Revert "ci: split macos-x64 tests into 3 shards (#50968)"

This reverts commit a57dbb55cc.

.claude/skills/electron-node-upgrade/SKILL.md

@@ -0,0 +1,205 @@
+---
+name: electron-node-upgrade
+description: Guide for performing Node.js version upgrades in the Electron project. Use when working on the roller/node/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Node.js changes, and proper commit formatting for patch fixes.
+---
+
+# Electron Node.js Upgrade: Phase One
+
+## Summary
+
+Run `e sync --3` repeatedly, fixing patch conflicts as they arise, until it succeeds. Then export patches and commit changes atomically.
+
+## Success Criteria
+
+Phase One is complete when:
+- `e sync --3` exits with code 0 (no patch failures)
+- All changes are committed per the commit guidelines
+
+Do not stop until these criteria are met.
+
+**CRITICAL** Do not delete or skip patches unless 100% certain the patch is no longer needed. For major version upgrades, patches that shim deprecated V8 APIs or backport upstream changes are often deletable because the new Node.js version already incorporates them — but verify before removing. Complicated conflicts or hard to resolve issues should be presented to the user after you have exhausted all other options. Do not delete the patch just because you can't solve it.
+
+**CRITICAL** Never use `git am --skip` and then manually recreate a patch by making a new commit. This destroys the original patch's authorship, commit message, and position in the series. If `git am --continue` reports "No changes", investigate why — the changes were likely absorbed by a prior conflict resolution's 3-way merge. Present this situation to the user rather than skipping and recreating.
+
+## Context
+
+The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions.
+
+There are two types of Node.js version updates:
+- **Bumps** (patch/minor): Automated by `electron-roller[bot]` with commit title `chore: bump node to v{version}`. Trivial patch index updates are handled automatically by `patchup[bot]`. These often land cleanly, but may require manual patch fixes.
+- **Major upgrades** (e.g., v22 → v24): Manual, large PRs with commit title `chore: upgrade Node.js to v{X}.{Y}.{Z}`. These typically involve deleting obsolete patches, adapting many others, and updating `@types/node` in `package.json`.
+
+**Key directories:**
+- Current directory: Electron repo (always run `e` commands here)
+- `../third_party/electron_node`: Node.js repo (where patches apply)
+- `patches/node/`: Patch files for Node.js
+- `docs/development/patches.md`: Patch system documentation
+
+## Pre-flight Checks
+
+Run these once at the start of each upgrade session:
+
+1. **Clear rerere cache** (if enabled): `git rerere clear` in both the electron and `../third_party/electron_node` repos. Stale recorded resolutions from a prior attempt can silently apply wrong merges.
+2. **Ensure pre-commit hooks are installed**: Check that `.git/hooks/pre-commit` exists. If not, run `yarn husky` to install it. The hook runs `lint-staged` which handles clang-format for C++ files.
+
+## Workflow
+
+1. Run `e sync --3` (the `--3` flag enables 3-way merge, always required)
+2. If succeeds → skip to step 5
+3. If patch fails:
+   - Identify target repo and patch from error output
+   - Analyze failure (see references/patch-analysis.md)
+   - Fix conflict in `../third_party/electron_node` working directory
+   - Run `git am --continue` in `../third_party/electron_node`
+   - Repeat until all patches for that repo apply
+   - IMPORTANT: Once `git am --continue` succeeds you MUST run `e patches node` to export fixes
+   - Return to step 1
+4. When `e sync --3` succeeds, run `e patches all`
+5. **Read `references/phase-one-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
+
+## Commands Reference
+
+| Command | Purpose |
+|---------|---------|
+| `e sync --3` | Clone deps and apply patches with 3-way merge |
+| `git am --continue` | Continue after resolving conflict (run in node repo) |
+| `e patches node` | Export commits from node repo to patch files |
+| `e patches all` | Export all patches from all targets |
+| `e patches node --commit-updates` | Export patches and auto-commit trivial changes |
+| `e patches --list-targets` | List targets and config paths |
+
+## Patch System Mental Model
+
+```
+patches/node/*.patch  →  [e sync --3]  →  ../third_party/electron_node commits
+                      ←  [e patches]   ←
+```
+
+## When to Edit Patches
+
+| Situation | Action |
+|-----------|--------|
+| During active `git am` conflict | Fix in node repo, then `git am --continue` |
+| Modifying patch outside conflict | Edit `.patch` file directly |
+| Creating new patch (rare, avoid) | Commit in node repo, then `e patches node` |
+
+Fix existing patches 99% of the time rather than creating new ones.
+
+## Patch Fixing Rules
+
+1. **Preserve authorship**: Keep original author in TODO comments (from patch `From:` field)
+2. **Never change TODO assignees**: `TODO(name)` must retain original name
+3. **Update descriptions**: If upstream changed APIs or macros, update patch commit message to reflect current state
+4. **Never skip-and-recreate a patch**: If `git am --continue` says "No changes — did you forget to use 'git add'?", do NOT run `git am --skip` and create a replacement commit. The patch's changes were already absorbed by a prior 3-way merge resolution. This means an earlier conflict resolution pulled in too many changes. Present the situation to the user for guidance — the correct fix may require re-doing an earlier resolution more carefully to keep each patch's changes separate.
+
+# Electron Node.js Upgrade: Phase Two
+
+## Summary
+
+Run `e build -k 999 -- --quiet` repeatedly, fixing build issues as they arise, until it succeeds. Then run `e start --version` to validate Electron launches and commit changes atomically.
+
+Run Phase Two immediately after Phase One is complete.
+
+## Success Criteria
+
+Phase Two is complete when:
+- `e build -k 999 -- --quiet` exits with code 0 (no build failures)
+- `e start --version` has been run to check Electron launches
+- All changes are committed per the commit guidelines
+
+Do not stop until these criteria are met. Do not delete code or features, never comment out code in order to take short cut. Make all existing code, logic and intention work.
+
+## Context
+
+The `roller/node/main` branch is created by automation to update Electron's Node.js dependency version in `DEPS`. No work has been done to handle breaking changes between the old and new versions. Node.js APIs (especially internal V8 integration, OpenSSL/BoringSSL compatibility, and build system files) frequently change between versions. In every case the code in Electron must be updated to account for the change in Node.js, strongly avoid making changes to the code in Node.js to fix Electron's build.
+
+**Key directories:**
+- Current directory: Electron repo (always run `e` commands here)
+- `../third_party/electron_node`: Node.js repo (do not touch this code to fix build issues, just read it to obtain context)
+
+## Workflow
+
+1. Run `e build -k 999 -- --quiet` (the `--quiet` flag suppresses per-target status lines, showing only errors and the final result)
+2. If succeeds → skip to step 6
+3. If build fails:
+    - Identify underlying file in "electron" from the compilation error message
+    - Analyze failure
+    - Fix build issue by adapting Electron's code for the change in Node.js
+    - Run `e build -t {target_that_failed}.o` to build just the failed target we were specifically fixing
+        - You can identify the target_that_failed from the failure line in the build log. E.g. `FAILED: 2e506007-8d5d-4f38-bdd1-b5cd77999a77 "./obj/electron/shell/browser/api/electron_api_utility_process.o" CXX obj/electron/shell/browser/api/electron_api_utility_process.o` the target name is `obj/electron/shell/browser/api/electron_api_utility_process.o`
+    - **Read `references/phase-two-commit-guidelines.md` NOW**, then commit changes following those instructions exactly.
+    - Return to step 1
+4. **CRITICAL**: After ANY commit (especially patch commits), immediately run `git status` in the electron repo
+    - Look for other modified `.patch` files that only have index/hunk header changes
+    - These are dependent patches affected by your fix
+    - Commit them immediately with: `git commit -am "chore: update patches (trivial only)"`
+5. Return to step 1
+6. When `e build` succeeds, run `e start --version`
+7. Check if you have any pending changes in the Node.js repo by running `git status` in `../third_party/electron_node`
+    - If you have changes follow the instructions below in "A. Patch Fixes" to correctly commit those modifications into the appropriate patch file
+
+## Commands Reference
+
+| Command | Purpose |
+|---------|---------|
+| `e build -k 999 -- --quiet` | Build Electron, continue on errors, suppress status lines |
+| `e build -t {target}.o` | Build just one specific target to verify a fix |
+| `e start --version` | Validate Electron launches after successful build |
+
+## Two Types of Build Fixes
+
+### A. Patch Fixes (for files in patched Node.js files)
+
+When the error is in a file that Electron patches (check with `grep -l "filename" patches/node/*.patch`):
+
+1. Edit the file in the Node.js source tree (`../third_party/electron_node/...`)
+2. Create a fixup commit targeting the original patch commit:
+    ```bash
+    cd ../third_party/electron_node
+    git add <modified-file>
+    git commit --fixup=<original-patch-commit-hash>
+    GIT_SEQUENCE_EDITOR=: git rebase --autosquash --autostash -i <commit>^
+    ```
+3. Export the updated patch: `e patches node`
+4. Commit the updated patch file following `references/phase-one-commit-guidelines.md`.
+
+To find the original patch commit to fixup: `git log --oneline | grep -i "keyword from patch name"`
+
+The base commit for rebase is the Node.js commit before patches were applied. Find it by checking the `refs/patches/upstream-head` ref.
+
+### B. Electron Code Fixes (for files in shell/, electron/, etc.)
+
+When the error is in Electron's own source code:
+
+1. Edit files directly in the electron repo
+2. Commit directly (no patch export needed)
+
+# Critical: Read Before Committing
+
+- Before ANY Phase One commits: Read `references/phase-one-commit-guidelines.md`
+- Before ANY Phase Two commits: Read `references/phase-two-commit-guidelines.md`
+
+# High-Churn Patches
+
+These patches consistently require the most work during Node.js upgrades:
+
+- **`fix_handle_boringssl_and_openssl_incompatibilities.patch`** — Electron uses BoringSSL (via Chromium) while Node.js expects OpenSSL. This patch is large and complex, and upstream OpenSSL API changes frequently break it.
+- **`fix_crypto_tests_to_run_with_bssl.patch`** — Companion to the above; adapts Node.js crypto tests for BoringSSL. Can grow significantly during major upgrades.
+- **`support_v8_sandboxed_pointers.patch`** — V8 sandbox pointer support requires careful adaptation when V8 APIs change.
+- **`build_add_gn_build_files.patch`** — The GN build file patch is large and touches many build targets. Upstream build system changes frequently conflict.
+
+# Major Version Upgrades
+
+Major Node.js version transitions (e.g., v22 → v24) are significantly more involved than patch bumps:
+
+1. **Expect patch deletions.** Electron uses Chromium's V8, which is often ahead of the V8 version bundled in Node.js. Many patches exist to bridge this gap — shimming newer V8 APIs that Chromium's V8 has but Node.js' older V8 doesn't. When Node.js bumps to a newer major version, its V8 catches up to Chromium's, and those bridge patches can be deleted. In the v22 → v24 upgrade, 17 patches were deleted for this reason.
+2. **Update `@types/node`** in `package.json` to match the new major version.
+3. **Post-upgrade regressions are expected.** Even after the upgrade lands, follow-up fix PRs for edge cases (ESM path handling, certificate loading, platform-specific issues) are normal.
+
+# Skill Directory Structure
+This skill has additional reference files in `references/`:
+- patch-analysis.md - How to analyze patch failures
+- phase-one-commit-guidelines.md - Commit format for Phase One
+- phase-two-commit-guidelines.md - Commit format for Phase Two
+
+Read these when referenced in the workflow steps.

