -50,15 +50,15 @@ as the 4.2.x series are supported.  We only support the latest minor release
 for each stable release series.  This means that in the case of a security fix
 6.1.x will receive the fix, but we will not release a new version of 6.0.x.
 
-The latest stable release unilaterally receives all fixes from `master`,
+The latest stable release unilaterally receives all fixes from `main`,
 and the version prior to that receives the vast majority of those fixes
 as time and bandwidth warrants. The oldest supported release line will receive
 only security fixes directly.
 
 All supported release lines will accept external pull requests to backport
-fixes previously merged to `master`, though this may be on a case-by-case
+fixes previously merged to `main`, though this may be on a case-by-case
 basis for some older supported lines. All contested decisions around release
-line backports will be resolved by the [Releases Working Group](https://github.com/electron/governance/tree/master/wg-releases) as an agenda item at their weekly meeting the week the backport PR is raised.
+line backports will be resolved by the [Releases Working Group](https://github.com/electron/governance/tree/main/wg-releases) as an agenda item at their weekly meeting the week the backport PR is raised.
 
 When an API is changed or removed in a way that breaks existing functionality, the
 previous functionality will be supported for a minimum of two major versions when
@@ -70,9 +70,9 @@ until the maintainers feel the maintenance burden is too high to continue doing
 
 ### Currently supported versions
 
+* 17.x.y
 * 16.x.y
 * 15.x.y
-* 14.x.y
 * 13
 
 ### End-of-life

electron_strings.grdp

@@ -125,5 +125,7 @@
   </message>
   <message name="IDS_BADGE_UNREAD_NOTIFICATIONS" desc="The accessibility text which will be read by a screen reader when there are notifcatications">
     {UNREAD_NOTIFICATIONS, plural, =1 {1 Unread Notification} other {# Unread Notifications}}
-  </message>  
+  </message>
+  <message name="IDS_HID_CHOOSER_ITEM_WITHOUT_NAME" desc="User option displaying the device IDs for a Human Interface Device (HID) without a device name.">
+        Unknown Device (<ph name="DEVICE_ID">$1<ex>1234:abcd</ex></ph>) </message>
 </grit-part>

filenames.auto.gni

@@ -84,6 +84,7 @@ auto_filenames = {
     "docs/api/structures/file-filter.md",
     "docs/api/structures/file-path-with-headers.md",
     "docs/api/structures/gpu-feature-status.md",
+    "docs/api/structures/hid-device.md",
     "docs/api/structures/input-event.md",
     "docs/api/structures/io-counters.md",
     "docs/api/structures/ipc-main-event.md",
@@ -138,7 +139,6 @@ auto_filenames = {
     "lib/common/api/native-image.ts",
     "lib/common/define-properties.ts",
     "lib/common/ipc-messages.ts",
-    "lib/common/type-utils.ts",
     "lib/common/web-view-methods.ts",
     "lib/renderer/api/context-bridge.ts",
     "lib/renderer/api/crash-reporter.ts",
@@ -168,7 +168,6 @@ auto_filenames = {
   ]
 
   isolated_bundle_deps = [
-    "lib/common/type-utils.ts",
     "lib/common/web-view-methods.ts",
     "lib/isolated_renderer/init.ts",
     "lib/renderer/web-view/web-view-attributes.ts",
@@ -246,7 +245,6 @@ auto_filenames = {
     "lib/common/ipc-messages.ts",
     "lib/common/parse-features-string.ts",
     "lib/common/reset-search-paths.ts",
-    "lib/common/type-utils.ts",
     "lib/common/web-view-events.ts",
     "lib/common/web-view-methods.ts",
     "lib/common/webpack-globals-provider.ts",
@@ -269,7 +267,6 @@ auto_filenames = {
     "lib/common/init.ts",
     "lib/common/ipc-messages.ts",
     "lib/common/reset-search-paths.ts",
-    "lib/common/type-utils.ts",
     "lib/common/web-view-methods.ts",
     "lib/common/webpack-provider.ts",
     "lib/renderer/api/context-bridge.ts",
@@ -309,7 +306,6 @@ auto_filenames = {
     "lib/common/init.ts",
     "lib/common/ipc-messages.ts",
     "lib/common/reset-search-paths.ts",
-    "lib/common/type-utils.ts",
     "lib/common/webpack-provider.ts",
     "lib/renderer/api/context-bridge.ts",
     "lib/renderer/api/crash-reporter.ts",

filenames.gni

@@ -191,6 +191,7 @@ filenames = {
     "shell/browser/ui/tray_icon_cocoa.mm",
     "shell/common/api/electron_api_clipboard_mac.mm",
     "shell/common/api/electron_api_native_image_mac.mm",
+    "shell/common/asar/archive_mac.mm",
     "shell/common/application_info_mac.mm",
     "shell/common/language_util_mac.mm",
     "shell/common/mac/main_application_bundle.h",
@@ -382,8 +383,18 @@ filenames = {
     "shell/browser/file_select_helper.cc",
     "shell/browser/file_select_helper.h",
     "shell/browser/file_select_helper_mac.mm",
+    "shell/browser/font/electron_font_access_delegate.cc",
+    "shell/browser/font/electron_font_access_delegate.h",
     "shell/browser/font_defaults.cc",
     "shell/browser/font_defaults.h",
+    "shell/browser/hid/electron_hid_delegate.cc",
+    "shell/browser/hid/electron_hid_delegate.h",
+    "shell/browser/hid/hid_chooser_context.cc",
+    "shell/browser/hid/hid_chooser_context.h",
+    "shell/browser/hid/hid_chooser_context_factory.cc",
+    "shell/browser/hid/hid_chooser_context_factory.h",
+    "shell/browser/hid/hid_chooser_controller.cc",
+    "shell/browser/hid/hid_chooser_controller.h",
     "shell/browser/javascript_environment.cc",
     "shell/browser/javascript_environment.h",
     "shell/browser/lib/bluetooth_chooser.cc",
@@ -403,6 +414,8 @@ filenames = {
     "shell/browser/native_window.cc",
     "shell/browser/native_window.h",
     "shell/browser/native_window_observer.h",
+    "shell/browser/net/asar/asar_file_validator.cc",
+    "shell/browser/net/asar/asar_file_validator.h",
     "shell/browser/net/asar/asar_url_loader.cc",
     "shell/browser/net/asar/asar_url_loader.h",
     "shell/browser/net/asar/asar_url_loader_factory.cc",
@@ -491,8 +504,6 @@ filenames = {
     "shell/browser/web_contents_preferences.h",
     "shell/browser/web_contents_zoom_controller.cc",
     "shell/browser/web_contents_zoom_controller.h",
-    "shell/browser/web_dialog_helper.cc",
-    "shell/browser/web_dialog_helper.h",
     "shell/browser/web_view_guest_delegate.cc",
     "shell/browser/web_view_guest_delegate.h",
     "shell/browser/web_view_manager.cc",

lib/asar/fs-wrapper.ts

@@ -1,6 +1,7 @@
 import { Buffer } from 'buffer';
 import * as path from 'path';
 import * as util from 'util';
+import type * as Crypto from 'crypto';
 
 const asar = process._linkedBinding('electron_common_asar');
 
@@ -194,6 +195,20 @@ const overrideAPI = function (module: Record<string, any>, name: string, pathArg
   }
 };
 
+let crypto: typeof Crypto;
+function validateBufferIntegrity (buffer: Buffer, integrity: NodeJS.AsarFileInfo['integrity']) {
+  if (!integrity) return;
+
+  // Delay load crypto to improve app boot performance
+  // when integrity protection is not enabled
+  crypto = crypto || require('crypto');
+  const actual = crypto.createHash(integrity.algorithm).update(buffer).digest('hex');
+  if (actual !== integrity.hash) {
+    console.error(`ASAR Integrity Violation: got a hash mismatch (${actual} vs ${integrity.hash})`);
+    process.exit(1);
+  }
+}
+
 const makePromiseFunction = function (orig: Function, pathArgumentIndex: number) {
   return function (this: any, ...args: any[]) {
     const pathArgument = args[pathArgumentIndex];
@@ -531,7 +546,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
       }
 
       const buffer = Buffer.alloc(info.size);
-      const fd = archive.getFd();
+      const fd = archive.getFdAndValidateIntegrityLater();
       if (!(fd >= 0)) {
         const error = createError(AsarError.NOT_FOUND, { asarPath, filePath });
         nextTick(callback, [error]);
@@ -540,6 +555,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
 
       logASARAccess(asarPath, filePath, info.offset);
       fs.read(fd, buffer, 0, info.size, info.offset, (error: Error) => {
+        validateBufferIntegrity(buffer, info.integrity);
         callback(error, encoding ? buffer.toString(encoding) : buffer);
       });
     }
@@ -595,11 +611,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
 
     const { encoding } = options;
     const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
     if (!(fd >= 0)) throw createError(AsarError.NOT_FOUND, { asarPath, filePath });
 
     logASARAccess(asarPath, filePath, info.offset);
     fs.readSync(fd, buffer, 0, info.size, info.offset);
+    validateBufferIntegrity(buffer, info.integrity);
     return (encoding) ? buffer.toString(encoding) : buffer;
   };
 
@@ -713,11 +730,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
     }
 
     const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
     if (!(fd >= 0)) return [];
 
     logASARAccess(asarPath, filePath, info.offset);
     fs.readSync(fd, buffer, 0, info.size, info.offset);
+    validateBufferIntegrity(buffer, info.integrity);
     const str = buffer.toString('utf8');
     return [str, str.length > 0];
   };

lib/browser/api/dialog.ts

@@ -168,6 +168,7 @@ const messageBox = (sync: boolean, window: BrowserWindow | null, options?: Messa
     defaultId = -1,
     detail = '',
     icon = null,
+    textWidth = 0,
     noLink = false,
     message = '',
     title = '',
@@ -225,7 +226,8 @@ const messageBox = (sync: boolean, window: BrowserWindow | null, options?: Messa
     detail,
     checkboxLabel,
     checkboxChecked,
-    icon
+    icon,
+    textWidth
   };
 
   if (sync) {

lib/browser/api/web-contents.ts

@@ -4,6 +4,7 @@ import type { BrowserWindowConstructorOptions, LoadURLOptions } from 'electron/m
 import * as url from 'url';
 import * as path from 'path';
 import { openGuestWindow, makeWebPreferences, parseContentTypeFormat } from '@electron/internal/browser/guest-window-manager';
+import { parseFeatures } from '@electron/internal/common/parse-features-string';
 import { ipcMainInternal } from '@electron/internal/browser/ipc-main-internal';
 import * as ipcMainUtils from '@electron/internal/browser/ipc-main-internal-utils';
 import { MessagePortMain } from '@electron/internal/browser/message-port-main';
@@ -665,6 +666,16 @@ WebContents.prototype._init = function () {
         postBody
       };
       windowOpenOverriddenOptions = this._callWindowOpenHandler(event, details);
+      // if attempting to use this API with the deprecated new-window event,
+      // windowOpenOverriddenOptions will always return null. This ensures
+      // short-term backwards compatibility until new-window is removed.
+      const parsedFeatures = parseFeatures(rawFeatures);
+      const overriddenFeatures: BrowserWindowConstructorOptions = {
+        ...parsedFeatures.options,
+        webPreferences: parsedFeatures.webPreferences
+      };
+      windowOpenOverriddenOptions = windowOpenOverriddenOptions || overriddenFeatures;
+
       if (!event.defaultPrevented) {
         const secureOverrideWebPreferences = windowOpenOverriddenOptions ? {
           // Allow setting of backgroundColor as a webPreference even though

lib/browser/guest-view-manager.ts

@@ -4,7 +4,6 @@ import * as ipcMainUtils from '@electron/internal/browser/ipc-main-internal-util
 import { parseWebViewWebPreferences } from '@electron/internal/common/parse-features-string';
 import { syncMethods, asyncMethods, properties } from '@electron/internal/common/web-view-methods';
 import { webViewEvents } from '@electron/internal/common/web-view-events';
-import { serialize } from '@electron/internal/common/type-utils';
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
 
 interface GuestInstance {
@@ -330,12 +329,6 @@ handleMessageSync(IPC_MESSAGES.GUEST_VIEW_MANAGER_PROPERTY_SET, function (event,
   (guest as any)[property] = val;
 });
 
-handleMessage(IPC_MESSAGES.GUEST_VIEW_MANAGER_CAPTURE_PAGE, async function (event, guestInstanceId: number, args: any[]) {
-  const guest = getGuestForWebContents(guestInstanceId, event.sender);
-
-  return serialize(await guest.capturePage(...args));
-});
-
 // Returns WebContents from its guest id hosted in given webContents.
 const getGuestForWebContents = function (guestInstanceId: number, contents: Electron.WebContents) {
   const guestInstance = guestInstances.get(guestInstanceId);

lib/browser/init.ts

@@ -81,9 +81,10 @@ require('@electron/internal/browser/guest-view-manager');
 require('@electron/internal/browser/guest-window-proxy');
 
