chore: cherry-pick 4cf9311 from v8 (#48951)

In 6399527761 we changed the path strings
that `node_modules.cc` operates on from single-byte to wide strings.
Unfortunately this means that `generic_path()` that the
"fix: ensure TraverseParent bails on resource path exit" patch was
calling was no longer a safe method to call on Windows if the underlying
string has unicode characters in it.

Here we fix it by using `ConvertGenericPathToUTF8` from the Node.js
internal utilities.

.devcontainer/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   buildtools:
-    image: ghcr.io/electron/devcontainer:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+    image: ghcr.io/electron/devcontainer:933c7d6ff6802706875270bec2e3c891cf8add3f
 
     volumes:
       - ..:/workspaces/gclient/src/electron:cached

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -58,6 +58,16 @@ body:
     label: Last Known Working Electron version
     description: What is the last version of Electron this worked in, if applicable?
     placeholder: 16.0.0
+- type: dropdown
+  attributes:
+    label: Does the issue also appear in Chromium / Google Chrome?
+    description: If it does, please report the issue in the [Chromium issue tracker](https://issues.chromium.org/issues), not against Electron. Electron will inherit the fix once Chromium resolves the issue.
+    options:
+      - I don't know how to test
+      - "Yes"
+      - "No"
+  validations:
+    required: true
 - type: textarea
   attributes:
     label: Expected Behavior

.github/actions/build-electron/action.yml

@@ -132,6 +132,14 @@ runs:
       run: |
         cd src
         e build --target electron:electron_chromedriver_zip
+
+        if [ "${{ inputs.is-asan }}" != "true" ]; then
+          target_os=${{ inputs.target-platform == 'macos' && 'mac' || inputs.target-platform }}
+          if [ "${{ inputs.artifact-platform }}" = "mas" ]; then
+            target_os="${target_os}_mas"
+          fi
+          electron/script/zip_manifests/check-zip-manifest.py out/Default/chromedriver.zip electron/script/zip_manifests/chromedriver_zip.$target_os.${{ inputs.target-arch }}.manifest
+        fi
     - name: Create installed_software.json ${{ inputs.step-suffix }}
       shell: powershell
       if: ${{ inputs.is-release == 'true' && inputs.target-platform == 'win' }}
@@ -176,11 +184,10 @@ runs:
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js create-typescript-definitions
+        node script/yarn create-typescript-definitions
     - name: Publish Electron Dist ${{ inputs.step-suffix }}
       if: ${{ inputs.is-release == 'true' }}
       shell: bash
-      id: github-upload
       run: |
         rm -rf src/out/Default/obj
         cd src/electron
@@ -191,11 +198,6 @@ runs:
           echo 'Uploading Electron release distribution to GitHub releases'
           script/release/uploaders/upload.py --verbose
         fi
-    - name: Generate artifact attestation
-      if: ${{ inputs.is-release == 'true' }}
-      uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-      with:
-        subject-path: ${{ steps.github-upload.outputs.UPLOADED_PATHS }}
     - name: Generate siso report
       if: ${{ inputs.target-platform != 'win' && !cancelled() }}
       shell: bash

.github/actions/checkout/action.yml

@@ -143,17 +143,16 @@ runs:
           echo "No changes to patches detected"
         fi
       fi
-  - name: Remove patch conflict problem matchers
+  - name: Remove patch conflict problem matcher
     shell: bash
     run: |
       echo "::remove-matcher owner=merge-conflict::"
       echo "::remove-matcher owner=patch-conflict::"
-      echo "::remove-matcher owner=patch-needs-update::"
   - name: Upload patches stats
     if: ${{ inputs.target-platform == 'linux' && github.ref == 'refs/heads/main' }}
     shell: bash
     run: |
-      node src/electron/script/patches-stats.mjs --upload-stats || true
+      npx node src/electron/script/patches-stats.mjs --upload-stats || true
   # delete all .git directories under src/ except for
   # third_party/angle/ and third_party/dawn/ because of build time generation of files
   # gen/angle/commit.h depends on third_party/angle/.git/HEAD
@@ -173,7 +172,6 @@ runs:
     run: |
       rm -rf src/android_webview
       rm -rf src/ios/chrome
-      rm -rf src/third_party/blink/web_tests
       rm -rf src/third_party/blink/perf_tests
       rm -rf src/chrome/test/data/xr/webvr_info
       rm -rf src/third_party/angle/third_party/VK-GL-CTS/src

.github/actions/free-space-macos/action.yml

@@ -6,6 +6,8 @@ runs:
     - name: Free Space on MacOS
       shell: bash
       run: |
+        echo "Disk usage before cleanup:"
+        df -h
         sudo mkdir -p $TMPDIR/del-target
 
         tmpify() {
@@ -15,28 +17,30 @@ runs:
         }
 
         strip_universal_deep() {
-          opwd=$(pwd)
-          cd $1
-          f=$(find . -perm +111 -type f)
-          for fp in $f
-          do
-            if [[ $(file "$fp") == *"universal binary"* ]]; then
-              if [ "`arch`" == "arm64" ]; then
-                if [[ $(file "$fp") == *"x86_64"* ]]; then
-                  sudo lipo -remove x86_64 "$fp" -o "$fp" || true
-                fi
-              else
-                if [[ $(file "$fp") == *"arm64e)"* ]]; then
-                  sudo lipo -remove arm64e "$fp" -o "$fp" || true
-                fi
-                if [[ $(file "$fp") == *"arm64)"* ]]; then
-                  sudo lipo -remove arm64 "$fp" -o "$fp" || true
+          if [ -d "$1" ]; then
+            opwd=$(pwd)
+            cd $1
+            f=$(find . -perm +111 -type f)
+            for fp in $f
+            do
+              if [[ $(file "$fp") == *"universal binary"* ]]; then
+                if [ "`arch`" == "arm64" ]; then
+                  if [[ $(file "$fp") == *"x86_64"* ]]; then
+                    sudo lipo -remove x86_64 "$fp" -o "$fp" || true
+                  fi
+                else
+                  if [[ $(file "$fp") == *"arm64e)"* ]]; then
+                    sudo lipo -remove arm64e "$fp" -o "$fp" || true
+                  fi
+                  if [[ $(file "$fp") == *"arm64)"* ]]; then
+                    sudo lipo -remove arm64 "$fp" -o "$fp" || true
+                  fi
                 fi
               fi
-            fi
-          done
+            done
 
-          cd $opwd
+            cd $opwd
+          fi
         }
 
         tmpify /Library/Developer/CoreSimulator
@@ -58,10 +62,9 @@ runs:
 
         sudo rm -rf /Applications/Safari.app
         sudo rm -rf /Applications/Xcode_16.1.app
-        sudo rm -rf /Applications/Xcode_16.3.app
         sudo rm -rf /Applications/Xcode_16.2.app
+        sudo rm -rf /Applications/Xcode_16.3.app
         sudo rm -rf /Applications/Google Chrome.app
-        sudo rm -rf /Applications/Xcode_16.4.app
         sudo rm -rf /Applications/Google Chrome for Testing.app
         sudo rm -rf	/Applications/Firefox.app
         sudo rm -rf ~/project/src/third_party/catapult/tracing/test_data
@@ -73,4 +76,5 @@ runs:
 
         # lipo off some huge binaries arm64 versions to save space
         strip_universal_deep $(xcode-select -p)/../SharedFrameworks
-        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
+        # strip_arm_deep /System/Volumes/Data/Library/Developer/CommandLineTools/usr
+        sudo mdutil -a -i off

.github/actions/generate-types/action.yml

@@ -13,16 +13,12 @@ runs:
   - name: Generating Types for SHA in ${{ inputs.sha-file }}
     shell: bash
     run: |
-      export ELECTRON_DIR=$(pwd)
-      if [ "${{ inputs.sha-file }}" == ".dig-old" ]; then
-        cd /tmp
-        git clone https://github.com/electron/electron.git
-        cd electron
-      fi
-      git checkout $(cat $ELECTRON_DIR/${{ inputs.sha-file }})
-      node script/yarn.js install --immutable
+      git checkout $(cat ${{ inputs.sha-file }})
+      rm -rf node_modules
+      yarn install --frozen-lockfile --ignore-scripts
       echo "#!/usr/bin/env node\nglobal.x=1" > node_modules/typescript/bin/tsc
       node node_modules/.bin/electron-docs-parser --dir=./ --outDir=./ --moduleVersion=0.0.0-development
       node node_modules/.bin/electron-typescript-definitions --api=electron-api.json --outDir=artifacts
-      mv artifacts/electron.d.ts $ELECTRON_DIR/artifacts/${{ inputs.filename }}
+      mv artifacts/electron.d.ts artifacts/${{ inputs.filename }}
+      git checkout .
     working-directory: ./electron

.github/actions/install-build-tools/action.yml

@@ -15,7 +15,7 @@ runs:
         git config --global core.preloadindex true
         git config --global core.longpaths true
       fi
-      export BUILD_TOOLS_SHA=a0cc95a1884a631559bcca0c948465b725d9295a
+      export BUILD_TOOLS_SHA=a5d9f9052dcc36ee88bef5c8b13acbefd87b7d8d
       npm i -g @electron/build-tools
       # Update depot_tools to ensure python
       e d update_depot_tools

.github/actions/install-dependencies/action.yml

@@ -6,7 +6,7 @@ runs:
   - name: Get yarn cache directory path
     shell: bash
     id: yarn-cache-dir-path
-    run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
+    run: echo "dir=$(node src/electron/script/yarn cache dir)" >> $GITHUB_OUTPUT
   - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
     id: yarn-cache
     with:
@@ -18,14 +18,4 @@ runs:
     shell: bash
     run: |
       cd src/electron
-      if [ "$TARGET_ARCH" = "x86" ]; then
-        export npm_config_arch="ia32"
-      fi
-      # if running on linux arm skip yarn Builds
-      ARCH=$(uname -m)
-      if [ "$ARCH" = "armv7l" ]; then
-        echo "Skipping yarn build on linux arm"
-        node script/yarn.js install --immutable --mode=skip-build
-      else
-        node script/yarn.js install --immutable
-      fi
+      node script/yarn install --frozen-lockfile --prefer-offline

.github/copilot-instructions.md

@@ -1,122 +0,0 @@
-# Copilot Instructions for Electron
-
-## Build System
-
-Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
-
-```bash
-e sync              # Fetch sources and apply patches
-e build             # Build Electron (GN + Ninja)
-e build -k 999      # Build, continuing through errors
-e start             # Run built Electron
-e start --version   # Verify Electron launches
-e test              # Run full test suite
-e debug             # Run in debugger (lldb on macOS, gdb on Linux)
-```
-
-### Linting
-
-```bash
-npm run lint              # Run all linters (JS, C++, Python, GN, docs)
-npm run lint:js           # JavaScript/TypeScript only
-npm run lint:clang-format # C++ formatting only
-npm run lint:cpp          # C++ linting only
-npm run lint:docs         # Documentation only
-```
-
-### Running a Single Test
-
-```bash
-npm run test -- -g "pattern"   # Run tests matching a regex pattern
-# Example: npm run test -- -g "ipc"
-```
-
-### Running a Single Node.js Test
-
-```bash
-node script/node-spec-runner.js parallel/test-crypto-keygen
-```
-
-## Architecture
-
-Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
-
-### Process Model
-
-Electron has two primary process types, mirroring Chromium:
-
-- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
-- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
-
-### Native ↔ JavaScript Bridge
-
-Each API is implemented as a C++/JS pair:
-
-- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
-- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
-- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
-- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
-
-### Patches System
-
-Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
-
-```text
-patches/{target}/*.patch  →  [e sync]   →  target repo commits
-                          ←  [e patches] ←
-```
-
-Key rules:
-
-- Fix existing patches rather than creating new ones
-- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
-- Each patch commit message must explain why the patch exists
-- After modifying patches, run `e patches {target}` to export
-
-When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
-
-## Conventions
-
-### File Naming
-
-- JS/TS files: kebab-case (`file-name.ts`)
-- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
-- Test files: `api-{module-name}-spec.ts` in `spec/`
-- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
-
-### JavaScript/TypeScript
-
-- Semicolons required (`"semi": ["error", "always"]`)
-- `const` and `let` only (no `var`)
-- Arrow functions preferred
-- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
-- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
-- Prefer getters/setters over jQuery-style `.text([text])` patterns
-
-### C++
-
-- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
-- Uses Chromium abstractions (`base::`, `content::`, etc.)
-- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
-- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
-
-### Testing
-
-- Framework: Mocha + Chai + Sinon
-- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
-- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
-- Tests import from `electron/main` or `electron/renderer`
-
-### Documentation
-
-- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
-- API history tracked via YAML blocks in HTML comments within doc files
-- Docs must pass `npm run lint:docs`
-
-### Build Configuration
-
-- `BUILD.gn`: Main GN build config
-- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
-- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
-- `DEPS`: Dependency versions and checkout paths
-- `chromium_src/`: Chromium source file overrides (compiled instead of originals)

.github/problem-matchers/patch-conflict.json

@@ -19,16 +19,6 @@
           "line": 3
         }
       ]
-    },
-    {
-      "owner": "patch-needs-update",
-      "pattern": [
-        {
-          "regexp": "^((patches\/.*): needs update)$",
-          "message": 1,
-          "file": 2
-        }
-      ]
     }
   ]
 }

.github/workflows/archaeologist-dig.yml

@@ -3,14 +3,10 @@ name: Archaeologist
 on:
   pull_request:
 
-permissions: {}
-
 jobs:
    archaeologist-dig:
     name: Archaeologist Dig
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Checkout Electron
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2

.github/workflows/audit-branch-ci.yml

@@ -15,7 +15,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - run: npm install @actions/cache @electron/fiddle-core
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 22.17.x
+      - run: npm install @actions/cache@4.0.3 @electron/fiddle-core@2.0.1
       - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: audit-errors
         with:
@@ -29,7 +33,7 @@ jobs:
             // Only want the most recent workflow run that wasn't skipped or cancelled
             const isValidWorkflowRun = (run) => !['skipped', 'cancelled'].includes(run.conclusion);
 
-            const versions = await ElectronVersions.create(undefined, { ignoreCache: true });
+            const versions = await ElectronVersions.create({ ignoreCache: true });
             const branches = versions.supportedMajors.map((branch) => `${branch}-x-y`);
 
             for (const branch of ["main", ...branches]) {
@@ -101,7 +105,6 @@ jobs:
             }
 
             if (runsWithErrors.length > 0) {
-              core.setOutput('errorsFound', true);
               core.summary.addHeading('⚠️ Runs with Errors');
               core.summary.addTable([
                 [
@@ -128,6 +131,7 @@ jobs:
 
               // Set this as failed so it's easy to scan runs to find failures
               if (runsWithErrors.find((run) => !run.isStale)) {
+                core.setOutput('errorsFound', true);
                 process.exitCode = 1;
               }
             } else {
@@ -137,7 +141,7 @@ jobs:
             await core.summary.write();
       - name: Send Slack message if errors
         if: ${{ always() && steps.audit-errors.outputs.errorsFound && github.ref == 'refs/heads/main' }}
-        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
         with:
           payload: |
             link: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"

.github/workflows/build-git-cache.yml

@@ -6,15 +6,11 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
-permissions: {}
-
 jobs:
   build-git-cache-linux:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -34,10 +30,8 @@ jobs:
 
   build-git-cache-windows:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
       volumes:
         - /mnt/win-cache:/mnt/win-cache
@@ -58,12 +52,10 @@ jobs:
 
   build-git-cache-macos:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     # This job updates the same git cache as linux, so it needs to run after the linux one.
     needs: build-git-cache-linux
     container:
-      image: ghcr.io/electron/build:a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache

.github/workflows/build.yml

@@ -6,7 +6,7 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '933c7d6ff6802706875270bec2e3c891cf8add3f'
         required: true
       skip-macos:
         type: boolean
@@ -43,13 +43,10 @@ defaults:
   run:
     shell: bash
 
-permissions: {}
-
 jobs:
   setup:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       pull-requests: read
     outputs:
         docs: ${{ steps.filter.outputs.docs }}
@@ -76,7 +73,7 @@ jobs:
       id: set-output
       run: |
         if [ -z "${{ inputs.build-image-sha }}" ]; then
-          echo "build-image-sha=a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb" >> "$GITHUB_OUTPUT"
+          echo "build-image-sha=933c7d6ff6802706875270bec2e3c891cf8add3f" >> "$GITHUB_OUTPUT"
         else
           echo "build-image-sha=${{ inputs.build-image-sha }}" >> "$GITHUB_OUTPUT"
         fi
@@ -87,8 +84,6 @@ jobs:
     needs: setup
     if: ${{ !inputs.skip-lint }}
     uses: ./.github/workflows/pipeline-electron-lint.yml
-    permissions:
-      contents: read
     with:
       container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
     secrets: inherit
@@ -98,8 +93,6 @@ jobs:
     needs: [setup, checkout-linux]
     if: ${{ needs.setup.outputs.docs-only == 'true' }}
     uses: ./.github/workflows/pipeline-electron-docs-only.yml
-    permissions:
-      contents: read
     with:
       container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
     secrets: inherit
@@ -109,8 +102,6 @@ jobs:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}}
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -139,8 +130,6 @@ jobs:
     needs: setup
     if: ${{ !inputs.skip-linux}}
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root
@@ -170,8 +159,6 @@ jobs:
     needs: setup
     if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -202,20 +189,16 @@ jobs:
   # GN Check Jobs
   macos-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-macos
     with:
       target-platform: macos
       target-archs: x64 arm64
-      check-runs-on: macos-14
+      check-runs-on: macos-15
       gn-build-type: testing
     secrets: inherit
 
   linux-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-linux
     if: ${{ needs.setup.outputs.src == 'true' }}
     with:
@@ -228,8 +211,6 @@ jobs:
 
   windows-gn-check:
     uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
-    permissions:
-      contents: read
     needs: checkout-windows
     with:
       target-platform: win
@@ -248,8 +229,8 @@ jobs:
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-14-xlarge
-      test-runs-on: macos-14-large 
+      build-runs-on: macos-15-xlarge
+      test-runs-on: macos-15-large
       target-platform: macos
       target-arch: x64
       is-release: false
@@ -267,8 +248,8 @@ jobs:
     uses: ./.github/workflows/pipeline-electron-build-and-test.yml
     needs: checkout-macos
     with:
-      build-runs-on: macos-14-xlarge
-      test-runs-on: macos-14
+      build-runs-on: macos-15-xlarge
+      test-runs-on: macos-15
       target-platform: macos
       target-arch: arm64
       is-release: false
@@ -333,7 +314,7 @@ jobs:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
       test-runs-on: electron-arc-centralus-linux-arm64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init --memory=12g","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
+      test-container: '{"image":"ghcr.io/electron/test:arm32v7-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init","volumes":["/home/runner/externals:/mnt/runner-externals"]}'
       target-platform: linux
       target-arch: arm
       is-release: false
@@ -423,8 +404,6 @@ jobs:
   gha-done:
     name: GitHub Actions Completed
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
     if: always() && !contains(needs.*.result, 'failure')
     steps: 

.github/workflows/clean-src-cache.yml

@@ -1,20 +1,16 @@
 name: Clean Source Cache
 
-# Description:
-# This workflow cleans up the source cache on the cross-instance cache volume
-# to free up space. It runs daily at midnight and clears files older than 15 days.
+description: |
+  This workflow cleans up the source cache on the cross-instance cache volume
+  to free up space. It runs daily at midnight and clears files older than 15 days.
 
 on:
   schedule:
     - cron: "0 0 * * *"
 
-permissions: {}
-
 jobs:
   clean-src-cache:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root

.github/workflows/issue-commented.yml

@@ -10,15 +10,24 @@ permissions: {}
 jobs:
   issue-commented:
     name: Remove blocked/{need-info,need-repro} on comment
-    if: ${{ (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && github.event.comment.user.type != 'Bot' }}
+    if: ${{ (contains(github.event.issue.labels.*.name, 'blocked/need-repro') || contains(github.event.issue.labels.*.name, 'blocked/need-info ❌')) && github.event.comment.user.type != 'Bot' }}
     runs-on: ubuntu-latest
     steps:
+      - name: Get author association
+        id: get-author-association
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
+          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Remove label
+        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           ISSUE_URL: ${{ github.event.issue.html_url }}

.github/workflows/issue-labeled.yml

@@ -4,15 +4,14 @@ on:
   issues:
     types: [labeled]
 
-permissions: {}
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
 
 jobs:
   issue-labeled-with-status:
     name: status/{confirmed,reviewed} label added
     if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -32,8 +31,6 @@ jobs:
     name: blocked/* label added
     if: startsWith(github.event.label.name, 'blocked/')
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -75,7 +72,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Create comment
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
+        uses: actions-cool/issues-helper@50068f49b7b2b3857270ead65e2d02e4459b022c # v3.6.2
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-opened.yml

@@ -11,7 +11,6 @@ jobs:
   add-to-issue-triage:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -29,7 +28,6 @@ jobs:
   set-labels:
     if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -136,7 +134,7 @@ jobs:
             }
       - name: Create unsupported major comment
         if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
+        uses: actions-cool/issues-helper@50068f49b7b2b3857270ead65e2d02e4459b022c # v3.6.2
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-transferred.yml

@@ -10,7 +10,6 @@ jobs:
   issue-transferred:
     name: Issue Transferred
     runs-on: ubuntu-latest
-    permissions: {}
     if: ${{ !github.event.changes.new_repository.private }}
     steps:
       - name: Generate GitHub App token

.github/workflows/issue-unlabeled.yml

@@ -4,15 +4,14 @@ on:
   issues:
     types: [unlabeled]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   issue-unlabeled-blocked:
     name: All blocked/* labels removed
     if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Check for any blocked labels
         id: check-for-blocked-labels

.github/workflows/linux-publish.yml

@@ -6,7 +6,7 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '933c7d6ff6802706875270bec2e3c891cf8add3f'
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -17,13 +17,9 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
   checkout-linux:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
@@ -43,12 +39,7 @@ jobs:
       uses: ./src/electron/.github/actions/checkout
 
   publish-x64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-linux
     with:
       environment: production-release
@@ -63,12 +54,7 @@ jobs:
     secrets: inherit
 
   publish-arm:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-linux
     with:
       environment: production-release
@@ -83,12 +69,7 @@ jobs:
     secrets: inherit
 
   publish-arm64:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-linux
     with:
       environment: production-release

.github/workflows/macos-publish.yml

@@ -6,7 +6,7 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '933c7d6ff6802706875270bec2e3c891cf8add3f'
         required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
@@ -18,13 +18,9 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
   checkout-macos:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
@@ -47,16 +43,11 @@ jobs:
         target-platform: macos
 
   publish-x64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: darwin
@@ -67,16 +58,11 @@ jobs:
     secrets: inherit
 
   publish-x64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: x64
       target-variant: mas
@@ -87,16 +73,11 @@ jobs:
     secrets: inherit
 
   publish-arm64-darwin:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: darwin
@@ -107,16 +88,11 @@ jobs:
     secrets: inherit
 
   publish-arm64-mas:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-macos
     with:
       environment: production-release
-      build-runs-on: macos-14-xlarge
+      build-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: arm64
       target-variant: mas