.claude/skills/electron-node-upgrade/references/patch-analysis.md

@@ -0,0 +1,112 @@
+# Analyzing Patch Failures
+
+## Investigation Steps
+
+1. **Read the patch file** at `patches/node/{patch_name}.patch`
+
+2. **Examine current state** of the file in the Node.js repo at mentioned line numbers
+
+3. **Check recent upstream changes:**
+   ```bash
+   cd ../third_party/electron_node
+   git log --oneline -10 -- {file}
+   ```
+
+4. **Find Node.js PR** in commit messages:
+   ```
+   PR-URL: https://github.com/nodejs/node/pull/{PR_NUMBER}
+   ```
+
+## Critical: Resolve by Intent, Not by Mechanical Merge
+
+When resolving a patch conflict, do NOT blindly preserve the patch's old code. Instead:
+
+1. **Understand the upstream commit's full scope** — not just the conflicting hunk.
+   Run `git show <commit> --stat` and read diffs for all affected files.
+   Upstream may have removed structs, members, or methods that the patch
+   references in other hunks or files.
+
+2. **Re-read the patch commit message** to understand its *intent* — what
+   behavior does it need to preserve or add?
+
+3. **Implement the intent against the new upstream code.** If the patch's
+   purpose is "add BoringSSL compatibility", add only the compatibility
+   layer — don't also restore old code that upstream separately removed.
+
+### Lesson: Upstream Removals Break Patch References
+
+- **Trigger:** Patch conflict involves an upstream refactor (not just context drift)
+- **Strategy:** After identifying the upstream commit, check its full diff for
+  removed types, members, and methods. If the patch's old code references
+  something removed, the resolution must use the new upstream mechanism.
+
+### Lesson: Separate Patch Purpose from Patch Implementation
+
+- **Trigger:** Conflict between "upstream simplified code" vs "patch has older code"
+- **Strategy:** Identify the *minimal* change the patch needs. If the patch
+  wraps code in a conditional, only add the conditional — don't restore old
+  code that was inside the conditional but was separately cleaned up upstream.
+
+### Lesson: Finish the Adaptation at Conflict Time
+
+- **Trigger:** A patch conflict involves an upstream API removal or replacement
+- **Strategy:** When resolving the conflict, fully adapt the patch to use the
+  new API in the same commit. Don't remove the old code and leave behind stale
+  references that will "be fixed in Phase Two." Each patch fix commit should be
+  a complete resolution.
+
+## Common Failure Patterns
+
+| Pattern | Cause | Solution |
+|---------|-------|----------|
+| Context lines don't match | Surrounding code changed | Update context in patch |
+| File not found | File renamed/moved | Update patch target path |
+| Function not found | Refactored upstream | Find new function name |
+| OpenSSL → BoringSSL mismatch | Crypto API change | Update to BoringSSL-compatible API |
+| GYP/GN build change | Build system refactor | Adapt build patch to new structure |
+| Deleted code | Feature removed | Verify patch still needed |
+| V8 API bridge patch conflicts | Node.js caught up to Chromium's V8 | Patch may be deletable — verify the API is now in Node.js' V8 natively |
+
+## Using Git Blame
+
+To find the commit that changed specific lines:
+
+```bash
+cd ../third_party/electron_node
+git blame -L {start},{end} -- {file}
+git log -1 {commit_sha}  # Look for PR-URL: line
+```
+
+## Verifying Patch Necessity
+
+Before deleting a patch, verify:
+1. The patched functionality was intentionally removed upstream
+2. Electron doesn't need the patch for other reasons
+3. No other code depends on the patched behavior
+
+**V8 bridge patches:** Electron uses Chromium's V8, which is often ahead of the V8 bundled in Node.js. Many patches exist to bridge this version gap — adapting Node.js code to work with newer V8 APIs that Chromium's V8 exposes. During major Node.js upgrades, Node.js' V8 catches up to Chromium's, and these bridge patches often become unnecessary. Check whether the API the patch shims is now available natively in the new Node.js version's V8.
+
+When in doubt, keep the patch and adapt it.
+
+## Phase Two: Build-Time Patch Issues
+
+Sometimes patches that applied successfully in Phase One cause build errors in Phase Two. This can happen when:
+
+1. **Incomplete types**: A patch disables a header include, but new upstream code uses the type
+2. **Missing members**: A patch modifies a class, but upstream added new code referencing the original
+
+### Finding Which Patch Affects a File
+
+```bash
+grep -l "filename.cc" patches/node/*.patch
+```
+
+### Matching Existing Patch Patterns
+
+When fixing build errors in patched files, examine the existing patch to understand its style:
+- Does it use `#if 0` / `#endif` guards?
+- Does it use `#if BUILDFLAG(...)` conditionals?
+- Does it use `#ifndef` / `#ifdef` guards for BoringSSL vs OpenSSL?
+- What's the pattern for disabled functionality?
+
+Apply fixes consistent with the existing patch style.