 // Now we try to load app's package.json.
+const v8Util = process._linkedBinding('electron_common_v8_util');
 let packagePath = null;
 let packageJson = null;
-const searchPaths = ['app', 'app.asar', 'default_app.asar'];
+const searchPaths: string[] = v8Util.getHiddenValue(global, 'appSearchPaths');
 
 if (process.resourcesPath) {
   for (packagePath of searchPaths) {

lib/browser/rpc-server.ts

@@ -4,7 +4,6 @@ import { clipboard } from 'electron/common';
 import * as fs from 'fs';
 import { ipcMainInternal } from '@electron/internal/browser/ipc-main-internal';
 import * as ipcMainUtils from '@electron/internal/browser/ipc-main-internal-utils';
-import * as typeUtils from '@electron/internal/common/type-utils';
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
 
 import type * as desktopCapturerModule from '@electron/internal/browser/desktop-capturer';
@@ -56,7 +55,7 @@ ipcMainUtils.handleSync(IPC_MESSAGES.BROWSER_CLIPBOARD_SYNC, function (event, me
     throw new Error(`Invalid method: ${method}`);
   }
 
-  return typeUtils.serialize((clipboard as any)[method](...typeUtils.deserialize(args)));
+  return (clipboard as any)[method](...args);
 });
 
 if (BUILDFLAG(ENABLE_DESKTOP_CAPTURER)) {
@@ -71,7 +70,7 @@ if (BUILDFLAG(ENABLE_DESKTOP_CAPTURER)) {
       return [];
     }
 
-    return typeUtils.serialize(await desktopCapturer.getSourcesImpl(event.sender, options));
+    return await desktopCapturer.getSourcesImpl(event.sender, options);
   });
 }
 

lib/common/api/clipboard.ts

@@ -1,20 +1,14 @@
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
 
 import type * as ipcRendererUtilsModule from '@electron/internal/renderer/ipc-renderer-internal-utils';
-import type * as typeUtilsModule from '@electron/internal/common/type-utils';
 
 const clipboard = process._linkedBinding('electron_common_clipboard');
 
 if (process.type === 'renderer') {
   const ipcRendererUtils = require('@electron/internal/renderer/ipc-renderer-internal-utils') as typeof ipcRendererUtilsModule;
-  const typeUtils = require('@electron/internal/common/type-utils') as typeof typeUtilsModule;
 
-  const makeRemoteMethod = function (method: keyof Electron.Clipboard) {
-    return (...args: any[]) => {
-      args = typeUtils.serialize(args);
-      const result = ipcRendererUtils.invokeSync(IPC_MESSAGES.BROWSER_CLIPBOARD_SYNC, method, ...args);
-      return typeUtils.deserialize(result);
-    };
+  const makeRemoteMethod = function (method: keyof Electron.Clipboard): any {
+    return (...args: any[]) => ipcRendererUtils.invokeSync(IPC_MESSAGES.BROWSER_CLIPBOARD_SYNC, method, ...args);
   };
 
   if (process.platform === 'linux') {

lib/common/ipc-messages.ts

@@ -13,7 +13,6 @@ export const enum IPC_MESSAGES {
   GUEST_VIEW_MANAGER_DETACH_GUEST = 'GUEST_VIEW_MANAGER_DETACH_GUEST',
   GUEST_VIEW_MANAGER_FOCUS_CHANGE = 'GUEST_VIEW_MANAGER_FOCUS_CHANGE',
   GUEST_VIEW_MANAGER_CALL = 'GUEST_VIEW_MANAGER_CALL',
-  GUEST_VIEW_MANAGER_CAPTURE_PAGE = 'GUEST_VIEW_MANAGER_CAPTURE_PAGE',
   GUEST_VIEW_MANAGER_PROPERTY_GET = 'GUEST_VIEW_MANAGER_PROPERTY_GET',
   GUEST_VIEW_MANAGER_PROPERTY_SET = 'GUEST_VIEW_MANAGER_PROPERTY_SET',
 

lib/common/type-utils.ts

@@ -1,110 +0,0 @@
-function getCreateNativeImage () {
-  return process._linkedBinding('electron_common_native_image').nativeImage.createEmpty;
-}
-
-export function isPromise (val: any) {
-  return (
-    val &&
-    val.then &&
-    val.then instanceof Function &&
-    val.constructor &&
-    val.constructor.reject &&
-    val.constructor.reject instanceof Function &&
-    val.constructor.resolve &&
-    val.constructor.resolve instanceof Function
-  );
-}
-
-const serializableTypes = [
-  Boolean,
-  Number,
-  String,
-  Date,
-  Error,
-  RegExp,
-  ArrayBuffer
-];
-
-// https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Structured_clone_algorithm#Supported_types
-export function isSerializableObject (value: any) {
-  return value === null || ArrayBuffer.isView(value) || serializableTypes.some(type => value instanceof type);
-}
-
-const objectMap = function (source: Object, mapper: (value: any) => any) {
-  const sourceEntries = Object.entries(source);
-  const targetEntries = sourceEntries.map(([key, val]) => [key, mapper(val)]);
-  return Object.fromEntries(targetEntries);
-};
-
-function serializeNativeImage (image: Electron.NativeImage) {
-  const representations = [];
-  const scaleFactors = image.getScaleFactors();
-
-  // Use Buffer when there's only one representation for better perf.
-  // This avoids compressing to/from PNG where it's not necessary to
-  // ensure uniqueness of dataURLs (since there's only one).
-  if (scaleFactors.length === 1) {
-    const scaleFactor = scaleFactors[0];
-    const size = image.getSize(scaleFactor);
-    const buffer = image.toBitmap({ scaleFactor });
-    representations.push({ scaleFactor, size, buffer });
-  } else {
-    // Construct from dataURLs to ensure that they are not lost in creation.
-    for (const scaleFactor of scaleFactors) {
-      const size = image.getSize(scaleFactor);
-      const dataURL = image.toDataURL({ scaleFactor });
-      representations.push({ scaleFactor, size, dataURL });
-    }
-  }
-  return { __ELECTRON_SERIALIZED_NativeImage__: true, representations };
-}
-
-function deserializeNativeImage (value: any, createNativeImage: typeof Electron.nativeImage['createEmpty']) {
-  const image = createNativeImage();
-
-  // Use Buffer when there's only one representation for better perf.
-  // This avoids compressing to/from PNG where it's not necessary to
-  // ensure uniqueness of dataURLs (since there's only one).
-  if (value.representations.length === 1) {
-    const { buffer, size, scaleFactor } = value.representations[0];
-    const { width, height } = size;
-    image.addRepresentation({ buffer, scaleFactor, width, height });
-  } else {
-    // Construct from dataURLs to ensure that they are not lost in creation.
-    for (const rep of value.representations) {
-      const { dataURL, size, scaleFactor } = rep;
-      const { width, height } = size;
-      image.addRepresentation({ dataURL, scaleFactor, width, height });
-    }
-  }
-
-  return image;
-}
-
-export function serialize (value: any): any {
-  if (value && value.constructor && value.constructor.name === 'NativeImage') {
-    return serializeNativeImage(value);
-  } if (Array.isArray(value)) {
-    return value.map(serialize);
-  } else if (isSerializableObject(value)) {
-    return value;
-  } else if (value instanceof Object) {
-    return objectMap(value, serialize);
-  } else {
-    return value;
-  }
-}
-
-export function deserialize (value: any, createNativeImage: typeof Electron.nativeImage['createEmpty'] = getCreateNativeImage()): any {
-  if (value && value.__ELECTRON_SERIALIZED_NativeImage__) {
-    return deserializeNativeImage(value, createNativeImage);
-  } else if (Array.isArray(value)) {
-    return value.map(value => deserialize(value, createNativeImage));
-  } else if (isSerializableObject(value)) {
-    return value;
-  } else if (value instanceof Object) {
-    return objectMap(value, value => deserialize(value, createNativeImage));
-  } else {
-    return value;
-  }
-}

lib/common/web-view-methods.ts

@@ -59,6 +59,7 @@ export const properties = new Set([
 ]);
 
 export const asyncMethods = new Set([
+  'capturePage',
   'loadURL',
   'executeJavaScript',
   'insertCSS',

lib/renderer/api/desktop-capturer.ts

@@ -1,5 +1,4 @@
 import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal';
-import { deserialize } from '@electron/internal/common/type-utils';
 import deprecate from '@electron/internal/common/api/deprecate';
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
 
@@ -21,5 +20,5 @@ export async function getSources (options: Electron.SourcesOptions) {
     deprecate.log('The use of \'desktopCapturer.getSources\' in the renderer process is deprecated and will be removed. See https://www.electronjs.org/docs/breaking-changes#removed-desktopcapturergetsources-in-the-renderer for more details.');
     warned = true;
   }
-  return deserialize(await ipcRendererInternal.invoke(IPC_MESSAGES.DESKTOP_CAPTURER_GET_SOURCES, options, getCurrentStack()));
+  return await ipcRendererInternal.invoke(IPC_MESSAGES.DESKTOP_CAPTURER_GET_SOURCES, options, getCurrentStack());
 }

lib/renderer/security-warnings.ts

@@ -103,10 +103,14 @@ const warnAboutInsecureResources = function () {
     return;
   }
 
+  const isLocal = (url: URL): boolean =>
+    ['localhost', '127.0.0.1', '[::1]', ''].includes(url.hostname);
+  const isInsecure = (url: URL): boolean =>
+    ['http:', 'ftp:'].includes(url.protocol) && !isLocal(url);
+
   const resources = window.performance
     .getEntriesByType('resource')
-    .filter(({ name }) => /^(http|ftp):/gi.test(name || ''))
-    .filter(({ name }) => new URL(name).hostname !== 'localhost')
+    .filter(({ name }) => isInsecure(new URL(name)))
     .map(({ name }) => `- ${name}`)
     .join('\n');
 

lib/renderer/web-view/guest-view-internal.ts

@@ -43,10 +43,6 @@ export function detachGuest (guestInstanceId: number) {
   return ipcRendererUtils.invokeSync(IPC_MESSAGES.GUEST_VIEW_MANAGER_DETACH_GUEST, guestInstanceId);
 }
 
-export function capturePage (guestInstanceId: number, args: any[]) {
-  return ipcRendererInternal.invoke(IPC_MESSAGES.GUEST_VIEW_MANAGER_CAPTURE_PAGE, guestInstanceId, args);
-}
-
 export function invoke (guestInstanceId: number, method: string, args: any[]) {
   return ipcRendererInternal.invoke(IPC_MESSAGES.GUEST_VIEW_MANAGER_CALL, guestInstanceId, method, args);
 }

lib/renderer/web-view/web-view-impl.ts

@@ -3,7 +3,6 @@ import { WEB_VIEW_CONSTANTS } from '@electron/internal/renderer/web-view/web-vie
 import { syncMethods, asyncMethods, properties } from '@electron/internal/common/web-view-methods';
 import type { WebViewAttribute, PartitionAttribute } from '@electron/internal/renderer/web-view/web-view-attributes';
 import { setupWebViewAttributes } from '@electron/internal/renderer/web-view/web-view-attributes';
-import { deserialize } from '@electron/internal/common/type-utils';
 
 // ID generator.
 let nextId = 0;
@@ -16,7 +15,6 @@ export interface WebViewImplHooks {
   readonly guestViewInternal: typeof guestViewInternalModule;
   readonly allowGuestViewElementDefinition: NodeJS.InternalWebFrame['allowGuestViewElementDefinition'];
   readonly setIsWebView: (iframe: HTMLIFrameElement) => void;
-  readonly createNativeImage?: typeof Electron.nativeImage['createEmpty'];
 }
 
 // Represents the internal state of the WebView node.
@@ -235,10 +233,6 @@ export const setupMethods = (WebViewElement: typeof ElectronInternal.WebViewElem
     };
   }
 
-  WebViewElement.prototype.capturePage = async function (...args) {
-    return deserialize(await hooks.guestViewInternal.capturePage(this.getWebContentsId(), args), hooks.createNativeImage);
-  };
-
   const createPropertyGetter = function (property: string) {
     return function (this: ElectronInternal.WebViewElement) {
       return hooks.guestViewInternal.propertyGet(this.getWebContentsId(), property);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron",
-  "version": "16.0.0-nightly.20210907",
+  "version": "17.0.0-nightly.20210928",
   "repository": "https://github.com/electron/electron",
   "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS",
   "devDependencies": {
@@ -30,7 +30,7 @@
     "@types/webpack-env": "^1.15.2",
     "@typescript-eslint/eslint-plugin": "^4.4.1",
     "@typescript-eslint/parser": "^4.4.1",
-    "asar": "^3.0.3",
+    "asar": "^3.1.0",
     "aws-sdk": "^2.727.1",
     "check-for-leaks": "^1.2.1",
     "colors": "^1.4.0",

patches/boringssl/.patches

@@ -2,3 +2,4 @@ expose_ripemd160.patch
 expose_aes-cfb.patch
 expose_des-ede3.patch
 fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch
+add_maskhash_to_rsa_pss_params_st_for_compat.patch

patches/boringssl/add_maskhash_to_rsa_pss_params_st_for_compat.patch

@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Wed, 8 Sep 2021 10:59:51 +0200
+Subject: Add maskHash to rsa_pss_params_st for compat
+
+This CL adds a maskHash member to the rsa_pss_params_st struct for
+increased compatibility with OpenSSL.
+
+Node.js recently began to make use of this member in
+https://github.com/nodejs/node/pull/39851
+and without this member Electron sees compilation errors.
+
+Upstreamed at https://boringssl-review.googlesource.com/c/boringssl/+/49365
+
+diff --git a/include/openssl/x509.h b/include/openssl/x509.h
+index fa333ca057dd8e90a3e38c51db6269815de7b85f..0f4a6d79514739fb4c719f9e5b41db364e775417 100644
+--- a/include/openssl/x509.h
++++ b/include/openssl/x509.h
+@@ -1949,6 +1949,7 @@ typedef struct rsa_pss_params_st {
+   X509_ALGOR *maskGenAlgorithm;
+   ASN1_INTEGER *saltLength;
+   ASN1_INTEGER *trailerField;
++  X509_ALGOR *maskHash;
+ } RSA_PSS_PARAMS;
+ 
+ DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)