.github/workflows/non-maintainer-dependency-change.yml

@@ -7,22 +7,28 @@ on:
       - 'spec/yarn.lock'
       - '.github/workflows/**'
       - '.github/actions/**'
-      - '.yarn/**'
-      - '.yarnrc.yml'
 
 permissions: {}
 
 jobs:
   check-for-non-maintainer-dependency-change:
     name: Check for disallowed non-maintainer change
-    if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association) && github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
+    if: ${{ github.event.pull_request.user.type != 'Bot' && !github.event.pull_request.draft }}
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - name: Get author association
+        id: get-author-association
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/pulls/${{ github.event.pull_request.number }} --jq '.author_association')
+          echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Check for existing review
         id: check-for-review
+        if: ${{ !contains(fromJSON('["MEMBER", "OWNER"]'), steps.get-author-association.outputs.author_association) }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/pipeline-electron-build-and-test-and-nan.yml

@@ -55,8 +55,6 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 concurrency:
   group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -64,8 +62,6 @@ concurrency:
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -78,10 +74,6 @@ jobs:
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}
@@ -91,8 +83,6 @@ jobs:
     secrets: inherit
   nn-test:
     uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}

.github/workflows/pipeline-electron-build-and-test.yml

@@ -64,13 +64,14 @@ concurrency:
   group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read  
 
 jobs:
   build:
     uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
     with:
       build-runs-on: ${{ inputs.build-runs-on }}
       build-container: ${{ inputs.build-container }}
@@ -85,10 +86,6 @@ jobs:
     secrets: inherit
   test:
     uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     needs: build
     with:
       target-arch: ${{ inputs.target-arch }}

.github/workflows/pipeline-electron-docs-only.yml

@@ -8,8 +8,6 @@ on:
         description: 'Container to run the docs-only ts compile in'
         type: string
 
-permissions: {}
-
 concurrency:
   group: electron-docs-only-${{ github.ref }}
   cancel-in-progress: true
@@ -21,8 +19,6 @@ jobs:
   docs-only:
     name: Docs Only Compile
     runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
@@ -54,12 +50,12 @@ jobs:
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js create-typescript-definitions
-        node script/yarn.js tsc -p tsconfig.default_app.json --noEmit
+        node script/yarn create-typescript-definitions
+        node script/yarn tsc -p tsconfig.default_app.json --noEmit
         for f in build/webpack/*.js
         do
             out="${f:29}"
             if [ "$out" != "base.js" ]; then
-            node script/yarn.js webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
+            node script/yarn webpack --config $f --output-filename=$out --output-path=./.tmp --env mode=development
             fi
         done

.github/workflows/pipeline-electron-lint.yml

@@ -8,8 +8,6 @@ on:
         description: 'Container to run lint in'
         type: string
 
-permissions: {}
-
 concurrency:
   group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -21,8 +19,6 @@ jobs:
   lint:
     name: Lint
     runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
     timeout-minutes: 20
     container: ${{ fromJSON(inputs.container) }}
     steps:
@@ -78,15 +74,11 @@ jobs:
         # but then we would lint its contents (at least gn format), and it doesn't pass it.
 
         cd src/electron
-        node script/yarn.js install --immutable
-        node script/yarn.js lint
+        node script/yarn install --frozen-lockfile
+        node script/yarn lint
     - name: Run Script Typechecker
       shell: bash
       run: |
         cd src/electron
-        node script/yarn.js tsc -p tsconfig.script.json
-    - name: Check GHA Workflows
-      shell: bash
-      run: |
-        cd src/electron
-        node script/copy-pipeline-segment-publish.js --check
+        node script/yarn tsc -p tsconfig.script.json
+    

.github/workflows/pipeline-segment-electron-build.yml

@@ -59,8 +59,6 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 concurrency:
   group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -83,8 +81,6 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      contents: read
     container: ${{ fromJSON(inputs.build-container) }}
     environment: ${{ inputs.environment }}
     env:

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -26,8 +26,6 @@ on:
         type: string
         default: testing
 
-permissions: {}
-
 concurrency:
   group: electron-gn-check-${{ inputs.target-platform }}-${{ github.ref }}
   cancel-in-progress: true
@@ -43,8 +41,6 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.check-runs-on }}
-    permissions:
-      contents: read
     container: ${{ fromJSON(inputs.check-container) }}
     steps:
     - name: Checkout Electron

.github/workflows/pipeline-segment-electron-publish.yml

@@ -1,237 +0,0 @@
-# AUTOGENERATED FILE - DO NOT EDIT MANUALLY
-# ONLY EDIT .github/workflows/pipeline-segment-electron-build.yml
-
-name: Pipeline Segment - Electron Build
-on:
-  workflow_call:
-    inputs:
-      environment:
-        description: using the production or testing environment
-        required: false
-        type: string
-      target-platform:
-        type: string
-        description: Platform to run on, can be macos, win or linux
-        required: true
-      target-arch:
-        type: string
-        description: Arch to build for, can be x64, arm64, ia32 or arm
-        required: true
-      target-variant:
-        type: string
-        description: Variant to build for, no effect on non-macOS target platforms. Can
-          be darwin, mas or all.
-        default: all
-      build-runs-on:
-        type: string
-        description: What host to run the build
-        required: true
-      build-container:
-        type: string
-        description: JSON container information for aks runs-on
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: Whether this build job is a release job
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: The gn build type - testing or release
-        required: true
-        type: string
-        default: testing
-      generate-symbols:
-        description: Whether or not to generate symbols
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage:
-        description: Whether or not to upload build artifacts to external storage
-        required: true
-        type: string
-        default: "0"
-      is-asan:
-        description: Building the Address Sanitizer (ASan) Linux build
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: Enable SSH debugging
-        required: false
-        type: boolean
-        default: false
-permissions: {}
-concurrency:
-  group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch
-    }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{
-    github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-env:
-  CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
-  CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}
-  DD_API_KEY: ${{ secrets.DD_API_KEY }}
-  ELECTRON_ARTIFACTS_BLOB_STORAGE: ${{ secrets.ELECTRON_ARTIFACTS_BLOB_STORAGE }}
-  ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
-  SUDOWOODO_EXCHANGE_URL: ${{ secrets.SUDOWOODO_EXCHANGE_URL }}
-  SUDOWOODO_EXCHANGE_TOKEN: ${{ secrets.SUDOWOODO_EXCHANGE_TOKEN }}
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' &&
-    '--custom-var=checkout_mac=True --custom-var=host_os=mac' ||
-    inputs.target-platform == 'win' && '--custom-var=checkout_win=True' ||
-    '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' }}
-  ELECTRON_OUT_DIR: Default
-  ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
-jobs:
-  build:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.build-runs-on }}
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
-    container: ${{ fromJSON(inputs.build-container) }}
-    environment: ${{ inputs.environment }}
-    env:
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-    steps:
-      - name: Create src dir
-        run: |
-          mkdir src
-      - name: Checkout Electron
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Setup SSH Debugging
-        if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh ||
-          env.ACTIONS_STEP_DEBUG == 'true') }}
-        uses: ./src/electron/.github/actions/ssh-debug
-        with:
-          tunnel: "true"
-        env:
-          CLOUDFLARE_TUNNEL_CERT: ${{ secrets.CLOUDFLARE_TUNNEL_CERT }}
-          CLOUDFLARE_TUNNEL_HOSTNAME: ${{ vars.CLOUDFLARE_TUNNEL_HOSTNAME }}
-          CLOUDFLARE_USER_CA_CERT: ${{ secrets.CLOUDFLARE_USER_CA_CERT }}
-          AUTHORIZED_USERS: ${{ secrets.SSH_DEBUG_AUTHORIZED_USERS }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Check disk space after freeing up space
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: df -h
-      - name: Setup Node.js/npm
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
-        with:
-          node-version: 20.19.x
-          cache: yarn
-          cache-dependency-path: src/electron/yarn.lock
-      - name: Install Dependencies
-        uses: ./src/electron/.github/actions/install-dependencies
-      - name: Install AZCopy
-        if: ${{ inputs.target-platform == 'macos' }}
-        run: brew install azcopy
-      - name: Set GN_EXTRA_ARGS for Linux
-        if: ${{ inputs.target-platform == 'linux' }}
-        run: >
-          if [ "${{ inputs.target-arch  }}" = "arm" ]; then
-            if [ "${{ inputs.is-release  }}" = true ]; then
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false symbol_level=1'
-            else
-              GN_EXTRA_ARGS='target_cpu="arm" build_tflite_with_xnnpack=false'
-            fi
-          elif [ "${{ inputs.target-arch }}" = "arm64" ]; then
-            GN_EXTRA_ARGS='target_cpu="arm64" fatal_linker_warnings=false enable_linux_installer=false'
-          elif [ "${{ inputs.is-asan }}" = true ]; then
-            GN_EXTRA_ARGS='is_asan=true'
-          fi
-
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Set Chromium Git Cookie
-        uses: ./src/electron/.github/actions/set-chromium-cookie
-      - name: Install Build Tools
-        uses: ./src/electron/.github/actions/install-build-tools
-      - name: Generate DEPS Hash
-        run: |
-          node src/electron/script/generate-deps-hash.js
-          DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
-          echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-          echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-      - name: Restore src cache via AZCopy
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-azcopy
-        with:
-          target-platform: ${{ inputs.target-platform }}
-      - name: Restore src cache via AKS
-        if: ${{ inputs.target-platform == 'linux' }}
-        uses: ./src/electron/.github/actions/restore-cache-aks
-      - name: Checkout Electron
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        with:
-          path: src/electron
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Fix Sync
-        if: ${{ inputs.target-platform != 'linux' }}
-        uses: ./src/electron/.github/actions/fix-sync
-        with:
-          target-platform: ${{ inputs.target-platform }}
-        env:
-          ELECTRON_DEPOT_TOOLS_DISABLE_LOG: true
-      - name: Init Build Tools
-        run: >
-          e init -f --root=$(pwd) --out=Default ${{ inputs.gn-build-type }}
-          --import ${{ inputs.gn-build-type }} --target-cpu ${{
-          inputs.target-arch }} --remote-build siso
-      - name: Run Electron Only Hooks
-        run: |
-          e d gclient runhooks --spec="solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]"
-      - name: Regenerate DEPS Hash
-        run: >
-          (cd src/electron && git checkout .) && node
-          src/electron/script/generate-deps-hash.js
-
-          echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-      - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-        run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-      - name: Free up space (macOS)
-        if: ${{ inputs.target-platform == 'macos' }}
-        uses: ./src/electron/.github/actions/free-space-macos
-      - name: Build Electron
-        if: ${{ inputs.target-platform != 'macos' || (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'darwin') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: ${{ inputs.target-platform == 'macos' && 'darwin' ||
-            inputs.target-platform }}
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          is-asan: ${{ inputs.is-asan }}
-      - name: Set GN_EXTRA_ARGS for MAS Build
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        run: |
-          echo "MAS_BUILD=true" >> $GITHUB_ENV
-          GN_EXTRA_ARGS='is_mas_build=true'
-          echo "GN_EXTRA_ARGS=$GN_EXTRA_ARGS" >> $GITHUB_ENV
-      - name: Build Electron (MAS)
-        if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
-          inputs.target-variant == 'mas') }}
-        uses: ./src/electron/.github/actions/build-electron
-        with:
-          target-arch: ${{ inputs.target-arch }}
-          target-platform: ${{ inputs.target-platform }}
-          artifact-platform: mas
-          is-release: ${{ inputs.is-release }}
-          generate-symbols: ${{ inputs.generate-symbols }}
-          upload-to-storage: ${{ inputs.upload-to-storage }}
-          step-suffix: (mas)

.github/workflows/pipeline-segment-electron-test.yml

@@ -35,7 +35,10 @@ concurrency:
   group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
 
-permissions: {}
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
 
 env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
@@ -50,10 +53,6 @@ jobs:
       run:
         shell: bash
     runs-on: ${{ inputs.test-runs-on }}
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     container: ${{ fromJSON(inputs.test-container) }}
     strategy:
       fail-fast: false
@@ -77,6 +76,7 @@ jobs:
     - name: Add TCC permissions on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: |
+        epochdate=$(($(date +'%s * 1000 + %-N / 1000000')))
         configure_user_tccdb () {
           local values=$1
           local dbPath="$HOME/Library/Application Support/com.apple.TCC/TCC.db"
@@ -95,11 +95,14 @@ jobs:
             "'kTCCServiceCamera','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceBluetoothAlways','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
             "'kTCCServiceAppleEvents','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
+            "'kTCCServiceCamera','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
+            "'kTCCServiceBluetoothAlways','/opt/hca/hosted-compute-agent',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159"
+            "'kTCCServiceScreenCapture','/bin/bash',1,2,3,1,NULL,NULL,NULL,'UNUSED',NULL,0,$epochdate"
         )
         for values in "${userValuesArray[@]}"; do
           # Sonoma and higher have a few extra values
           # Ref: https://github.com/actions/runner-images/blob/main/images/macos/scripts/build/configure-tccdb-macos.sh
-          if [ "$OSTYPE" = "darwin23" ]; then
+          if [ "$OSTYPE" = "darwin23" ] || [ "$OSTYPE" = "darwin24" ]; then
             configure_user_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
             configure_sys_tccdb "$values,NULL,NULL,'UNUSED',${values##*,}"
           else
@@ -110,12 +113,21 @@ jobs:
     - name: Turn off the unexpectedly quit dialog on macOS
       if: ${{ inputs.target-platform == 'macos' }}
       run: defaults write com.apple.CrashReporter DialogType server
+    - name: Set xcode to 16.4
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: sudo xcode-select --switch /Applications/Xcode_16.4.app
     - name: Checkout Electron
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         path: src/electron
         fetch-depth: 0
         ref: ${{ github.event.pull_request.head.sha }}
+    - name: Turn off screenshot nag on macOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: |
+        defaults write ~/Library/Group\ Containers/group.com.apple.replayd/ScreenCaptureApprovals.plist "/bin/bash" -date "3024-09-23 12:00:00 +0000"
+        src/electron/script/actions/screencapture-nag-remover.sh -a $(which bash)
+        src/electron/script/actions/screencapture-nag-remover.sh -a /opt/hca/hosted-compute-agent
     - name: Setup SSH Debugging
       if: ${{ inputs.target-platform == 'macos' && (inputs.enable-ssh || env.ACTIONS_STEP_DEBUG == 'true') }}
       uses: ./src/electron/.github/actions/ssh-debug
@@ -154,12 +166,12 @@ jobs:
         echo "DISABLE_CRASH_REPORTER_TESTS=true" >> $GITHUB_ENV
         echo "IS_ASAN=true" >> $GITHUB_ENV
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
@@ -177,12 +189,16 @@ jobs:
       run: |
         cd src/out/Default
         unzip -:o dist.zip
-    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+    #- name: Import & Trust Self-Signed Codesigning Cert on MacOS
+    #  if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+    #  run: |
+    #    sudo security authorizationdb write com.apple.trust-settings.admin allow
+    #    cd src/electron
+    #    ./script/codesign/generate-identity.sh
+    - name: Install Datadog CLI
       run: |
-        sudo security authorizationdb write com.apple.trust-settings.admin allow
         cd src/electron
-        ./script/codesign/generate-identity.sh
+        node script/yarn global add @datadog/datadog-ci
     - name: Run Electron Tests
       shell: bash
       env:
@@ -208,7 +224,7 @@ jobs:
               export ELECTRON_FORCE_TEST_SUITE_EXIT="true"
             fi
           fi
-          node script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+          node script/yarn test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
         else
           chown :builduser .. && chmod g+w ..
           chown -R :builduser . && chmod -R g+w .
@@ -225,14 +241,9 @@ jobs:
             export MOCHA_TIMEOUT=180000
             echo "Piping output to ASAN_SYMBOLIZE ($ASAN_SYMBOLIZE)"
             cd electron
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
           else
-            if [ "${{ inputs.target-arch }}" = "arm" ]; then
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            else 
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            fi
-            
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn test --runners=main --trace-uncaught --enable-logging --files $tests_files
           fi
         fi
     - name: Upload Test results to Datadog
@@ -244,10 +255,9 @@ jobs:
         DD_TAGS: "os.architecture:${{ inputs.target-arch }},os.family:${{ inputs.target-platform }},os.platform:${{ inputs.target-platform }},asan:${{ inputs.is-asan }}"
       run: |
         if ! [ -z $DD_API_KEY ] && [ -f src/electron/junit/test-results-main.xml ]; then
-          cd src/electron
-          export DATADOG_PATH=`node script/yarn.js bin datadog-ci`
-          $DATADOG_PATH junit upload junit/test-results-main.xml
-        fi
+          export DATADOG_PATH=`node src/electron/script/yarn global bin`
+          $DATADOG_PATH/datadog-ci junit upload src/electron/junit/test-results-main.xml
+        fi          
       if: always() && !cancelled()
     - name: Upload Test Artifacts
       if: always() && !cancelled()

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -26,8 +26,6 @@ on:
         type: string
         default: testing
 
-permissions: {}
-
 concurrency:
   group: electron-node-nan-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
   cancel-in-progress: ${{ github.ref_protected != true }}
@@ -41,8 +39,6 @@ jobs:
   node-tests:
     name: Run Node.js Tests
     runs-on: electron-arc-centralus-linux-amd64-8core
-    permissions:
-      contents: read
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -65,12 +61,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -97,8 +93,6 @@ jobs:
   nan-tests:
     name: Run Nan Tests
     runs-on: electron-arc-centralus-linux-amd64-4core
-    permissions:
-      contents: read
     timeout-minutes: 30
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -121,12 +115,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -138,16 +132,10 @@ jobs:
         unzip -:o dist.zip
     - name: Setup Linux for Headless Testing
       run: sh -e /etc/init.d/xvfb start
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
     - name: Run Nan Tests
       run: |
         cd src
         node electron/script/nan-spec-runner.js
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
     - name: Wait for active SSH sessions
       shell: bash
       if: always() && !cancelled()

.github/workflows/pull-request-labeled.yml

@@ -11,10 +11,9 @@ jobs:
     name: backport/requested label added
     if: github.event.label.name == 'backport/requested 🗳'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Trigger Slack workflow
-        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
         with:
           webhook: ${{ secrets.BACKPORT_REQUESTED_SLACK_WEBHOOK_URL }} 
           webhook-type: webhook-trigger
@@ -29,7 +28,6 @@ jobs:
     name: deprecation-review/complete label added
     if: github.event.label.name == 'deprecation-review/complete ✅'
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1

.github/workflows/scorecards.yml

@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/semantic.yml

@@ -7,7 +7,8 @@ on:
       - edited
       - synchronize
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   main:
@@ -18,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/stable-prep-items.yml

@@ -11,7 +11,6 @@ jobs:
   check-stable-prep-items:
     name: Check Stable Prep Items
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1

.github/workflows/stale.yml

@@ -10,7 +10,6 @@ permissions: {}
 jobs:
   stale:
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - name: Generate GitHub App token
         uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -32,7 +31,6 @@ jobs:
           only-pr-labels: not-a-real-label
   pending-repro:
     runs-on: ubuntu-latest
-    permissions: {}
     if: ${{ always() }}
     needs: stale
     steps:

.github/workflows/windows-publish.yml

@@ -6,7 +6,7 @@ on:
       build-image-sha:
         type: string
         description: 'SHA for electron/build image'
-        default: 'a82b87d7a4f5ff0cab61405f8151ac4cf4942aeb'
+        default: '933c7d6ff6802706875270bec2e3c891cf8add3f'
         required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
@@ -18,13 +18,9 @@ on:
         type: boolean
         default: false
 
-permissions: {}
-
 jobs:
   checkout-windows:
     runs-on: electron-arc-centralus-linux-amd64-32core
-    permissions:
-      contents: read
     container:
       image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -51,12 +47,7 @@ jobs:
         target-platform: win
 
   publish-x64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-windows
     with:
       environment: production-release
@@ -70,12 +61,7 @@ jobs:
     secrets: inherit
 
   publish-arm64-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-windows
     with:
       environment: production-release
@@ -89,12 +75,7 @@ jobs:
     secrets: inherit
 
   publish-x86-win:
-    uses: ./.github/workflows/pipeline-segment-electron-publish.yml
-    permissions:
-      artifact-metadata: write
-      attestations: write
-      contents: read
-      id-token: write
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
     needs: checkout-windows
     with:
       environment: production-release

.gitignore

@@ -53,5 +53,3 @@ ts-gen
 patches/mtime-cache.json
 
 spec/fixtures/logo.png
-
-.yarn/install-state.gz

.nvmrc

@@ -1 +1 @@
-20
+22

.yarnrc.yml

@@ -1,12 +0,0 @@
-enableScripts: false
-
-nmHoistingLimits: workspaces
-
-nodeLinker: node-modules
-
-npmMinimalAgeGate: 10080
-
-npmPreapprovedPackages:
-  - "@electron/*"
-
-yarnPath: .yarn/releases/yarn-4.12.0.cjs

BUILD.gn

@@ -586,6 +586,11 @@ source_set("electron_lib") {
   }
 
   if (is_mac) {
+    # Disable C++ modules to resolve linking error when including MacOS SDK
+    # headers from third_party/electron_node/deps/uv/include/uv/darwin.h
+    # TODO(samuelmaddock): consider revisiting this in the future
+    use_libcxx_modules = false
+
     deps += [
       "//components/remote_cocoa/app_shim",
       "//components/remote_cocoa/browser",
@@ -689,7 +694,6 @@ source_set("electron_lib") {
       "//components/app_launch_prefetch",
       "//components/crash/core/app:crash_export_thunks",
       "//third_party/libxml:xml_writer",
-      "//ui/native_theme:native_theme_browser",
       "//ui/wm",
       "//ui/wm/public",
     ]
@@ -781,9 +785,13 @@ source_set("electron_lib") {
 
 action("mksnapshot_checksum_gen") {
   script = "build/checksum_header.py"
+
   outputs = [ "$target_gen_dir/snapshot_checksum.h" ]
   inputs = [ "$root_out_dir/$v8_context_snapshot_filename" ]
-  args = rebase_path(inputs) + rebase_path(outputs)
+  args = rebase_path(inputs)
+
+  args += rebase_path(outputs)
+
   deps = [ "//tools/v8_context_snapshot" ]
 }
 

DEPS

@@ -2,9 +2,9 @@ gclient_gn_args_from = 'src'
 
 vars = {
   'chromium_version':
-    '140.0.7339.249',
+    '142.0.7444.162',
   'node_version':
-    'v22.22.0',
+    'v22.21.1',
   'nan_version':
     'e14bdcd1f72d62bca1d541b66da43130384ec213',
   'squirrel.mac_version':
@@ -30,6 +30,9 @@ vars = {
   # The path of the sysroots.json file.
   'sysroots_json_path': 'electron/script/sysroots.json',
 
+  # KEEP IN SYNC WITH utils.js FILE
+  'yarn_version': '1.22.22',
+
   # To be able to build clean Chromium from sources.
   'apply_patches': True,
 
@@ -152,7 +155,7 @@ hooks = [
     'action': [
       'python3',
       '-c',
-      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["node", ".yarn/releases/yarn-4.12.0.cjs", "install", "--immutable"]);',
+      'import os, subprocess; os.chdir(os.path.join("src", "electron")); subprocess.check_call(["python3", "script/lib/npx.py", "yarn@' + (Var("yarn_version")) + '", "install", "--frozen-lockfile"]);',
     ],
   },
   {

README.md

@@ -37,7 +37,7 @@ For more installation options and troubleshooting tips, see
 
 Each Electron release provides binaries for macOS, Windows, and Linux.
 