.claude/skills/electron-node-upgrade/references/phase-one-commit-guidelines.md

@@ -0,0 +1,111 @@
+# Phase One Commit Guidelines
+
+Only follow these instructions if there are uncommitted changes to `patches/` after Phase One succeeds.
+
+Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
+
+## Each Commit Must Be Complete
+
+When resolving a patch conflict, fully adapt the patch to the new upstream code in the same commit. If the upstream change removes an API the patch uses, update the patch to use the replacement API now — don't leave stale references knowing they'll need fixing later. The goal is that each commit represents a finished resolution, not a partial one that defers known work to a future phase.
+
+## Commit Message Style
+
+**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters.
+
+Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
+
+### Patch conflict fixes
+
+Use `fix(patch):` prefix. The title should name the upstream change, not your response to it:
+
+```
+fix(patch): {topic headline}
+
+Ref: {Node.js commit or issue link}
+
+Co-Authored-By: <AI model attribution>
+```
+
+Only add a description body if it provides clarity beyond the title. For straightforward context drift or simple API renames, the title + Ref is sufficient.
+
+Examples:
+- `fix(patch): stop using v8::PropertyCallbackInfo<T>::This()`
+- `fix(patch): BoringSSL and OpenSSL incompatibilities`
+- `fix(patch): refactor module_wrap.cc FixedArray::Get params`
+
+### Upstreamed patch removal
+
+When patches are no longer needed (applied cleanly with "already applied" or confirmed upstreamed), group ALL removals into a single commit:
+
+```
+chore: remove upstreamed patch
+```
+
+or (if multiple):
+
+```
+chore: remove upstreamed patches
+```
+
+Most Node.js patches in Electron are Electron-authored (no upstream `PR-URL:`). If the patch originated from an upstream Node.js PR, no extra `Ref:` is needed. Otherwise, add a `Ref:` pointing to the relevant Node.js issue or commit if one exists.
+
+### Trivial patch updates
+
+After all fix commits, stage remaining trivial changes (index, line numbers, context only):
+
+```bash
+git add patches
+git commit -m "chore: update patches (trivial only)"
+```
+
+**Conflict resolution can produce trivial results.** A `git am` conflict doesn't always mean the patch content changed — context drift alone can cause a conflict. After resolving and exporting, inspect the patch diff: if only index hashes, line numbers, and context lines changed (not the patch's own `+`/`-` lines), it's trivial and belongs here, not in a `fix(patch):` commit.
+
+## Atomic Commits
+
+Each patch conflict fix gets its own commit with its own Ref.
+
+IMPORTANT: Try really hard to find the PR or commit reference per the instructions below. Each change you made should in theory have been in response to a change made in Node.js that you identified or can identify. Try for a while to identify and include the ref in the commit message. Do not give up easily.
+
+## Finding Commit/Issue References
+
+Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
+
+```
+PR-URL: https://github.com/nodejs/node/pull/XXXXX
+```
+
+or issue references in the patch itself:
+
+```
+Refs: https://github.com/nodejs/node/issues/XXXXX
+```
+
+Note: Most Node.js patches in Electron are Electron-authored and won't have upstream references. In that case, check `git log` in the Node.js repo to find which upstream commit caused the conflict.
+
+If no reference found after searching: `Ref: Unable to locate reference`
+
+## Example Commits
+
+### Patch conflict fix (simple — title is sufficient)
+
+```
+fix(patch): stop using v8::PropertyCallbackInfo<T>::This()
+
+Ref: https://github.com/nodejs/node/issues/60616
+
+Co-Authored-By: <AI model attribution>
+```
+
+### Patch conflict fix (complex — description adds value)
+
+```
+fix(patch): BoringSSL and OpenSSL incompatibilities
+
+Upstream updated OpenSSL APIs that diverge from BoringSSL. Adapted
+the compatibility shims in crypto patches to use the BoringSSL
+equivalents.
+
+Ref: Unable to locate reference
+
+Co-Authored-By: <AI model attribution>
+```

.claude/skills/electron-node-upgrade/references/phase-two-commit-guidelines.md

@@ -0,0 +1,96 @@
+# Phase Two Commit Guidelines
+
+Only follow these instructions if there are uncommitted changes in the Electron repo after any fixes are made during Phase Two that result a target that was failing, successfully building.
+
+Ignore other instructions about making commit messages, our guidelines are CRITICALLY IMPORTANT and must be followed.
+
+## Commit Message Style
+
+**Titles** follow the 60/80-character guideline: simple changes fit within 60 characters, otherwise the limit is 80 characters. Exception: upstream Node.js PR titles are used verbatim even if longer.
+
+Always include a `Co-Authored-By` trailer identifying the AI model that assisted (e.g., `Co-Authored-By: <AI model attribution>`).
+
+## Two Commit Types
+
+### For Electron Source Changes (shell/, electron/, etc.)
+
+When the upstream Node.js commit has a `PR-URL:`:
+
+```
+node#{PR-Number}: {upstream PR's original title}
+
+Ref: {Node.js PR link}
+
+Co-Authored-By: <AI model attribution>
+```
+
+When there is no `PR-URL:` but there is an issue reference or commit:
+
+```
+fix: {description of the adaptation}
+
+Ref: {Node.js issue or commit link}
+
+Co-Authored-By: <AI model attribution>
+```
+
+Use the **upstream commit's original title** when available — do not paraphrase or rewrite it. To find it: check the commit message in `../third_party/electron_node` for `PR-URL:` or `Refs:` lines.
+
+Only add a description body if it provides clarity beyond what the title already says (e.g., when Electron's adaptation is non-obvious). For simple renames, method additions, or straightforward API updates, the title + Ref link is sufficient.
+
+Each change should have its own commit and its own Ref. Logically group into commits that make sense rather than one giant commit. You may include multiple "Ref" links if required.
+
+IMPORTANT: Try really hard to find a reference. Each change you made should in theory have been in response to a change in Node.js. Check `git log` and `git blame` in the Node.js repo. Do not give up easily.
+
+### For Patch Updates (patches/node/*.patch)
+
+Use the same fixup workflow as Phase One and follow `references/phase-one-commit-guidelines.md` for the commit message format (`fix(patch):` prefix, topic style).
+
+## Dependent Patch Header Updates
+
+After any patch modification, check for other affected patches:
+
+```bash
+git status
+# If other .patch files show as modified with only index, line number, and context changes:
+git add patches/
+git commit -m "chore: update patches (trivial only)"
+```
+
+## Finding References
+
+Use `git log` or `git blame` on Node.js source files in `../third_party/electron_node`. Look for:
+
+```
+PR-URL: https://github.com/nodejs/node/pull/XXXXX
+Refs: https://github.com/nodejs/node/issues/XXXXX
+```
+
+Note: Many Node.js patches in Electron are Electron-authored and won't have upstream `PR-URL:` lines. Check the patch's own commit message for `Refs:` lines, or use `git log` in the Node.js repo to find which upstream commit caused the build break.
+
+If no reference found after searching: `Ref: Unable to locate reference`
+
+## Example Commits
+
+### Electron Source Fix (with upstream PR)
+
+```
+node#61898: src: stop using v8::PropertyCallbackInfo<T>::This()
+
+Ref: https://github.com/nodejs/node/pull/61898
+
+Co-Authored-By: <AI model attribution>
+```
+
+### Electron Source Fix (with issue reference, no PR)
+
+```
+fix: adapt to v8::PropertyCallbackInfo<T>::This() removal
+
+Updated NodeBindings to use HolderV2() after upstream Node.js
+stopped using the deprecated This() API.
+
+Ref: https://github.com/nodejs/node/issues/60616
+
+Co-Authored-By: <AI model attribution>
+```

.devcontainer/devcontainer.json

@@ -35,7 +35,7 @@
 				"ms-vscode.cpptools",
 				"mutantdino.resourcemonitor",
 				"dsanders11.vscode-electron-build-tools",
-				"dbaeumer.vscode-eslint",
+				"oxc.oxc-vscode",
 				"shakram02.bash-beautify",
 				"marshallofsound.gnls-electron"
 			],

.eslintrc.json

@@ -1,79 +0,0 @@
-{
-  "root": true,
-  "extends": "standard",
-  "parser": "@typescript-eslint/parser",
-  "plugins": ["@typescript-eslint"],
-  "env": {
-    "browser": true
-  },
-  "rules": {
-    "semi": ["error", "always"],
-    "no-var": "error",
-    "no-unused-vars": "off",
-    "guard-for-in": "error",
-    "@typescript-eslint/no-unused-vars": ["error", {
-      "vars": "all",
-      "args": "after-used",
-      "ignoreRestSiblings": true
-    }],
-    "prefer-const": ["error", {
-      "destructuring": "all"
-    }],
-    "n/no-callback-literal": "off",
-    "import/newline-after-import": "error",
-    "import/order": ["error", {
-      "alphabetize": {
-        "order": "asc"
-      },
-      "newlines-between": "always",
-      "pathGroups": [
-        {
-          "pattern": "@electron/internal/**",
-          "group": "external",
-          "position": "before"
-        },
-        {
-          "pattern": "@electron/**",
-          "group": "external",
-          "position": "before"
-        },
-        {
-          "pattern": "{electron,electron/**}",
-          "group": "external",
-          "position": "before"
-        }
-      ],
-      "pathGroupsExcludedImportTypes": [],
-      "distinctGroup": true,
-      "groups": [
-        "external",
-        "builtin",
-        ["sibling", "parent"],
-        "index",
-        "type"
-      ]
-    }]
-  },
-  "parserOptions": {
-    "ecmaVersion": 6,
-    "sourceType": "module"
-  },
-  "overrides": [
-    {
-      "files": "*.ts",
-      "rules": {
-        "no-undef": "off",
-        "no-redeclare": "off",
-        "@typescript-eslint/no-redeclare": ["error"],
-        "no-use-before-define": "off"
-      }
-    },
-    {
-      "files": "*.d.ts",
-      "rules": {
-        "no-useless-constructor": "off",
-        "@typescript-eslint/no-unused-vars": "off"
-      }
-    }
-  ]
-}

.github/CODEOWNERS

@@ -19,6 +19,7 @@ DEPS                                    @electron/wg-upgrades
 /lib/renderer/security-warnings.ts      @electron/wg-security
 
 # Infra WG
+/.claude/                               @electron/wg-infra
 /.github/actions/                       @electron/wg-infra
 /.github/workflows/*-publish.yml        @electron/wg-infra
 /.github/workflows/build.yml            @electron/wg-infra

.github/PULL_REQUEST_TEMPLATE.md

@@ -5,13 +5,18 @@ Thank you for your Pull Request. Please provide a description above and review
 the requirements below.
 
 Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.md
+
+Using a coding agent / AI? Read the policy: https://github.com/electron/governance/blob/main/policy/ai.md
+
+NOTE: PRs submitted that do not follow this template will be automatically closed.
 -->
 
 #### Checklist
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] PR description included
-- [ ] I have built and tested this PR
+- [ ] I have built and tested this change
+- [ ] I have filled out the PR description
+- [ ] [I have reviewed and verified the changes](https://github.com/electron/governance/blob/main/policy/ai.md)
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)

.github/actions/build-electron/action.yml

@@ -47,6 +47,16 @@ runs:
     - name: Add Clang problem matcher
       shell: bash
       run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
+    - name: Download previous object checksums
+      shell: bash
+      if: ${{ (github.event_name == 'push' || github.event_name == 'pull_request') && inputs.is-asan != 'true' }}
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        ARTIFACT_NAME: object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json
+        SEARCH_BRANCH: ${{ case(github.event_name == 'push', github.ref_name, github.event.pull_request.base.ref) }}
+        REPO: ${{ github.repository }}
+        OUTPUT_PATH: src/previous-object-checksums.json
+      run: node src/electron/.github/actions/build-electron/download-previous-object-checksums.mjs
     - name: Build Electron ${{ inputs.step-suffix }}
       if: ${{ inputs.target-platform != 'win' }}
       shell: bash
@@ -72,12 +82,17 @@ runs:
         cp out/Default/.ninja_log out/electron_ninja_log
         node electron/script/check-symlinks.js
 
-        # Upload build stats to Datadog
-        if ! [ -z $DD_API_KEY ]; then
-          npx node electron/script/build-stats.mjs out/Default/siso.INFO --upload-stats || true          
+        # Build stats and object checksums
+        BUILD_STATS_ARGS="out/Default/siso.INFO --out-dir out/Default --output-object-checksums object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json"
+        if [ -f previous-object-checksums.json ]; then
+          BUILD_STATS_ARGS="$BUILD_STATS_ARGS --input-object-checksums previous-object-checksums.json"
+        fi
+        if ! [ -z "$DD_API_KEY" ]; then
+          BUILD_STATS_ARGS="$BUILD_STATS_ARGS --upload-stats"
         else
           echo "Skipping build-stats.mjs upload because DD_API_KEY is not set"
         fi
+        node electron/script/build-stats.mjs $BUILD_STATS_ARGS || true
     - name: Build Electron (Windows) ${{ inputs.step-suffix }}
       if: ${{ inputs.target-platform == 'win' }}
       shell: powershell
@@ -95,16 +110,21 @@ runs:
         Copy-Item out\Default\.ninja_log out\electron_ninja_log
         node electron\script\check-symlinks.js
 
-        # Upload build stats to Datadog
+        # Build stats and object checksums
+        $statsArgs = @("out\Default\siso.exe.INFO", "--out-dir", "out\Default", "--output-object-checksums", "object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json")
+        if (Test-Path previous-object-checksums.json) {
+          $statsArgs += @("--input-object-checksums", "previous-object-checksums.json")
+        }
         if ($env:DD_API_KEY) {
-          try {
-            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats ; $LASTEXITCODE = 0
-          } catch {
-            Write-Host "Build stats upload failed, continuing..."
-          }
+          $statsArgs += "--upload-stats"
         } else {
           Write-Host "Skipping build-stats.mjs upload because DD_API_KEY is not set"
         }
+        try {
+          & node electron\script\build-stats.mjs @statsArgs ; $LASTEXITCODE = 0
+        } catch {
+          Write-Host "Build stats failed, continuing..."
+        }
     - name: Verify dist.zip ${{ inputs.step-suffix }}
       shell: bash
       run: |
@@ -128,6 +148,9 @@ runs:
         fi
         sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
         sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--reorder-builtins/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--warn-about-builtin-profile-data/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--abort-on-bad-builtin-profile-data/d' out/Default/mksnapshot_args
 
         if [ "${{ inputs.target-platform }}" = "win" ]; then
           cd out/Default
@@ -205,7 +228,17 @@ runs:
       if: ${{ inputs.is-release == 'true' }}
       run: |
         cd src
-        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $GN_EXTRA_ARGS"
+        # Reuse the hermetic mac_sdk_path that `e build` wrote for out/Default so
+        # out/ffmpeg builds against the same SDK instead of the runner's system Xcode.
+        # The path has to live under root_build_dir, so copy the symlink tree and
+        # rewrite Default -> ffmpeg.
+        MAC_SDK_ARG=""
+        if [ "$(uname)" = "Darwin" ]; then
+          mkdir -p out/ffmpeg
+          cp -a out/Default/xcode_links out/ffmpeg/
+          MAC_SDK_ARG=$(sed -n 's|^\(mac_sdk_path = "//out/\)Default/|\1ffmpeg/|p' out/Default/args.gn)
+        fi
+        gn gen out/ffmpeg --args="import(\"//electron/build/args/ffmpeg.gn\") use_remoteexec=true use_siso=true $MAC_SDK_ARG $GN_EXTRA_ARGS"
         e build --target electron:electron_ffmpeg_zip -C ../../out/ffmpeg
     - name: Remove Clang problem matcher
       shell: bash
@@ -274,18 +307,25 @@ runs:
       run: ./src/electron/script/actions/move-artifacts.sh
     - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
       if: always() && !cancelled()
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
     - name: Upload Src Artifacts ${{ inputs.step-suffix }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
     - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
       if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src/out/Default/gen
+    - name: Upload Object Checksums ${{ inputs.step-suffix }}
+      if: ${{ always() && !cancelled() && inputs.is-asan != 'true' }}
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: object_checksums_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
+        path: ./src/object-checksums.${{ inputs.artifact-platform }}_${{ inputs.target-arch }}.json
+        archive: false

.github/actions/build-electron/download-previous-object-checksums.mjs

@@ -0,0 +1,82 @@
+import { Octokit } from '@octokit/rest';
+
+import { writeFileSync } from 'node:fs';
+
+const token = process.env.GITHUB_TOKEN;
+const repo = process.env.REPO;
+const artifactName = process.env.ARTIFACT_NAME;
+const branch = process.env.SEARCH_BRANCH;
+const outputPath = process.env.OUTPUT_PATH;
+
+const required = { GITHUB_TOKEN: token, REPO: repo, ARTIFACT_NAME: artifactName, SEARCH_BRANCH: branch, OUTPUT_PATH: outputPath };
+const missing = Object.entries(required).filter(([, v]) => !v).map(([k]) => k);
+if (missing.length > 0) {
+  console.error(`Missing required environment variables: ${missing.join(', ')}`);
+  process.exit(1);
+}
+
+const [owner, repoName] = repo.split('/');
+const octokit = new Octokit({ auth: token });
+
+async function main () {
+  console.log(`Searching for artifact '${artifactName}' on branch '${branch}'...`);
+
+  // Resolve the "Build" workflow name to an ID, mirroring how `gh run list --workflow` works
+  // under the hood (it uses /repos/{owner}/{repo}/actions/workflows/{id}/runs).
+  const { data: workflows } = await octokit.actions.listRepoWorkflows({ owner, repo: repoName });
+  const buildWorkflow = workflows.workflows.find((w) => w.name === 'Build');
+  if (!buildWorkflow) {
+    console.log('Could not find "Build" workflow, continuing without previous checksums');
+    return;
+  }
+
+  const { data: runs } = await octokit.actions.listWorkflowRuns({
+    owner,
+    repo: repoName,
+    workflow_id: buildWorkflow.id,
+    branch,
+    status: 'completed',
+    event: 'push',
+    per_page: 20,
+    exclude_pull_requests: true
+  });
+
+  for (const run of runs.workflow_runs) {
+    const { data: artifacts } = await octokit.actions.listWorkflowRunArtifacts({
+      owner,
+      repo: repoName,
+      run_id: run.id,
+      name: artifactName
+    });
+
+    if (artifacts.artifacts.length > 0) {
+      const artifact = artifacts.artifacts[0];
+      console.log(`Found artifact in run ${run.id} (artifact ID: ${artifact.id}), downloading...`);
+
+      // Non-archived artifacts are still downloaded from the /zip endpoint
+      const response = await octokit.actions.downloadArtifact({
+        owner,
+        repo: repoName,
+        artifact_id: artifact.id,
+        archive_format: 'zip'
+      });
+
+      if (response.headers['content-type'] !== 'application/json') {
+        console.error(`Unexpected content type for artifact download: ${response.headers['content-type']}`);
+        console.error('Expected application/json, continuing without previous checksums');
+        return;
+      }
+
+      writeFileSync(outputPath, JSON.stringify(response.data));
+      console.log('Downloaded previous object checksums successfully');
+      return;
+    }
+  }
+
+  console.log(`No previous object checksums found in last ${runs.workflow_runs.length} runs, continuing without them`);
+}
+
+main().catch((err) => {
+  console.error('Failed to download previous object checksums, continuing without them:', err.message);
+  process.exit(0);
+});