patches/chromium/.patches

@@ -100,7 +100,6 @@ build_do_not_depend_on_packed_resource_integrity.patch
 refactor_restore_base_adaptcallbackforrepeating.patch
 hack_to_allow_gclient_sync_with_host_os_mac_on_linux_in_ci.patch
 don_t_run_pcscan_notifythreadcreated_if_pcscan_is_disabled.patch
-add_gin_wrappable_crash_key.patch
 logging_win32_only_create_a_console_if_logging_to_stderr.patch
 fix_media_key_usage_with_globalshortcuts.patch
 feat_expose_raw_response_headers_from_urlloader.patch

patches/chromium/add_gin_wrappable_crash_key.patch

@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: VerteDinde <khammond@slack-corp.com>
-Date: Thu, 15 Jul 2021 12:16:50 -0700
-Subject: chore: add gin::wrappable wrapperinfo crash key
-
-This patch adds an additional crash key for gin::Wrappable, to help
-debug a crash that is occurring during garbage collection in SecondWeakCallback.
-
-The crash seems to be due to a class that is holding a reference to
-gin::Wrappable even after being deleted. This added crash key compares
-the soon-to-be-deleted WrapperInfo with known WrapperInfo components to
-help determine where the crash originated from.
-
-This patch should not be upstreamed, and can be removed in Electron 15 and
-beyond once we identify the cause of the crash.
-
-diff --git a/gin/BUILD.gn b/gin/BUILD.gn
-index c6059fdb0e0f74ee3ef78c5517634ed5a36f1b10..e16b2ec43b98c3b8724fd85085a33fe52a1e1979 100644
---- a/gin/BUILD.gn
-+++ b/gin/BUILD.gn
-@@ -88,6 +88,10 @@ component("gin") {
-     frameworks = [ "CoreFoundation.framework" ]
-   }
- 
-+  if (!is_mas_build) {
-+    public_deps += [ "//components/crash/core/common:crash_key" ]
-+  }
-+
-   configs += [
-     "//tools/v8_context_snapshot:use_v8_context_snapshot",
-     "//v8:external_startup_data",
-diff --git a/gin/wrappable.cc b/gin/wrappable.cc
-index fe07eb94a8e679859bba6d76ff0d6ee86bd0c67e..ecb0aa2c4ec57e1814f4c94194e775440f4e35ee 100644
---- a/gin/wrappable.cc
-+++ b/gin/wrappable.cc
-@@ -8,6 +8,11 @@
- #include "gin/object_template_builder.h"
- #include "gin/per_isolate_data.h"
- 
-+#if !defined(MAS_BUILD)
-+#include "components/crash/core/common/crash_key.h"
-+#include "electron/shell/common/crash_keys.h"
-+#endif
-+
- namespace gin {
- 
- WrappableBase::WrappableBase() = default;
-@@ -36,6 +41,15 @@ void WrappableBase::FirstWeakCallback(
- void WrappableBase::SecondWeakCallback(
-     const v8::WeakCallbackInfo<WrappableBase>& data) {
-   WrappableBase* wrappable = data.GetParameter();
-+
-+#if !defined(MAS_BUILD)
-+  WrapperInfo* wrapperInfo = static_cast<WrapperInfo*>(data.GetInternalField(0));
-+  std::string location = electron::crash_keys::GetCrashValueForGinWrappable(wrapperInfo);
-+
-+  static crash_reporter::CrashKeyString<32> crash_key("gin-wrappable-fatal.location");
-+  crash_reporter::ScopedCrashKeyString auto_clear(&crash_key, location);
-+#endif
-+
-   delete wrappable;
- }
- 

patches/node/.patches

@@ -21,9 +21,7 @@ fix_allow_preventing_initializeinspector_in_env.patch
 src_allow_embedders_to_provide_a_custom_pageallocator_to.patch
 fix_crypto_tests_to_run_with_bssl.patch
 fix_account_for_debugger_agent_race_condition.patch
-fix_use_new_v8_error_message_property_access_format.patch
 add_should_read_node_options_from_env_option_to_disable_node_options.patch
 repl_fix_crash_when_sharedarraybuffer_disabled.patch
 fix_readbarrier_undefined_symbol_error_on_woa_arm64.patch
-src_remove_extra_semicolons_outside_fns.patch
-fix_-wunreachable-code-return.patch
+fix_crash_creating_private_key_with_unsupported_algorithm.patch

patches/node/add_should_read_node_options_from_env_option_to_disable_node_options.patch

@@ -21,10 +21,10 @@ index 1cc7da1ce15f43905ce607adcc1a23ed9d92948a..16af6aec3791df1363682f1ed024c522
                           Isolate* isolate,
                           const std::vector<std::string>& args,
 diff --git a/src/env.h b/src/env.h
-index 33f34ed79452b004b5fb40e70cda6e3d0ee2d1e2..e729ff349931b512052ad3557c62af6808b36c38 100644
+index d31512ae37fba212a20cf306be46f7dfadeabd6a..8286ea06cc5c4e836921b06b37cf19d4508f4832 100644
 --- a/src/env.h
 +++ b/src/env.h
-@@ -1142,6 +1142,8 @@ class Environment : public MemoryRetainer {
+@@ -1145,6 +1145,8 @@ class Environment : public MemoryRetainer {
    inline double trigger_async_id();
    inline double get_default_trigger_async_id();
  
@@ -34,7 +34,7 @@ index 33f34ed79452b004b5fb40e70cda6e3d0ee2d1e2..e729ff349931b512052ad3557c62af68
    inline std::vector<double>* destroy_async_id_list();
  
 diff --git a/src/node.cc b/src/node.cc
-index 6302bb925339d709a54151a8fc8b58f1a2253881..48a9eedfaf6350fc05fb104a1f44e85b75878f9a 100644
+index 788e61645a281197cb3a1f3acbae427ddae1ab23..5afd3541d52d275d55067ddb1c11a585214eff41 100644
 --- a/src/node.cc
 +++ b/src/node.cc
 @@ -882,7 +882,7 @@ int InitializeNodeWithArgs(std::vector<std::string>* argv,
@@ -47,10 +47,10 @@ index 6302bb925339d709a54151a8fc8b58f1a2253881..48a9eedfaf6350fc05fb104a1f44e85b
          ParseNodeOptionsEnvVar(node_options, errors);
  
 diff --git a/src/node_worker.cc b/src/node_worker.cc
-index 3e3cb67d9e8c8b1ea867ff31d96a81709b47cc8d..679282e688258314fcd594bab7fd711cac2c9e48 100644
+index 16b7be36f284311f38583fa1df28a2945560b524..62a7dae080fad7e18863968dee22dbe4b461ab82 100644
 --- a/src/node_worker.cc
 +++ b/src/node_worker.cc
-@@ -457,6 +457,7 @@ void Worker::New(const FunctionCallbackInfo<Value>& args) {
+@@ -467,6 +467,7 @@ void Worker::New(const FunctionCallbackInfo<Value>& args) {
      });
  
  #ifndef NODE_WITHOUT_NODE_OPTIONS
@@ -58,7 +58,7 @@ index 3e3cb67d9e8c8b1ea867ff31d96a81709b47cc8d..679282e688258314fcd594bab7fd711c
      MaybeLocal<String> maybe_node_opts =
          env_vars->Get(isolate, OneByteString(isolate, "NODE_OPTIONS"));
      Local<String> node_opts;
-@@ -487,6 +488,7 @@ void Worker::New(const FunctionCallbackInfo<Value>& args) {
+@@ -497,6 +498,7 @@ void Worker::New(const FunctionCallbackInfo<Value>& args) {
          return;
        }
      }

patches/node/build_add_gn_build_files.patch

@@ -968,10 +968,10 @@ index 0000000000000000000000000000000000000000..2c9d2826c85bdd033f1df1d6188df636
 +}
 diff --git a/filenames.json b/filenames.json
 new file mode 100644
-index 0000000000000000000000000000000000000000..42ae2a31b79f0b5d04d9794416364d14bffdce84
+index 0000000000000000000000000000000000000000..c0b0624028fddb4f7b409f42b357fdc404d810f3
 --- /dev/null
 +++ b/filenames.json
-@@ -0,0 +1,602 @@
+@@ -0,0 +1,603 @@
 +// This file is automatically generated by generate_gn_filenames_json.py
 +// DO NOT EDIT
 +{
@@ -1250,6 +1250,7 @@ index 0000000000000000000000000000000000000000..42ae2a31b79f0b5d04d9794416364d14
 +    "lib/internal/util/inspect.js",
 +    "lib/internal/util/iterable_weak_map.js",
 +    "lib/internal/streams/add-abort-signal.js",
++    "lib/internal/streams/compose.js",
 +    "lib/internal/streams/duplexify.js",
 +    "lib/internal/streams/destroy.js",
 +    "lib/internal/streams/legacy.js",
@@ -1780,7 +1781,7 @@ index 0000000000000000000000000000000000000000..d1d6b51e8c0c5bc6a5d09e217eb30483
 +  args = rebase_path(inputs + outputs, root_build_dir)
 +}
 diff --git a/src/node_version.h b/src/node_version.h
-index fc09960e70b4999635889615f584588ed1ca76d5..9b4de7c6015a700206c331c0c083e4aec200c939 100644
+index a572d9b95853730a29a67349b46d47d6180586f3..888a95f93411a9168b75751e0af12c74fc5f0ba9 100644
 --- a/src/node_version.h
 +++ b/src/node_version.h
 @@ -89,7 +89,10 @@
@@ -1924,10 +1925,10 @@ index 0000000000000000000000000000000000000000..3088ae4bdf814ae255c9805ebd393b2e
 +
 +  out_file.writelines(new_contents)
 diff --git a/tools/install.py b/tools/install.py
-index 24cf51e73199e60b4c24700e1074fe9bd0a399e6..195f231c76b87dd9d06824df80a3f06ee07d8dc8 100755
+index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..1256a61024e27506ae14405abc37d0a11f83fc64 100755
 --- a/tools/install.py
 +++ b/tools/install.py
-@@ -159,17 +159,71 @@ def files(action):
+@@ -170,17 +170,71 @@ def files(action):
  def headers(action):
    def wanted_v8_headers(files_arg, dest):
      v8_headers = [
@@ -2009,7 +2010,7 @@ index 24cf51e73199e60b4c24700e1074fe9bd0a399e6..195f231c76b87dd9d06824df80a3f06e
      files_arg = [name for name in files_arg if name in v8_headers]
      action(files_arg, dest)
  
-@@ -190,7 +244,7 @@ def headers(action):
+@@ -201,7 +255,7 @@ def headers(action):
    if sys.platform.startswith('aix'):
      action(['out/Release/node.exp'], 'include/node/')
  

patches/node/chore_add_context_to_context_aware_module_prevention.patch

@@ -8,7 +8,7 @@ modules from being used in the renderer process. This should be upstreamed as
 a customizable error message.
 
 diff --git a/src/node_binding.cc b/src/node_binding.cc
-index 8b8389ae53608afedc9cc0ad2a6c8461b7aa893e..e79ddab7d73c6297ef1dc74b2a0ce469bf49e37c 100644
+index e323f76261f2028ef58da74066f9112d8a5a8df2..02d8566caffb86d05645fb602ca7b5c6b8c71aa9 100644
 --- a/src/node_binding.cc
 +++ b/src/node_binding.cc
 @@ -4,6 +4,7 @@
@@ -19,7 +19,7 @@ index 8b8389ae53608afedc9cc0ad2a6c8461b7aa893e..e79ddab7d73c6297ef1dc74b2a0ce469
  #include "util.h"
  
  #include <string>
-@@ -466,7 +467,12 @@ void DLOpen(const FunctionCallbackInfo<Value>& args) {
+@@ -472,7 +473,12 @@ void DLOpen(const FunctionCallbackInfo<Value>& args) {
        if (mp->nm_context_register_func == nullptr) {
          if (env->force_context_aware()) {
            dlib->Close();

patches/node/chore_allow_the_node_entrypoint_to_be_a_builtin_module.patch

@@ -8,10 +8,10 @@ they use themselves as the entry point. We should try to upstream some form
 of this.
 
 diff --git a/lib/internal/bootstrap/pre_execution.js b/lib/internal/bootstrap/pre_execution.js
-index 076eb528af016b9143985685bc6d1e7c14fa80e6..40370102a2f0b6e692761626653c232a77810fbc 100644
+index 9d2799c3c9ac3b216c2289ae4e037dd228844d23..5b31df1207d4417a6f9b784574e3779650ba21d2 100644
 --- a/lib/internal/bootstrap/pre_execution.js
 +++ b/lib/internal/bootstrap/pre_execution.js
-@@ -104,10 +104,12 @@ function patchProcessObject(expandArgv1) {
+@@ -105,10 +105,12 @@ function patchProcessObject(expandArgv1) {
    if (expandArgv1 && process.argv[1] &&
        !StringPrototypeStartsWith(process.argv[1], '-')) {
      // Expand process.argv[1] into a full path.

patches/node/enable_31_bit_smis_on_64bit_arch_and_ptr_compression.patch

@@ -8,7 +8,7 @@ node modules will have different (wrong) ideas about how v8 structs are laid
 out in memory on 64-bit machines, and will summarily fail to work.
 