-* macOS (Big Sur and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
+* macOS (Monterey and up): Electron provides 64-bit Intel and Apple Silicon / ARM binaries for macOS.
 * Windows (Windows 10 and up): Electron provides `ia32` (`x86`), `x64` (`amd64`), and `arm64` binaries for Windows. Windows on ARM support was added in Electron 5.0.8. Support for Windows 7, 8 and 8.1 was [removed in Electron 23, in line with Chromium's Windows deprecation policy](https://www.electronjs.org/blog/windows-7-to-8-1-deprecation-notice).
 * Linux: The prebuilt binaries of Electron are built on Ubuntu 22.04. They have also been verified to work on:
   * Ubuntu 18.04 and newer

build/args/all.gn

@@ -2,7 +2,7 @@ is_electron_build = true
 root_extra_deps = [ "//electron" ]
 
 # Registry of NMVs --> https://github.com/nodejs/node/blob/main/doc/abi_version_registry.json
-node_module_version = 139
+node_module_version = 140
 
 v8_promise_internal_field_count = 1
 v8_embedder_string = "-electron.0"
@@ -19,6 +19,10 @@ proprietary_codecs = true
 
 enable_printing = true
 
+# Refs https://chromium-review.googlesource.com/c/chromium/src/+/6986517
+# CI is using MacOS 15.5 which doesn't have the required modulemaps.
+use_clang_modules = false
+
 # Removes DLLs from the build, which are only meant to be used for Chromium development.
 # See https://github.com/electron/electron/pull/17985
 angle_enable_vulkan_validation_layers = false

build/checksum_header.py

@@ -12,7 +12,7 @@ TEMPLATE_H = """
 
 namespace electron::snapshot_checksum {
 
-const std::string kChecksum = "{checksum}";
+inline constexpr std::string_view kChecksum = "{checksum}";
 
 }  // namespace electron::snapshot_checksum
 

build/rules.gni

@@ -67,10 +67,6 @@ template("mac_xib_bundle_data") {
     ibtool_flags = [
       "--minimum-deployment-target",
       mac_deployment_target,
-
-      # TODO(rsesek): Enable this once all the bots are on Xcode 7+.
-      # "--target-device",
-      # "mac",
     ]
   }
 

chromium_src/BUILD.gn

@@ -23,6 +23,8 @@ static_library("chrome") {
     "//chrome/browser/browser_process.h",
     "//chrome/browser/devtools/devtools_contents_resizing_strategy.cc",
     "//chrome/browser/devtools/devtools_contents_resizing_strategy.h",
+    "//chrome/browser/devtools/devtools_dispatch_http_request_params.cc",
+    "//chrome/browser/devtools/devtools_dispatch_http_request_params.h",
     "//chrome/browser/devtools/devtools_embedder_message_dispatcher.cc",
     "//chrome/browser/devtools/devtools_embedder_message_dispatcher.h",
     "//chrome/browser/devtools/devtools_eye_dropper.cc",
@@ -142,8 +144,6 @@ static_library("chrome") {
     "//chrome/browser/ui/views/overlay/toggle_camera_button.h",
     "//chrome/browser/ui/views/overlay/toggle_microphone_button.cc",
     "//chrome/browser/ui/views/overlay/toggle_microphone_button.h",
-    "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.h",
-    "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.mm",
     "//chrome/browser/ui/views/overlay/video_overlay_window_views.cc",
     "//chrome/browser/ui/views/overlay/video_overlay_window_views.h",
     "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_bounds_change_animation.cc",
@@ -280,6 +280,8 @@ static_library("chrome") {
       "//chrome/browser/process_singleton_mac.mm",
       "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.h",
       "//chrome/browser/ui/views/eye_dropper/eye_dropper_view_mac.mm",
+      "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.h",
+      "//chrome/browser/ui/views/overlay/video_overlay_window_native_widget_mac.mm",
     ]
     deps += [ ":system_media_capture_permissions_mac_conflict" ]
   }
@@ -502,15 +504,17 @@ source_set("chrome_spellchecker") {
   ]
 }
 
-# These sources create an object file conflict with one in |:chrome|, so they
-# must live in a separate target.
-# Conflicting sources:
-#   //chrome/browser/media/webrtc/system_media_capture_permissions_stats_mac.mm
-#   //chrome/browser/permissions/system/system_media_capture_permissions_mac.mm
-source_set("system_media_capture_permissions_mac_conflict") {
-  sources = [
-    "//chrome/browser/permissions/system/system_media_capture_permissions_mac.h",
-    "//chrome/browser/permissions/system/system_media_capture_permissions_mac.mm",
-  ]
-  deps = [ "//chrome/common" ]
+if (is_mac) {
+  # These sources create an object file conflict with one in |:chrome|, so they
+  # must live in a separate target.
+  # Conflicting sources:
+  #   //chrome/browser/media/webrtc/system_media_capture_permissions_stats_mac.mm
+  #   //chrome/browser/permissions/system/system_media_capture_permissions_mac.mm
+  source_set("system_media_capture_permissions_mac_conflict") {
+    sources = [
+      "//chrome/browser/permissions/system/system_media_capture_permissions_mac.h",
+      "//chrome/browser/permissions/system/system_media_capture_permissions_mac.mm",
+    ]
+    deps = [ "//chrome/common" ]
+  }
 }

docs/api/app.md

@@ -421,6 +421,7 @@ Returns:
     * `oom` - Process ran out of memory
     * `launch-failed` - Process never successfully launched
     * `integrity-failure` - Windows code integrity checks failed
+    * `memory-eviction` - Process proactively terminated to prevent a future out-of-memory (OOM) situation
   * `exitCode` number - The exit code for the process
       (e.g. status from waitpid if on POSIX, from GetExitCodeProcess on Windows).
   * `serviceName` string (optional) - The non-localized name of the process.
@@ -564,8 +565,9 @@ and subscribing to the `ready` event if the app is not ready yet.
   * `steal` boolean _macOS_ - Make the receiver the active app even if another app is
   currently active.
 
-On Linux, focuses on the first visible window. On macOS, makes the application
-the active app. On Windows, focuses on the application's first window.
+On macOS, makes the application the active app. On Windows, focuses on the application's
+first window. On Linux, either focuses on the first visible window (X11) or requests
+focus but may instead show a notification or flash the app icon (Wayland).
 
 You should seek to use the `steal` option as sparingly as possible.
 
@@ -1216,7 +1218,7 @@ This method can only be called before app is ready.
 
 ### `app.isHardwareAccelerationEnabled()`
 
-Returns `boolean` - whether hardware acceleration is currently disabled.
+Returns `boolean` - whether hardware acceleration is currently enabled.
 
  > [!NOTE]
  > This information is only usable after the `gpu-info-update` event is emitted.

docs/api/browser-window.md

@@ -140,6 +140,10 @@ state is `hidden` in order to minimize power consumption.
   move.
 * On Linux the type of modal windows will be changed to `dialog`.
 * On Linux many desktop environments do not support hiding a modal window.
+* On Wayland (Linux) it is generally not possible to programmatically resize windows
+  after creation, or to position, move, focus, or blur windows without user input.
+  If your app needs these capabilities, run it in Xwayland by appending the flag
+  `--ozone-platform=x11`.
 
 ## Class: BrowserWindow extends `BaseWindow`
 
@@ -656,10 +660,15 @@ the [close event](#event-close).
 
 Focuses on the window.
 
+On Wayland (Linux), the desktop environment may show a notification or flash
+the app icon if the window or app is not already focused.
+
 #### `win.blur()`
 
 Removes focus from the window.
 
+Not supported on Wayland (Linux).
+
 #### `win.isFocused()`
 
 Returns `boolean` - Whether the window is focused.
@@ -676,6 +685,8 @@ Shows and gives focus to the window.
 
 Shows the window but doesn't focus on it.
 
+Not supported on Wayland (Linux).
+
 #### `win.hide()`
 
 Hides the window.
@@ -824,6 +835,8 @@ Closes the currently open [Quick Look][quick-look] panel.
 
 Resizes and moves the window to the supplied bounds. Any properties that are not supplied will default to their current values.
 
+On Wayland (Linux), has the same limitations as `setSize` and `setPosition`.
+
 ```js
 const { BrowserWindow } = require('electron')
 
@@ -866,6 +879,8 @@ See [Setting `backgroundColor`](#setting-the-backgroundcolor-property).
 Resizes and moves the window's client area (e.g. the web page) to
 the supplied bounds.
 
+On Wayland (Linux), has the same limitations as `setContentSize` and `setPosition`.
+
 #### `win.getContentBounds()`
 
 Returns [`Rectangle`](structures/rectangle.md) - The `bounds` of the window's client area as `Object`.
@@ -895,6 +910,8 @@ Returns `boolean` - whether the window is enabled.
 
 Resizes the window to `width` and `height`. If `width` or `height` are below any set minimum size constraints the window will snap to its minimum size.
 
+On Wayland (Linux), may not work as some window managers restrict programmatic window resizing.
+
 #### `win.getSize()`
 
 Returns `Integer[]` - Contains the window's width and height.
@@ -907,6 +924,8 @@ Returns `Integer[]` - Contains the window's width and height.
 
 Resizes the window's client area (e.g. the web page) to `width` and `height`.
 
+On Wayland (Linux), may not work as some window managers restrict programmatic window resizing.
+
 #### `win.getContentSize()`
 
 Returns `Integer[]` - Contains the window's client area's width and height.
@@ -1044,12 +1063,16 @@ this method throws an error.
 
 #### `win.moveTop()`
 
-Moves window to top(z-order) regardless of focus
+Moves window to top(z-order) regardless of focus.
+
+Not supported on Wayland (Linux).
 
 #### `win.center()`
 
 Moves window to the center of the screen.
 
+Not supported on Wayland (Linux).
+
 #### `win.setPosition(x, y[, animate])`
 
 * `x` Integer
@@ -1058,6 +1081,8 @@ Moves window to the center of the screen.
 
 Moves window to `x` and `y`.
 
+Not supported on Wayland (Linux).
+
 #### `win.getPosition()`
 
 Returns `Integer[]` - Contains the window's current position.

docs/api/command-line-switches.md

@@ -86,7 +86,7 @@ Field trials to be forcefully enabled or disabled.
 
 For example: `WebRTC-Audio-Red-For-Opus/Enabled/`
 
-### --host-rules=`rules`
+### --host-rules=`rules` _Deprecated_
 
 A comma-separated list of `rules` that control how hostnames are mapped.
 
@@ -104,9 +104,23 @@ These mappings apply to the endpoint host in a net request (the TCP connect
 and host resolver in a direct connection, and the `CONNECT` in an HTTP proxy
 connection, and the endpoint host in a `SOCKS` proxy connection).
 
+**Deprecated:** Use the `--host-resolver-rules` switch instead.
+
 ### --host-resolver-rules=`rules`
 
-Like `--host-rules` but these `rules` only apply to the host resolver.
+A comma-separated list of `rules` that control how hostnames are mapped.
+
+For example:
+
+* `MAP * 127.0.0.1` Forces all hostnames to be mapped to 127.0.0.1
+* `MAP *.google.com proxy` Forces all google.com subdomains to be resolved to
+  "proxy".
+* `MAP test.com [::1]:77` Forces "test.com" to resolve to IPv6 loopback. Will
+  also force the port of the resulting socket address to be 77.
+* `MAP * baz, EXCLUDE www.google.com` Remaps everything to "baz", except for
+  "www.google.com".
+
+These `rules` only apply to the host resolver.
 
 ### --ignore-certificate-errors
 
@@ -331,6 +345,22 @@ Affects the default output directory of [v8.setHeapSnapshotNearHeapLimit](https:
 
 Disable exposition of [Navigator API][] on the global scope from Node.js.
 
+## Chromium Flags
+
+There isn't a documented list of all Chromium switches, but there are a few ways to find them.
+
+The easiest way is through Chromium's flags page, which you can access at `about://flags`. These flags don't directly match switch names, but they show up in the process's command-line arguments.
+
+To see these arguments, enable a flag in `about://flags`, then go to `about://version` in Chromium. You'll find a list of command-line arguments, including `--flag-switches-begin --your --list --flag-switches-end`, which contains the list of your flag enabled switches.
+
+Most flags are included as part of `--enable-features=`, but some are standalone switches, like `--enable-experimental-web-platform-features`.
+
+A complete list of flags exists in [Chromium's flag metadata page](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/flag-metadata.json), but this list includes platform, environment and GPU specific, expired and potentially non-functional flags, so many of them might not always work in every situation.
+
+Keep in mind that standalone switches can sometimes be split into individual features, so there's no fully complete list of switches.
+
+Finally, you'll need to ensure that the version of Chromium in Electron matches the version of the browser you're using to cross-reference the switches.
+
 [app]: app.md
 [append-switch]: command-line.md#commandlineappendswitchswitch-value
 [debugging-main-process]: ../tutorial/debugging-main-process.md

docs/api/context-bridge.md

@@ -157,6 +157,7 @@ has been included below for completeness:
 | [Cloneable Types](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Structured_clone_algorithm) | Simple | ✅ | ✅ | See the linked document on cloneable types |
 | `Element` | Complex | ✅ | ✅ | Prototype modifications are dropped.  Sending custom elements will not work. |
 | `Blob` | Complex | ✅ | ✅ | N/A |
+| `VideoFrame` | Complex | ✅ | ✅ | N/A |
 | `Symbol` | N/A | ❌ | ❌ | Symbols cannot be copied across contexts so they are dropped |
 
 If the type you care about is not in the above table, it is probably not supported.

docs/api/desktop-capturer.md

@@ -102,6 +102,10 @@ Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`Desktop
 
 ## Caveats
 
+`desktopCapturer.getSources(options)` only returns a single source on Linux when using Pipewire.
+
+PipeWire supports a single capture for both screens and windows. If you request the window and screen type, the selected source will be returned as a window capture.
+
 `navigator.mediaDevices.getUserMedia` does not work on macOS for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this.
 
 It is possible to circumvent this limitation by capturing system audio with another macOS app like Soundflower and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.

docs/api/menu-item.md

@@ -34,7 +34,8 @@ See [`Menu`](menu.md) for examples.
   * `sublabel` string (optional) _macOS_ - Available in macOS >= 14.4
   * `toolTip` string (optional) _macOS_ - Hover text for this menu item.
   * `accelerator` string (optional) - An [Accelerator](../tutorial/keyboard-shortcuts.md#accelerators) string.
-  * `icon` ([NativeImage](native-image.md) | string) (optional)
+  * `icon` ([NativeImage](native-image.md) | string) (optional) - Can be a
+    [NativeImage](native-image.md) or the file path of an icon.
   * `enabled` boolean (optional) - If false, the menu item will be greyed out and
     unclickable.
   * `acceleratorWorksWhenHidden` boolean (optional) _macOS_ - default is `true`, and when `false` will prevent the accelerator from triggering the item if the item is not visible.

docs/api/native-image.md

@@ -202,8 +202,7 @@ Creates a new `NativeImage` instance from `dataUrl`, a base 64 encoded [Data URL
 Returns `NativeImage`
 
 Creates a new `NativeImage` instance from the `NSImage` that maps to the
-given image name. See Apple's [`NSImageName`](https://developer.apple.com/documentation/appkit/nsimagename#2901388)
-documentation for a list of possible values.
+given image name. See Apple's [`NSImageName`](https://developer.apple.com/documentation/appkit/nsimagename#2901388) documentation and [SF Symbols](https://developer.apple.com/sf-symbols/) for a list of possible values.
 
 The `hslShift` is applied to the image with the following rules:
 
@@ -231,6 +230,15 @@ echo -e '#import <Cocoa/Cocoa.h>\nint main() { NSLog(@"%@", SYSTEM_IMAGE_NAME);
 
 where `SYSTEM_IMAGE_NAME` should be replaced with any value from [this list](https://developer.apple.com/documentation/appkit/nsimagename?language=objc).
 
+For SF Symbols, usage looks as follows:
+
+```js
+const image = nativeImage.createFromNamedImage('square.and.pencil')
+```
+
+where `'square.and.pencil'` is the symbol name from the
+[SF Symbols app](https://developer.apple.com/sf-symbols/).
+
 ## Class: NativeImage
 
 > Natively wrap images such as tray, dock, and application icons.

docs/api/structures/color-space.md

@@ -0,0 +1,195 @@
+# ColorSpace Object
+
+* `primaries` string - The color primaries of the color space. Can be one of the following values:
+  * `bt709` - BT709 primaries (also used for sRGB)
+  * `bt470m` - BT470M primaries
+  * `bt470bg` - BT470BG primaries
+  * `smpte170m` - SMPTE170M primaries
+  * `smpte240m` - SMPTE240M primaries
+  * `film` - Film primaries
+  * `bt2020` - BT2020 primaries
+  * `smptest428-1` - SMPTEST428-1 primaries
+  * `smptest431-2` - SMPTEST431-2 primaries
+  * `p3` - P3 primaries
+  * `xyz-d50` - XYZ D50 primaries
+  * `adobe-rgb` - Adobe RGB primaries
+  * `apple-generic-rgb` - Apple Generic RGB primaries
+  * `wide-gamut-color-spin` - Wide Gamut Color Spin primaries
+  * `ebu-3213-e` - EBU 3213-E primaries
+  * `custom` - Custom primaries
+  * `invalid` - Invalid primaries
+
+* `transfer` string - The transfer function of the color space. Can be one of the following values:
+  * `bt709` - BT709 transfer function
+  * `bt709-apple` - BT709 Apple transfer function
+  * `gamma18` - Gamma 1.8 transfer function
+  * `gamma22` - Gamma 2.2 transfer function
+  * `gamma24` - Gamma 2.4 transfer function
+  * `gamma28` - Gamma 2.8 transfer function
+  * `smpte170m` - SMPTE170M transfer function
+  * `smpte240m` - SMPTE240M transfer function
+  * `linear` - Linear transfer function
+  * `log` - Log transfer function
+  * `log-sqrt` - Log Square Root transfer function
+  * `iec61966-2-4` - IEC61966-2-4 transfer function
+  * `bt1361-ecg` - BT1361 ECG transfer function
+  * `srgb` - sRGB transfer function
+  * `bt2020-10` - BT2020-10 transfer function
+  * `bt2020-12` - BT2020-12 transfer function
+  * `pq` - PQ (Perceptual Quantizer) transfer function
+  * `smptest428-1` - SMPTEST428-1 transfer function
+  * `hlg` - HLG (Hybrid Log-Gamma) transfer function
+  * `srgb-hdr` - sRGB HDR transfer function
+  * `linear-hdr` - Linear HDR transfer function
+  * `custom` - Custom transfer function
+  * `custom-hdr` - Custom HDR transfer function
+  * `scrgb-linear-80-nits` - scRGB Linear 80 nits transfer function
+  * `invalid` - Invalid transfer function
+
+* `matrix` string - The color matrix of the color space. Can be one of the following values:
+  * `rgb` - RGB matrix
+  * `bt709` - BT709 matrix
+  * `fcc` - FCC matrix
+  * `bt470bg` - BT470BG matrix
+  * `smpte170m` - SMPTE170M matrix
+  * `smpte240m` - SMPTE240M matrix
+  * `ycocg` - YCoCg matrix
+  * `bt2020-ncl` - BT2020 NCL matrix
+  * `ydzdx` - YDzDx matrix
+  * `gbr` - GBR matrix
+  * `invalid` - Invalid matrix
+
+* `range` string - The color range of the color space. Can be one of the following values:
+  * `limited` - Limited color range (RGB values ranging from 16 to 235)
+  * `full` - Full color range (RGB values from 0 to 255)
+  * `derived` - Range defined by the transfer function and matrix
+  * `invalid` - Invalid range
+
+## Common `ColorSpace` definitions
+
+### Standard Color Spaces
+
+**sRGB**:
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'srgb',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**Display P3**:
+
+  ```js
+  const cs = {
+    primaries: 'p3',
+    transfer: 'srgb',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**XYZ D50**:
+
+  ```js
+  const cs = {
+    primaries: 'xyz-d50',
+    transfer: 'linear',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+### HDR Color Spaces
+
+**Extended sRGB** (extends sRGB to all real values):
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'srgb-hdr',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**scRGB Linear** (linear transfer function for all real values):
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'linear-hdr',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**scRGB Linear 80 Nits** (with an SDR white level of 80 nits):
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'scrgb-linear-80-nits',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**HDR10** (BT.2020 primaries with PQ transfer function):
+
+  ```js
+  const cs = {
+    primaries: 'bt2020',
+    transfer: 'pq',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+**HLG** (BT.2020 primaries with HLG transfer function):
+
+  ```js
+  const cs = {
+    primaries: 'bt2020',
+    transfer: 'hlg',
+    matrix: 'rgb',
+    range: 'full'
+  }
+  ```
+
+### Video Color Spaces
+
+**Rec. 601** (SDTV):
+
+  ```js
+  const cs = {
+    primaries: 'smpte170m',
+    transfer: 'smpte170m',
+    matrix: 'smpte170m',
+    range: 'limited'
+  }
+  ```
+
+**Rec. 709** (HDTV):
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'bt709',
+    matrix: 'bt709',
+    range: 'limited'
+  }
+  ```
+
+**JPEG** (typical color space for JPEG images):
+
+  ```js
+  const cs = {
+    primaries: 'bt709',
+    transfer: 'srgb',
+    matrix: 'smpte170m',
+    range: 'full'
+  }
+  ```

docs/api/structures/offscreen-shared-texture.md

@@ -2,9 +2,13 @@
 
 * `textureInfo` Object - The shared texture info.
   * `widgetType` string - The widget type of the texture. Can be `popup` or `frame`.
-  * `pixelFormat` string - The pixel format of the texture. Can be `rgba` or `bgra`.
+  * `pixelFormat` string - The pixel format of the texture.
+    * `rgba` - The texture format is 8-bit unorm RGBA.
+    * `bgra` - The texture format is 8-bit unorm BGRA.
+    * `rgbaf16` - The texture format is 16-bit float RGBA.
   * `codedSize` [Size](size.md) - The full dimensions of the video frame.
-  * `visibleRect` [Rectangle](rectangle.md) - A subsection of [0, 0, codedSize.width(), codedSize.height()]. In OSR case, it is expected to have the full section area.
+  * `colorSpace` [ColorSpace](color-space.md) - The color space of the video frame.
+  * `visibleRect` [Rectangle](rectangle.md) - A subsection of [0, 0, codedSize.width, codedSize.height]. In OSR case, it is expected to have the full section area.
   * `contentRect` [Rectangle](rectangle.md) - The region of the video frame that capturer would like to populate. In OSR case, it is the same with `dirtyRect` that needs to be painted.
   * `timestamp` number - The time in microseconds since the capture start.
   * `metadata` Object - Extra metadata. See comments in src\media\base\video_frame_metadata.h for accurate details.
@@ -12,13 +16,6 @@
     * `regionCaptureRect` [Rectangle](rectangle.md) (optional) - May reflect the frame's contents origin if region capture is used internally.
     * `sourceSize` [Rectangle](rectangle.md) (optional) - Full size of the source frame.
     * `frameCount` number (optional) - The increasing count of captured frame. May contain gaps if frames are dropped between two consecutively received frames.
-  * `sharedTextureHandle` Buffer _Windows_ _macOS_ - The handle to the shared texture.
-  * `planes` Object[] _Linux_ - Each plane's info of the shared texture.
-    * `stride` number - The strides and offsets in bytes to be used when accessing the buffers via a memory mapping. One per plane per entry.
-    * `offset` number - The strides and offsets in bytes to be used when accessing the buffers via a memory mapping. One per plane per entry.
-    * `size` number - Size in bytes of the plane. This is necessary to map the buffers.
-    * `fd` number - File descriptor for the underlying memory object (usually dmabuf).
-  * `modifier` string _Linux_ - The modifier is retrieved from GBM library and passed to EGL driver.
+  * `handle` [SharedTextureHandle](shared-texture-handle.md) - The shared texture handle data.
 * `release` Function - Release the resources. The `texture` cannot be directly passed to another process, users need to maintain texture lifecycles in
-  main process, but it is safe to pass the `textureInfo` to another process. Only a limited number of textures can exist at the same time, so it's important
-  that you call `texture.release()` as soon as you're done with the texture.
+  main process, but it is safe to pass the `textureInfo` to another process. Only a limited number of textures can exist at the same time, so it's important that you call `texture.release()` as soon as you're done with the texture.

docs/api/structures/render-process-gone-details.md

@@ -8,6 +8,7 @@
   * `oom` - Process ran out of memory
   * `launch-failed` - Process never successfully launched
   * `integrity-failure` - Windows code integrity checks failed
+  * `memory-eviction` - Process proactively terminated to prevent a future out-of-memory (OOM) situation
 * `exitCode` Integer - The exit code of the process, unless `reason` is
   `launch-failed`, in which case `exitCode` will be a platform-specific
   launch failure error code.

docs/api/structures/shared-texture-handle.md

@@ -0,0 +1,12 @@
+# SharedTextureHandle Object
+
+* `ntHandle` Buffer (optional) _Windows_ - NT HANDLE holds the shared texture. Note that this NT HANDLE is local to current process.
+* `ioSurface` Buffer (optional) _macOS_ - IOSurfaceRef holds the shared texture. Note that this IOSurface is local to current process (not global).
+* `nativePixmap` Object (optional) _Linux_ - Structure contains planes of shared texture.
+  * `planes` Object[] _Linux_ - Each plane's info of the shared texture.
+    * `stride` number - The strides and offsets in bytes to be used when accessing the buffers via a memory mapping. One per plane per entry.
+    * `offset` number - The strides and offsets in bytes to be used when accessing the buffers via a memory mapping. One per plane per entry.
+    * `size` number - Size in bytes of the plane. This is necessary to map the buffers.
+    * `fd` number - File descriptor for the underlying memory object (usually dmabuf).
+  * `modifier` string _Linux_ - The modifier is retrieved from GBM library and passed to EGL driver.
+  * `supportsZeroCopyWebGpuImport` boolean _Linux_ - Indicates whether supports zero copy import to WebGPU.

docs/api/structures/usb-device.md

@@ -1,17 +1,35 @@
 # USBDevice Object
 
+* `configuration` Object (optional) - A [USBConfiguration](https://developer.mozilla.org/en-US/docs/Web/API/USBConfiguration) object containing information about the currently selected configuration of a USB device.
+  * `configurationValue` Integer - the configuration value of this configuration.
+  * `configurationName` string - the name provided by the device to describe this configuration.
+  * `interfaces` Object[] - An array of [USBInterface](https://developer.mozilla.org/en-US/docs/Web/API/USBInterface) objects containing information about an interface provided by the USB device.
+    * `interfaceNumber` Integer - the interface number of this interface.
+    * `alternate` Object - the currently selected alternative configuration of this interface.
+      * `alternateSetting` Integer - the alternate setting number of this interface.
+      * `interfaceClass` Integer - the class of this interface. See [USB.org](https://www.usb.org/defined-class-codes) for class code descriptions.
+      * `interfaceSubclass` Integer - the subclass of this interface.
+      * `interfaceProtocol` Integer - the protocol supported by this interface.
+      * `interfaceName` string (optional) - the name of the interface, if one is provided by the device.
+      * `endpoints` Object[] - an array containing instances of the [USBEndpoint interface](https://developer.mozilla.org/en-US/docs/Web/API/USBEndpoint) describing each of the endpoints that are part of this interface.
+        * `endpointNumber` Integer - this endpoint's "endpoint number" which is a value from 1 to 15.
+        * `direction` string - the direction in which this endpoint transfers data - can be either 'in' or 'out'.
+        * `type` string - the type of this endpoint - can be either 'bulk', 'interrupt', or 'isochronous'.
+        * `packetSize` Integer - the size of the packets that data sent through this endpoint will be divided into.
+    * `alternates` Object[] - an array containing instances of the [USBAlternateInterface](https://developer.mozilla.org/en-US/docs/Web/API/USBAlternateInterface) interface describing each of the alternative configurations possible for this interface.
+* `configurations` Object[] - An array of [USBConfiguration](https://developer.mozilla.org/en-US/docs/Web/API/USBConfiguration) interfaces for controlling a paired USB device.
+* `deviceClass` Integer - The device class for the communication interface supported by the device.
 * `deviceId` string - Unique identifier for the device.
-* `vendorId` Integer - The USB vendor ID.
-* `productId` Integer - The USB product ID.
-* `productName` string (optional) - Name of the device.
-* `serialNumber` string (optional) - The USB device serial number.
-* `manufacturerName` string (optional) - The manufacturer name of the device.
-* `usbVersionMajor` Integer - The USB protocol major version supported by the device
-* `usbVersionMinor` Integer - The USB protocol minor version supported by the device
-* `usbVersionSubminor` Integer - The USB protocol subminor version supported by the device
-* `deviceClass` Integer - The device class for the communication interface supported by the device
-* `deviceSubclass` Integer - The device subclass for the communication interface supported by the device
-* `deviceProtocol` Integer - The device protocol for the communication interface supported by the device
+* `deviceProtocol` Integer - The device protocol for the communication interface supported by the device.
+* `deviceSubclass` Integer - The device subclass for the communication interface supported by the device.
 * `deviceVersionMajor` Integer - The major version number of the device as defined by the device manufacturer.
 * `deviceVersionMinor` Integer - The minor version number of the device as defined by the device manufacturer.
 * `deviceVersionSubminor` Integer - The subminor version number of the device as defined by the device manufacturer.
+* `manufacturerName` string (optional) - The manufacturer name of the device.
+* `productId` Integer - The USB product ID.
+* `productName` string (optional) - Name of the device.
+* `serialNumber` string (optional) - The USB device serial number.
+* `usbVersionMajor` Integer - The USB protocol major version supported by the device.
+* `usbVersionMinor` Integer - The USB protocol minor version supported by the device.
+* `usbVersionSubminor` Integer - The USB protocol subminor version supported by the device.
+* `vendorId` Integer - The USB vendor ID.

docs/api/structures/web-preferences.md

@@ -89,6 +89,11 @@
      paint event. Defaults to `false`. See the
     [offscreen rendering tutorial](../../tutorial/offscreen-rendering.md) for
     more details.
+  * `sharedTexturePixelFormat` string (optional) _Experimental_ - The requested output format of the shared texture. Defaults to `argb`.
+    The name is originated from Chromium [`media::VideoPixelFormat`](https://source.chromium.org/chromium/chromium/src/+/main:media/base/video_types.h) enum suffix and only subset of them are supported.
+    The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
+    * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
+    * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
   the specified `preload` script in a separate JavaScript context. Defaults
   to `true`. The context that the `preload` script runs in will only have

docs/api/system-preferences.md

@@ -14,7 +14,7 @@ console.log(systemPreferences.getEffectiveAppearance())
 
 The `systemPreferences` object emits the following events:
 
-### Event: 'accent-color-changed' _Windows_
+### Event: 'accent-color-changed' _Windows_ _Linux_
 
 Returns:
 
@@ -182,7 +182,7 @@ Some popular `key` and `type`s are:
 Removes the `key` in `NSUserDefaults`. This can be used to restore the default
 or global value of a `key` previously set with `setUserDefault`.
 
-### `systemPreferences.getAccentColor()` _Windows_ _macOS_
+### `systemPreferences.getAccentColor()`
 
 Returns `string` - The users current system wide accent color preference in RGBA
 hexadecimal form.

docs/breaking-changes.md

@@ -12,6 +12,37 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.
 
+## Planned Breaking API Changes (39.0)
+
+### Deprecated: `--host-rules` command line switch
+
+Chromium is deprecating the `--host-rules` switch.
+
+You should use `--host-resolver-rules` instead.
+
+### Behavior Changed: window.open popups are always resizable
+
+Per current [WHATWG spec](https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev), the `window.open` API will now always create a resizable popup window.
+
+To restore previous behavior:
+
+```js
+webContents.setWindowOpenHandler((details) => {
+  return {
+    action: 'allow',
+    overrideBrowserWindowOptions: {
+      resizable: details.features.includes('resizable=yes')
+    }
+  }
+})
+```
+
+### Behavior Changed: shared texture OSR `paint` event data structure
+
+When using shared texture offscreen rendering feature, the `paint` event now emits a more structured object.
+It moves the `sharedTextureHandle`, `planes`, `modifier` into a unified `handle` property.
+See the [OffscreenSharedTexture](./api/structures/offscreen-shared-texture.md) API structure for more details.
+
 ## Planned Breaking API Changes (38.0)
 
 ### Removed: `ELECTRON_OZONE_PLATFORM_HINT` environment variable

docs/development/build-instructions-linux.md

@@ -6,17 +6,77 @@ Follow the guidelines below for building **Electron itself** on Linux, for the p
 
 ## Prerequisites
 
-Due to Electron's dependency on Chromium, prerequisites and dependencies for Electron change over time. [Chromium's documentation on building on Linux](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/build_instructions.md) has up to date information for building Chromium on Linux. This documentation can generally
-be followed for building Electron on Linux as well.
+* At least 25GB disk space and 8GB RAM.
+* Python >= 3.9.
+* [Node.js](https://nodejs.org/download/) >= 22.12.0
+* [clang](https://clang.llvm.org/get_started.html) 3.4 or later.
+* Development headers of GTK 3 and libnotify.
 
-Additionally, Electron's [Linux dependency installer](https://github.com/electron/build-images/blob/main/tools/install-deps.sh) can be referenced to get the current dependencies that Electron requires in addition to what Chromium installs via [build/install-deps.sh](https://chromium.googlesource.com/chromium/src/+/HEAD/build/install-build-deps.sh).
+On Ubuntu >= 20.04, install the following libraries:
+
+```sh
+$ sudo apt-get install build-essential clang libdbus-1-dev libgtk-3-dev \
+                       libnotify-dev libasound2-dev libcap-dev \
+                       libcups2-dev libxtst-dev \
+                       libxss1 libnss3-dev gcc-multilib g++-multilib curl \
+                       gperf bison python3-dbusmock openjdk-8-jre
+```
+
+On Ubuntu < 20.04, install the following libraries:
+
+```sh
+$ sudo apt-get install build-essential clang libdbus-1-dev libgtk-3-dev \
+                       libnotify-dev libgnome-keyring-dev \
+                       libasound2-dev libcap-dev libcups2-dev libxtst-dev \
+                       libxss1 libnss3-dev gcc-multilib g++-multilib curl \
+                       gperf bison python-dbusmock openjdk-8-jre
+```
+
+On RHEL / CentOS, install the following libraries:
+
+```sh
+$ sudo yum install clang dbus-devel gtk3-devel libnotify-devel \
+                   libgnome-keyring-devel xorg-x11-server-utils libcap-devel \
+                   cups-devel libXtst-devel alsa-lib-devel libXrandr-devel \
+                   nss-devel python-dbusmock openjdk-8-jre
+```
+
+On Fedora, install the following libraries:
+
+```sh
+$ sudo dnf install clang dbus-devel gperf gtk3-devel \
+                   libnotify-devel libgnome-keyring-devel libcap-devel \
+                   cups-devel libXtst-devel alsa-lib-devel libXrandr-devel \
+                   nss-devel python-dbusmock
+```
+
+On Arch Linux / Manjaro, install the following libraries:
+
+```sh
+$ sudo pacman -Syu base-devel clang libdbus gtk2 libnotify \
+                   libgnome-keyring alsa-lib libcap libcups libxtst \
+                   libxss nss gcc-multilib curl gperf bison \
+                   python2 python-dbusmock jdk8-openjdk
+```
+
+Other distributions may offer similar packages for installation via package
+managers such as pacman. Or one can compile from source code.
 
 ### Cross compilation
 
-If you want to build for an `arm` target, you can use Electron's [Linux dependency installer](https://github.com/electron/build-images/blob/main/tools/install-deps.sh) to install the additional dependencies by passing the `--arm argument`:
+If you want to build for an `arm` target you should also install the following
+dependencies:
 