.github/actions/checkout/action.yml

@@ -28,7 +28,7 @@ runs:
     shell: bash
     run: |
       node src/electron/script/generate-deps-hash.js
-      DEPSHASH="v1-src-cache-$(cat src/electron/.depshash)"
+      DEPSHASH="v2-src-cache-$(cat src/electron/.depshash)"
       echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
       echo "CACHE_FILE=$DEPSHASH.tar" >> $GITHUB_ENV
       if [ "${{ inputs.target-platform }}" = "win" ]; then
@@ -43,7 +43,7 @@ runs:
       curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}&getAccountName=true" > sas-token
   - name: Save SAS Key
     if: ${{ inputs.generate-sas-token == 'true' }}
-    uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+    uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -109,7 +109,7 @@ runs:
         echo "target_os=['$TARGET_OS']" >> ./.gclient
       fi
 
-      ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags -vv
+      ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=0 DEPOT_TOOLS_WIN_TOOLCHAIN=0 ELECTRON_USE_THREE_WAY_MERGE_FOR_PATCHES=1 e d gclient sync --with_branch_heads --with_tags
       if [[ "${{ inputs.is-release }}" != "true" ]]; then
         # Re-export all the patches to check if there were changes.
         python3 src/electron/script/export_all_patches.py src/electron/patches/config.json
@@ -187,21 +187,35 @@ runs:
     shell: bash
     run: |
       echo "Uncompressed src size: $(du -sh src | cut -f1 -d' ')"
-      tar -cf $CACHE_FILE src
+      # Named .tar but zstd-compressed; the sas-sidecar's filename allowlist
+      # only permits .tar/.tgz so we keep the extension and decode on restore.
+      tar -cf - src | zstd -T0 --long=30 -f -o $CACHE_FILE
       echo "Compressed src to $(du -sh $CACHE_FILE | cut -f1 -d' ')"
-      cp ./$CACHE_FILE $CACHE_DRIVE/
   - name: Persist Src Cache
     if: ${{ steps.check-cache.outputs.cache_exists == 'false' && inputs.use-cache == 'true' }}
     shell: bash
     run: |
       final_cache_path=$CACHE_DRIVE/$CACHE_FILE
+      # Upload to a run-unique temp name first so concurrent readers never
+      # observe a partially-written file, and an interrupted copy can't leave
+      # a truncated file at the final path. Orphaned temp files get swept by
+      # the clean-orphaned-cache-uploads workflow.
+      tmp_cache_path=$final_cache_path.upload-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}
+      echo "Uploading to temp path: $tmp_cache_path"
+      cp ./$CACHE_FILE $tmp_cache_path
+
       echo "Using cache key: $DEPSHASH"
-      echo "Checking path: $final_cache_path"
+      if [ -f "$final_cache_path" ]; then
+        echo "Cache already persisted at $final_cache_path by a concurrent run; discarding ours"
+        rm -f $tmp_cache_path
+      else
+        mv -f $tmp_cache_path $final_cache_path
+        echo "Cache key persisted in $final_cache_path"
+      fi
+
       if [ ! -f "$final_cache_path" ]; then
         echo "Cache key not found"
         exit 1
-      else
-        echo "Cache key persisted in $final_cache_path"
       fi
   - name: Wait for active SSH sessions
     shell: bash

.github/actions/cipd-install/action.yml

@@ -22,30 +22,50 @@ runs:
   steps:
     - name: Delete wrong ${{ inputs.dependency }}
       shell: bash
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
       run : |
-        rm -rf ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }}
+        rm -rf "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}"
     - name: Create ensure file for ${{ inputs.dependency }}
       if: ${{ inputs.dependency-version == '' }}
       shell: bash
+      env:
+        PACKAGE: ${{ inputs.package }}
+        DEPS_FILE: ${{ inputs.deps-file }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo '${{ inputs.package }}' `e d gclient getdep --deps-file=${{ inputs.deps-file }} -r '${{ inputs.installation-dir }}:${{ inputs.package }}'` > ${{ inputs.dependency }}_ensure_file
-        cat ${{ inputs.dependency }}_ensure_file
+        echo "$PACKAGE" $(e d gclient getdep --deps-file="$DEPS_FILE" -r "${INSTALLATION_DIR}:${PACKAGE}") > "${DEPENDENCY}_ensure_file"
+        cat "${DEPENDENCY}_ensure_file"
 
     - name: Create ensure file for ${{ inputs.dependency }} from dependency-version
       if: ${{ inputs.dependency-version != '' }}
       shell: bash
+      env:
+        PACKAGE: ${{ inputs.package }}
+        DEPENDENCY_VERSION: ${{ inputs.dependency-version }}
+        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo '${{ inputs.package }} ${{ inputs.dependency-version }}'  > ${{ inputs.dependency }}_ensure_file
-        cat ${{ inputs.dependency }}_ensure_file
+        echo "$PACKAGE $DEPENDENCY_VERSION" > "${DEPENDENCY}_ensure_file"
+        cat "${DEPENDENCY}_ensure_file"
     - name: CIPD installation of ${{ inputs.dependency }} (macOS)
       if: ${{ inputs.target-platform != 'win' }}
       shell: bash
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo "ensuring ${{ inputs.dependency }}"
-        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
+        echo "ensuring $DEPENDENCY"
+        e d cipd ensure --root "${CIPD_ROOT_PREFIX}${INSTALLATION_DIR}" -ensure-file "${DEPENDENCY}_ensure_file"
     - name: CIPD installation of ${{ inputs.dependency }} (Windows)
       if: ${{ inputs.target-platform == 'win' }}
       shell: powershell
+      env:
+        CIPD_ROOT_PREFIX: ${{ inputs.cipd-root-prefix-path }}
+        INSTALLATION_DIR: ${{ inputs.installation-dir }}
+        DEPENDENCY: ${{ inputs.dependency }}
       run: |
-        echo "ensuring ${{ inputs.dependency }} on Windows"
-        e d cipd ensure --root ${{ inputs.cipd-root-prefix-path }}${{ inputs.installation-dir }} -ensure-file ${{ inputs.dependency }}_ensure_file
+        echo "ensuring $env:DEPENDENCY on Windows"
+        e d cipd ensure --root "$env:CIPD_ROOT_PREFIX$env:INSTALLATION_DIR" -ensure-file "$($env:DEPENDENCY)_ensure_file"

.github/actions/fix-sync/action.yml

@@ -27,6 +27,7 @@ runs:
         python3 src/tools/clang/scripts/update.py
         # Refs https://chromium-review.googlesource.com/c/chromium/src/+/6667681
         python3 src/tools/clang/scripts/update.py --package objdump
+        python3 src/tools/clang/scripts/update.py --package clang-tidy
     - name: Fix esbuild
       if: ${{ inputs.target-platform != 'linux' }}
       uses: ./src/electron/.github/actions/cipd-install

.github/actions/install-build-tools/action.yml

@@ -15,7 +15,7 @@ runs:
         git config --global core.preloadindex true
         git config --global core.longpaths true
       fi
-      export BUILD_TOOLS_SHA=a0cc95a1884a631559bcca0c948465b725d9295a
+      export BUILD_TOOLS_SHA=1b7bd25dae4a780bb3170fff56c9327b53aaf7eb
       npm i -g @electron/build-tools
       # Update depot_tools to ensure python
       e d update_depot_tools
@@ -29,4 +29,4 @@ runs:
       else
         echo "$HOME/.electron_build_tools/third_party/depot_tools" >> $GITHUB_PATH
         echo "$HOME/.electron_build_tools/third_party/depot_tools/python-bin" >> $GITHUB_PATH
-      fi
+      fi