 diff --git a/common.gypi b/common.gypi
-index f1f921f92ed4d504f2cf41bded1821def565c9a3..9525a6639f084136ed25c9b1790a00a461f24b11 100644
+index c222ed20be858544d454c59192889132eaa9e1ee..4f352dea639cc9ab8913b915d35df4edf4fb6a06 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -64,7 +64,7 @@

patches/node/expose_get_builtin_module_function.patch

@@ -9,10 +9,10 @@ modules to sandboxed renderers.
 TODO(codebytere): remove and replace with a public facing API.
 
 diff --git a/src/node_binding.cc b/src/node_binding.cc
-index 3c9776e655d0e458cdd3ab7c3adafff7de339cc5..8b8389ae53608afedc9cc0ad2a6c8461b7aa893e 100644
+index 050c5dff0ad5fc0692e348741b820762d40bd498..e323f76261f2028ef58da74066f9112d8a5a8df2 100644
 --- a/src/node_binding.cc
 +++ b/src/node_binding.cc
-@@ -608,6 +608,10 @@ void GetInternalBinding(const FunctionCallbackInfo<Value>& args) {
+@@ -614,6 +614,10 @@ void GetInternalBinding(const FunctionCallbackInfo<Value>& args) {
    args.GetReturnValue().Set(exports);
  }
  

patches/node/feat_add_flags_for_low-level_hooks_and_exceptions.patch

@@ -24,7 +24,7 @@ Environment on the V8 context of blink, so no new V8 context is created.
 As a result, a renderer process may have multiple Node Environments in it.
 
 diff --git a/src/node.cc b/src/node.cc
-index 3ee25ebbd67a01d607456e5158c98ca2fdea396b..6302bb925339d709a54151a8fc8b58f1a2253881 100644
+index acf4f0fac03c0ba655d55bc832a37a816ac26a33..788e61645a281197cb3a1f3acbae427ddae1ab23 100644
 --- a/src/node.cc
 +++ b/src/node.cc
 @@ -139,6 +139,8 @@ using v8::Undefined;
@@ -67,7 +67,7 @@ index 3ee25ebbd67a01d607456e5158c98ca2fdea396b..6302bb925339d709a54151a8fc8b58f1
    std::string tz;
    if (credentials::SafeGetenv("TZ", &tz) && !tz.empty()) {
 diff --git a/src/node.h b/src/node.h
-index 049163bf27cc7c1d6433b65becab0d7761491f09..09cb7a317cc46e88e5d214996dc87dc6e8730b1a 100644
+index 1f9afa558d0c8b7950a0f5862017e09a08118ec1..45de72bd94cf669ac2badf89d23164cb7022a5b3 100644
 --- a/src/node.h
 +++ b/src/node.h
 @@ -213,6 +213,8 @@ namespace node {

patches/node/feat_initialize_asar_support.patch

@@ -6,10 +6,10 @@ Subject: feat: initialize asar support
 This patch initializes asar support in Node.js.
 
 diff --git a/lib/internal/bootstrap/pre_execution.js b/lib/internal/bootstrap/pre_execution.js
-index 0906b35edc5ff38fb7730eba9cebcc0e472fe56c..076eb528af016b9143985685bc6d1e7c14fa80e6 100644
+index a4c73cba5481b3005474742483a554c93358c4e1..9d2799c3c9ac3b216c2289ae4e037dd228844d23 100644
 --- a/lib/internal/bootstrap/pre_execution.js
 +++ b/lib/internal/bootstrap/pre_execution.js
-@@ -76,6 +76,7 @@ function prepareMainThreadExecution(expandArgv1 = false) {
+@@ -77,6 +77,7 @@ function prepareMainThreadExecution(expandArgv1 = false) {
    assert(!CJSLoader.hasLoadedAnyUserCJSModule);
    loadPreloadModules();
    initializeFrozenIntrinsics();
@@ -17,7 +17,7 @@ index 0906b35edc5ff38fb7730eba9cebcc0e472fe56c..076eb528af016b9143985685bc6d1e7c
  }
  
  function patchProcessObject(expandArgv1) {
-@@ -482,6 +483,10 @@ function loadPreloadModules() {
+@@ -485,6 +486,10 @@ function loadPreloadModules() {
    }
  }
  

patches/node/fix_-wunreachable-code-return.patch

@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: deepak1556 <hop2deep@gmail.com>
-Date: Fri, 20 Aug 2021 22:41:11 -0700
-Subject: fix: -Wunreachable-code-return
-
-Should be upstreamed.
-
-diff --git a/src/inspector_agent.cc b/src/inspector_agent.cc
-index 612ce2b78b41badccbbce0616dffd86de042738f..c4a3322c6d972fc2052af75b79389c522924d9c5 100644
---- a/src/inspector_agent.cc
-+++ b/src/inspector_agent.cc
-@@ -87,7 +87,6 @@ inline void* StartIoThreadMain(void* unused) {
-     if (agent != nullptr)
-       agent->RequestIoThreadStart();
-   }
--  return nullptr;
- }
- 
- static int StartDebugSignalHandler() {
-diff --git a/src/node_url.cc b/src/node_url.cc
-index d7549e3bc05562d67bdef5aebf1fefa550b72eb6..d78cb7a3e1ceb075bd532e823a915b18f5a52afd 100644
---- a/src/node_url.cc
-+++ b/src/node_url.cc
-@@ -600,7 +600,6 @@ std::string URLHost::ToString() const {
-     case HostType::H_DOMAIN:
-     case HostType::H_OPAQUE:
-       return value_.domain_or_opaque;
--      break;
-     case HostType::H_IPV4: {
-       dest.reserve(15);
-       uint32_t value = value_.ipv4;

patches/node/fix_add_default_values_for_variables_in_common_gypi.patch

@@ -7,7 +7,7 @@ common.gypi is a file that's included in the node header bundle, despite
 the fact that we do not build node with gyp.
 
 diff --git a/common.gypi b/common.gypi
-index 8db2c0dec6ecfef968a945b570fdbd77ee62bdb8..f1f921f92ed4d504f2cf41bded1821def565c9a3 100644
+index 7bc2b3abf470193640b40824ffb17891088cabfb..c222ed20be858544d454c59192889132eaa9e1ee 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -81,6 +81,23 @@

patches/node/fix_add_v8_enable_reverse_jsargs_defines_in_common_gypi.patch

@@ -6,7 +6,7 @@ Subject: fix: add v8_enable_reverse_jsargs defines in common.gypi
 This can be removed once node upgrades V8 and inevitably has to do this exact same thing.  Also hi node people if you are looking at this.
 
 diff --git a/common.gypi b/common.gypi
-index 9525a6639f084136ed25c9b1790a00a461f24b11..7c3fb852e1eb0e4382b25e6406c7d6514cf4fd21 100644
+index 4f352dea639cc9ab8913b915d35df4edf4fb6a06..63c7d2b1da5f1c83f02f856e0d14198bfed6787e 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -65,6 +65,7 @@
@@ -25,7 +25,7 @@ index 9525a6639f084136ed25c9b1790a00a461f24b11..7c3fb852e1eb0e4382b25e6406c7d651
      ##### end V8 defaults #####
  
      # When building native modules using 'npm install' with the system npm,
-@@ -384,6 +386,9 @@
+@@ -385,6 +387,9 @@
        ['v8_enable_pointer_compression == 1 or v8_enable_31bit_smis_on_64bit_arch == 1', {
          'defines': ['V8_31BIT_SMIS_ON_64BIT_ARCH'],
        }],

patches/node/fix_allow_preventing_initializeinspector_in_env.patch

@@ -36,11 +36,11 @@ index 523d252e08974a10f9a53fb46d3345669cec3380..5bf19a0dda42849159d954181058897c
  #endif
  
 diff --git a/src/env-inl.h b/src/env-inl.h
-index 061897d95d8b5f61968c59260e609d7be724b88f..7c7ee3207089bf3e51db646a367bdd6deba18628 100644
+index 2b000ed9ace5f73bfe0e8cab3e83ce94804f9c55..a1690712c457534d70db777cb722537913f86a0e 100644
 --- a/src/env-inl.h
 +++ b/src/env-inl.h
-@@ -881,6 +881,10 @@ inline bool Environment::hide_console_windows() const {
-   return flags_ & EnvironmentFlags::kHideConsoleWindows;
+@@ -891,6 +891,10 @@ inline bool Environment::no_global_search_paths() const {
+          !options_->global_search_paths;
  }
  
 +inline bool Environment::should_initialize_inspector() const {
@@ -51,31 +51,31 @@ index 061897d95d8b5f61968c59260e609d7be724b88f..7c7ee3207089bf3e51db646a367bdd6d
    return emit_filehandle_warning_;
  }
 diff --git a/src/env.h b/src/env.h
-index 8760bc4361f199a2e3471c4ca435f8e178c78e7e..33f34ed79452b004b5fb40e70cda6e3d0ee2d1e2 100644
+index f055e6b45013d9f8c039c662981bfd54f08266f6..d31512ae37fba212a20cf306be46f7dfadeabd6a 100644
 --- a/src/env.h
 +++ b/src/env.h
-@@ -1199,6 +1199,7 @@ class Environment : public MemoryRetainer {
-   inline bool owns_inspector() const;
+@@ -1204,6 +1204,7 @@ class Environment : public MemoryRetainer {
    inline bool tracks_unmanaged_fds() const;
    inline bool hide_console_windows() const;
+   inline bool no_global_search_paths() const;
 +  inline bool should_initialize_inspector() const;
    inline uint64_t thread_id() const;
    inline worker::Worker* worker_context() const;
    Environment* worker_parent_env() const;
 diff --git a/src/node.h b/src/node.h
-index b7f3e97873ef90b635e0648639f1a287a0bd88fa..48e378079f6d05e7cc1141a8875450b125028789 100644
+index 364f789fbcbec8e3234961294698d8e69b04a310..85b5ac6a5a5cb5e4388a92a1d07c9afe17140a8c 100644
 --- a/src/node.h
 +++ b/src/node.h
-@@ -409,7 +409,11 @@ enum Flags : uint64_t {
-   // Set this flag to force hiding console windows when spawning child
-   // processes. This is usually used when embedding Node.js in GUI programs on
-   // Windows.
--  kHideConsoleWindows = 1 << 5
-+  kHideConsoleWindows = 1 << 5,
+@@ -420,7 +420,11 @@ enum Flags : uint64_t {
+   // $HOME/.node_modules and $NODE_PATH. This is used by standalone apps that
+   // do not expect to have their behaviors changed because of globally
+   // installed modules.
+-  kNoGlobalSearchPaths = 1 << 7
++  kNoGlobalSearchPaths = 1 << 7,
 +  // Controls whether or not the Environment should call InitializeInspector.
 +  // This control is needed by embedders who may not want to initialize the V8
 +  // inspector in situations where it already exists.
-+  kNoInitializeInspector = 1 << 6
++  kNoInitializeInspector = 1 << 8
  };
  }  // namespace EnvironmentFlags
  

patches/node/fix_crash_creating_private_key_with_unsupported_algorithm.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Thu, 23 Sep 2021 12:29:23 +0200
+Subject: fix: crash creating private key with unsupported algorithm
+
+This patch fixes an issue where some calls to crypto.createPrivateKey
+made with algorithms unsupported by BoringSSL cause a crash when invoking
+methods on their return values. This was happening because BoringSSL
+shims some algorithms but doesn't implement them and so attempted to
+created keys with them will fail (see https://source.chromium.org/chromium/chromium/src/+/main:third_party/boringssl/src/include/openssl/evp.h;l=835-837?q=ed448&ss=chromium)
+
+Node.js returned false in initEdRaw (see: https://github.com/nodejs/node/blob/20cf47004e7801ede1588d2de8785c0100f6ab38/src/crypto/crypto_keys.cc#L1106)
+but then did nothing with the return value, meaning that if no pkey was
+created successfully that a key object was still returned but attempts
+to use the data_ field would crash the process as data_ was never
+assigned. This is fixed by checking the return value of initEdRaw at the
+JavaScript level and throwing an error if the function returns false.
+
+This patch will be upstreamed in some form.
+
+diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
+index ce053fbb4b800a67adcd5642a6ef09f8f2a21ce6..1b0e4b8791cf422bba331b242cd7df29b18c9da8 100644
+--- a/lib/internal/crypto/keys.js
++++ b/lib/internal/crypto/keys.js
+@@ -436,15 +436,19 @@ function getKeyObjectHandleFromJwk(key, ctx) {
+ 
+     const handle = new KeyObjectHandle();
+     if (isPublic) {
+-      handle.initEDRaw(
++      if (!handle.initEDRaw(
+         `NODE-${key.crv.toUpperCase()}`,
+         keyData,
+-        kKeyTypePublic);
++        kKeyTypePublic)) {
++        throw new Error('Failed to create key - unsupported algorithm');
++      }
+     } else {
+-      handle.initEDRaw(
++      if (!handle.initEDRaw(
+         `NODE-${key.crv.toUpperCase()}`,
+         keyData,
+-        kKeyTypePrivate);
++        kKeyTypePrivate)) {
++        throw new Error('Failed to create key - unsupported algorithm');
++      }
+     }
+ 
+     return handle;

patches/node/fix_crypto_tests_to_run_with_bssl.patch

@@ -10,6 +10,26 @@ This should be upstreamed in some form, though it may need to be tweaked
 before it's acceptable to upstream, as this patch comments out a couple
 of tests that upstream probably cares about.
 
+diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js
+index 4e3c32fdcd23fbe3e74bd5e624b739d224689f33..19d65aae7fa8ec9f9b907733ead17a208ed47909 100644
+--- a/test/parallel/test-crypto-async-sign-verify.js
++++ b/test/parallel/test-crypto-async-sign-verify.js
+@@ -88,6 +88,7 @@ test('rsa_public.pem', 'rsa_private.pem', 'sha256', false,
+ // ED25519
+ test('ed25519_public.pem', 'ed25519_private.pem', undefined, true);
+ // ED448
++/*
+ test('ed448_public.pem', 'ed448_private.pem', undefined, true);
+ 
+ // ECDSA w/ der signature encoding
+@@ -109,6 +110,7 @@ test('dsa_public.pem', 'dsa_private.pem', 'sha256',
+ // DSA w/ ieee-p1363 signature encoding
+ test('dsa_public.pem', 'dsa_private.pem', 'sha256', false,
+      { dsaEncoding: 'ieee-p1363' });
++*/
+ 
+ // Test Parallel Execution w/ KeyObject is threadsafe in openssl3
+ {
 diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
 index 21c5af6cfe3e5eef64fc2d4dcc63c55b1d79ad51..b21eb4b97ad778304b3a4e8d549e109614350dfb 100644
 --- a/test/parallel/test-crypto-authenticated.js
@@ -488,287 +508,6 @@ index af2146982c7a3bf7bd7527f44e4b17a3b605026e..f6b91f675cfea367c608892dee078b56
  
    // Non-XOF hash functions should accept valid outputLength options as well.
    assert.strictEqual(crypto.createHash('sha224', { outputLength: 28 })
-diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js
-index aa03a0379a291a4632b68d428d4e1875d60166a3..a6862ace1fa73473b406fe4513b9e7a99296d365 100644
---- a/test/parallel/test-crypto-key-objects.js
-+++ b/test/parallel/test-crypto-key-objects.js
-@@ -307,11 +307,11 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-   }, common.hasOpenSSL3 ? {
-     message: 'error:1E08010C:DECODER routines::unsupported',
-   } : {
--    message: 'error:0909006C:PEM routines:get_name:no start line',
--    code: 'ERR_OSSL_PEM_NO_START_LINE',
--    reason: 'no start line',
--    library: 'PEM routines',
--    function: 'get_name',
-+    message: /error:2007E073:BIO routines:BIO_new_mem_buf:null parameter|error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE/,
-+    code: /ERR_OSSL_BIO_NULL_PARAMETER|ERR_OSSL_PEM_NO_START_LINE/,
-+    reason: /null parameter|NO_START_LINE/,
-+    library: /BIO routines|PEM routines/,
-+    function: /BIO_new_mem_buf|OPENSSL_internal/,
-   });
- 
-   // This should not abort either: https://github.com/nodejs/node/issues/29904
-@@ -334,8 +334,8 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     message: /error:1E08010C:DECODER routines::unsupported/,
-     library: 'DECODER routines'
-   } : {
--    message: /asn1 encoding/,
--    library: 'asn1 encoding routines'
-+    message: /asn1 encoding|DECODE_ERROR/,
-+    library: /asn1 encoding routines|public key routines/
-   });
- }
- 
-@@ -349,6 +349,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-       d: 'wVK6M3SMhQh3NK-7GRrSV-BVWQx1FO5pW8hhQeu_NdA',
-       kty: 'OKP'
-     } },
-+/*
-   { private: fixtures.readKey('ed448_private.pem', 'ascii'),
-     public: fixtures.readKey('ed448_public.pem', 'ascii'),
-     keyType: 'ed448',
-@@ -380,6 +381,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-          'S0jlSYJk',
-       kty: 'OKP'
-     } },
-+*/
- ].forEach((info) => {
-   const keyType = info.keyType;
- 
-@@ -421,7 +423,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     }
-   }
- });
--
-+/*
- [
-   { private: fixtures.readKey('ec_p256_private.pem', 'ascii'),
-     public: fixtures.readKey('ec_p256_public.pem', 'ascii'),
-@@ -514,7 +516,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     }
-   }
- });
--
-+*/
- {
-   // Reading an encrypted key without a passphrase should fail.
-   assert.throws(() => createPrivateKey(privateDsa), common.hasOpenSSL3 ? {
-@@ -546,7 +548,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-   }), {
-     message: common.hasOpenSSL3 ?
-       'error:1E08010C:DECODER routines::unsupported' :
--      /bad decrypt/
-+      /bad decrypt|error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT/
-   });
- 
-   const publicKey = createPublicKey(publicDsa);
-@@ -569,7 +571,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     () => privateKey.export({ format: 'jwk' }),
-     { code: 'ERR_CRYPTO_JWK_UNSUPPORTED_KEY_TYPE' });
- }
--
-+/*
- {
-   // Test RSA-PSS.
-   {
-@@ -715,7 +717,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     }
-   }
- }
--
-+*/
- {
-   // Exporting an encrypted private key requires a cipher
-   const privateKey = createPrivateKey(privatePem);
-diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
-index ed5986e6bfd4211a1cc22fa94aaf68fc1013133f..08986a6793a39b275277c8bf188316f669a53c63 100644
---- a/test/parallel/test-crypto-keygen.js
-+++ b/test/parallel/test-crypto-keygen.js
-@@ -297,6 +297,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-   }));
- }
- 
-+/*
- {
-   // Test RSA-PSS.
-   generateKeyPair('rsa-pss', {
-@@ -339,7 +340,9 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     testSignVerify(publicKey, privateKey);
-   }));
- }
-+*/
- 
-+/*
- {
-   const privateKeyEncoding = {
-     type: 'pkcs8',
-@@ -409,6 +412,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     });
-   }));
- }
-+*/
- 
- {
-   // Test async elliptic curve key generation, e.g. for ECDSA, with a SEC1
-@@ -433,6 +437,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     testSignVerify(publicKey, privateKey);
-   }));
- 
-+  /*
-   // Test async elliptic curve key generation, e.g. for ECDSA, with a SEC1
-   // private key with paramEncoding explicit.
-   generateKeyPair('ec', {
-@@ -454,6 +459,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
- 
-     testSignVerify(publicKey, privateKey);
-   }));
-+  */
- 
-   // Do the same with an encrypted private key.
-   generateKeyPair('ec', {
-@@ -489,6 +495,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     testSignVerify(publicKey, { key: privateKey, passphrase: 'secret' });
-   }));
- 
-+  /*
-   // Do the same with an encrypted private key with paramEncoding explicit.
-   generateKeyPair('ec', {
-     namedCurve: 'prime256v1',
-@@ -522,6 +529,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
- 
-     testSignVerify(publicKey, { key: privateKey, passphrase: 'secret' });
-   }));
-+  */
- }
- 
- {
-@@ -562,6 +570,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     });
-   }));
- 
-+  /*
-   // Test async elliptic curve key generation, e.g. for ECDSA, with an encrypted
-   // private key with paramEncoding explicit.
-   generateKeyPair('ec', {
-@@ -686,6 +695,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-       }
-     }
-   });
-+  */
- }
- 
- // Test invalid parameter encoding.
-@@ -709,6 +719,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     message: "The property 'options.paramEncoding' is invalid. " +
-       "Received 'otherEncoding'"
-   });
-+  /*
-   assert.throws(() => generateKeyPairSync('dsa', {
-     modulusLength: 4096,
-     publicKeyEncoding: {
-@@ -722,6 +733,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     code: 'ERR_CRYPTO_JWK_UNSUPPORTED_KEY_TYPE',
-     message: 'Unsupported JWK Key Type.'
-   });
-+  */
-   assert.throws(() => generateKeyPairSync('ec', {
-     namedCurve: 'secp224r1',
-     publicKeyEncoding: {
-@@ -1060,6 +1072,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-   }
- }
- 
-+  /*
- // Test DSA parameters.
- {
-   // Test invalid modulus lengths.
-@@ -1087,6 +1100,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     });
-   }
- }
-+*/
- 
- // Test EC parameters.
- {
-@@ -1131,13 +1145,13 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-   }));
- 
-   generateKeyPair('ec', {
--    namedCurve: 'secp256k1',
-+    namedCurve: 'secp521r1',
-   }, common.mustSucceed((publicKey, privateKey) => {
-     assert.deepStrictEqual(publicKey.asymmetricKeyDetails, {
--      namedCurve: 'secp256k1'
-+      namedCurve: 'secp521r1'
-     });
-     assert.deepStrictEqual(privateKey.asymmetricKeyDetails, {
--      namedCurve: 'secp256k1'
-+      namedCurve: 'secp521r1'
-     });
-   }));
- }
-@@ -1145,7 +1159,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
- // Test EdDSA key generation.
- {
-   if (!/^1\.1\.0/.test(process.versions.openssl)) {
--    ['ed25519', 'ed448', 'x25519', 'x448'].forEach((keyType) => {
-+    ['ed25519'/*, 'ed448', 'x25519', 'x448'*/].forEach((keyType) => {
-       generateKeyPair(keyType, common.mustSucceed((publicKey, privateKey) => {
-         assert.strictEqual(publicKey.type, 'public');
-         assert.strictEqual(publicKey.asymmetricKeyType, keyType);
-@@ -1159,6 +1173,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-   }
- }
- 
-+/*
- // Test classic Diffie-Hellman key generation.
- {
-   generateKeyPair('dh', {
-@@ -1271,6 +1286,7 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
-     });
-   }
- }
-+*/
- 
- // Test invalid key encoding types.
- {
-@@ -1471,6 +1487,7 @@ if (!common.hasOpenSSL3) {
-     }, common.mustSucceed((publicKey, privateKey) => {
-       assert.strictEqual(publicKey.type, 'public');
- 
-+      /*
-       for (const passphrase of ['', Buffer.alloc(0)]) {
-         const privateKeyObject = createPrivateKey({
-           passphrase,
-@@ -1478,6 +1495,7 @@ if (!common.hasOpenSSL3) {
-         });
-         assert.strictEqual(privateKeyObject.asymmetricKeyType, 'rsa');
-       }
-+      */
- 
-       // Encrypting with an empty passphrase is not the same as not encrypting
-       // the key, and not specifying a passphrase should fail when decoding it.
-diff --git a/test/parallel/test-crypto-padding-aes256.js b/test/parallel/test-crypto-padding-aes256.js
-index 14d853bdfd0a5dcc5bdb6e00cb20fdbeaabd2aff..3ae6fc47d4c6a8296a2c3c70daf464fad886a88d 100644
---- a/test/parallel/test-crypto-padding-aes256.js
-+++ b/test/parallel/test-crypto-padding-aes256.js
-@@ -32,13 +32,13 @@ const key = Buffer.from('0123456789abcdef0123456789abcdef' +
-                         '0123456789abcdef0123456789abcdef', 'hex');
- 
- function encrypt(val, pad) {
--  const c = crypto.createCipheriv('aes256', key, iv);
-+  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
-   c.setAutoPadding(pad);
-   return c.update(val, 'utf8', 'latin1') + c.final('latin1');
- }
- 
- function decrypt(val, pad) {
--  const c = crypto.createDecipheriv('aes256', key, iv);
-+  const c = crypto.createDecipheriv('aes-256-cbc', key, iv);
-   c.setAutoPadding(pad);
-   return c.update(val, 'latin1', 'utf8') + c.final('utf8');
- }
 diff --git a/test/parallel/test-crypto-padding.js b/test/parallel/test-crypto-padding.js
 index f1f14b472997e76bb4100edb1c6cf4fc24d1074d..5057e3f9bc5bb78aceffa5e79530f8ceed84e6f7 100644
 --- a/test/parallel/test-crypto-padding.js
@@ -851,7 +590,7 @@ index 9afcb38616dafd6da1ab7b5843d68f4f796ca9a6..00d3381056a5a40c549f06d74c130149
  }
 +*/
 diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
-index 444135538ccff8a705806941843717be954ed143..fe07bbbf0b18ae4ff344cb972600d5ee3bd8ede3 100644
+index 6893f0c0e6d49a8e171ec9f156f74656dab9fd06..4c8ccd10e0dcd64669cccca1e8c2e5279d683595 100644
 --- a/test/parallel/test-crypto-sign-verify.js
 +++ b/test/parallel/test-crypto-sign-verify.js
 @@ -29,6 +29,7 @@ const keySize = 2048;
@@ -1220,6 +959,26 @@ index 151eebd36c9765df086a020ba42920b2442b1b77..efe97ff2499cba909ac5500d827364fa
      });
  }
  
+diff --git a/test/parallel/test-webcrypto-export-import-rsa.js b/test/parallel/test-webcrypto-export-import-rsa.js
+index ab7aa77394ac9989514b7a184900092bd6753996..b0104ac45867a923a8c651e01e8c6975a62f7c61 100644
+--- a/test/parallel/test-webcrypto-export-import-rsa.js
++++ b/test/parallel/test-webcrypto-export-import-rsa.js
+@@ -481,6 +481,7 @@ const testVectors = [
+   await Promise.all(variations);
+ })().then(common.mustCall());
+ 
++/*
+ {
+   const publicPem = fixtures.readKey('rsa_pss_public_2048.pem', 'ascii');
+   const privatePem = fixtures.readKey('rsa_pss_private_2048.pem', 'ascii');
+@@ -522,6 +523,7 @@ const testVectors = [
+     assert.strictEqual(jwk.alg, 'PS256');
+   })().then(common.mustCall());
+ }
++*/
+ 
+ {
+   const ecPublic = crypto.createPublicKey(
 diff --git a/test/parallel/test-webcrypto-wrap-unwrap.js b/test/parallel/test-webcrypto-wrap-unwrap.js
 index 1094845c73e14313860ad476fb7baba2a11b5af4..51972b4b34b191ac59145889dbf2da5c0d407dbe 100644
 --- a/test/parallel/test-webcrypto-wrap-unwrap.js

patches/node/fix_expose_tracing_agent_and_use_tracing_tracingcontroller_instead.patch