 ```sh
-$ sudo install-deps.sh --arm
+$ sudo apt-get install libc6-dev-armhf-cross linux-libc-dev-armhf-cross \
+                       g++-arm-linux-gnueabihf
+```
+
+Similarly for `arm64`, install the following:
+
+```sh
+$ sudo apt-get install libc6-dev-arm64-cross linux-libc-dev-arm64-cross \
+                       g++-aarch64-linux-gnu
 ```
 
 And to cross-compile for `arm` or targets, you should pass the

docs/glossary.md

@@ -12,6 +12,15 @@ The ASAR format was created primarily to improve performance on Windows when
 reading large quantities of small files (e.g. when loading your app's JavaScript
 dependency tree from `node_modules`).
 
+### ASAR integrity
+
+ASAR integrity is an security feature that validates the contents of your app's
+ASAR archives at runtime. When enabled, your Electron app will verify the
+header hash of its ASAR archive on runtime. If no hash is present or if there is a mismatch in the
+hashes, the app will forcefully terminate.
+
+See the [ASAR Integrity](./tutorial/asar-integrity.md) guide for more details.
+
 ### code signing
 
 Code signing is a process where an app developer digitally signs their code to

docs/tutorial/asar-integrity.md

@@ -5,7 +5,7 @@ slug: asar-integrity
 hide_title: false
 ---
 
-ASAR integrity is an experimental feature that validates the contents of your app's
+ASAR integrity is a security feature that validates the contents of your app's
 [ASAR archives](./asar-archives.md) at runtime.
 
 ## Version support
@@ -77,7 +77,7 @@ on package time. The process of providing this packaged hash is different for ma
 ### Using Electron tooling
 
 Electron Forge and Electron Packager do this setup automatically for you with no additional
-configuration. The minimum required versions for ASAR integrity are:
+configuration whenever `asar` is enabled. The minimum required versions for ASAR integrity are:
 
 * `@electron/packager@18.3.1`
 * `@electron/forge@7.4.0`

docs/tutorial/automated-testing.md

@@ -74,46 +74,22 @@ describe('keyboard input', () => {
 Furthermore, WebdriverIO allows you to access Electron APIs to get static information about your application:
 
 ```js @ts-nocheck
-import { browser, $, expect } from '@wdio/globals'
+import { browser } from '@wdio/globals'
 
-describe('when the make smaller button is clicked', () => {
-  it('should decrease the window height and width by 10 pixels', async () => {
-    const boundsBefore = await browser.electron.browserWindow('getBounds')
-    expect(boundsBefore.width).toEqual(210)
-    expect(boundsBefore.height).toEqual(310)
-
-    await $('.make-smaller').click()
-    const boundsAfter = await browser.electron.browserWindow('getBounds')
-    expect(boundsAfter.width).toEqual(200)
-    expect(boundsAfter.height).toEqual(300)
-  })
-})
-```
-
-or to retrieve other Electron process information:
-
-```js @ts-nocheck
-import fs from 'node:fs'
-import path from 'node:path'
-
-import { browser, expect } from '@wdio/globals'
-
-const packageJson = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), { encoding: 'utf-8' }))
-const { name, version } = packageJson
-
-describe('electron APIs', () => {
-  it('should retrieve app metadata through the electron API', async () => {
-    const appName = await browser.electron.app('getName')
-    expect(appName).toEqual(name)
-    const appVersion = await browser.electron.app('getVersion')
-    expect(appVersion).toEqual(version)
-  })
-
-  it('should pass args through to the launched application', async () => {
-    // custom args are set in the wdio.conf.js file as they need to be set before WDIO starts
-    const argv = await browser.electron.mainProcess('argv')
-    expect(argv).toContain('--foo')
-    expect(argv).toContain('--bar=baz')
+describe('trigger message modal', async () => {
+  it('message modal can be triggered from a test', async () => {
+    await browser.electron.execute(
+      (electron, param1, param2, param3) => {
+        const appWindow = electron.BrowserWindow.getFocusedWindow()
+        electron.dialog.showMessageBox(appWindow, {
+          message: 'Hello World!',
+          detail: `${param1} + ${param2} + ${param3} = ${param1 + param2 + param3}`
+        })
+      },
+      1,
+      2,
+      3
+    )
   })
 })
 ```
@@ -206,7 +182,7 @@ npm install --save-dev @playwright/test
 ```
 
 :::caution Dependencies
-This tutorial was written with `@playwright/test@1.41.1`. Check out
+This tutorial was written with `@playwright/test@1.52.0`. Check out
 [Playwright's releases][playwright-releases] page to learn about
 changes that might affect the code below.
 :::
@@ -218,10 +194,10 @@ To point this API to your Electron app, you can pass the path to your main proce
 entry point (here, it is `main.js`).
 
 ```js {5} @ts-nocheck
-const { test, _electron: electron } = require('@playwright/test')
+import { test, _electron as electron } from '@playwright/test'
 
 test('launch app', async () => {
-  const electronApp = await electron.launch({ args: ['main.js'] })
+  const electronApp = await electron.launch({ args: ['.'] })
   // close app
   await electronApp.close()
 })
@@ -231,10 +207,10 @@ After that, you will access to an instance of Playwright's `ElectronApp` class.
 is a powerful class that has access to main process modules for example:
 
 ```js {5-10} @ts-nocheck
-const { test, _electron: electron } = require('@playwright/test')
+import { test, _electron as electron } from '@playwright/test'
 
 test('get isPackaged', async () => {
-  const electronApp = await electron.launch({ args: ['main.js'] })
+  const electronApp = await electron.launch({ args: ['.'] })
   const isPackaged = await electronApp.evaluate(async ({ app }) => {
     // This runs in Electron's main process, parameter here is always
     // the result of the require('electron') in the main app script.
@@ -250,10 +226,10 @@ It can also create individual [Page][playwright-page] objects from Electron Brow
 For example, to grab the first BrowserWindow and save a screenshot:
 
 ```js {6-7} @ts-nocheck
-const { test, _electron: electron } = require('@playwright/test')
+import { test, _electron as electron } from '@playwright/test'
 
 test('save screenshot', async () => {
-  const electronApp = await electron.launch({ args: ['main.js'] })
+  const electronApp = await electron.launch({ args: ['.'] })
   const window = await electronApp.firstWindow()
   await window.screenshot({ path: 'intro.png' })
   // close app
@@ -265,7 +241,7 @@ Putting all this together using the Playwright test-runner, let's create a `exam
 test file with a single test and assertion:
 
 ```js title='example.spec.js' @ts-nocheck
-const { test, expect, _electron: electron } = require('@playwright/test')
+import { test, expect, _electron as electron } from '@playwright/test'
 
 test('example test', async () => {
   const electronApp = await electron.launch({ args: ['.'] })

docs/tutorial/devtools-extension.md

@@ -94,7 +94,7 @@ If the extension works on Chrome but not on Electron, file a bug in Electron's
 [issue tracker][issue-tracker] and describe which part
 of the extension is not working as expected.
 
-[devtools-extension]: https://developer.chrome.com/extensions/devtools
+[devtools-extension]: https://developer.chrome.com/docs/extensions/how-to/devtools/extend-devtools
 [session]: ../api/session.md
 [react-devtools]: https://chrome.google.com/webstore/detail/react-developer-tools/fmkadmapgofadopljbjfkapdkoienihi
 [load-extension]: ../api/extensions-api.md#extensionsloadextensionpath-options

docs/tutorial/electron-timelines.md

@@ -9,10 +9,11 @@ check out our [Electron Versioning](./electron-versioning.md) doc.
 
 | Electron | Alpha | Beta | Stable | EOL | Chrome | Node | Supported |
 | ------- | ----- | ------- | ------ | ------ | ---- | ---- | ---- |
-| 39.0.0 |  2025-Sep-04 | 2025-Oct-01 | 2025-Oct-28 | 2026-May-05 | M142 | TBD | ✅ |
+| 40.0.0 |  2025-Oct-30 | 2025-Dec-03 | 2026-Jan-13 | 2026-Jun-30 | M144 | TBD | ✅ |
+| 39.0.0 |  2025-Sep-04 | 2025-Oct-01 | 2025-Oct-28 | 2026-May-05 | M142 | v22.20 | ✅ |
 | 38.0.0 |  2025-Jun-26 | 2025-Aug-06 | 2025-Sep-02 | 2026-Mar-10 | M140 | v22.18 | ✅ |
 | 37.0.0 |  2025-May-01 | 2025-May-28 | 2025-Jun-24 | 2026-Jan-13 | M138 | v22.16 | ✅ |
-| 36.0.0 |  2025-Mar-06 | 2025-Apr-02 | 2025-Apr-29 | 2025-Oct-28 | M136 | v22.14 | ✅ |
+| 36.0.0 |  2025-Mar-06 | 2025-Apr-02 | 2025-Apr-29 | 2025-Oct-28 | M136 | v22.14 | 🚫 |
 | 35.0.0 |  2025-Jan-16 | 2025-Feb-05 | 2025-Mar-04 | 2025-Sep-02 | M134 | v22.14 | 🚫 |
 | 34.0.0 |  2024-Oct-17 | 2024-Nov-13 | 2025-Jan-14 | 2025-Jun-24 | M132 | v20.18 | 🚫 |
 | 33.0.0 |  2024-Aug-22 | 2024-Sep-18 | 2024-Oct-15 | 2025-Apr-29 | M130 | v20.18 | 🚫 |

docs/tutorial/fuses.md

@@ -4,11 +4,24 @@
 
 ## What are fuses?
 
-For a subset of Electron functionality it makes sense to disable certain features for an entire application.  For example, 99% of apps don't make use of `ELECTRON_RUN_AS_NODE`, these applications want to be able to ship a binary that is incapable of using that feature.  We also don't want Electron consumers building Electron from source as that is both a massive technical challenge and has a high cost of both time and money.
+From a security perspective, it makes sense to disable certain unused Electron features
+that are powerful but may make your app's security posture weaker. For example, any app that doesn't
+use the `ELECTRON_RUN_AS_NODE` environment variable would want to disable the feature to prevent a
+subset of "living off the land" attacks.
 