.github/actions/install-dependencies/action.yml

@@ -7,7 +7,7 @@ runs:
     shell: bash
     id: yarn-cache-dir-path
     run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
-  - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+  - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     id: yarn-cache
     with:
       path: ${{ steps.yarn-cache-dir-path.outputs.dir }}

.github/actions/restore-cache-aks/action.yml

@@ -31,7 +31,7 @@ runs:
       fi
 
       mkdir temp-cache
-      tar -xf $cache_path -C temp-cache
+      zstd -d --long=30 -c $cache_path | tar -xf - -C temp-cache
       echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
 
       if [ -d "temp-cache/src" ]; then

.github/actions/restore-cache-azcopy/action.yml

@@ -8,14 +8,14 @@ runs:
   steps:
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-1
       enableCrossOsArchive: true
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -24,7 +24,7 @@ runs:
     # The cache will always exist here as a result of the checkout job
     # Either it was uploaded to Azure in the checkout job for this commit
     # or it was uploaded in the checkout job for a previous commit.
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3
@@ -61,9 +61,9 @@ runs:
         echo "Cache is empty - exiting"
         exit 1
       fi
-      
+
       mkdir temp-cache
-      tar -xf $DEPSHASH.tar -C temp-cache
+      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
       echo "Unzipped cache is $(du -sh temp-cache/src | cut -f1)"
 
       if [ -d "temp-cache/src" ]; then
@@ -85,23 +85,21 @@ runs:
 
   - name: Unzip and Ensure Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}
-    shell: powershell
+    shell: bash
     run: |
-      $src_cache = "$env:DEPSHASH.tar"
-      $cache_size = $(Get-Item $src_cache).length
-      Write-Host "Downloaded cache is $cache_size"
-      if ($cache_size -eq 0) {
-        Write-Host "Cache is empty - exiting"
+      echo "Downloaded cache is $(du -sh $DEPSHASH.tar | cut -f1)"
+      if [ `du $DEPSHASH.tar | cut -f1` = "0" ]; then
+        echo "Cache is empty - exiting"
         exit 1
-      }
+      fi
 
-      $TEMP_DIR=New-Item -ItemType Directory -Path temp-cache
-      $TEMP_DIR_PATH = $TEMP_DIR.FullName
-      C:\ProgramData\Chocolatey\bin\7z.exe -y -snld20 x $src_cache -o"$TEMP_DIR_PATH"
+      mkdir temp-cache
+      zstd -d --long=30 -c $DEPSHASH.tar | tar -xf - -C temp-cache
+      rm -f $DEPSHASH.tar
 
   - name: Move Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3
@@ -112,9 +110,6 @@ runs:
           Write-Host "Relocating Cache"
           Remove-Item -Recurse -Force src
           Move-Item temp-cache\src src
-
-          Write-Host "Deleting zip file"
-          Remove-Item -Force $src_cache
         }
         if (-Not (Test-Path "src\third_party\blink")) {
           Write-Host "Cache was not correctly restored - exiting"

.github/actions/set-chromium-cookie/action.yml

@@ -7,7 +7,7 @@ runs:
     if: ${{ runner.os != 'Windows' }}
     shell: bash
     run: |
-      if [[ -z "${{ env.CHROMIUM_GIT_COOKIE }}" ]]; then
+      if [[ -z "$CHROMIUM_GIT_COOKIE" ]]; then
         echo "CHROMIUM_GIT_COOKIE is not set - cannot authenticate."
         exit 0
       fi
@@ -18,9 +18,7 @@ runs:
 
       git config --global http.cookiefile ~/.gitcookies
 
-      tr , \\t <<\__END__ >>~/.gitcookies
-      ${{ env.CHROMIUM_GIT_COOKIE }}
-      __END__
+      echo "$CHROMIUM_GIT_COOKIE" | tr , \\t >>~/.gitcookies
       eval 'set -o history' 2>/dev/null || unsetopt HIST_IGNORE_SPACE 2>/dev/null
 
       RESPONSE=$(curl -s -b ~/.gitcookies https://chromium-review.googlesource.com/a/accounts/self)
@@ -42,7 +40,7 @@ runs:
       )
 
       git config --global http.cookiefile "%USERPROFILE%\.gitcookies"
-      powershell -noprofile -nologo -command Write-Output "${{ env.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }}" >>"%USERPROFILE%\.gitcookies"
+      powershell -noprofile -nologo -command Write-Output $env:CHROMIUM_GIT_COOKIE_WINDOWS_STRING >>"%USERPROFILE%\.gitcookies"
 
       curl -s -b "%USERPROFILE%\.gitcookies" https://chromium-review.googlesource.com/a/accounts/self > response.txt
 

.github/copilot-instructions.md

@@ -81,7 +81,7 @@ When working on the `roller/chromium/main` branch for Chromium upgrades, use `e
 
 - JS/TS files: kebab-case (`file-name.ts`)
 - C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
-- Test files: `api-{module-name}-spec.ts` in `spec/`
+- Test files: `api-{module-name}.spec.ts` in `spec/`
 - Source file lists are maintained in `filenames.gni` (with platform-specific sections)
 
 ### JavaScript/TypeScript

.github/problem-matchers/clang.json

@@ -5,7 +5,7 @@
       "fromPath": "src/out/Default/args.gn",
       "pattern": [
         {
-          "regexp": "^(.+)[(:](\\d+)[:,](\\d+)\\)?:\\s+(warning|error):\\s+(.*)$",
+          "regexp": "^(.+)[(:](\\d+)[:,](\\d+)\\)?:\\s+(warning|fatal error|error):\\s+(.*)$",
           "file": 1,
           "line": 2,
           "column": 3,

.github/problem-matchers/eslint-stylish.json

@@ -1,22 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "eslint-stylish",
-      "pattern": [
-        {
-          "regexp": "^\\s*([^\\s].*)$",
-          "file": 1
-        },
-        {
-          "regexp": "^\\s+(\\d+):(\\d+)\\s+(error|warning|info)\\s+(.*)\\s\\s+(.*)$",
-          "line": 1,
-          "column": 2,
-          "severity": 3,
-          "message": 4,
-          "code": 5,
-          "loop": true
-        }
-      ]
-    }
-  ]
-}

.github/workflows/apply-patches.yml

@@ -26,7 +26,7 @@ jobs:
     # Use dorny/paths-filter instead of the path filter under the on: pull_request: block
     # so that the output can be used to conditionally run the apply-patches job, which lets
     # the job be marked as a required status check (conditional skip counts as a success).
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+    - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
       id: filter
       with:
         filters: |

.github/workflows/archaeologist-dig.yml

@@ -21,17 +21,21 @@ jobs:
         with:
           node-version: 24.12.x
       - name: Setting Up Dig Site
+        env:
+          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          echo "remote: ${{ github.event.pull_request.head.repo.clone_url }}"
-          echo "sha ${{ github.event.pull_request.head.sha }}"
-          echo "base ref ${{ github.event.pull_request.base.ref }}"
-          git clone https://github.com/electron/electron.git electron          
+          echo "remote: $CLONE_URL"
+          echo "sha $HEAD_SHA"
+          echo "base ref $BASE_REF"
+          git clone https://github.com/electron/electron.git electron
           cd electron
           mkdir -p artifacts
-          git remote add fork ${{ github.event.pull_request.head.repo.clone_url }} && git fetch fork
-          git checkout  ${{ github.event.pull_request.head.sha }}
-          git merge-base origin/${{ github.event.pull_request.base.ref }} HEAD > .dig-old
-          echo  ${{ github.event.pull_request.head.sha }} > .dig-new
+          git remote add fork "$CLONE_URL" && git fetch fork
+          git checkout "$HEAD_SHA"
+          git merge-base "origin/$BASE_REF" HEAD > .dig-old
+          echo "$HEAD_SHA" > .dig-new
           cp .dig-old artifacts
 
       - name: Generating Types for SHA in .dig-new

.github/workflows/audit-branch-ci.yml

@@ -87,6 +87,8 @@ jobs:
                       !message.startsWith("The hosted runner lost communication with the server") &&
                       !message.startsWith("Dependabot encountered an error performing the update") &&
                       !message.startsWith("The action 'Run Electron Tests' has timed out") &&
+                      !message.startsWith("The operation was canceled") &&
+                      !message.startsWith("Canceling since") &&
                       !/Unable to make request/.test(message) &&
                       !/The requested URL returned error/.test(message),
                   )