@@ -22,7 +22,7 @@ index 0fb750c5abbe00740f2095ec397c823e26666199..523d252e08974a10f9a53fb46d334566
      int thread_pool_size,
      node::tracing::TracingController* tracing_controller) {
 diff --git a/src/node.h b/src/node.h
-index 09cb7a317cc46e88e5d214996dc87dc6e8730b1a..b7f3e97873ef90b635e0648639f1a287a0bd88fa 100644
+index 45de72bd94cf669ac2badf89d23164cb7022a5b3..364f789fbcbec8e3234961294698d8e69b04a310 100644
 --- a/src/node.h
 +++ b/src/node.h
 @@ -118,6 +118,7 @@ namespace node {
@@ -33,7 +33,7 @@ index 09cb7a317cc46e88e5d214996dc87dc6e8730b1a..b7f3e97873ef90b635e0648639f1a287
  class TracingController;
  
  }
-@@ -488,6 +489,8 @@ NODE_EXTERN v8::MaybeLocal<v8::Value> PrepareStackTraceCallback(
+@@ -499,6 +500,8 @@ NODE_EXTERN v8::MaybeLocal<v8::Value> PrepareStackTraceCallback(
  NODE_EXTERN MultiIsolatePlatform* GetMultiIsolatePlatform(Environment* env);
  NODE_EXTERN MultiIsolatePlatform* GetMultiIsolatePlatform(IsolateData* env);
  

patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch

@@ -221,21 +221,37 @@ index 7cb4513f9ad0eaadd055b169520ae1e5073b7e2d..50a6663966cdb147a702df21240fa449
    if (!params->prime) {
      THROW_ERR_CRYPTO_OPERATION_FAILED(env, "could not generate prime");
      return Nothing<bool>();
-diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
-index 7b113a8dcb06b0b0e1329ce0daf7305598ea6545..b04e53a7f24885ffb6639430988d0ffb524b028e 100644
---- a/src/crypto/crypto_sig.cc
-+++ b/src/crypto/crypto_sig.cc
-@@ -110,7 +110,7 @@ unsigned int GetBytesOfRS(const ManagedEVPPKey& pkey) {
-   if (base_id == EVP_PKEY_DSA) {
-     const DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
-     // Both r and s are computed mod q, so their width is limited by that of q.
--    bits = BN_num_bits(DSA_get0_q(dsa_key));
-+    bits = BN_num_bits(dsa_key->q);
-   } else if (base_id == EVP_PKEY_EC) {
-     const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
-     const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
+diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
+index d2307c33f5de8733b1343225a3fe6a700d1f51e4..fd31caa1355cd7be98992411b9cda2dbb500f211 100644
+--- a/src/crypto/crypto_rsa.cc
++++ b/src/crypto/crypto_rsa.cc
+@@ -580,7 +580,7 @@ Maybe<bool> GetRsaKeyDetail(
+     // In that case, RSA_get0_pss_params does not return nullptr but all fields
+     // of the returned RSA_PSS_PARAMS will be set to nullptr.
+ 
+-    const RSA_PSS_PARAMS* params = RSA_get0_pss_params(rsa);
++    const RSA_PSS_PARAMS* params = nullptr; // RSA_get0_pss_params(rsa);
+     if (params != nullptr) {
+       int hash_nid = NID_sha1;
+       int mgf_nid = NID_mgf1;
+@@ -621,10 +621,11 @@ Maybe<bool> GetRsaKeyDetail(
+       }
+ 
+       if (params->saltLength != nullptr) {
+-        if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) {
+-          ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error");
+-          return Nothing<bool>();
+-        }
++        // TODO(codebytere): Upstream a shim to BoringSSL?
++        // if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) {
++        //   ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error");
++        //   return Nothing<bool>();
++        // }
+       }
+ 
+       if (target
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
-index f18304cd655842e999a39659315c4eb3ce1c0c6e..1aed0e7e88460cea63950f71dac502829d662cff 100644
+index 7e0c8ba3eb60db88af8ba75e41e593dab86d2714..5c528c810256872c76dc7ba5a673d28652c405e1 100644
 --- a/src/crypto/crypto_util.cc
 +++ b/src/crypto/crypto_util.cc
 @@ -491,24 +491,14 @@ Maybe<bool> Decorate(Environment* env, Local<Object> obj,

patches/node/fix_use_new_v8_error_message_property_access_format.patch

@@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Shelley Vohr <shelley.vohr@gmail.com>
-Date: Wed, 14 Jul 2021 21:09:22 -0700
-Subject: fix: use new V8 error message property access format
-
-Refs changes in https://chromium-review.googlesource.com/c/v8/v8/+/3013935
-
-This patch can be removed when Node.js updates to a version of V8
-which contains the above CL.
-
-diff --git a/test/parallel/test-fs-read.js b/test/parallel/test-fs-read.js
-index 5c9e59795fc39f871748d5971453e3b6e2238b6b..16cae5486671e3ee60be77d986b25805649798c7 100644
---- a/test/parallel/test-fs-read.js
-+++ b/test/parallel/test-fs-read.js
-@@ -80,7 +80,10 @@ assert.throws(
- 
- assert.throws(
-   () => fs.read(fd, { buffer: null }, common.mustNotCall()),
--  /TypeError: Cannot read property 'byteLength' of null/,
-+  {
-+    name: 'TypeError',
-+    message: 'Cannot read properties of null (reading \'byteLength\')'
-+  },
-   'throws when options.buffer is null'
- );
- 

patches/node/repl_fix_crash_when_sharedarraybuffer_disabled.patch

@@ -48,10 +48,10 @@ index 71a07a63a3636ab211746004ebab24a0058b08fc..e3ce67987ee3185a93750ebad72beab3
        if (currentCounter === lastCounter)
          return cachedCwd;
 diff --git a/lib/internal/worker.js b/lib/internal/worker.js
-index 931bce0c518fc3355a9f94a7760556b6f0b75b96..99baa3e7f747bb3b351cb13c6ed512f2bb88812a 100644
+index d59399bfefed10f85e0adac7ef9fefc0cb1ae67c..ad70afa311d0a0418d788920b42259f94c283006 100644
 --- a/lib/internal/worker.js
 +++ b/lib/internal/worker.js
-@@ -92,7 +92,8 @@ let cwdCounter;
+@@ -91,7 +91,8 @@ let cwdCounter;
  
  const environmentData = new SafeMap();
  

patches/node/src_allow_embedders_to_provide_a_custom_pageallocator_to.patch

@@ -40,7 +40,7 @@ index 5bf19a0dda42849159d954181058897c45d280fd..03078ff3869fcd17101f1cdaf77f725d
  
  MaybeLocal<Object> GetPerContextExports(Local<Context> context) {
 diff --git a/src/node.h b/src/node.h
-index 48e378079f6d05e7cc1141a8875450b125028789..22e095804bca9d73d22707169c5aff2b13994344 100644
+index 85b5ac6a5a5cb5e4388a92a1d07c9afe17140a8c..4201c0d0460b032721ef42a26d79c38a9ee20c24 100644
 --- a/src/node.h
 +++ b/src/node.h
 @@ -313,7 +313,8 @@ class NODE_EXTERN MultiIsolatePlatform : public v8::Platform {
@@ -53,7 +53,7 @@ index 48e378079f6d05e7cc1141a8875450b125028789..22e095804bca9d73d22707169c5aff2b
  };
  
  enum IsolateSettingsFlags {
-@@ -498,7 +499,8 @@ NODE_EXTERN node::tracing::Agent* CreateAgent();
+@@ -509,7 +510,8 @@ NODE_EXTERN node::tracing::Agent* CreateAgent();
  NODE_DEPRECATED("Use MultiIsolatePlatform::Create() instead",
      NODE_EXTERN MultiIsolatePlatform* CreatePlatform(
          int thread_pool_size,

patches/node/src_remove_extra_semicolons_outside_fns.patch

@@ -1,21 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Shelley Vohr <shelley.vohr@gmail.com>
-Date: Wed, 18 Aug 2021 18:06:28 +0200
-Subject: src: remove extra semicolons outside fns
-
-Fixes several -Wc++98-compat-extra-semi issues.
-
-Upstreamed at https://github.com/nodejs/node/pull/39800.
-
-diff --git a/src/node_blob.cc b/src/node_blob.cc
-index c583d5e0a93791ae5ca42e3a6474790b7a43f824..4643da4c17496c7bc16bcde4b481e17f6f7de185 100644
---- a/src/node_blob.cc
-+++ b/src/node_blob.cc
-@@ -497,5 +497,5 @@ void Blob::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
- 
- }  // namespace node
- 
--NODE_MODULE_CONTEXT_AWARE_INTERNAL(blob, node::Blob::Initialize);
--NODE_MODULE_EXTERNAL_REFERENCE(blob, node::Blob::RegisterExternalReferences);
-+NODE_MODULE_CONTEXT_AWARE_INTERNAL(blob, node::Blob::Initialize)
-+NODE_MODULE_EXTERNAL_REFERENCE(blob, node::Blob::RegisterExternalReferences)

patches/v8/.patches

@@ -7,3 +7,6 @@ do_not_export_private_v8_symbols_on_windows.patch
 fix_build_deprecated_attirbute_for_older_msvc_versions.patch
 fix_disable_implies_dcheck_for_node_stream_array_buffers.patch
 cppgc-js_support_eager_traced_value_in_ephemeron_pairs.patch
+regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch
+regexp_allow_reentrant_irregexp_execution.patch
+regexp_remove_the_stack_parameter_from_regexp_matchers.patch

patches/v8/regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch

@@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Mon, 6 Sep 2021 08:29:33 +0200
+Subject: Add a (currently failing) cctest for irregexp reentrancy
+
+The test should be enabled once reentrancy is supported.
+
+Bug: v8:11382
+Change-Id: Ifb90d8a6fd8bf9f05e9ca2405d4e04e013ce7ee3
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138201
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Auto-Submit: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#76667}
+
+diff --git a/test/cctest/cctest.status b/test/cctest/cctest.status
+index 0a6626ce332ae3ad3e49cb99404646c22c866b71..9c28520ed56998173c105b9d8a2ca3c4489b916e 100644
+--- a/test/cctest/cctest.status
++++ b/test/cctest/cctest.status
+@@ -136,6 +136,9 @@
+   'test-strings/Traverse': [PASS, HEAVY],
+   'test-swiss-name-dictionary-csa/DeleteAtBoundaries': [PASS, HEAVY],
+   'test-swiss-name-dictionary-csa/SameH2': [PASS, HEAVY],
++
++  # TODO(v8:11382): Reenable once irregexp is reentrant.
++  'test-regexp/RegExpInterruptReentrantExecution': [FAIL],
+ }],  # ALWAYS
+ 
+ ##############################################################################
+@@ -670,6 +673,9 @@
+ 
+   # Instruction cache flushing is disabled in jitless mode.
+   'test-icache/*': [SKIP],
++
++  # Tests generated irregexp code.
++  'test-regexp/RegExpInterruptReentrantExecution': [SKIP],
+ }], # lite_mode or variant == jitless
+ 
+ ##############################################################################
+diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
+index dc5e2ea50898fbf684f5f4655d8b50982d4ebbbd..f7cbc54499464acf1a7de45251a6118340ec51fd 100644
+--- a/test/cctest/test-api.cc
++++ b/test/cctest/test-api.cc
+@@ -21734,10 +21734,6 @@ TEST(RegExpInterruptAndMakeSubjectTwoByteExternal) {
+   // experimental engine.
+   i::FLAG_enable_experimental_regexp_engine_on_excessive_backtracks = false;
+   RegExpInterruptTest test;
+-  // We want to be stuck regexp execution, so no fallback to linear-time
+-  // engine.
+-  // TODO(mbid,v8:10765): Find a way to test interrupt support of the
+-  // experimental engine.
+   test.RunTest(RegExpInterruptTest::MakeSubjectTwoByteExternal);
+ }
+ 
+diff --git a/test/cctest/test-regexp.cc b/test/cctest/test-regexp.cc
+index 27204f7f519229cc4c21a10dd0a44222d4b6edd6..2692748e623d3d52780ff89a97f4300bcd981cbd 100644
+--- a/test/cctest/test-regexp.cc
++++ b/test/cctest/test-regexp.cc
+@@ -2346,6 +2346,50 @@ TEST(UnicodePropertyEscapeCodeSize) {
+   }
+ }
+ 
++namespace {
++
++struct RegExpExecData {
++  i::Isolate* isolate;
++  i::Handle<i::JSRegExp> regexp;
++  i::Handle<i::String> subject;
++};
++
++i::Handle<i::Object> RegExpExec(const RegExpExecData* d) {
++  return i::RegExp::Exec(d->isolate, d->regexp, d->subject, 0,
++                         d->isolate->regexp_last_match_info())
++      .ToHandleChecked();
++}
++
++void ReenterRegExp(v8::Isolate* isolate, void* data) {
++  RegExpExecData* d = static_cast<RegExpExecData*>(data);
++  i::Handle<i::Object> result = RegExpExec(d);
++  CHECK(result->IsNull());
++}
++
++}  // namespace
++
++// Tests reentrant irregexp calls.
++TEST(RegExpInterruptReentrantExecution) {
++  CHECK(!i::FLAG_jitless);
++  i::FLAG_regexp_tier_up = false;  // Enter irregexp, not the interpreter.
++
++  LocalContext context;
++  v8::Isolate* isolate = context->GetIsolate();
++  v8::HandleScope scope(isolate);
++
++  RegExpExecData d;
++  d.isolate = reinterpret_cast<i::Isolate*>(isolate);
++  d.regexp = v8::Utils::OpenHandle(
++      *v8::RegExp::New(context.local(), v8_str("(a*)*x"), v8::RegExp::kNone)
++           .ToLocalChecked());
++  d.subject = v8::Utils::OpenHandle(*v8_str("aaaa"));
++
++  isolate->RequestInterrupt(&ReenterRegExp, &d);
++
++  i::Handle<i::Object> result = RegExpExec(&d);
++  CHECK(result->IsNull());
++}
++
+ #undef CHECK_PARSE_ERROR
+ #undef CHECK_SIMPLE
+ #undef CHECK_MIN_MAX