-Fuses are the solution to this problem, at a high level they are "magic bits" in the Electron binary that can be flipped when packaging your Electron app to enable / disable certain features / restrictions.  Because they are flipped at package time before you code sign your app the OS becomes responsible for ensuring those bits aren't flipped back via OS level code signing validation (Gatekeeper / App Locker).
+We also don't want Electron consumers forking to achieve this goal, as building from source and
+maintaining a fork is a massive technical challenge and costs a lot of time and money.
 
-## Current Fuses
+Fuses are the solution to this problem. At a high level, they are "magic bits" in the Electron binary
+that can be flipped when packaging your Electron app to enable or disable certain features/restrictions.
+
+Because they are flipped at package time before you code sign your app, the OS becomes responsible
+for ensuring those bits aren't flipped back via OS-level code signing validation
+(e.g. [Gatekeeper](https://support.apple.com/en-ca/guide/security/sec5599b66df/web) on macOS or
+[AppLocker](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview)
+on Windows).
+
+## Current fuses
 
 ### `runAsNode`
 
@@ -16,7 +29,11 @@ Fuses are the solution to this problem, at a high level they are "magic bits" in
 
 **@electron/fuses:** `FuseV1Options.RunAsNode`
 
-The runAsNode fuse toggles whether the `ELECTRON_RUN_AS_NODE` environment variable is respected or not.  Please note that if this fuse is disabled then `process.fork` in the main process will not function as expected as it depends on this environment variable to function. Instead, we recommend that you use [Utility Processes](../api/utility-process.md), which work for many use cases where you need a standalone Node.js process (like a Sqlite server process or similar scenarios).
+The `runAsNode` fuse toggles whether the [`ELECTRON_RUN_AS_NODE`](../api/environment-variables.md)
+environment variable is respected or not. With this fuse disabled, [`child_process.fork`](https://nodejs.org/api/child_process.html#child_processforkmodulepath-args-options) in the main process will not function
+as expected, as it depends on this environment variable to function. Instead, we recommend that you
+use [Utility Processes](../api/utility-process.md), which work for many use cases where you need a
+standalone Node.js process (e.g. a SQLite server process).
 
 ### `cookieEncryption`
 
@@ -24,7 +41,12 @@ The runAsNode fuse toggles whether the `ELECTRON_RUN_AS_NODE` environment variab
 
 **@electron/fuses:** `FuseV1Options.EnableCookieEncryption`
 
-The cookieEncryption fuse toggles whether the cookie store on disk is encrypted using OS level cryptography keys.  By default the sqlite database that Chromium uses to store cookies stores the values in plaintext.  If you wish to ensure your apps cookies are encrypted in the same way Chrome does then you should enable this fuse.  Please note it is a one-way transition, if you enable this fuse existing unencrypted cookies will be encrypted-on-write but if you then disable the fuse again your cookie store will effectively be corrupt and useless.  Most apps can safely enable this fuse.
+The `cookieEncryption` fuse toggles whether the cookie store on disk is encrypted using OS level
+cryptography keys. By default, the SQLite database that Chromium uses to store cookies stores the
+values in plaintext. If you wish to ensure your app's cookies are encrypted in the same way Chrome
+does, then you should enable this fuse. Please note it is a one-way transition—if you enable this
+fuse, existing unencrypted cookies will be encrypted-on-write, but subsequently disabling the fuse
+later will make your cookie store corrupt and useless. Most apps can safely enable this fuse.
 
 ### `nodeOptions`
 
@@ -32,7 +54,11 @@ The cookieEncryption fuse toggles whether the cookie store on disk is encrypted
 
 **@electron/fuses:** `FuseV1Options.EnableNodeOptionsEnvironmentVariable`
 
-The nodeOptions fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api/cli.html#node_optionsoptions)  and [`NODE_EXTRA_CA_CERTS`](https://github.com/nodejs/node/blob/main/doc/api/cli.md#node_extra_ca_certsfile) environment variables are respected.  The `NODE_OPTIONS` environment variable can be used to pass all kinds of custom options to the Node.js runtime and isn't typically used by apps in production.  Most apps can safely disable this fuse.
+The `nodeOptions` fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api/cli.html#node_optionsoptions)
+and [`NODE_EXTRA_CA_CERTS`](https://github.com/nodejs/node/blob/main/doc/api/cli.md#node_extra_ca_certsfile)
+environment variables are respected. The `NODE_OPTIONS` environment variable can be used to pass all
+kinds of custom options to the Node.js runtime and isn't typically used by apps in production.
+Most apps can safely disable this fuse.
 
 ### `nodeCliInspect`
 
@@ -40,7 +66,9 @@ The nodeOptions fuse toggles whether the [`NODE_OPTIONS`](https://nodejs.org/api
 
 **@electron/fuses:** `FuseV1Options.EnableNodeCliInspectArguments`
 
-The nodeCliInspect fuse toggles whether the `--inspect`, `--inspect-brk`, etc. flags are respected or not.  When disabled it also ensures that `SIGUSR1` signal does not initialize the main process inspector.  Most apps can safely disable this fuse.
+The `nodeCliInspect` fuse toggles whether the `--inspect`, `--inspect-brk`, etc. flags are respected
+or not. When disabled, it also ensures that `SIGUSR1` signal does not initialize the main process
+inspector. Most apps can safely disable this fuse.
 
 ### `embeddedAsarIntegrityValidation`
 
@@ -48,9 +76,12 @@ The nodeCliInspect fuse toggles whether the `--inspect`, `--inspect-brk`, etc. f
 
 **@electron/fuses:** `FuseV1Options.EnableEmbeddedAsarIntegrityValidation`
 
-The embeddedAsarIntegrityValidation fuse toggles an experimental feature on macOS and Windows that validates the content of the `app.asar` file when it is loaded.  This feature is designed to have a minimal performance impact but may marginally slow down file reads from inside the `app.asar` archive.
+The `embeddedAsarIntegrityValidation` fuse toggles a feature on macOS and Windows that validates the
+content of the `app.asar` file when it is loaded. This feature is designed to have a minimal
+performance impact but may marginally slow down file reads from inside the `app.asar` archive.
+Most apps can safely enable this fuse.
 
-For more information on how to use asar integrity validation please read the [Asar Integrity](asar-integrity.md) documentation.
+For more information on how to use ASAR integrity validation, please read the [Asar Integrity](asar-integrity.md) documentation.
 
 ### `onlyLoadAppFromAsar`
 
@@ -58,7 +89,15 @@ For more information on how to use asar integrity validation please read the [As
 
 **@electron/fuses:** `FuseV1Options.OnlyLoadAppFromAsar`
 
-The onlyLoadAppFromAsar fuse changes the search system that Electron uses to locate your app code.  By default Electron will search in the following order `app.asar` -> `app` -> `default_app.asar`.  When this fuse is enabled the search order becomes a single entry `app.asar` thus ensuring that when combined with the `embeddedAsarIntegrityValidation` fuse it is impossible to load non-validated code.
+The `onlyLoadAppFromAsar` fuse changes the search system that Electron uses to locate your app code.
+By default, Electron will search for this code in the following order:
+
+1. `app.asar`
+1. `app`
+1. `default_app.asar`
+
+When this fuse is enabled, Electron will _only_ search for `app.asar`. When combined with the [`embeddedAsarIntegrityValidation`](#embeddedasarintegrityvalidation) fuse, this fuse ensures that
+it is impossible to load non-validated code.
 
 ### `loadBrowserProcessSpecificV8Snapshot`
 
@@ -66,11 +105,17 @@ The onlyLoadAppFromAsar fuse changes the search system that Electron uses to loc
 
 **@electron/fuses:** `FuseV1Options.LoadBrowserProcessSpecificV8Snapshot`
 
-The loadBrowserProcessSpecificV8Snapshot fuse changes which V8 snapshot file is used for the browser process.  By default Electron's processes will all use the same V8 snapshot file.  When this fuse is enabled the browser process uses the file called `browser_v8_context_snapshot.bin` for its V8 snapshot. The other processes will use the V8 snapshot file that they normally do.
+V8 snapshots can be useful to improve app startup performance. V8 lets you take snapshots of
+initialized heaps and then load them back in to avoid the cost of initializing the heap.
 
-V8 snapshots can be useful to improve app startup performance. V8 lets you take snapshots of initialized heaps and then load them back in to avoid the cost of initializing the heap.
+The `loadBrowserProcessSpecificV8Snapshot` fuse changes which V8 snapshot file is used for the browser
+process. By default, Electron's processes will all use the same V8 snapshot file. When this fuse is
+enabled, the main process uses the file called `browser_v8_context_snapshot.bin` for its V8 snapshot.
+Other processes will use the V8 snapshot file that they normally do.
 
-Using separate snapshots for renderer processes and the main process can improve security, especially to make sure that the renderer doesn't use a snapshot with `nodeIntegration` enabled. See [#35170](https://github.com/electron/electron/issues/35170) for details.
+Using separate snapshots for renderer processes and the main process can improve security, especially
+to make sure that the renderer doesn't use a snapshot with `nodeIntegration` enabled.
+See [electron/electron#35170](https://github.com/electron/electron/issues/35170) for details.
 
 ### `grantFileProtocolExtraPrivileges`
 
@@ -78,19 +123,25 @@ Using separate snapshots for renderer processes and the main process can improve
 
 **@electron/fuses:** `FuseV1Options.GrantFileProtocolExtraPrivileges`
 
-The grantFileProtocolExtraPrivileges fuse changes whether pages loaded from the `file://` protocol are given privileges beyond what they would receive in a traditional web browser.  This behavior was core to Electron apps in original versions of Electron but is no longer required as apps should be [serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead.  If you aren't serving pages from `file://` you should disable this fuse.
+The `grantFileProtocolExtraPrivileges` fuse changes whether pages loaded from the `file://` protocol
+are given privileges beyond what they would receive in a traditional web browser. This behavior was
+core to Electron apps in original versions of Electron, but is no longer required as apps should be
+[serving local files from custom protocols](./security.md#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols) now instead.
+
+If you aren't serving pages from `file://`, you should disable this fuse.
 
 The extra privileges granted to the `file://` protocol by this fuse are incompletely documented below:
 
 * `file://` protocol pages can use `fetch` to load other assets over `file://`
 * `file://` protocol pages can use service workers
-* `file://` protocol pages have universal access granted to child frames also running on `file://` protocols regardless of sandbox settings
+* `file://` protocol pages have universal access granted to child frames also running on `file://`
+  protocols regardless of sandbox settings
 
-## How do I flip the fuses?
+## How do I flip fuses?
 
 ### The easy way
 
-We've made a handy module, [`@electron/fuses`](https://npmjs.com/package/@electron/fuses), to make flipping these fuses easy.  Check out the README of that module for more details on usage and potential error cases.
+[`@electron/fuses`](https://npmjs.com/package/@electron/fuses) is a JavaScript utility designed to make flipping these fuses easy. Check out the README of that module for more details on usage and potential error cases.
 
 ```js @ts-nocheck
 const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses')
@@ -106,29 +157,37 @@ flipFuses(
 )
 ```
 
-You can validate the fuses have been flipped or check the fuse status of an arbitrary Electron app using the fuses CLI.
+You can validate the fuses that have been flipped or check the fuse status of an arbitrary Electron
+app using the `@electron/fuses` CLI.
 
 ```bash
 npx @electron/fuses read --app /Applications/Foo.app
 ```
 
+>[!NOTE]
+> If you are using Electron Forge to distribute your application, you can flip fuses using
+> [`@electron-forge/plugin-fuses`](https://www.electronforge.io/config/plugins/fuses),
+> which comes pre-installed with all templates.
+
 ### The hard way
 
-#### Quick Glossary
+> [!IMPORTANT]
+> Glossary:
+>
+> * **Fuse Wire**: A sequence of bytes in the Electron binary used to control the fuses
+> * **Sentinel**: A static known sequence of bytes you can use to locate the fuse wire
+> * **Fuse Schema**: The format/allowed values for the fuse wire
 
-* **Fuse Wire**: A sequence of bytes in the Electron binary used to control the fuses
-* **Sentinel**: A static known sequence of bytes you can use to locate the fuse wire
-* **Fuse Schema**: The format / allowed values for the fuse wire
+Manually flipping fuses requires editing the Electron binary and modifying the fuse wire to be the
+sequence of bytes that represent the state of the fuses you want.
 
-Manually flipping fuses requires editing the Electron binary and modifying the fuse wire to be the sequence of bytes that represent the state of the fuses you want.
-
-Somewhere in the Electron binary there will be a sequence of bytes that look like this:
+Somewhere in the Electron binary, there will be a sequence of bytes that look like this:
 
 ```text
 | ...binary | sentinel_bytes | fuse_version | fuse_wire_length | fuse_wire | ...binary |
 ```
 
-* `sentinel_bytes` is always this exact string `dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX`
+* `sentinel_bytes` is always this exact string: `dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX`
 * `fuse_version` is a single byte whose unsigned integer value represents the version of the fuse schema
 * `fuse_wire_length` is a single byte whose unsigned integer value represents the number of fuses in the following fuse wire
 * `fuse_wire` is a sequence of N bytes, each byte represents a single fuse and its state.
@@ -136,6 +195,6 @@ Somewhere in the Electron binary there will be a sequence of bytes that look lik
   * "1" (0x31) indicates the fuse is enabled
   * "r" (0x72) indicates the fuse has been removed and changing the byte to either 1 or 0 will have no effect.
 
-To flip a fuse you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
+To flip a fuse, you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
 
 You can view the current schema [here](https://github.com/electron/electron/blob/main/build/fuses/fuses.json5).

docs/tutorial/security.md

@@ -98,7 +98,7 @@ either `process.env` or the `window` object.
 You should at least follow these steps to improve the security of your application:
 
 1. [Only load secure content](#1-only-load-secure-content)
-2. [Disable the Node.js integration in all renderers that display remote content](#2-do-not-enable-nodejs-integration-for-remote-content)
+2. [Do not enable Node.js integration for remote content](#2-do-not-enable-nodejs-integration-for-remote-content)
 3. [Enable context isolation in all renderers](#3-enable-context-isolation)
 4. [Enable process sandboxing](#4-enable-process-sandboxing)
 5. [Use `ses.setPermissionRequestHandler()` in all sessions that load remote content](#5-handle-session-permission-requests-from-remote-content)
@@ -118,13 +118,6 @@ You should at least follow these steps to improve the security of your applicati
 19. [Check which fuses you can change](#19-check-which-fuses-you-can-change)
 20. [Do not expose Electron APIs to untrusted web content](#20-do-not-expose-electron-apis-to-untrusted-web-content)
 
-To automate the detection of misconfigurations and insecure patterns, it is
-possible to use
-[Electronegativity](https://github.com/doyensec/electronegativity). For
-additional details on potential weaknesses and implementation bugs when
-developing applications using Electron, please refer to this
-[guide for developers and auditors](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf).
-
 ### 1. Only load secure content
 
 Any resources not included with your application should be loaded using a
@@ -818,10 +811,10 @@ that your application might have the rights for.
 
 #### How?
 
-We've made a module, [`@electron/fuses`](https://npmjs.com/package/@electron/fuses), to make
+[`@electron/fuses`](https://npmjs.com/package/@electron/fuses) is a module we made to make
 flipping these fuses easy. Check out the README of that module for more details on usage and
 potential error cases, and refer to
-[How do I flip the fuses?](./fuses.md#how-do-i-flip-the-fuses) in our documentation.
+[How do I flip fuses?](./fuses.md#how-do-i-flip-fuses) in our documentation.
 
 ### 20. Do not expose Electron APIs to untrusted web content
 

filenames.auto.gni

@@ -82,6 +82,7 @@ auto_filenames = {
     "docs/api/structures/browser-window-options.md",
     "docs/api/structures/certificate-principal.md",
     "docs/api/structures/certificate.md",
+    "docs/api/structures/color-space.md",
     "docs/api/structures/cookie.md",
     "docs/api/structures/cpu-usage.md",
     "docs/api/structures/crash-report.md",
@@ -143,6 +144,7 @@ auto_filenames = {
     "docs/api/structures/service-worker-info.md",
     "docs/api/structures/shared-dictionary-info.md",
     "docs/api/structures/shared-dictionary-usage-info.md",
+    "docs/api/structures/shared-texture-handle.md",
     "docs/api/structures/shared-worker-info.md",
     "docs/api/structures/sharing-item.md",
     "docs/api/structures/shortcut-details.md",

filenames.libcxx.gni

@@ -217,6 +217,7 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__atomic/check_memory_order.h",
   "//third_party/libc++/src/include/__atomic/contention_t.h",
   "//third_party/libc++/src/include/__atomic/fence.h",
+  "//third_party/libc++/src/include/__atomic/floating_point_helper.h",
   "//third_party/libc++/src/include/__atomic/is_always_lock_free.h",
   "//third_party/libc++/src/include/__atomic/kill_dependency.h",
   "//third_party/libc++/src/include/__atomic/memory_order.h",
@@ -1034,14 +1035,12 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__fwd/get.h",
   "//third_party/libc++/src/include/__fwd/ios.h",
   "//third_party/libc++/src/include/__fwd/istream.h",
-  "//third_party/libc++/src/include/__fwd/map.h",
   "//third_party/libc++/src/include/__fwd/mdspan.h",
   "//third_party/libc++/src/include/__fwd/memory.h",
   "//third_party/libc++/src/include/__fwd/memory_resource.h",
   "//third_party/libc++/src/include/__fwd/ostream.h",
   "//third_party/libc++/src/include/__fwd/pair.h",
   "//third_party/libc++/src/include/__fwd/queue.h",
-  "//third_party/libc++/src/include/__fwd/set.h",
   "//third_party/libc++/src/include/__fwd/span.h",
   "//third_party/libc++/src/include/__fwd/sstream.h",
   "//third_party/libc++/src/include/__fwd/stack.h",
@@ -1367,7 +1366,6 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__tree",
   "//third_party/libc++/src/include/__tuple/find_index.h",
   "//third_party/libc++/src/include/__tuple/ignore.h",
-  "//third_party/libc++/src/include/__tuple/make_tuple_types.h",
   "//third_party/libc++/src/include/__tuple/sfinae_helpers.h",
   "//third_party/libc++/src/include/__tuple/tuple_element.h",
   "//third_party/libc++/src/include/__tuple/tuple_like.h",
@@ -1381,7 +1379,6 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__type_traits/aligned_storage.h",
   "//third_party/libc++/src/include/__type_traits/aligned_union.h",
   "//third_party/libc++/src/include/__type_traits/alignment_of.h",
-  "//third_party/libc++/src/include/__type_traits/can_extract_key.h",
   "//third_party/libc++/src/include/__type_traits/common_reference.h",
   "//third_party/libc++/src/include/__type_traits/common_type.h",
   "//third_party/libc++/src/include/__type_traits/conditional.h",
@@ -1462,6 +1459,7 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__type_traits/is_trivially_relocatable.h",
   "//third_party/libc++/src/include/__type_traits/is_unbounded_array.h",
   "//third_party/libc++/src/include/__type_traits/is_union.h",
+  "//third_party/libc++/src/include/__type_traits/is_unqualified.h",
   "//third_party/libc++/src/include/__type_traits/is_unsigned.h",
   "//third_party/libc++/src/include/__type_traits/is_valid_expansion.h",
   "//third_party/libc++/src/include/__type_traits/is_void.h",
@@ -1501,6 +1499,7 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__utility/cmp.h",
   "//third_party/libc++/src/include/__utility/convert_to_integral.h",
   "//third_party/libc++/src/include/__utility/declval.h",
+  "//third_party/libc++/src/include/__utility/default_three_way_comparator.h",
   "//third_party/libc++/src/include/__utility/element_count.h",
   "//third_party/libc++/src/include/__utility/empty.h",
   "//third_party/libc++/src/include/__utility/exception_guard.h",
@@ -1511,6 +1510,7 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__utility/integer_sequence.h",
   "//third_party/libc++/src/include/__utility/is_pointer_in_range.h",
   "//third_party/libc++/src/include/__utility/is_valid_range.h",
+  "//third_party/libc++/src/include/__utility/lazy_synth_three_way_comparator.h",
   "//third_party/libc++/src/include/__utility/move.h",
   "//third_party/libc++/src/include/__utility/no_destroy.h",
   "//third_party/libc++/src/include/__utility/pair.h",
@@ -1522,6 +1522,7 @@ libcxx_headers = [
   "//third_party/libc++/src/include/__utility/small_buffer.h",
   "//third_party/libc++/src/include/__utility/swap.h",
   "//third_party/libc++/src/include/__utility/to_underlying.h",
+  "//third_party/libc++/src/include/__utility/try_key_extraction.h",
   "//third_party/libc++/src/include/__utility/unreachable.h",
   "//third_party/libc++/src/include/__variant/monostate.h",
   "//third_party/libc++/src/include/__vector/comparison.h",

lib/browser/api/app.ts

@@ -1,11 +1,14 @@
 import { Menu } from 'electron/main';
 
+import { EventEmitter } from 'events';
 import * as fs from 'fs';
 
 const bindings = process._linkedBinding('electron_browser_app');
 const commandLine = process._linkedBinding('electron_common_command_line');
 const { app } = bindings;
 
+Object.setPrototypeOf(app, EventEmitter.prototype);
+
 // Only one app object permitted.
 export default app;
 

lib/browser/api/menu.ts

@@ -46,11 +46,11 @@ Menu.prototype._isCommandIdEnabled = function (id) {
 };
 
 Menu.prototype._shouldCommandIdWorkWhenHidden = function (id) {
-  return this.commandsMap[id] ? !!this.commandsMap[id].acceleratorWorksWhenHidden : false;
+  return this.commandsMap[id]?.acceleratorWorksWhenHidden ?? false;
 };
 
 Menu.prototype._isCommandIdVisible = function (id) {
-  return this.commandsMap[id] ? this.commandsMap[id].visible : false;
+  return this.commandsMap[id]?.visible ?? false;
 };
 
 Menu.prototype._getAcceleratorForCommandId = function (id, useDefaultAccelerator) {
@@ -61,12 +61,12 @@ Menu.prototype._getAcceleratorForCommandId = function (id, useDefaultAccelerator
 };
 