.github/workflows/branch-created.yml

@@ -157,7 +157,7 @@ jobs:
             }))
       - name: Create Release Project Board
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: dsanders11/project-actions/copy-project@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/copy-project@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         id: create-release-board
         with:
           drafts: true
@@ -177,7 +177,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
       - name: Find Previous Release Project Board
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: dsanders11/project-actions/find-project@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/find-project@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         id: find-prev-release-board
         with:
           fail-if-project-not-found: false
@@ -185,7 +185,7 @@ jobs:
           token: ${{ steps.generate-token.outputs.token }}
       - name: Close Previous Release Project Board
         if: ${{ steps.find-prev-release-board.outputs.number }}
-        uses: dsanders11/project-actions/close-project@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/close-project@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           project-number: ${{ steps.find-prev-release-board.outputs.number }}
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/build.yml

@@ -61,7 +61,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         ref: ${{ github.event.pull_request.head.sha }}
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+    - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
       id: filter
       with:
         filters: |
@@ -269,7 +269,7 @@ jobs:
     needs: checkout-macos
     with:
       build-runs-on: macos-15-xlarge
-      test-runs-on: macos-15
+      test-runs-on: macos-15-xlarge
       target-platform: macos
       target-arch: arm64
       is-release: false
@@ -290,7 +290,7 @@ jobs:
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
       clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      test-runs-on: electron-arc-centralus-linux-amd64-8core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
@@ -312,7 +312,7 @@ jobs:
     if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
-      test-runs-on: electron-arc-centralus-linux-amd64-4core
+      test-runs-on: electron-arc-centralus-linux-amd64-8core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
@@ -365,6 +365,18 @@ jobs:
       generate-symbols: false
       upload-to-storage: '0'
     secrets: inherit
+    
+  test-linux-arm64-64k:
+    uses: ./.github/workflows/pipeline-segment-electron-test-64k.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    needs: [checkout-linux, linux-arm64]
+    with:
+      test-runs-on: ubuntu-22.04-arm
+      test-container: '{"image":"ghcr.io/electron/test:arm64v8-${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
+    secrets: inherit
 
   windows-x64:
     permissions:
@@ -430,7 +442,7 @@ jobs:
       contents: read
     needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
     if: always() && github.repository == 'electron/electron' && !contains(needs.*.result, 'failure')
-    steps: 
+    steps:
     - name: GitHub Actions Jobs Done
       run: |
         echo "All GitHub Actions Jobs are done"

.github/workflows/clean-orphaned-cache-uploads.yml

@@ -0,0 +1,32 @@
+name: Clean Orphaned Cache Uploads
+
+# Description:
+# Sweeps orphaned in-flight upload temp files left on the src-cache volumes
+# by checkout/action.yml when its cp-to-share step dies before the rename.
+# A successful upload finishes in minutes, so anything older than 4h is dead.
+
+on:
+  schedule:
+    - cron: "0 */4 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  clean-orphaned-uploads:
+    if: github.repository == 'electron/electron'
+    runs-on: electron-arc-centralus-linux-amd64-32core
+    permissions:
+      contents: read
+    container:
+      image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
+      options: --user root
+      volumes:
+        - /mnt/cross-instance-cache:/mnt/cross-instance-cache
+        - /mnt/win-cache:/mnt/win-cache
+    steps:
+    - name: Remove Orphaned Upload Temp Files
+      shell: bash
+      run: |
+        find /mnt/cross-instance-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete
+        find /mnt/win-cache -maxdepth 1 -type f -name '*.tar.upload-*' -mmin +240 -print -delete

.github/workflows/clean-src-cache.yml

@@ -7,6 +7,7 @@ name: Clean Source Cache
 on:
   schedule:
     - cron: "0 0 * * *"
+  workflow_dispatch:
 
 permissions: {}
 
@@ -16,6 +17,8 @@ jobs:
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
+    env:
+      DD_API_KEY: ${{ secrets.DD_API_KEY }}
     container:
       image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
       options: --user root
@@ -23,12 +26,130 @@ jobs:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
         - /mnt/win-cache:/mnt/win-cache
     steps:
+    - name: Get Disk Space Before Cleanup
+      id: disk-before
+      shell: bash
+      run: |
+        echo "Disk space before cleanup:"
+        df -h /mnt/cross-instance-cache
+        df -h /mnt/win-cache
+        CROSS_FREE_BEFORE=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $4}')
+        CROSS_TOTAL=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $2}')
+        WIN_FREE_BEFORE=$(df -k /mnt/win-cache | tail -1 | awk '{print $4}')
+        WIN_TOTAL=$(df -k /mnt/win-cache | tail -1 | awk '{print $2}')
+        echo "cross_free_kb=$CROSS_FREE_BEFORE" >> $GITHUB_OUTPUT
+        echo "cross_total_kb=$CROSS_TOTAL" >> $GITHUB_OUTPUT
+        echo "win_free_kb=$WIN_FREE_BEFORE" >> $GITHUB_OUTPUT
+        echo "win_total_kb=$WIN_TOTAL" >> $GITHUB_OUTPUT
+
     - name: Cleanup Source Cache
       shell: bash
       run: |
-        df -h /mnt/cross-instance-cache
         find /mnt/cross-instance-cache -type f -mtime +15 -delete
+        find /mnt/win-cache -type f -mtime +15 -delete
+
+    - name: Get Disk Space After Cleanup
+      id: disk-after
+      shell: bash
+      run: |
+        echo "Disk space after cleanup:"
         df -h /mnt/cross-instance-cache
         df -h /mnt/win-cache
-        find /mnt/win-cache -type f -mtime +15 -delete
-        df -h /mnt/win-cache
+        CROSS_FREE_AFTER=$(df -k /mnt/cross-instance-cache | tail -1 | awk '{print $4}')
+        WIN_FREE_AFTER=$(df -k /mnt/win-cache | tail -1 | awk '{print $4}')
+        echo "cross_free_kb=$CROSS_FREE_AFTER" >> $GITHUB_OUTPUT
+        echo "win_free_kb=$WIN_FREE_AFTER" >> $GITHUB_OUTPUT
+
+    - name: Log Disk Space to Datadog
+      if: ${{ env.DD_API_KEY != '' }}
+      shell: bash
+      env:
+        CROSS_FREE_BEFORE: ${{ steps.disk-before.outputs.cross_free_kb }}
+        CROSS_FREE_AFTER: ${{ steps.disk-after.outputs.cross_free_kb }}
+        CROSS_TOTAL: ${{ steps.disk-before.outputs.cross_total_kb }}
+        WIN_FREE_BEFORE: ${{ steps.disk-before.outputs.win_free_kb }}
+        WIN_FREE_AFTER: ${{ steps.disk-after.outputs.win_free_kb }}
+        WIN_TOTAL: ${{ steps.disk-before.outputs.win_total_kb }}
+      run: |
+        TIMESTAMP=$(date +%s)
+
+        CROSS_FREE_BEFORE_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_FREE_BEFORE / 1024 / 1024}")
+        CROSS_FREE_AFTER_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_FREE_AFTER / 1024 / 1024}")
+        CROSS_FREED_GB=$(awk "BEGIN {printf \"%.2f\", ($CROSS_FREE_AFTER - $CROSS_FREE_BEFORE) / 1024 / 1024}")
+        CROSS_TOTAL_GB=$(awk "BEGIN {printf \"%.2f\", $CROSS_TOTAL / 1024 / 1024}")
+
+        WIN_FREE_BEFORE_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_FREE_BEFORE / 1024 / 1024}")
+        WIN_FREE_AFTER_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_FREE_AFTER / 1024 / 1024}")
+        WIN_FREED_GB=$(awk "BEGIN {printf \"%.2f\", ($WIN_FREE_AFTER - $WIN_FREE_BEFORE) / 1024 / 1024}")
+        WIN_TOTAL_GB=$(awk "BEGIN {printf \"%.2f\", $WIN_TOTAL / 1024 / 1024}")
+
+        echo "cross-instance-cache: free before=${CROSS_FREE_BEFORE_GB}GB, after=${CROSS_FREE_AFTER_GB}GB, freed=${CROSS_FREED_GB}GB, total=${CROSS_TOTAL_GB}GB"
+        echo "win-cache: free before=${WIN_FREE_BEFORE_GB}GB, after=${WIN_FREE_AFTER_GB}GB, freed=${WIN_FREED_GB}GB, total=${WIN_TOTAL_GB}GB"
+
+        curl -s -X POST "https://api.datadoghq.com/api/v2/series" \
+          -H "Content-Type: application/json" \
+          -H "DD-API-KEY: ${DD_API_KEY}" \
+          -d @- << EOF
+        {
+          "series": [
+            {
+              "metric": "electron.src_cache.disk.free_space_before_cleanup_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREE_BEFORE_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:cross-instance-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.free_space_after_cleanup_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREE_AFTER_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:cross-instance-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.space_freed_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_FREED_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:cross-instance-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.total_space_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${CROSS_TOTAL_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:cross-instance-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.free_space_before_cleanup_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREE_BEFORE_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:win-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.free_space_after_cleanup_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREE_AFTER_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:win-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.space_freed_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_FREED_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:win-cache", "platform:linux"]
+            },
+            {
+              "metric": "electron.src_cache.disk.total_space_gb",
+              "points": [{"timestamp": ${TIMESTAMP}, "value": ${WIN_TOTAL_GB}}],
+              "type": 3,
+              "unit": "gigabyte",
+              "tags": ["volume:win-cache", "platform:linux"]
+            }
+          ]
+        }
+        EOF
+
+        echo "Disk space metrics logged to Datadog"