patches/v8/regexp_remove_the_stack_parameter_from_regexp_matchers.patch

@@ -0,0 +1,397 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Wed, 22 Sep 2021 14:42:48 +0200
+Subject: Remove the `stack` parameter from regexp matchers
+
+The argument is no longer in use.
+
+Bug: v8:11382
+Change-Id: I7febc7fe7ef17ae462c700f0dba3ca1beade3021
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173681
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#77017}
+
+diff --git a/src/builtins/builtins-regexp-gen.cc b/src/builtins/builtins-regexp-gen.cc
+index 6e4307b404405c4c78614a956c64b4a86f5fe0fe..6c2d3b44a39a6bcce4e48ac621b21f54371e9b6f 100644
+--- a/src/builtins/builtins-regexp-gen.cc
++++ b/src/builtins/builtins-regexp-gen.cc
+@@ -436,8 +436,6 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+   // External constants.
+   TNode<ExternalReference> isolate_address =
+       ExternalConstant(ExternalReference::isolate_address(isolate()));
+-  TNode<ExternalReference> regexp_stack_memory_top_address = ExternalConstant(
+-      ExternalReference::address_of_regexp_stack_memory_top_address(isolate()));
+   TNode<ExternalReference> static_offsets_vector_address = ExternalConstant(
+       ExternalReference::address_of_static_offsets_vector(isolate()));
+ 
+@@ -606,26 +604,18 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+     MachineType arg5_type = type_int32;
+     TNode<Int32T> arg5 = SmiToInt32(register_count);
+ 
+-    // Argument 6: Start (high end) of backtracking stack memory area. This
+-    // argument is ignored in the interpreter.
+-    TNode<RawPtrT> stack_top = UncheckedCast<RawPtrT>(
+-        Load(MachineType::Pointer(), regexp_stack_memory_top_address));
++    // Argument 6: Indicate that this is a direct call from JavaScript.
++    MachineType arg6_type = type_int32;
++    TNode<Int32T> arg6 = Int32Constant(RegExp::CallOrigin::kFromJs);
+ 
+-    MachineType arg6_type = type_ptr;
+-    TNode<RawPtrT> arg6 = stack_top;
++    // Argument 7: Pass current isolate address.
++    MachineType arg7_type = type_ptr;
++    TNode<ExternalReference> arg7 = isolate_address;
+ 
+-    // Argument 7: Indicate that this is a direct call from JavaScript.
+-    MachineType arg7_type = type_int32;
+-    TNode<Int32T> arg7 = Int32Constant(RegExp::CallOrigin::kFromJs);
+-
+-    // Argument 8: Pass current isolate address.
+-    MachineType arg8_type = type_ptr;
+-    TNode<ExternalReference> arg8 = isolate_address;
+-
+-    // Argument 9: Regular expression object. This argument is ignored in native
++    // Argument 8: Regular expression object. This argument is ignored in native
+     // irregexp code.
+-    MachineType arg9_type = type_tagged;
+-    TNode<JSRegExp> arg9 = regexp;
++    MachineType arg8_type = type_tagged;
++    TNode<JSRegExp> arg8 = regexp;
+ 
+     // TODO(v8:11880): avoid roundtrips between cdc and code.
+     TNode<RawPtrT> code_entry = LoadCodeObjectEntry(code);
+@@ -640,8 +630,7 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+             std::make_pair(arg1_type, arg1), std::make_pair(arg2_type, arg2),
+             std::make_pair(arg3_type, arg3), std::make_pair(arg4_type, arg4),
+             std::make_pair(arg5_type, arg5), std::make_pair(arg6_type, arg6),
+-            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8),
+-            std::make_pair(arg9_type, arg9)));
++            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8)));
+ 
+     // Check the result.
+     // We expect exactly one result since we force the called regexp to behave
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.cc b/src/regexp/arm/regexp-macro-assembler-arm.cc
+index 10766db4cf1d41ad0fee0754c6eaeebe46ace500..6e79ffd8adf8417c356bb36e1dbb2d0bfc290858 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.cc
++++ b/src/regexp/arm/regexp-macro-assembler-arm.cc
+@@ -38,14 +38,12 @@ namespace internal {
+  * Each call to a public method should retain this convention.
+  *
+  * The stack will have the following structure:
+- *  - fp[56]  Address regexp     (address of the JSRegExp object; unused in
++ *  - fp[52]  Address regexp     (address of the JSRegExp object; unused in
+  *                                native code, passed to match signature of
+  *                                the interpreter)
+- *  - fp[52]  Isolate* isolate   (address of the current isolate)
+- *  - fp[48]  direct_call        (if 1, direct call from JavaScript code,
++ *  - fp[48]  Isolate* isolate   (address of the current isolate)
++ *  - fp[44]  direct_call        (if 1, direct call from JavaScript code,
+  *                                if 0, call through the runtime system).
+- *  - fp[44]  stack_area_base    (high end of the memory area to use as
+- *                                backtracking stack).
+  *  - fp[40]  capture array size (may fit multiple sets of matches)
+  *  - fp[36]  int* capture_array (int[num_saved_registers_], for output).
+  *  --- sp when called ---
+@@ -82,7 +80,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.h b/src/regexp/arm/regexp-macro-assembler-arm.h
+index a76f9dea70264d79d57ebd6c60b100bc9e0a499d..5aad6c1d85d574f4db307b6edcdda89ed25d5ca8 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.h
++++ b/src/regexp/arm/regexp-macro-assembler-arm.h
+@@ -91,15 +91,13 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
+   static const int kFramePointer = 0;
+ 
+   // Above the frame pointer - Stored registers and stack passed parameters.
+-  // Register 4..11.
+   static const int kStoredRegisters = kFramePointer;
+   // Return address (stored from link register, read into pc on return).
+   static const int kReturnAddress = kStoredRegisters + 8 * kPointerSize;
+   // Stack parameters placed by caller.
+   static const int kRegisterOutput = kReturnAddress + kPointerSize;
+   static const int kNumOutputRegisters = kRegisterOutput + kPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kPointerSize;
+   static const int kIsolate = kDirectCall + kPointerSize;
+ 
+   // Below the frame pointer.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.cc b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+index 6192461fa32879469d56d36fb788b5de33038d77..4611a323afacb5accfb3886581879e60eb1c9f12 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.cc
++++ b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+@@ -66,14 +66,12 @@ namespace internal {
+  *  ^^^^^^^^^ fp ^^^^^^^^^
+  *  - fp[-8]     direct_call        1 => Direct call from JavaScript code.
+  *                                  0 => Call through the runtime system.
+- *  - fp[-16]    stack_base         High end of the memory area to use as
+- *                                  the backtracking stack.
+- *  - fp[-24]    output_size        Output may fit multiple sets of matches.
+- *  - fp[-32]    input              Handle containing the input string.
+- *  - fp[-40]    success_counter
++ *  - fp[-16]    output_size        Output may fit multiple sets of matches.
++ *  - fp[-24]    input              Handle containing the input string.
++ *  - fp[-32]    success_counter
+  *  ^^^^^^^^^^^^^ From here and downwards we store 32 bit values ^^^^^^^^^^^^^
+- *  - fp[-44]    register N         Capture registers initialized with
+- *  - fp[-48]    register N + 1     non_position_value.
++ *  - fp[-40]    register N         Capture registers initialized with
++ *  - fp[-44]    register N + 1     non_position_value.
+  *               ...                The first kNumCachedRegisters (N) registers
+  *               ...                are cached in x0 to x7.
+  *               ...                Only positions must be stored in the first
+@@ -95,7 +93,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -750,11 +747,10 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
+   // x3:  byte*    input_end
+   // x4:  int*     output array
+   // x5:  int      output array size
+-  // x6:  Address  stack_base
+-  // x7:  int      direct_call
+-
+-  //  sp[8]:  address of the current isolate
+-  //  sp[0]:  secondary link/return address used by native call
++  // x6:  int      direct_call
++  // x7:  Isolate* isolate
++  //
++  // sp[0]:  secondary link/return address used by native call
+ 
+   // Tell the system that we have a stack frame.  Because the type is MANUAL, no
+   // code is generated.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.h b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+index 204ee68dc868142693e9959170c71df3f72f97ce..f3869a72b631f9fb42b275d2edd8f3cfe1cfd8bb 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.h
++++ b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+@@ -102,16 +102,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
+   // Callee-saved registers (x19-x28).
+   static const int kNumCalleeSavedRegisters = 10;
+   static const int kCalleeSavedRegisters = kReturnAddress + kSystemPointerSize;
+-  // Stack parameter placed by caller.
+-  // It is placed above the FP, LR and the callee-saved registers.
+-  static const int kIsolate =
+-      kCalleeSavedRegisters + kNumCalleeSavedRegisters * kSystemPointerSize;
+ 
+   // Below the frame pointer.
+   // Register parameters stored by setup code.
+-  static const int kDirectCall = -kSystemPointerSize;
+-  static const int kStackHighEnd = kDirectCall - kSystemPointerSize;
+-  static const int kOutputSize = kStackHighEnd - kSystemPointerSize;
++  static const int kIsolate = -kSystemPointerSize;
++  static const int kDirectCall = kIsolate - kSystemPointerSize;
++  static const int kOutputSize = kDirectCall - kSystemPointerSize;
+   static const int kInput = kOutputSize - kSystemPointerSize;
+   // When adding local variables remember to push space for them in
+   // the frame in GetCode.
+diff --git a/src/regexp/experimental/experimental.cc b/src/regexp/experimental/experimental.cc
+index c05a010d06f34405128ffb9a9d67d86a20fcb83d..c3d701715aa88be3f5a8009319a09b032c85f4ad 100644
+--- a/src/regexp/experimental/experimental.cc
++++ b/src/regexp/experimental/experimental.cc
+@@ -192,8 +192,7 @@ int32_t ExperimentalRegExp::ExecRaw(Isolate* isolate,
+ int32_t ExperimentalRegExp::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address input_start,
+     Address input_end, int* output_registers, int32_t output_register_count,
+-    Address backtrack_stack, RegExp::CallOrigin call_origin, Isolate* isolate,
+-    Address regexp) {
++    RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK(FLAG_enable_experimental_regexp_engine);
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/experimental/experimental.h b/src/regexp/experimental/experimental.h
+index 5987fb4d7732f47c5f31cc0fab7b11e252c864f8..cdc683e97e901bd3e63332a04f69c6d31f964931 100644
+--- a/src/regexp/experimental/experimental.h
++++ b/src/regexp/experimental/experimental.h
+@@ -34,7 +34,6 @@ class ExperimentalRegExp final : public AllStatic {
+                                     Address input_start, Address input_end,
+                                     int* output_registers,
+                                     int32_t output_register_count,
+-                                    Address backtrack_stack,
+                                     RegExp::CallOrigin call_origin,
+                                     Isolate* isolate, Address regexp);
+   static MaybeHandle<Object> Exec(
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.cc b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+index 51d63b2531e2bc85fb115de23d7b6a6f40b36f11..8369b88e22c300890fe4ddb1bbba62093e8b23d8 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.cc
++++ b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+@@ -40,8 +40,6 @@ namespace internal {
+  *       - Isolate* isolate     (address of the current isolate)
+  *       - direct_call          (if 1, direct call from JavaScript code, if 0
+  *                               call through the runtime system)
+- *       - stack_area_base      (high end of the memory area to use as
+- *                               backtracking stack)
+  *       - capture array size   (may fit multiple sets of matches)
+  *       - int* capture_array   (int[num_saved_registers_], for output).
+  *       - end of input         (address of end of string)
+@@ -74,7 +72,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate
+  *              Address regexp);
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.h b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+index 861795da900d91111386e4f8e660f7f94ea46a33..01914a6b8b5abb96a4eec8d844e2d1aea7cbf231 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.h
++++ b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+@@ -105,8 +105,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+   // Below the frame pointer - local stack variables.
+   // When adding local variables remember to push space for them in
+diff --git a/src/regexp/regexp-interpreter.cc b/src/regexp/regexp-interpreter.cc
+index f9a959d2582a25cd60a97453e696f8f1f0560ce8..a2f23f78c308162240c5adf8904e732ce3bf6159 100644
+--- a/src/regexp/regexp-interpreter.cc
++++ b/src/regexp/regexp-interpreter.cc
+@@ -1111,7 +1111,7 @@ IrregexpInterpreter::Result IrregexpInterpreter::MatchInternal(
+ // builtin.
+ IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address, Address,
+-    int* output_registers, int32_t output_register_count, Address,
++    int* output_registers, int32_t output_register_count,
+     RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/regexp-interpreter.h b/src/regexp/regexp-interpreter.h
+index a4d79184b08963598bbc42a91541c8df695bf4c5..e9dedd781b5b83d4017f8b2bd4353f1d57013a67 100644
+--- a/src/regexp/regexp-interpreter.h
++++ b/src/regexp/regexp-interpreter.h
+@@ -36,9 +36,8 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+   // RETRY is returned if a retry through the runtime is needed (e.g. when
+   // interrupts have been scheduled or the regexp is marked for tier-up).
+   //
+-  // Arguments input_start, input_end and backtrack_stack are
+-  // unused. They are only passed to match the signature of the native irregex
+-  // code.
++  // Arguments input_start and input_end are unused. They are only passed to
++  // match the signature of the native irregex code.
+   //
+   // Arguments output_registers and output_register_count describe the results
+   // array, which will contain register values of all captures if SUCCESS is
+@@ -47,7 +46,6 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+                                    Address input_start, Address input_end,
+                                    int* output_registers,
+                                    int32_t output_register_count,
+-                                   Address backtrack_stack,
+                                    RegExp::CallOrigin call_origin,
+                                    Isolate* isolate, Address regexp);
+ 
+diff --git a/src/regexp/regexp-macro-assembler.cc b/src/regexp/regexp-macro-assembler.cc
+index 1f5875afb8850da4136da6633d5b0ad9f52803e3..ced89ad4386b9d037851529f098c8aa111f2a478 100644
+--- a/src/regexp/regexp-macro-assembler.cc
++++ b/src/regexp/regexp-macro-assembler.cc
+@@ -306,23 +306,21 @@ int NativeRegExpMacroAssembler::Execute(
+     String input,  // This needs to be the unpacked (sliced, cons) string.
+     int start_offset, const byte* input_start, const byte* input_end,
+     int* output, int output_size, Isolate* isolate, JSRegExp regexp) {
+-  // Ensure that the minimum stack has been allocated.
+   RegExpStackScope stack_scope(isolate);
+-  Address stack_base = stack_scope.stack()->memory_top();
+ 
+   bool is_one_byte = String::IsOneByteRepresentationUnderneath(input);
+   Code code = FromCodeT(CodeT::cast(regexp.Code(is_one_byte)));
+   RegExp::CallOrigin call_origin = RegExp::CallOrigin::kFromRuntime;
+ 
+-  using RegexpMatcherSig = int(
+-      Address input_string, int start_offset, const byte* input_start,
+-      const byte* input_end, int* output, int output_size, Address stack_base,
+-      int call_origin, Isolate* isolate, Address regexp);
++  using RegexpMatcherSig =
++      // NOLINTNEXTLINE(readability/casting)
++      int(Address input_string, int start_offset, const byte* input_start,
++          const byte* input_end, int* output, int output_size, int call_origin,
++          Isolate* isolate, Address regexp);
+ 
+   auto fn = GeneratedCode<RegexpMatcherSig>::FromCode(code);
+-  int result =
+-      fn.Call(input.ptr(), start_offset, input_start, input_end, output,
+-              output_size, stack_base, call_origin, isolate, regexp.ptr());
++  int result = fn.Call(input.ptr(), start_offset, input_start, input_end,
++                       output, output_size, call_origin, isolate, regexp.ptr());
+   DCHECK_GE(result, SMALLEST_REGEXP_RESULT);
+ 
+   if (result == EXCEPTION && !isolate->has_pending_exception()) {
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.cc b/src/regexp/x64/regexp-macro-assembler-x64.cc
+index abcbed18aaa9bdc4a497962714bffde74d581173..e4bff5dafa9f12c14805c72e51f973252b97a5a7 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.cc
++++ b/src/regexp/x64/regexp-macro-assembler-x64.cc
+@@ -47,14 +47,12 @@ namespace internal {
+  * Each call to a C++ method should retain these registers.
+  *
+  * The stack will have the following content, in some order, indexable from the
+- * frame pointer (see, e.g., kStackHighEnd):
++ * frame pointer (see, e.g., kDirectCall):
+  *    - Address regexp       (address of the JSRegExp object; unused in native
+  *                            code, passed to match signature of interpreter)
+  *    - Isolate* isolate     (address of the current isolate)
+  *    - direct_call          (if 1, direct call from JavaScript code, if 0 call
+  *                            through the runtime system)
+- *    - stack_area_base      (high end of the memory area to use as
+- *                            backtracking stack)
+  *    - capture array size   (may fit multiple sets of matches)
+  *    - int* capture_array   (int[num_saved_registers_], for output).
+  *    - end of input         (address of end of string)
+@@ -85,7 +83,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -849,8 +846,6 @@ Handle<HeapObject> RegExpMacroAssemblerX64::GetCode(Handle<String> source) {
+   }
+ 
+   // Initialize backtrack stack pointer.
+-  // TODO(jgruber): Remove the kStackHighEnd parameter (and others like
+-  // kIsolate).
+   LoadRegExpStackPointerFromMemory(backtrack_stackpointer());
+ 
+   __ jmp(&start_label_);
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.h b/src/regexp/x64/regexp-macro-assembler-x64.h
+index 74a3c95b06c771078ab03e6787e5912315421bb2..6f89ba9f8cf45430dc0edc7f2241a9aca34324c0 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.h
++++ b/src/regexp/x64/regexp-macro-assembler-x64.h
+@@ -108,9 +108,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   // this value. NumOutputRegisters is passed as 32-bit value.  The upper
+   // 32 bit of this 64-bit stack slot may contain garbage.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+   // DirectCall is passed as 32 bit int (values 0 or 1).
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #else
+   // In AMD64 ABI Calling Convention, the first six integer parameters
+@@ -121,13 +120,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   static const int kInputStart = kStartIndex - kSystemPointerSize;
+   static const int kInputEnd = kInputStart - kSystemPointerSize;
+   static const int kRegisterOutput = kInputEnd - kSystemPointerSize;
+-
+   // For the case of global regular expression, we have room to store at least
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput - kSystemPointerSize;
+-  static const int kStackHighEnd = kFrameAlign;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++
++  static const int kDirectCall = kFrameAlign;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #endif
+ 