 Menu.prototype._shouldRegisterAcceleratorForCommandId = function (id) {
-  return this.commandsMap[id] ? this.commandsMap[id].registerAccelerator : false;
+  return this.commandsMap[id]?.registerAccelerator ?? false;
 };
 
 if (process.platform === 'darwin') {
   Menu.prototype._getSharingItemForCommandId = function (id) {
-    return this.commandsMap[id] ? this.commandsMap[id].sharingItem : null;
+    return this.commandsMap[id]?.sharingItem ?? null;
   };
 }
 

lib/browser/api/net-fetch.ts

@@ -119,10 +119,7 @@ export function fetchWithSession (input: RequestInfo, init: (RequestInit & {bypa
     p.reject(err);
   });
 
-  // pipeTo expects a WritableStream<Uint8Array>. Node.js' Writable.toWeb returns WritableStream<any>,
-  // which causes a TS structural mismatch.
-  const writable = Writable.toWeb(r as unknown as Writable) as unknown as WritableStream<Uint8Array>;
-  if (!req.body?.pipeTo(writable).then(() => r.end())) { r.end(); }
+  if (!req.body?.pipeTo(Writable.toWeb(r as unknown as Writable)).then(() => r.end())) { r.end(); }
 
   return p.promise;
 }

lib/browser/api/protocol.ts

@@ -4,8 +4,6 @@ import { createReadStream } from 'fs';
 import { Readable } from 'stream';
 import { ReadableStream } from 'stream/web';
 
-import type { ReadableStreamDefaultReader } from 'stream/web';
-
 // Global protocol APIs.
 const { registerSchemesAsPrivileged, getStandardSchemes, Protocol } = process._linkedBinding('electron_browser_protocol');
 
@@ -14,7 +12,7 @@ const ERR_UNEXPECTED = -9;
 
 const isBuiltInScheme = (scheme: string) => ['http', 'https', 'file'].includes(scheme);
 
-function makeStreamFromPipe (pipe: any): ReadableStream<Uint8Array> {
+function makeStreamFromPipe (pipe: any): ReadableStream {
   const buf = new Uint8Array(1024 * 1024 /* 1 MB */);
   return new ReadableStream({
     async pull (controller) {
@@ -40,26 +38,21 @@ function makeStreamFromFileInfo ({
   filePath: string;
   offset?: number;
   length?: number;
-}): ReadableStream<Uint8Array> {
-  // Node's Readable.toWeb produces a WHATWG ReadableStream whose chunks are Uint8Array.
+}): ReadableStream {
   return Readable.toWeb(createReadStream(filePath, {
     start: offset,
     end: length >= 0 ? offset + length : undefined
-  })) as ReadableStream<Uint8Array>;
+  }));
 }
 
 function convertToRequestBody (uploadData: ProtocolRequest['uploadData']): RequestInit['body'] {
   if (!uploadData) return null;
   // Optimization: skip creating a stream if the request is just a single buffer.
-  if (uploadData.length === 1 && (uploadData[0] as any).type === 'rawData') {
-    return uploadData[0].bytes as any;
-  }
+  if (uploadData.length === 1 && (uploadData[0] as any).type === 'rawData') return uploadData[0].bytes;
 
-  const chunks = [...uploadData] as any[]; // TODO: refine ProtocolRequest types
-  // Use Node's web stream types explicitly to avoid DOM lib vs Node lib structural mismatches.
-  // Generic <Uint8Array> ensures reader.read() returns value?: Uint8Array consistent with enqueue.
-  let current: ReadableStreamDefaultReader<Uint8Array> | null = null;
-  return new ReadableStream<Uint8Array>({
+  const chunks = [...uploadData] as any[]; // TODO: types are wrong
+  let current: ReadableStreamDefaultReader | null = null;
+  return new ReadableStream({
     async pull (controller) {
       if (current) {
         const { done, value } = await current.read();
@@ -74,7 +67,7 @@ function convertToRequestBody (uploadData: ProtocolRequest['uploadData']): Reque
         if (!chunks.length) { return controller.close(); }
         const chunk = chunks.shift()!;
         if (chunk.type === 'rawData') {
-          controller.enqueue(chunk.bytes as Uint8Array);
+          controller.enqueue(chunk.bytes);
         } else if (chunk.type === 'file') {
           current = makeStreamFromFileInfo(chunk).getReader();
           return this.pull!(controller);

lib/browser/api/web-contents.ts

@@ -882,7 +882,7 @@ export function create (options = {}): Electron.WebContents {
   return new (WebContents as any)(options);
 }
 
-export function fromId (id: string) {
+export function fromId (id: number) {
   return binding.fromId(id);
 }
 

lib/browser/init.ts

@@ -40,7 +40,7 @@ process.on('uncaughtException', function (error) {
 // Emit 'exit' event on quit.
 const { app } = require('electron');
 
-app.on('quit', (_event: any, exitCode: number) => {
+app.on('quit', (_event, exitCode) => {
   process.emit('exit', exitCode);
 });
 

lib/browser/parse-features-string.ts

@@ -91,6 +91,12 @@ export function parseFeatures (features: string) {
     delete parsed[key];
   }
 
+  // Per spec - https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev
+  // windows are always resizable.
+  if (parsed.resizable !== undefined) {
+    delete parsed.resizable;
+  }
+
   if (parsed.left !== undefined) parsed.x = parsed.left;
   if (parsed.top !== undefined) parsed.y = parsed.top;
 

package.json

@@ -1,23 +1,22 @@
 {
-  "name": "@electron-ci/dev-root",
+  "name": "electron",
   "version": "0.0.0-development",
   "repository": "https://github.com/electron/electron",
   "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS",
   "devDependencies": {
-    "@azure/storage-blob": "^12.25.0",
-    "@datadog/datadog-ci": "^4.1.2",
+    "@azure/storage-blob": "^12.28.0",
     "@electron/asar": "^3.2.13",
     "@electron/docs-parser": "^2.0.0",
     "@electron/fiddle-core": "^1.3.4",
-    "@electron/github-app-auth": "^3.2.0",
-    "@electron/lint-roller": "^3.1.1",
+    "@electron/github-app-auth": "^2.2.1",
+    "@electron/lint-roller": "^3.1.2",
     "@electron/typescript-definitions": "^9.1.2",
-    "@octokit/rest": "^20.0.2",
+    "@octokit/rest": "^20.1.2",
     "@primer/octicons": "^10.0.0",
     "@types/minimist": "^1.2.5",
     "@types/node": "^22.7.7",
     "@types/semver": "^7.5.8",
-    "@types/stream-json": "^1.7.7",
+    "@types/stream-json": "^1.7.8",
     "@types/temp": "^0.9.4",
     "@typescript-eslint/eslint-plugin": "^8.32.1",
     "@typescript-eslint/parser": "^8.7.0",
@@ -25,6 +24,7 @@
     "buffer": "^6.0.3",
     "chalk": "^4.1.0",
     "check-for-leaks": "^1.2.1",
+    "dugite": "^2.7.1",
     "eslint": "^8.57.1",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.32.0",
@@ -34,20 +34,19 @@
     "eslint-plugin-node": "^11.1.0",
     "eslint-plugin-promise": "^6.6.0",
     "events": "^3.2.0",
-    "folder-hash": "^2.1.1",
+    "folder-hash": "^4.1.1",
     "got": "^11.8.5",
     "husky": "^9.1.7",
     "lint-staged": "^16.1.0",
     "markdownlint-cli2": "^0.18.0",
     "minimist": "^1.2.8",
-    "node-gyp": "^11.4.2",
     "null-loader": "^4.0.1",
     "pre-flight": "^2.0.0",
     "process": "^0.11.10",
     "remark-cli": "^12.0.1",
-    "remark-preset-lint-markdown-style-guide": "^4.0.0",
+    "remark-preset-lint-markdown-style-guide": "^6.0.1",
     "semver": "^7.6.3",
-    "stream-json": "^1.8.0",
+    "stream-json": "^1.9.1",
     "tap-xunit": "^2.4.1",
     "temp": "^0.9.4",
     "timers-browserify": "1.4.2",
@@ -57,8 +56,7 @@
     "url": "^0.11.4",
     "webpack": "^5.95.0",
     "webpack-cli": "^5.1.4",
-    "wrapper-webpack-plugin": "^2.2.0",
-    "yaml": "^2.8.1"
+    "wrapper-webpack-plugin": "^2.2.0"
   },
   "private": true,
   "scripts": {
@@ -133,25 +131,9 @@
     "DEPS": [
       "node script/gen-hunspell-filenames.js",
       "node script/gen-libc++-filenames.js"
-    ],
-    ".github/workflows/pipeline-segment-electron-build.yml": [
-      "node script/copy-pipeline-segment-publish.js",
-      "git add .github/workflows/pipeline-segment-electron-publish.yml"
     ]
   },
   "resolutions": {
-    "dbus-native/xml2js": "0.5.0",
-    "abstract-socket": "github:deepak1556/node-abstractsocket#928cc591decd12aff7dad96449da8afc29832c19",
-    "minimist@npm:~0.0.1": "0.2.4"
-  },
-  "packageManager": "yarn@4.12.0",
-  "workspaces": [
-    "spec",
-    "spec/fixtures/native-addon/*"
-  ],
-  "dependenciesMeta": {
-    "abstract-socket": {
-      "built": true
-    }
+    "nan": "nodejs/nan#e14bdcd1f72d62bca1d541b66da43130384ec213"
   }
 }

patches/angle/.patches

@@ -1 +0,0 @@
-cherry-pick-2f564f1ca07b.patch

patches/angle/cherry-pick-2f564f1ca07b.patch

@@ -1,125 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mark Mentovai <mark@chromium.org>
-Date: Tue, 16 Sep 2025 16:46:36 -0400
-Subject: mac: handle Metal toolchain being unbundled from Xcode 26
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The Metal toolchain was formerly part of Xcode, but in Xcode 26, it has
-been unbundled and is now a separate install. Attempting to use the
-Metal toolchain without installing it results in a build error, such as:
-
-error: error: cannot execute tool 'metal' due to missing Metal
-Toolchain; use: xcodebuild -downloadComponent MetalToolchain
-
-By running the suggested command, the Metal toolchain can be installed,
-but the existing angle build does not know how to find it correctly.
-
-For system Xcode installations, tools from the Metal toolchain (`metal`
-and `metallib`) can be run via `xcrun`. This construct should work
-equally well for older Xcode versions, for situations where it’s still
-in use.
-
-For the hermetic toolchain, we’ll continue splicing the Metal toolchain
-into the location it had previously been avialable (see
-https://chromium-review.googlesource.com/c/6950738), although this is
-subject to change in the future.
-
-Bug: chromium:423933062, chromium:445400016
-Change-Id: I139eca51938f7cecfec9b90fd488947160ef4ec9
-Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/6955000
-Auto-Submit: Mark Mentovai <mark@chromium.org>
-Commit-Queue: Mark Mentovai <mark@chromium.org>
-Reviewed-by: Geoff Lang <geofflang@chromium.org>
-
-diff --git a/src/libANGLE/renderer/metal/BUILD.gn b/src/libANGLE/renderer/metal/BUILD.gn
-index 96e9ee8420810f6a3ca9a0c290d4a654200eb7b9..50ac42a5b9a0f7c8b3b161af40c598cb34ff132a 100644
---- a/src/libANGLE/renderer/metal/BUILD.gn
-+++ b/src/libANGLE/renderer/metal/BUILD.gn
-@@ -24,20 +24,56 @@ config("angle_metal_backend_config") {
- }
- 
- if (metal_internal_shader_compilation_supported) {
-+  template("run_metal_tool") {
-+    action(target_name) {
-+      forward_variables_from(invoker,
-+                             [
-+                               "deps",
-+                               "sources",
-+                               "outputs",
-+                               "metal_tool",
-+                             ])
-+      script = "shaders/metal_wrapper.py"
-+      if (use_system_xcode) {
-+        # System Xcode: run metal and metallib via xcrun. Since Xcode 26.0, the
-+        # Metal toolchain has been unbundled from Xcode, and must be installed
-+        # separately by running `xcodebuild -downloadComponent MetalToolchain`.
-+        # There is a vestigial metal executable in mac_bin_path, but it’s
-+        # incapable of running successfuly without the
-+        # rest of the Metal toolchain surrounding it. `xcrun` is able to find
-+        # and run the correct Metal toolchain when properly installed.
-+        #
-+        # If you’re using system Xcode and your build fails with this message:
-+        #   error: error: cannot execute tool 'metal' due to missing Metal Toolchain; use: xcodebuild -downloadComponent MetalToolchain
-+        # then do what the error message suggests, and then retry your build.
-+        args = [
-+          "xcrun",
-+          metal_tool,
-+        ]
-+      } else {
-+        # Hermetic Xcode: at least for now, the Metal toolchain is
-+        # “spliced” into the location in the hermetic toolchain where it lived
-+        # before Xcode 26.0, so it can be run directly from there.
-+        args = [ mac_bin_path + metal_tool ]
-+      }
-+
-+      args += invoker.args
-+    }
-+  }
-+
-   _metal_internal_shaders_air_file =
-       "$root_gen_dir/angle/mtl_internal_shaders_autogen.air"
- 
--  action("angle_metal_internal_shaders_to_air") {
--    script = "shaders/metal_wrapper.py"
--
--    outputs = [ _metal_internal_shaders_air_file ]
--
-+  run_metal_tool("angle_metal_internal_shaders_to_air") {
-     _metal_internal_shaders_metal_source =
-         "shaders/mtl_internal_shaders_autogen.metal"
-     sources = [ _metal_internal_shaders_metal_source ]
- 
-+    outputs = [ _metal_internal_shaders_air_file ]
-+
-+    metal_tool = "metal"
-+
-     args = [
--      mac_bin_path + "metal",
-       "-c",
-       rebase_path(_metal_internal_shaders_metal_source, root_build_dir),
-       "-o",
-@@ -60,17 +96,16 @@ if (metal_internal_shader_compilation_supported) {
-   _metal_internal_shaders_metallib_file =
-       "$root_gen_dir/angle/mtl_internal_shaders_autogen.metallib"
- 
--  action("angle_metal_internal_shaders_to_mtllib") {
--    script = "shaders/metal_wrapper.py"
--
--    outputs = [ _metal_internal_shaders_metallib_file ]
-+  run_metal_tool("angle_metal_internal_shaders_to_mtllib") {
-+    deps = [ ":angle_metal_internal_shaders_to_air" ]
- 
-     sources = [ _metal_internal_shaders_air_file ]
- 
--    deps = [ ":angle_metal_internal_shaders_to_air" ]
-+    outputs = [ _metal_internal_shaders_metallib_file ]
-+
-+    metal_tool = "metallib"
- 
-     args = [
--      mac_bin_path + "metallib",
-       rebase_path(_metal_internal_shaders_air_file, root_build_dir),
-       "-o",
-       rebase_path(_metal_internal_shaders_metallib_file, root_build_dir),

patches/boringssl/expose_ripemd160.patch

@@ -10,10 +10,10 @@ this patch is required to provide ripemd160 support in the nodejs crypto
 module.
 
 diff --git a/crypto/digest/digest_extra.cc b/crypto/digest/digest_extra.cc
-index 431214277314941c5ec031f03ad09e7f22800983..4cc48bbc3f8434876f35767c1a9f01d27388be99 100644
+index 345c94f6e26e88aac77b9feb92bd8d6665234981..8ef2ab8987da63f321d1dbb79f2eded8b8209bfc 100644
 --- a/crypto/digest/digest_extra.cc
 +++ b/crypto/digest/digest_extra.cc
-@@ -46,6 +46,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
+@@ -47,6 +47,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
      {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
      {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},
      {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
@@ -82,7 +82,7 @@ index e04b80cd6a1a215fc87f8fd8d750c3d258c3974f..8fdf1c624794f568bfc77b7b6b0c510b
  
  void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher, const char *name,
 diff --git a/include/openssl/digest.h b/include/openssl/digest.h
-index 710c6e6d110378d1db10d8c2ae57b2d844c603b9..dbb1e0cd5e9480d1ac7a86cbca6fae29d6a8dca4 100644
+index b604aba00c1c6cea8002b6dc298ea5fe979589b1..1c123aa1dca09ae60c31be2a6dab9a64748eac17 100644
 --- a/include/openssl/digest.h
 +++ b/include/openssl/digest.h
 @@ -48,6 +48,9 @@ OPENSSL_EXPORT const EVP_MD *EVP_blake2b256(void);

patches/boringssl/feat_expose_several_extra_cipher_functions.patch

@@ -28,7 +28,7 @@ RC2 Ciphers: rc2-40-cbc
 It's unclear whether this would be accepted upstream. We should try regardless.
 
 diff --git a/crypto/cipher/get_cipher.cc b/crypto/cipher/get_cipher.cc
-index 2622dc78d1da236862312f55bc0a40f26116486e..ac7aff6518ad5c2a0e48bd91d60a1f825851b634 100644
+index 6513df01c4b3e4d33fc6b521d9aae78ec5499e73..52eb7fea420e3d81d274fd5c1e21e4da0229687f 100644
 --- a/crypto/cipher/get_cipher.cc
 +++ b/crypto/cipher/get_cipher.cc
 @@ -31,6 +31,7 @@ static const struct {

patches/boringssl/revert_track_ssl_error_zero_return_explicitly.patch

@@ -20,10 +20,10 @@ index 2cdcbc346175eeee69402ecee7f169e61c655199..f7226fe711e4214b216ea2c5173a0212
  
      case ssl_open_record_error:
 diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
-index aa8ef8a0c53978021b675e1d909c3f78045dbb7b..61794458f7a7a849d48a225533ef4f8431434e42 100644
+index 532744f942301dfd124fa1c2c6fd547fffb7d9c5..0e1d89439fce44077cd6f224742e67ec4b891cad 100644
 --- a/ssl/ssl_lib.cc
 +++ b/ssl/ssl_lib.cc
-@@ -1206,7 +1206,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
+@@ -1211,7 +1211,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
    }
  
    if (ret_code == 0) {
@@ -32,7 +32,7 @@ index aa8ef8a0c53978021b675e1d909c3f78045dbb7b..61794458f7a7a849d48a225533ef4f84
        return SSL_ERROR_ZERO_RETURN;
      }
      // An EOF was observed which violates the protocol, and the underlying
-@@ -2567,13 +2567,7 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
+@@ -2662,13 +2662,7 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {
    return CRYPTO_get_ex_data(&ctx->ex_data, idx);
  }
  

patches/chromium/.patches

@@ -110,7 +110,6 @@ fix_getcursorscreenpoint_wrongly_returns_0_0.patch
 fix_add_support_for_skipping_first_2_no-op_refreshes_in_thumb_cap.patch
 refactor_expose_file_system_access_blocklist.patch
 feat_add_support_for_missing_dialog_features_to_shell_dialogs.patch
-fix_font_face_resolution_when_renderer_is_blocked.patch
 feat_enable_passing_exit_code_on_service_process_crash.patch
 chore_remove_reference_to_chrome_browser_themes.patch
 feat_enable_customizing_symbol_color_in_framecaptionbutton.patch
@@ -136,8 +135,11 @@ build_set_mac_sdk_minimum_to_10.patch
 fix_add_macos_memory_query_fallback_to_avoid_crash.patch
 fix_resolve_dynamic_background_material_update_issue_on_windows_11.patch
 feat_add_support_for_embedder_snapshot_validation.patch
-band-aid_over_an_issue_with_using_deprecated_nsopenpanel_api.patch
-inspectorpageagent_provisional_frame_speculative_fix.patch
+chore_restore_some_deprecated_wrapper_utility_in_gin.patch
+chore_add_electron_objects_to_wrappablepointertag.patch
+chore_expose_isolate_parameter_in_script_lifecycle_observers.patch
+revert_partial_remove_unused_prehandlemouseevent.patch
+allow_electron_to_depend_on_components_os_crypt_sync.patch
 expose_referrerscriptinfo_hostdefinedoptionsindex.patch
+chore_disable_protocol_handler_dcheck.patch
 fix_release_mouse_buttons_on_focus_loss_on_wayland.patch
-cherry-pick-e045399a1ecb.patch

patches/chromium/accelerator.patch

@@ -53,7 +53,7 @@ index 5ad9332dd27ceda7d67cd3f571b12218a4415a40..ffe083836c39fb60b4bff1f9fbdd6ceb
    }
  
 diff --git a/ui/base/accelerators/accelerator.h b/ui/base/accelerators/accelerator.h
-index e7d5adfac920c97df8bab9bf4ed69a835ee314a9..9aeea7cb4c48d1ccc27304fa99238151b2811c87 100644
+index 666ecbc118bec6d51465644ae4e573846c33610b..30b3ae49265eb263edda23c68587b46fab72a3ba 100644
 --- a/ui/base/accelerators/accelerator.h
 +++ b/ui/base/accelerators/accelerator.h
 @@ -18,6 +18,7 @@
@@ -64,8 +64,8 @@ index e7d5adfac920c97df8bab9bf4ed69a835ee314a9..9aeea7cb4c48d1ccc27304fa99238151
  #include "base/time/time.h"
  #include "build/blink_buildflags.h"
  #include "build/build_config.h"
-@@ -189,6 +190,8 @@ class COMPONENT_EXPORT(UI_BASE) Accelerator {
-     return interrupted_by_mouse_event_;
+@@ -199,6 +200,8 @@ class COMPONENT_EXPORT(UI_BASE) Accelerator {
+               << 18);  // masked to 6 bits
    }
  
 +  absl::optional<char16_t> shifted_char;

patches/chromium/add_contentgpuclient_precreatemessageloop_callback.patch

@@ -10,10 +10,10 @@ Allows Electron to restore WER when ELECTRON_DEFAULT_ERROR_MODE is set.
 This should be upstreamed.
 
 diff --git a/content/gpu/gpu_main.cc b/content/gpu/gpu_main.cc
-index f9e15ddeeb022b77607ae7880a5a7121abc7a111..954a4966c73a74816131217756f17c04483bb1fe 100644
+index 30cc1d4a179f9da59824cb98415baed8493fc843..2272eaa7e0e3306201e5e32226a0115f6f6636e5 100644
 --- a/content/gpu/gpu_main.cc
 +++ b/content/gpu/gpu_main.cc
-@@ -271,6 +271,10 @@ int GpuMain(MainFunctionParams parameters) {
+@@ -272,6 +272,10 @@ int GpuMain(MainFunctionParams parameters) {
    // to the GpuProcessHost once the GpuServiceImpl has started.
    viz::GpuLogMessageManager::GetInstance()->InstallPreInitializeLogHandler();
  
@@ -24,7 +24,7 @@ index f9e15ddeeb022b77607ae7880a5a7121abc7a111..954a4966c73a74816131217756f17c04
    // We are experiencing what appear to be memory-stomp issues in the GPU
    // process. These issues seem to be impacting the task executor and listeners
    // registered to it. Create the task executor on the heap to guard against
-@@ -380,7 +384,6 @@ int GpuMain(MainFunctionParams parameters) {
+@@ -381,7 +385,6 @@ int GpuMain(MainFunctionParams parameters) {
  #endif
    const bool dead_on_arrival = !init_success;
  

patches/chromium/add_didinstallconditionalfeatures.patch

@@ -10,10 +10,10 @@ DidCreateScriptContext is called, not all JS APIs are available in the
 context, which can cause some preload scripts to trip.
 
 diff --git a/content/public/renderer/render_frame_observer.h b/content/public/renderer/render_frame_observer.h
-index c26cff0adef977617b10bbaa7c0c13cf5e6e91d3..f9c7af85af33572a88956bf1bc9765e90be3d39b 100644
+index 88a4c3167e2935a11fc50f4c147fef6b2253abc5..e9e88619c349d018abbf183b16339339c7fb29b6 100644
 --- a/content/public/renderer/render_frame_observer.h
 +++ b/content/public/renderer/render_frame_observer.h
-@@ -138,6 +138,8 @@ class CONTENT_EXPORT RenderFrameObserver {
+@@ -139,6 +139,8 @@ class CONTENT_EXPORT RenderFrameObserver {
    virtual void DidHandleOnloadEvents() {}
    virtual void DidCreateScriptContext(v8::Local<v8::Context> context,
                                        int32_t world_id) {}
@@ -23,10 +23,10 @@ index c26cff0adef977617b10bbaa7c0c13cf5e6e91d3..f9c7af85af33572a88956bf1bc9765e9
                                          int32_t world_id) {}
    virtual void DidClearWindowObject() {}
 diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
-index ede4414f875254b77ffb29d0e1bfb254c619b10f..5f766b7d1bd20131b380e862090716de899d086c 100644
+index 8603f912e83db5211f21701b2f08db07790ea4ba..4816cb344ee9474a663863a5c2668a112c299919 100644
 --- a/content/renderer/render_frame_impl.cc
 +++ b/content/renderer/render_frame_impl.cc
-@@ -4676,6 +4676,12 @@ void RenderFrameImpl::DidCreateScriptContext(v8::Local<v8::Context> context,
+@@ -4700,6 +4700,12 @@ void RenderFrameImpl::DidCreateScriptContext(v8::Local<v8::Context> context,
      observer.DidCreateScriptContext(context, world_id);
  }
  
@@ -40,10 +40,10 @@ index ede4414f875254b77ffb29d0e1bfb254c619b10f..5f766b7d1bd20131b380e862090716de
                                                 int world_id) {
    for (auto& observer : observers_)
 diff --git a/content/renderer/render_frame_impl.h b/content/renderer/render_frame_impl.h
-index 5456a50df5f75509c22afa47034afbb624303a75..bbd1edd567aee984001288901581dfa56dbfa2dc 100644
+index 29c0e1703bb7e8e7bf53440a7f0cb7a6ceb4381b..155d2c3d9ce02fa02a655abf8bf7dbb1f83553f3 100644
 --- a/content/renderer/render_frame_impl.h
 +++ b/content/renderer/render_frame_impl.h
-@@ -603,6 +603,8 @@ class CONTENT_EXPORT RenderFrameImpl
+@@ -602,6 +602,8 @@ class CONTENT_EXPORT RenderFrameImpl
    void DidObserveLayoutShift(double score, bool after_input_or_scroll) override;
    void DidCreateScriptContext(v8::Local<v8::Context> context,
                                int world_id) override;
@@ -53,10 +53,10 @@ index 5456a50df5f75509c22afa47034afbb624303a75..bbd1edd567aee984001288901581dfa5
                                  int world_id) override;
    void DidChangeScrollOffset() override;
 diff --git a/third_party/blink/public/web/web_local_frame_client.h b/third_party/blink/public/web/web_local_frame_client.h
-index 5c1c325d1e4037b0b413c3519e963c5f0210086a..994dd3118dfa43816db60e5dfb61c00bf366e92d 100644
+index 101e727b3a97bc764315eb694dc3975f9a408f9c..52e8828d8fffaba8ab05436cb4d727595f18238a 100644
 --- a/third_party/blink/public/web/web_local_frame_client.h
 +++ b/third_party/blink/public/web/web_local_frame_client.h
-@@ -662,6 +662,9 @@ class BLINK_EXPORT WebLocalFrameClient {
+@@ -661,6 +661,9 @@ class BLINK_EXPORT WebLocalFrameClient {
    virtual void DidCreateScriptContext(v8::Local<v8::Context>,
                                        int32_t world_id) {}
  
@@ -92,7 +92,7 @@ index 36baf908d3be8aed44ff60b8de2cffe2eee15efe..8d73ddb12013ce195026b9f63050cf33
                                          int32_t world_id) = 0;
    virtual bool AllowScriptExtensions() = 0;
 diff --git a/third_party/blink/renderer/core/frame/local_frame_client_impl.cc b/third_party/blink/renderer/core/frame/local_frame_client_impl.cc
-index 22f1a4a3a903cb82a1066642e542bb78bf321d79..77d76bf97976e18a8bd077e005b8a3addf9b029d 100644
+index b02b60ff5f6650332c54ecc66f6fdb274b737aa7..1aacf6f66b543a4ede6ab5d885143dd4a0821e8a 100644
 --- a/third_party/blink/renderer/core/frame/local_frame_client_impl.cc
 +++ b/third_party/blink/renderer/core/frame/local_frame_client_impl.cc
 @@ -295,6 +295,13 @@ void LocalFrameClientImpl::DidCreateScriptContext(
@@ -110,7 +110,7 @@ index 22f1a4a3a903cb82a1066642e542bb78bf321d79..77d76bf97976e18a8bd077e005b8a3ad
      v8::Local<v8::Context> context,
      int32_t world_id) {
 diff --git a/third_party/blink/renderer/core/frame/local_frame_client_impl.h b/third_party/blink/renderer/core/frame/local_frame_client_impl.h
-index 081c8fabbcc514e47ff33d7e07a5eac3d112a518..e3fab574523a4b63069587b2fcaf30267fddf7c4 100644
+index fcc0928abbc454281b022e0451d993651ecba42f..16066fe34ee0335a0dabe00b6890e5844349c0b5 100644
 --- a/third_party/blink/renderer/core/frame/local_frame_client_impl.h
 +++ b/third_party/blink/renderer/core/frame/local_frame_client_impl.h
 @@ -81,6 +81,8 @@ class CORE_EXPORT LocalFrameClientImpl final : public LocalFrameClient {

patches/chromium/add_electron_deps_to_license_credits_file.patch

@@ -7,10 +7,10 @@ Ensure that licenses for the dependencies introduced by Electron
 are included in `LICENSES.chromium.html`
 
 diff --git a/tools/licenses/licenses.py b/tools/licenses/licenses.py
-index b0807ee3d8ebcf34f0d740362aa46c8631562d38..118d200b74953c0068ad59300ccc0e3041d77a10 100755
+index a8afd4c9a95ad62fa0c8adb6fd53c2783d6eee96..ef8ab7dd5368d79c4bcf1e22fb539029956d4c67 100755
 --- a/tools/licenses/licenses.py
 +++ b/tools/licenses/licenses.py
-@@ -337,6 +337,31 @@ SPECIAL_CASES = {
+@@ -342,6 +342,31 @@ SPECIAL_CASES = {
          "License": "Apache 2.0",
          "License File": ["//third_party/dawn/third_party/khronos/LICENSE"],
      },

patches/chromium/add_ui_scopedcliboardwriter_writeunsaferawdata.patch

@@ -8,10 +8,10 @@ was removed as part of the Raw Clipboard API scrubbing.
 https://bugs.chromium.org/p/chromium/issues/detail?id=1217643
 
 diff --git a/ui/base/clipboard/scoped_clipboard_writer.cc b/ui/base/clipboard/scoped_clipboard_writer.cc
-index 0b457d0742b24381718092d6af11f396fda30436..e1619eeeb8f29e6745da282a33a3464ec97aefb0 100644
+index e104f4d7814b6f6a0e1f5cf49ae24d5571e30fb1..cc7e9064b21f8f2c45690454805901c0c56e2aa1 100644
 --- a/ui/base/clipboard/scoped_clipboard_writer.cc
 +++ b/ui/base/clipboard/scoped_clipboard_writer.cc
-@@ -236,6 +236,16 @@ void ScopedClipboardWriter::WriteData(std::u16string_view format,
+@@ -244,6 +244,16 @@ void ScopedClipboardWriter::WriteData(std::u16string_view format,
    }
  }
  
@@ -29,10 +29,10 @@ index 0b457d0742b24381718092d6af11f396fda30436..e1619eeeb8f29e6745da282a33a3464e
    objects_.clear();
    raw_objects_.clear();
 diff --git a/ui/base/clipboard/scoped_clipboard_writer.h b/ui/base/clipboard/scoped_clipboard_writer.h
-index 939a99b2a086d5373f82fe96da73dabe02f6f9d8..fccc200b1b11076c8fcffde071a53598ffba9a12 100644
+index 8c2be540757856a3e704764fe56003205b24812f..e31fbc01f68c0e92284a72298cac878d7247e7fb 100644
 --- a/ui/base/clipboard/scoped_clipboard_writer.h
 +++ b/ui/base/clipboard/scoped_clipboard_writer.h
-@@ -87,6 +87,10 @@ class COMPONENT_EXPORT(UI_BASE_CLIPBOARD) ScopedClipboardWriter {
+@@ -91,6 +91,10 @@ class COMPONENT_EXPORT(UI_BASE_CLIPBOARD) ScopedClipboardWriter {
    // This is only used to write custom format data.
    void WriteData(std::u16string_view format, mojo_base::BigBuffer data);
  

patches/chromium/add_webmessageportconverter_entangleandinjectmessageportchannel.patch

@@ -8,7 +8,7 @@ accessing Blink internals. Its inverse, which already exists, is used in
 Android WebView.
 
 diff --git a/third_party/blink/public/web/web_message_port_converter.h b/third_party/blink/public/web/web_message_port_converter.h
-index e7c4464f1b5aa19cbe441d94d88c949798ccb1e3..bd804d509ad5f3581154c6ede8653e7521cb71b8 100644
+index e7c4464f1b5aa19cbe441d94d88c949798ccb1e3..cdf9bca3df292531831b6df0077ba211a29548aa 100644
 --- a/third_party/blink/public/web/web_message_port_converter.h
 +++ b/third_party/blink/public/web/web_message_port_converter.h
 @@ -13,6 +13,7 @@
@@ -19,18 +19,20 @@ index e7c4464f1b5aa19cbe441d94d88c949798ccb1e3..bd804d509ad5f3581154c6ede8653e75
  }  // namespace v8
  
  namespace blink {
-@@ -25,6 +26,9 @@ class BLINK_EXPORT WebMessagePortConverter {
+@@ -25,6 +26,11 @@ class BLINK_EXPORT WebMessagePortConverter {
    // neutered, it will return nullopt.
    static std::optional<MessagePortChannel>
    DisentangleAndExtractMessagePortChannel(v8::Isolate*, v8::Local<v8::Value>);
 +
 +  BLINK_EXPORT static v8::Local<v8::Value>
-+  EntangleAndInjectMessagePortChannel(v8::Local<v8::Context>, MessagePortChannel);
++  EntangleAndInjectMessagePortChannel(v8::Isolate*,
++                                      v8::Local<v8::Context>,
++                                      MessagePortChannel);
  };
  
  }  // namespace blink
 diff --git a/third_party/blink/renderer/core/exported/web_message_port_converter.cc b/third_party/blink/renderer/core/exported/web_message_port_converter.cc
-index 3270da19f73077b1fab7522144b9f3d52d9f6a5a..e6c5764c54a18b31223ac8c5b8f2d6ef732225d6 100644
+index 3270da19f73077b1fab7522144b9f3d52d9f6a5a..bbd3c968027549b89087d9a4394f575d84213eba 100644
 --- a/third_party/blink/renderer/core/exported/web_message_port_converter.cc
 +++ b/third_party/blink/renderer/core/exported/web_message_port_converter.cc
 @@ -6,6 +6,7 @@
@@ -41,19 +43,20 @@ index 3270da19f73077b1fab7522144b9f3d52d9f6a5a..e6c5764c54a18b31223ac8c5b8f2d6ef
  #include "third_party/blink/renderer/bindings/core/v8/v8_message_port.h"
  #include "third_party/blink/renderer/core/messaging/message_port.h"
  
-@@ -21,4 +22,15 @@ WebMessagePortConverter::DisentangleAndExtractMessagePortChannel(
+@@ -21,4 +22,16 @@ WebMessagePortConverter::DisentangleAndExtractMessagePortChannel(
    return port->Disentangle();
  }
  
 +v8::Local<v8::Value>
 +WebMessagePortConverter::EntangleAndInjectMessagePortChannel(
++    v8::Isolate* isolate,
 +    v8::Local<v8::Context> context,
 +    MessagePortChannel port_channel) {
 +  auto* execution_context = ToExecutionContext(context);
 +  CHECK(execution_context);
 +  auto* port = MakeGarbageCollected<MessagePort>(*execution_context);
 +  port->Entangle(std::move(port_channel));
-+  return port->ToV8(context->GetIsolate(), context->Global());
++  return port->ToV8(isolate, context->Global());
 +}
 +
  }  // namespace blink

patches/chromium/adjust_accessibility_ui_for_electron.patch

@@ -10,7 +10,7 @@ usage of BrowserList and Browser as we subclass related methods and use our
 WindowList.
 
 diff --git a/chrome/browser/ui/webui/accessibility/accessibility_ui.cc b/chrome/browser/ui/webui/accessibility/accessibility_ui.cc
-index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aabbba621cb 100644
+index 8f425bd66fac7b36cee201c3e23c126dd14edf07..6216ad30ed15f11501e1d154258862f57941969e 100644
 --- a/chrome/browser/ui/webui/accessibility/accessibility_ui.cc
 +++ b/chrome/browser/ui/webui/accessibility/accessibility_ui.cc
 @@ -48,6 +48,7 @@
@@ -19,9 +19,9 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
  #include "content/public/browser/web_ui_data_source.h"
 +#include "electron/shell/browser/electron_browser_context.h"
  #include "ui/accessibility/accessibility_features.h"
+ #include "ui/accessibility/ax_mode.h"
  #include "ui/accessibility/ax_updates_and_events.h"
- #include "ui/accessibility/platform/ax_platform.h"
-@@ -173,7 +174,7 @@ base::Value::Dict BuildTargetDescriptor(content::RenderViewHost* rvh) {
+@@ -178,7 +179,7 @@ base::Value::Dict BuildTargetDescriptor(content::RenderViewHost* rvh) {
                                 rvh->GetRoutingID(), accessibility_mode);
  }
  
@@ -30,7 +30,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
  base::Value::Dict BuildTargetDescriptor(Browser* browser) {
    base::Value::Dict target_data;
    target_data.Set(kSessionIdField, browser->session_id().id());
-@@ -197,7 +198,7 @@ void HandleAccessibilityRequestCallback(
+@@ -224,7 +225,7 @@ void HandleAccessibilityRequestCallback(
    auto& browser_accessibility_state =
        *content::BrowserAccessibilityState::GetInstance();
    base::Value::Dict data;
@@ -39,7 +39,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
    ui::AXMode mode = browser_accessibility_state.GetAccessibilityMode();
    bool native = mode.has_mode(ui::AXMode::kNativeAPIs);
    bool web = mode.has_mode(ui::AXMode::kWebContents);
-@@ -258,7 +259,7 @@ void HandleAccessibilityRequestCallback(
+@@ -285,7 +286,7 @@ void HandleAccessibilityRequestCallback(
    data.Set(kIsScreenReaderActive, is_screen_reader_active);
  
    std::string pref_api_type =
@@ -48,7 +48,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
    bool pref_api_type_supported = false;
  
    std::vector<ui::AXApiType::Type> supported_api_types =
-@@ -326,11 +327,11 @@ void HandleAccessibilityRequestCallback(
+@@ -353,11 +354,11 @@ void HandleAccessibilityRequestCallback(
    data.Set(kPagesField, std::move(page_list));
  
    base::Value::List browser_list;
@@ -61,8 +61,8 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
 +#endif
    data.Set(kBrowsersField, std::move(browser_list));
  
-   std::string json_string;
-@@ -804,7 +805,8 @@ void AccessibilityUIMessageHandler::SetGlobalString(
+ #if BUILDFLAG(IS_WIN)
+@@ -844,7 +845,8 @@ void AccessibilityUIMessageHandler::SetGlobalString(
    const std::string value = CheckJSValue(data.FindString(kValueField));
  
    if (string_name == kApiTypeField) {
@@ -72,7 +72,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
      pref->SetString(prefs::kShownAccessibilityApiType, value);
    }
  }
-@@ -858,7 +860,8 @@ void AccessibilityUIMessageHandler::RequestWebContentsTree(
+@@ -898,7 +900,8 @@ void AccessibilityUIMessageHandler::RequestWebContentsTree(
                       AXPropertyFilter::ALLOW_EMPTY);
    AddPropertyFilters(property_filters, deny, AXPropertyFilter::DENY);
  
@@ -82,7 +82,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
    ui::AXApiType::Type api_type =
        ui::AXApiType::From(pref->GetString(prefs::kShownAccessibilityApiType));
    std::string accessibility_contents =
-@@ -885,6 +888,7 @@ void AccessibilityUIMessageHandler::RequestNativeUITree(
+@@ -925,6 +928,7 @@ void AccessibilityUIMessageHandler::RequestNativeUITree(
                       AXPropertyFilter::ALLOW_EMPTY);
    AddPropertyFilters(property_filters, deny, AXPropertyFilter::DENY);
  
@@ -90,7 +90,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
    for (Browser* browser : *BrowserList::GetInstance()) {
      if (browser->session_id().id() == session_id) {
        base::Value::Dict result = BuildTargetDescriptor(browser);
-@@ -897,6 +901,7 @@ void AccessibilityUIMessageHandler::RequestNativeUITree(
+@@ -937,6 +941,7 @@ void AccessibilityUIMessageHandler::RequestNativeUITree(
        return;
      }
    }
@@ -98,7 +98,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
  #endif  // !BUILDFLAG(IS_ANDROID)
    // No browser with the specified |session_id| was found.
    base::Value::Dict result;
-@@ -940,11 +945,13 @@ void AccessibilityUIMessageHandler::StopRecording(
+@@ -980,11 +985,13 @@ void AccessibilityUIMessageHandler::StopRecording(
  }
  
  ui::AXApiType::Type AccessibilityUIMessageHandler::GetRecordingApiType() {
@@ -115,7 +115,7 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
    // Check to see if it is in the supported types list.
    if (std::find(supported_types.begin(), supported_types.end(), api_type) ==
        supported_types.end()) {
-@@ -1014,8 +1021,11 @@ void AccessibilityUIMessageHandler::RequestAccessibilityEvents(
+@@ -1054,10 +1061,13 @@ void AccessibilityUIMessageHandler::RequestAccessibilityEvents(
  // static
  void AccessibilityUIMessageHandler::RegisterProfilePrefs(
      user_prefs::PrefRegistrySyncable* registry) {
@@ -127,11 +127,13 @@ index 20ba6b8fa6a7d5edf8ebab80ec15ece93d750000..6c42d825e520982c7fcac52cf3aa8aab
 +  registry->RegisterBooleanPref(prefs::kShowInternalAccessibilityTree, false);
 +#endif
  }
+ 
+ void AccessibilityUIMessageHandler::OnVisibilityChanged(
 diff --git a/chrome/browser/ui/webui/accessibility/accessibility_ui.h b/chrome/browser/ui/webui/accessibility/accessibility_ui.h
-index b171afc941b2b3ef4aeba04a2b1c6eef2774d442..8f431aae69365bc8756e515c603332a7f1648148 100644
+index 4b9d7df73c901c57c14693e9f24a51694ecd375f..93e1c9a79d88c8b4c57b244c9eec1e83c1d1fa0a 100644
 --- a/chrome/browser/ui/webui/accessibility/accessibility_ui.h
 +++ b/chrome/browser/ui/webui/accessibility/accessibility_ui.h
-@@ -27,6 +27,8 @@ namespace content {
+@@ -28,6 +28,8 @@ namespace content {
  class WebContents;
  }  // namespace content
  
@@ -140,7 +142,7 @@ index b171afc941b2b3ef4aeba04a2b1c6eef2774d442..8f431aae69365bc8756e515c603332a7
  namespace user_prefs {
  class PrefRegistrySyncable;
  }  // namespace user_prefs
-@@ -77,6 +79,8 @@ class AccessibilityUIMessageHandler : public content::WebUIMessageHandler {
+@@ -79,6 +81,8 @@ class AccessibilityUIMessageHandler : public content::WebUIMessageHandler,
    static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
  
   private:

patches/chromium/allow_disabling_blink_scheduler_throttling_per_renderview.patch

@@ -6,11 +6,11 @@ Subject: allow disabling blink scheduler throttling per RenderView
 This allows us to disable throttling for hidden windows.
 
 diff --git a/content/browser/renderer_host/navigation_controller_impl_unittest.cc b/content/browser/renderer_host/navigation_controller_impl_unittest.cc
-index d321fe74be7af24d1246224d7a28c9dede3635b2..af2cb60c42863b1fdad487c28d544b7a7dade805 100644
+index 94a67b61edb0bc2f3faa5db44e99d1493f38d5a0..e4a953c199f8c1e5d68e552f73c593d308946957 100644
 --- a/content/browser/renderer_host/navigation_controller_impl_unittest.cc
 +++ b/content/browser/renderer_host/navigation_controller_impl_unittest.cc
-@@ -167,6 +167,12 @@ class MockPageBroadcast : public blink::mojom::PageBroadcast {
-               (network::mojom::AttributionSupport support),
+@@ -168,6 +168,12 @@ class MockPageBroadcast : public blink::mojom::PageBroadcast {
+               (std::optional<blink::NoiseToken> canvas_noise_token),
                (override));
  
 +  MOCK_METHOD(
@@ -23,10 +23,10 @@ index d321fe74be7af24d1246224d7a28c9dede3635b2..af2cb60c42863b1fdad487c28d544b7a
      return receiver_.BindNewEndpointAndPassDedicatedRemote();
    }
 diff --git a/content/browser/renderer_host/render_view_host_impl.cc b/content/browser/renderer_host/render_view_host_impl.cc
-index 87c448c04f8f164f7b2dca6f21a8ea9cc26db163..e88cfee7ad8495e7733c85efc8d21ad2aef26db0 100644
+index 270750b9180a8ddab4f3cd2508fd398e07bf6377..20b2ae081a3710443ec919f1487dfbfe8f15de11 100644
 --- a/content/browser/renderer_host/render_view_host_impl.cc
 +++ b/content/browser/renderer_host/render_view_host_impl.cc
-@@ -773,6 +773,11 @@ void RenderViewHostImpl::SetBackgroundOpaque(bool opaque) {
+@@ -785,6 +785,11 @@ void RenderViewHostImpl::SetBackgroundOpaque(bool opaque) {
    GetWidget()->GetAssociatedFrameWidget()->SetBackgroundOpaque(opaque);
  }
  