script/gn-asar-hash.js

@@ -0,0 +1,9 @@
+const asar = require('asar');
+const crypto = require('crypto');
+const fs = require('fs');
+
+const archive = process.argv[2];
+const hashFile = process.argv[3];
+
+const { headerString } = asar.getRawHeader(archive);
+fs.writeFileSync(hashFile, crypto.createHash('SHA256').update(headerString).digest('hex'));

script/gn-plist-but-with-hashes.js

@@ -0,0 +1,16 @@
+const fs = require('fs');
+
+const [,, plistPath, outputPath, ...keySet] = process.argv;
+
+const keyPairs = {};
+for (let i = 0; i * 2 < keySet.length; i++) {
+  keyPairs[keySet[i]] = fs.readFileSync(keySet[(keySet.length / 2) + i], 'utf8');
+}
+
+let plistContents = fs.readFileSync(plistPath, 'utf8');
+
+for (const key of Object.keys(keyPairs)) {
+  plistContents = plistContents.replace(`$\{${key}}`, keyPairs[key]);
+}
+
+fs.writeFileSync(outputPath, plistContents);

script/node-disabled-tests.json

@@ -2,11 +2,6 @@
   "abort/test-abort-backtrace",
   "async-hooks/test-crypto-pbkdf2",
   "async-hooks/test-crypto-randomBytes",
-  "message/source_map_throw_catch",
-  "message/source_map_throw_first_tick",
-  "message/source_map_throw_set_immediate",
-  "message/v8_warning",
-  "parallel/test-assert",
   "parallel/test-bootstrap-modules",
   "parallel/test-buffer-backing-arraybuffer",
   "parallel/test-buffer-constructor-node-modules-paths",
@@ -18,7 +13,6 @@
   "parallel/test-cluster-shared-handle-bind-privileged-port",
   "parallel/test-code-cache",
   "parallel/test-crypto-aes-wrap",
-  "parallel/test-crypto-async-sign-verify",
   "parallel/test-crypto-authenticated-stream",
   "parallel/test-crypto-certificate",
   "parallel/test-crypto-des3-wrap",
@@ -27,36 +21,23 @@
   "parallel/test-crypto-engine",
   "parallel/test-crypto-fips",
   "parallel/test-crypto-hkdf.js",
+  "parallel/test-crypto-keygen",
+  "parallel/test-crypto-keygen-deprecation",
+  "parallel/test-crypto-key-objects",
+  "parallel/test-crypto-padding-aes256",
   "parallel/test-crypto-secure-heap",
-  "parallel/test-debug-args",
-  "parallel/test-debug-usage",
-  "parallel/test-debugger-pid",
-  "parallel/test-domain-abort-on-uncaught",
-  "parallel/test-domain-with-abort-on-uncaught-exception",
-  "parallel/test-finalization-group-error",
-  "parallel/test-freeze-intrinsics",
   "parallel/test-fs-utimes-y2K38",
-  "parallel/test-gc-tls-external-memory",
   "parallel/test-http2-clean-output",
-  "parallel/test-http2-reset-flood",
   "parallel/test-https-agent-session-reuse",
   "parallel/test-https-options-boolean-check",
-  "parallel/test-inspector-inspect-brk-node",
   "parallel/test-inspector-multisession-ws",
   "parallel/test-inspector-port-zero-cluster",
   "parallel/test-inspector-tracing-domain",
-  "parallel/test-inspector-vm-global-accessors-getter-sideeffect",
-  "parallel/test-inspector-vm-global-accessors-sideeffects",
   "parallel/test-module-loading-globalpaths",
-  "parallel/test-module-run-main-monkey-patch",
   "parallel/test-module-version",
   "parallel/test-openssl-ca-options",
-  "parallel/test-policy-integrity",
   "parallel/test-process-env-allowed-flags-are-documented",
-  "parallel/test-process-external-stdio-close",
-  "parallel/test-process-external-stdio-close-spawn",
   "parallel/test-process-versions",
-  "parallel/test-readline-interface",
   "parallel/test-repl",
   "parallel/test-repl-harmony",
   "parallel/test-repl-pretty-custom-stack",
@@ -134,14 +115,8 @@
   "parallel/test-trace-events-v8",
   "parallel/test-trace-events-vm",
   "parallel/test-trace-events-worker-metadata",
-  "parallel/test-util-inspect",
-  "parallel/test-v8-coverage",
   "parallel/test-v8-flags",
   "parallel/test-v8-untrusted-code-mitigations",
-  "parallel/test-vm-module-basic",
-  "parallel/test-vm-parse-abort-on-uncaught-exception",
-  "parallel/test-vm-sigint-existing-handler",
-  "parallel/test-vm-timeout",
   "parallel/test-webcrypto-derivebits-hkdf",
   "parallel/test-webcrypto-derivebits-node-dh",
   "parallel/test-webcrypto-ed25519-ed448",
@@ -153,17 +128,8 @@
   "parallel/test-webcrypto-sign-verify-node-dsa",
   "parallel/test-webcrypto-x25519-x448",
   "parallel/test-whatwg-encoding-custom-textdecoder",
-  "parallel/test-worker-message-channel",
-  "parallel/test-worker-message-port",
-  "parallel/test-worker-message-port-transfer-duplicate",
-  "parallel/test-worker-message-port-transfer-target",
-  "parallel/test-worker-resource-limits",
-  "parallel/test-worker-sharedarraybuffer-from-worker-thread",
   "parallel/test-worker-stdio",
-  "parallel/test-worker-workerdata-messageport",
   "parallel/test-zlib-unused-weak",
-  "pseudo-tty/test-set-raw-mode-reset-process-exit",
-  "pseudo-tty/test-set-raw-mode-reset-signal",
   "report/test-report-fatal-error",
   "report/test-report-getreport",
   "report/test-report-signal",
@@ -172,13 +138,7 @@
   "report/test-report-uv-handles",
   "report/test-report-worker",
   "report/test-report-writereport",
-  "sequential/test-inspector-contexts",
-  "sequential/test-inspector-port-zero",
-  "sequential/test-inspector-resource-name-to-url",
-  "sequential/test-inspector-stress-http",
-  "sequential/test-perf-hooks",
   "sequential/test-tls-connect",
-  "sequential/test-vm-timeout-rethrow",
   "sequential/test-worker-prof",
   "wpt/test-encoding",
   "wpt/test-webcrypto"

shell/browser/api/electron_api_app.cc

@@ -817,10 +817,10 @@ void App::AllowCertificateError(
   v8::Isolate* isolate = JavascriptEnvironment::GetIsolate();
   v8::Locker locker(isolate);
   v8::HandleScope handle_scope(isolate);
-  bool prevent_default =
-      Emit("certificate-error",
-           WebContents::FromOrCreate(isolate, web_contents), request_url,
-           net::ErrorToString(cert_error), ssl_info.cert, adapted_callback);
+  bool prevent_default = Emit(
+      "certificate-error", WebContents::FromOrCreate(isolate, web_contents),
+      request_url, net::ErrorToString(cert_error), ssl_info.cert,
+      adapted_callback, is_main_frame_request);
 
   // Deny the certificate by default.
   if (!prevent_default)