@@ -51,10 +51,10 @@ index 7944fe64e0da112fc670358b75506bb199bb5e4a..0e3c16c6af2a078943e9f39808134ab2
    void SendRendererPreferencesToRenderer(
        const blink::RendererPreferences& preferences);
 diff --git a/content/browser/renderer_host/render_widget_host_view_aura.cc b/content/browser/renderer_host/render_widget_host_view_aura.cc
-index b14f5bc3f023c512a066ce9ec9f681c96b1fafc4..b930145db575eb8c4e84297ddd610bd90fb5d3a8 100644
+index e8a0554c4d84a16fc2122cb3e48199b4f43ecf88..34fca79b7c87b2fd098271fb5a4f83c015eeb2bc 100644
 --- a/content/browser/renderer_host/render_widget_host_view_aura.cc
 +++ b/content/browser/renderer_host/render_widget_host_view_aura.cc
-@@ -580,8 +580,8 @@ void RenderWidgetHostViewAura::ShowImpl(PageVisibilityState page_visibility) {
+@@ -578,8 +578,8 @@ void RenderWidgetHostViewAura::ShowImpl(PageVisibilityState page_visibility) {
    // OnShowWithPageVisibility will not call NotifyHostAndDelegateOnWasShown,
    // which updates `visibility_`, unless the host is hidden. Make sure no update
    // is needed.
@@ -66,10 +66,10 @@ index b14f5bc3f023c512a066ce9ec9f681c96b1fafc4..b930145db575eb8c4e84297ddd610bd9
  
  void RenderWidgetHostViewAura::EnsurePlatformVisibility(
 diff --git a/content/public/browser/render_view_host.h b/content/public/browser/render_view_host.h
-index 20ca763ff7f55e8176b77349b41917b11e051ae6..a50c122064b5f0092f57e3d508fb19389b72203b 100644
+index a599bc306198de0e172134ce4623b32b8fcd72fa..4960c518d49f98b39873d166597bfb4b5619ee02 100644
 --- a/content/public/browser/render_view_host.h
 +++ b/content/public/browser/render_view_host.h
-@@ -75,6 +75,9 @@ class CONTENT_EXPORT RenderViewHost {
+@@ -74,6 +74,9 @@ class CONTENT_EXPORT RenderViewHost {
    virtual void WriteIntoTrace(
        perfetto::TracedProto<TraceProto> context) const = 0;
  
@@ -80,34 +80,34 @@ index 20ca763ff7f55e8176b77349b41917b11e051ae6..a50c122064b5f0092f57e3d508fb1938
    // This interface should only be implemented inside content.
    friend class RenderViewHostImpl;
 diff --git a/content/test/test_page_broadcast.h b/content/test/test_page_broadcast.h
-index 3f4fdfcdf2f701a394e182bd61baf226338ef7f8..f2faa1225e8ca6abb190e6f7a0775545fa3f785d 100644
+index 82ae7ab6279427e492ead6d1d386608eb9d3d844..2b79149bfcc0de968ffb45e310d697c5393f0d43 100644
 --- a/content/test/test_page_broadcast.h
 +++ b/content/test/test_page_broadcast.h
-@@ -51,6 +51,7 @@ class TestPageBroadcast : public blink::mojom::PageBroadcast {
-       network::mojom::AttributionSupport support) override;
-   void UpdateColorProviders(
+@@ -53,6 +53,7 @@ class TestPageBroadcast : public blink::mojom::PageBroadcast {
        const blink::ColorProviderColorMaps& color_provider_colors) override;
+   void UpdateCanvasNoiseToken(
+       std::optional<blink::NoiseToken> canvas_noise_token) override;
 +  void SetSchedulerThrottling(bool allowed) override {}
  
    mojo::AssociatedReceiver<blink::mojom::PageBroadcast> receiver_;
  };
 diff --git a/third_party/blink/public/mojom/page/page.mojom b/third_party/blink/public/mojom/page/page.mojom
-index b6a4e3609af1f090f1f845d77fa0589e5b178d8a..989b2cf76ce88614b57e75ce2fcace101225f43e 100644
+index e7be05ec6dc5f517b4a6f849a262d12dc6c1ca3d..5f4f425c77c8aadf269edfaec658a8d2ad74b2cd 100644
 --- a/third_party/blink/public/mojom/page/page.mojom
 +++ b/third_party/blink/public/mojom/page/page.mojom
-@@ -175,4 +175,7 @@ interface PageBroadcast {
-   // 2. The ColorProvider associated with the WebContents changes as a result
-   // of theme changes.
-   UpdateColorProviders(ColorProviderColorMaps color_provider_colors);
+@@ -182,4 +182,7 @@ interface PageBroadcast {
+   // the noise token at ReadyToCommit time and update blink::WebViews that
+   // were made at request time.
+   UpdateCanvasNoiseToken(blink.mojom.NoiseToken? canvas_noise_token);
 +
 +  // Whether to enable the Renderer scheduler background throttling.
 +  SetSchedulerThrottling(bool allowed);
  };
 diff --git a/third_party/blink/public/web/web_view.h b/third_party/blink/public/web/web_view.h
-index c8d27cfee8ef3fe244291f4667b59df1037c359b..92ed53a689991ec8eca9572bf2f7a212acfc4a38 100644
+index 9c0fe6ad62872f05cfb1179b4b979139008976d2..6aca43e61ef7f1caea74c30e5c3ce4496d4c4188 100644
 --- a/third_party/blink/public/web/web_view.h
 +++ b/third_party/blink/public/web/web_view.h
-@@ -360,6 +360,7 @@ class BLINK_EXPORT WebView {
+@@ -366,6 +366,7 @@ class BLINK_EXPORT WebView {
    // Scheduling -----------------------------------------------------------
  
    virtual PageScheduler* Scheduler() const = 0;
@@ -116,10 +116,10 @@ index c8d27cfee8ef3fe244291f4667b59df1037c359b..92ed53a689991ec8eca9572bf2f7a212
    // Visibility -----------------------------------------------------------
  
 diff --git a/third_party/blink/renderer/core/exported/web_view_impl.cc b/third_party/blink/renderer/core/exported/web_view_impl.cc
-index b0a8c14c845a69c72ab823af1eccad22b27f1ad6..6ba55d345d4b18c9c76e26a8a1eb3835dd692581 100644
+index c542810213430164308d8cde71130b0b337996b4..bd09aa1967d04e0be240de38aabdaa9d74f60336 100644
 --- a/third_party/blink/renderer/core/exported/web_view_impl.cc
 +++ b/third_party/blink/renderer/core/exported/web_view_impl.cc
-@@ -2485,6 +2485,10 @@ void WebViewImpl::SetPageLifecycleStateInternal(
+@@ -2507,6 +2507,10 @@ void WebViewImpl::SetPageLifecycleStateInternal(
    TRACE_EVENT2("navigation", "WebViewImpl::SetPageLifecycleStateInternal",
                 "old_state", old_state, "new_state", new_state);
  
@@ -130,7 +130,7 @@ index b0a8c14c845a69c72ab823af1eccad22b27f1ad6..6ba55d345d4b18c9c76e26a8a1eb3835
    bool storing_in_bfcache = new_state->is_in_back_forward_cache &&
                              !old_state->is_in_back_forward_cache;
    bool restoring_from_bfcache = !new_state->is_in_back_forward_cache &&
-@@ -3986,10 +3990,23 @@ PageScheduler* WebViewImpl::Scheduler() const {
+@@ -4019,10 +4023,23 @@ PageScheduler* WebViewImpl::Scheduler() const {
    return GetPage()->GetPageScheduler();
  }
  
@@ -155,10 +155,10 @@ index b0a8c14c845a69c72ab823af1eccad22b27f1ad6..6ba55d345d4b18c9c76e26a8a1eb3835
    // Do not throttle if the page should be painting.
    bool is_visible =
 diff --git a/third_party/blink/renderer/core/exported/web_view_impl.h b/third_party/blink/renderer/core/exported/web_view_impl.h
-index 5c8a5d7f9b675a460740643fc26d778a08ef7112..2ebae3e0a5b76eb9551d286af1ed64e1e58b9de4 100644
+index 83e4be6692496d1d05dcd4110009c68763683128..f8deed2f22387c5dcc35d93c7b45ba54a77625e5 100644
 --- a/third_party/blink/renderer/core/exported/web_view_impl.h
 +++ b/third_party/blink/renderer/core/exported/web_view_impl.h
-@@ -445,6 +445,7 @@ class CORE_EXPORT WebViewImpl final : public WebView,
+@@ -452,6 +452,7 @@ class CORE_EXPORT WebViewImpl final : public WebView,
    LocalDOMWindow* PagePopupWindow() const;
  
    PageScheduler* Scheduler() const override;
@@ -166,7 +166,7 @@ index 5c8a5d7f9b675a460740643fc26d778a08ef7112..2ebae3e0a5b76eb9551d286af1ed64e1
    void SetVisibilityState(mojom::blink::PageVisibilityState visibility_state,
                            bool is_initial_state) override;
    mojom::blink::PageVisibilityState GetVisibilityState() override;
-@@ -935,6 +936,8 @@ class CORE_EXPORT WebViewImpl final : public WebView,
+@@ -945,6 +946,8 @@ class CORE_EXPORT WebViewImpl final : public WebView,
    // If true, we send IPC messages when |preferred_size_| changes.
    bool send_preferred_size_changes_ = false;
  

patches/chromium/allow_electron_to_depend_on_components_os_crypt_sync.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Kleinschmidt <jkleinsc@electronjs.org>
+Date: Mon, 15 Sep 2025 15:52:55 -0400
+Subject: Allow electron to depend on components/os_crypt/sync.
+
+This is necessary after
+https://chromium-review.googlesource.com/c/chromium/src/+/6944749
+landed.  That CL notes that "new code should use os_crypt async",
+so we can remove this patch once we migrate our code to use
+os_crypt async.
+
+diff --git a/components/os_crypt/sync/BUILD.gn b/components/os_crypt/sync/BUILD.gn
+index 81fc444043b67858371142075f98ad9aff162fc3..7ab1c6d1422e19afa603d9b3eeeb30044fb9c7b3 100644
+--- a/components/os_crypt/sync/BUILD.gn
++++ b/components/os_crypt/sync/BUILD.gn
+@@ -10,6 +10,7 @@ import("//components/os_crypt/sync/features.gni")
+ component("sync") {
+   # New code should use os_crypt async.
+   visibility = [
++    "//electron:*",
+     "//chrome/browser",
+     "//chrome/browser/prefs:impl",
+     "//chrome/browser/ui",

patches/chromium/allow_in-process_windows_to_have_different_web_prefs.patch

@@ -8,7 +8,7 @@ WebPreferences of in-process child windows, rather than relying on
 process-level command line switches, as before.
 
 diff --git a/third_party/blink/common/web_preferences/web_preferences_mojom_traits.cc b/third_party/blink/common/web_preferences/web_preferences_mojom_traits.cc
-index 545a854789199a6f3056bf507f882446a5e11235..e733581553328010275c85465ee3a97a950afe4d 100644
+index c0362530043cdaffc008d0c90d55cb9522db1557..3eb37d797feccdbb2a9d4b4f26e222b6f837b802 100644
 --- a/third_party/blink/common/web_preferences/web_preferences_mojom_traits.cc
 +++ b/third_party/blink/common/web_preferences/web_preferences_mojom_traits.cc
 @@ -148,6 +148,19 @@ bool StructTraits<blink::mojom::WebPreferencesDataView,
@@ -32,7 +32,7 @@ index 545a854789199a6f3056bf507f882446a5e11235..e733581553328010275c85465ee3a97a
    out->accelerated_video_decode_enabled =
        data.accelerated_video_decode_enabled();
 diff --git a/third_party/blink/public/common/web_preferences/web_preferences.h b/third_party/blink/public/common/web_preferences/web_preferences.h
-index 3283422f7b6da21e6e9c6f35a52a643ba26a5e29..962d10f8166c3765b8d7434ecf941922981e3ce8 100644
+index 30572628d5d221e58159391f6bfd8e01525291bd..6020cce84810b9515298b65880091ebb97559688 100644
 --- a/third_party/blink/public/common/web_preferences/web_preferences.h
 +++ b/third_party/blink/public/common/web_preferences/web_preferences.h
 @@ -9,6 +9,7 @@
@@ -43,9 +43,9 @@ index 3283422f7b6da21e6e9c6f35a52a643ba26a5e29..962d10f8166c3765b8d7434ecf941922
  #include "build/build_config.h"
  #include "net/nqe/effective_connection_type.h"
  #include "third_party/blink/public/common/common_export.h"
-@@ -456,6 +457,19 @@ struct BLINK_COMMON_EXPORT WebPreferences {
-   // Whether fingerprinting protection based on page content is enabled.
-   bool content_based_fingerprinting_protection_enabled = false;
+@@ -464,6 +465,19 @@ struct BLINK_COMMON_EXPORT WebPreferences {
+   bool increment_local_surface_id_for_mainframe_same_doc_navigation = true;
+ #endif  // BUILDFLAG(IS_ANDROID)
  
 +  // Begin Electron-specific WebPreferences.
 +  bool context_isolation = false;
@@ -64,7 +64,7 @@ index 3283422f7b6da21e6e9c6f35a52a643ba26a5e29..962d10f8166c3765b8d7434ecf941922
    // chrome, except for the cases where it would require lots of extra work for
    // the embedder to use the same default value.
 diff --git a/third_party/blink/public/common/web_preferences/web_preferences_mojom_traits.h b/third_party/blink/public/common/web_preferences/web_preferences_mojom_traits.h
-index 49b374461da896943cd3da55ebcd8814098eeba9..13789a02f03dcfdbad798875d109882d9e548dff 100644
+index ccba9b7353c87d2e2bced7770920c976865c0d65..4d93ef8c1976cf533c32bc9c17dbf6b81f2b59c6 100644
 --- a/third_party/blink/public/common/web_preferences/web_preferences_mojom_traits.h
 +++ b/third_party/blink/public/common/web_preferences/web_preferences_mojom_traits.h
 @@ -8,6 +8,7 @@
@@ -129,7 +129,7 @@ index 49b374461da896943cd3da55ebcd8814098eeba9..13789a02f03dcfdbad798875d109882d
      return r.cookie_enabled;
    }
 diff --git a/third_party/blink/public/mojom/webpreferences/web_preferences.mojom b/third_party/blink/public/mojom/webpreferences/web_preferences.mojom
-index 60432eee506ddfcb02c5eef396494bea4dc3e263..76c0de3cc8095ab834950e117f8f12fd51e94978 100644
+index 9827715ad3cd306a0ec18fb6b2936ecf8677af21..66cbaf3a5b19a38295cad04d0e978de417984370 100644
 --- a/third_party/blink/public/mojom/webpreferences/web_preferences.mojom
 +++ b/third_party/blink/public/mojom/webpreferences/web_preferences.mojom
 @@ -8,9 +8,11 @@ import "third_party/blink/public/mojom/css/preferred_color_scheme.mojom";

patches/chromium/band-aid_over_an_issue_with_using_deprecated_nsopenpanel_api.patch

@@ -1,108 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Avi Drissman <avi@chromium.org>
-Date: Thu, 21 Aug 2025 07:33:53 -0700
-Subject: Band-aid over an issue with using deprecated NSOpenPanel API
-
-Because deprecated and broken NSOpenPanel API is used, the open panel
-will sometimes incorrectly misunderstand a folder to be a package and
-return it as a user selection when folders are disallowed from
-selection. In that case, skip it.
-
-Bug: 40861123
-Bug: 41275486
-Bug: 440106155
-Change-Id: Ia0459a2bb76a30f4e126bd83069d7e13894d62f6
-Fixed: 438779953
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6867298
-Commit-Queue: Avi Drissman <avi@chromium.org>
-Reviewed-by: Christine Hollingsworth <christinesm@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1504534}
-
-diff --git a/components/remote_cocoa/app_shim/select_file_dialog_bridge.mm b/components/remote_cocoa/app_shim/select_file_dialog_bridge.mm
-index f0b8108a7f8a63f66664c6c5ad3ada0bf60805b3..67380a76c699d1c2db0d3a96671bb92657c4a6d3 100644
---- a/components/remote_cocoa/app_shim/select_file_dialog_bridge.mm
-+++ b/components/remote_cocoa/app_shim/select_file_dialog_bridge.mm
-@@ -225,7 +225,7 @@ - (void)popupAction:(id)sender {
-   // Unfortunately, there's no great way to do strict type matching with
-   // NSOpenPanel. Setting explicit extensions via -allowedFileTypes is
-   // deprecated, and there's no way to specify that strict type equality should
--  // be used for -allowedContentTypes (FB13721802).
-+  // be used for -allowedContentTypes (https://crbug.com/41275486, FB13721802).
-   //
-   // -[NSOpenSavePanelDelegate panel:shouldEnableURL:] could be used to enforce
-   // strict type matching, however its presence on the delegate means that all
-@@ -235,6 +235,10 @@ - (void)popupAction:(id)sender {
-   //
-   // Therefore, use the deprecated API, because it's the only way to remain
-   // performant while achieving strict type matching.
-+  //
-+  // TODO(https://crbug.com/440106155): Possibly reconsider using
-+  // -panel:shouldEnableURL: if the speed impact is judged to be acceptable
-+  // nowadays.
- 
- #pragma clang diagnostic push
- #pragma clang diagnostic ignored "-Wdeprecated-declarations"
-@@ -479,8 +483,8 @@ - (void)popupAction:(id)sender {
- 
-       // See -[ExtensionDropdownHandler popupAction:] as to why file extensions
-       // are collected here rather than being converted to UTTypes.
--      // TODO(FB13721802): Use UTTypes when strict type matching can be
--      // specified.
-+      // TODO(https://crbug.com/440106155, FB13721802): Use UTTypes when strict
-+      // type matching can be specified.
-       NSString* ext_ns = base::SysUTF8ToNSString(ext);
-       if (![file_extensions_array containsObject:ext_ns]) {
-         [file_extensions_array addObject:ext_ns];
-@@ -571,18 +575,46 @@ - (void)popupAction:(id)sender {
-         }
-         NSString* path = url.path;
- 
--        // There is a bug in macOS where, despite a request to disallow file
--        // selection, files/packages are able to be selected. If indeed file
--        // selection was disallowed, drop any files selected.
--        // https://crbug.com/40861123, FB11405008
--        if (!open_panel.canChooseFiles) {
-+        if (base::mac::MacOSMajorVersion() < 14) {
-+          // There is a bug in macOS (https://crbug.com/40861123, FB11405008)
-+          // where, despite a request to disallow file selection, files/packages
-+          // are able to be selected. If indeed file selection was disallowed,
-+          // drop any files selected. This issue is fixed in macOS 14, so only
-+          // do the workaround on previous releases.
-+          if (!open_panel.canChooseFiles) {
-+            BOOL is_directory;
-+            BOOL exists =
-+                [NSFileManager.defaultManager fileExistsAtPath:path
-+                                                   isDirectory:&is_directory];
-+            BOOL is_package =
-+                [NSWorkspace.sharedWorkspace isFilePackageAtPath:path];
-+            if (!exists || !is_directory || is_package) {
-+              continue;
-+            }
-+          }
-+        }
-+
-+        // As long as FB13721802 remains unfixed, this class uses extensions to
-+        // filter what files are available rather than UTTypes. This deprecated
-+        // API has a problem, however. If you specify an extension to be shown
-+        // as available, then the NSOpenPanel will assume that any directory
-+        // that has that extension is a package, and will offer it to the user
-+        // for selection even if directory selection isn't otherwise allowed.
-+        // Therefore, if directories are disallowed, filter out any that find
-+        // their way in if they're not actually packages.
-+        //
-+        // TODO(https://crbug.com/440106155, FB13721802): Possibly reconsider
-+        // using -panel:shouldEnableURL: if the speed impact is judged to be
-+        // acceptable nowadays, and drop this band-aid.
-+        if (!open_panel.canChooseDirectories) {
-           BOOL is_directory;
-           BOOL exists =
-               [NSFileManager.defaultManager fileExistsAtPath:path
-                                                  isDirectory:&is_directory];
-           BOOL is_package =
-               [NSWorkspace.sharedWorkspace isFilePackageAtPath:path];
--          if (!exists || !is_directory || is_package) {
-+          if (!exists || (is_directory && !is_package)) {
-+            NSLog(@"dropping %@", path);
-             continue;
-           }
-         }

patches/chromium/blink_local_frame.patch

@@ -15,7 +15,7 @@ Refs changes in:
 This patch reverts the changes to fix associated crashes in Electron.
 
 diff --git a/third_party/blink/renderer/core/frame/frame.cc b/third_party/blink/renderer/core/frame/frame.cc
-index c9f34fa47702504ccdefb8d61c55f5eaae501085..26df03d777c9ea487cae37f3df91d1df233b75e2 100644
+index cdb5b9246087b5678cf6a0f2713f6238dafc13de..7efbe7524c5ddd3785fff0e2d8901f931f024f48 100644
 --- a/third_party/blink/renderer/core/frame/frame.cc
 +++ b/third_party/blink/renderer/core/frame/frame.cc
 @@ -134,14 +134,6 @@ bool Frame::Detach(FrameDetachType type) {
@@ -49,10 +49,10 @@ index c9f34fa47702504ccdefb8d61c55f5eaae501085..26df03d777c9ea487cae37f3df91d1df
    // its owning reference back to our owning LocalFrame.
    client_->Detached(type);
 diff --git a/third_party/blink/renderer/core/frame/local_frame.cc b/third_party/blink/renderer/core/frame/local_frame.cc
-index f4386917072e83f8797d0dbed5f1e2c72659ce80..800a904a8fa47e0a36d8393e11b3e7d7c4a3550e 100644
+index dc1464afab92e4148d8c61f2098d5172e236651b..e96fca375fc3eb2504dd6f82e5be2c025d23089e 100644
 --- a/third_party/blink/renderer/core/frame/local_frame.cc
 +++ b/third_party/blink/renderer/core/frame/local_frame.cc
-@@ -738,10 +738,6 @@ bool LocalFrame::DetachImpl(FrameDetachType type) {
+@@ -746,10 +746,6 @@ bool LocalFrame::DetachImpl(FrameDetachType type) {
    }
    DCHECK(!view_ || !view_->IsAttached());
  
@@ -63,7 +63,7 @@ index f4386917072e83f8797d0dbed5f1e2c72659ce80..800a904a8fa47e0a36d8393e11b3e7d7
    if (!Client())
      return false;
  
-@@ -795,6 +791,11 @@ bool LocalFrame::DetachImpl(FrameDetachType type) {
+@@ -803,6 +799,11 @@ bool LocalFrame::DetachImpl(FrameDetachType type) {
    DCHECK(!view_->IsAttached());
    Client()->WillBeDetached();