.github/workflows/issue-commented.yml

@@ -34,30 +34,6 @@ jobs:
         run: |
           gh issue edit $ISSUE_URL --remove-label 'blocked/need-repro','blocked/need-info ❌'
   
-  pr-needs-signed-commits-commented:
-    name: Remove needs-signed-commits on comment
-    if: ${{ github.event.issue.pull_request && (contains(github.event.issue.labels.*.name, 'needs-signed-commits')) && (github.event.comment.user.login == github.event.issue.user.login) }}
-    runs-on: ubuntu-slim
-    steps:
-      - name: Get author association
-        id: get-author-association
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: *get-author-association
-      - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
-        id: generate-token
-        with:
-          creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-      - name: Remove label
-        if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          ISSUE_URL: ${{ github.event.issue.html_url }}
-        run: |
-          gh issue edit $ISSUE_URL --remove-label 'needs-signed-commits'
-  
   pr-reviewer-requested:
     name: Maintainer requested reviewer on PR
     if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/request-review') && github.event.comment.user.type != 'Bot' }}

.github/workflows/issue-labeled.yml

@@ -21,7 +21,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/edit-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90
@@ -42,7 +42,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/edit-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90
@@ -61,9 +61,10 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: electron/electron
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
           set -eo pipefail
-          COMMENT_COUNT=$(gh issue view ${{ github.event.issue.number }} --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
+          COMMENT_COUNT=$(gh issue view "$ISSUE_NUMBER" --comments --json comments | jq '[ .comments[] | select(.author.login == "electron-issue-triage" or .authorAssociation == "OWNER" or .authorAssociation == "MEMBER") | select(.body | startswith("<!-- blocked/need-repro -->")) ] | length')
           if [[ $COMMENT_COUNT -eq 0 ]]; then
             echo "SHOULD_COMMENT=1" >> "$GITHUB_OUTPUT"
           fi
@@ -75,7 +76,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
       - name: Create comment
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
+        uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-opened.yml

@@ -20,7 +20,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Add to Issue Triage
-        uses: dsanders11/project-actions/add-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/add-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           field: Reporter
           field-value: ${{ github.event.issue.user.login }}
@@ -146,7 +146,7 @@ jobs:
             }
       - name: Create unsupported major comment
         if: ${{ steps.add-labels.outputs.unsupportedMajor }}
-        uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
+        uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
         with:
           actions: 'create-comment'
           token: ${{ steps.generate-token.outputs.token }}

.github/workflows/issue-transferred.yml

@@ -20,7 +20,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Remove from issue triage
-        uses: dsanders11/project-actions/delete-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/delete-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90

.github/workflows/issue-unlabeled.yml

@@ -16,9 +16,11 @@ jobs:
     steps:
       - name: Check for any blocked labels
         id: check-for-blocked-labels
+        env:
+          LABELS_JSON: ${{ toJSON(github.event.issue.labels.*.name) }}
         run: |
           set -eo pipefail
-          BLOCKED_LABEL_COUNT=$(echo '${{ toJSON(github.event.issue.labels.*.name) }}' | jq '[ .[] | select(startswith("blocked/")) ] | length')
+          BLOCKED_LABEL_COUNT=$(echo "$LABELS_JSON" | jq '[ .[] | select(startswith("blocked/")) ] | length')
           if [[ $BLOCKED_LABEL_COUNT -eq 0 ]]; then
             echo "NOT_BLOCKED=1" >> "$GITHUB_OUTPUT"
           fi
@@ -31,7 +33,7 @@ jobs:
           org: electron
       - name: Set status
         if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/edit-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 90

.github/workflows/non-maintainer-dependency-change.yml

@@ -10,6 +10,10 @@ on:
       - '.yarn/**'
       - '.yarnrc.yml'
 
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
 permissions: {}
 
 jobs:
@@ -45,5 +49,23 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
         run: |
-          printf "<!-- disallowed-non-maintainer-change -->\n\nHello @${{ github.event.pull_request.user.login }}! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs." | gh pr review $PR_URL -r --body-file=-
+          cat <<'REVIEW_EOF' | sed "s/%AUTHOR%/$PR_AUTHOR/g" | gh pr review $PR_URL -r --body-file=-
+          <!-- disallowed-non-maintainer-change -->
+
+          Hello @%AUTHOR%! It looks like this pull request touches one of our dependency or CI files, and per [our contribution policy](https://github.com/electron/electron/blob/main/CONTRIBUTING.md#dependencies-upgrades-policy) we do not accept these types of changes in PRs.
+
+          To move this PR forward, please:
+
+          1. Revert the dependency/CI file changes from your branch. (e.g. `yarn.lock`, `.yarn/`, `.yarnrc.yml`, `.github/workflows/`, `.github/actions/`)
+          2. Ensure your branch [allows maintainer commits](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) so a maintainer can push the necessary dependency changes on your behalf.
+          3. Leave a comment letting reviewers know the dependency change is still needed.
+
+          <details>
+          <summary>For maintainers</summary>
+
+          To land this PR, push a verified commit to the contributor's branch with the required dependency/CI changes, then dismiss this review.
+
+          </details>
+          REVIEW_EOF

.github/workflows/pipeline-electron-docs-only.yml

@@ -35,7 +35,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AKS

.github/workflows/pipeline-electron-lint.yml

@@ -46,7 +46,11 @@ jobs:
       shell: bash
       run: |
         chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
-        gn_version="$(curl -sL -b ~/.gitcookies "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/DEPS?format=TEXT" | base64 -d | grep gn_version | head -n1 | cut -d\' -f4)"
+        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid chromium_revision: $chromium_revision"
+          exit 1
+        fi
+        gn_version="$(curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/DEPS" | grep gn_version | head -n1 | cut -d\' -f4)"
 
         cipd ensure -ensure-file - -root . <<-CIPD
         \$ServiceURL https://chrome-infra-packages.appspot.com/
@@ -60,15 +64,18 @@ jobs:
       shell: bash
       run: |
         chromium_revision="$(grep -A1 chromium_version src/electron/DEPS | tr -d '\n' | cut -d\' -f4)"
+        if [[ ! "$chromium_revision" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+          echo "::error::Invalid chromium_revision: $chromium_revision"
+          exit 1
+        fi
 
         mkdir -p src/buildtools
-        curl -sL -b ~/.gitcookies "https://chromium.googlesource.com/chromium/src/+/${chromium_revision}/buildtools/DEPS?format=TEXT" | base64 -d > src/buildtools/DEPS
+        curl -sL "https://raw.githubusercontent.com/chromium/chromium/refs/tags/${chromium_revision}/buildtools/DEPS" > src/buildtools/DEPS
 
         gclient sync --spec="solutions=[{'name':'src/buildtools','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':True},'managed':False}]"
     - name: Add problem matchers
       shell: bash
       run: |
-        echo "::add-matcher::src/electron/.github/problem-matchers/eslint-stylish.json"
         echo "::add-matcher::src/electron/.github/problem-matchers/markdownlint.json"
     - name: Run Lint
       shell: bash

.github/workflows/pipeline-segment-electron-build.yml

@@ -156,7 +156,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AZCopy

.github/workflows/pipeline-segment-electron-clang-tidy.yml

@@ -80,7 +80,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AZCopy
@@ -126,7 +126,7 @@ jobs:
         cd src/electron
         git pack-refs
     - name: Download Out Gen Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -81,7 +81,7 @@ jobs:
     - name: Generate DEPS Hash
       run: |
         node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
         echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
         echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
     - name: Restore src cache via AZCopy

.github/workflows/pipeline-segment-electron-publish.yml

@@ -165,7 +165,7 @@ jobs:
       - name: Generate DEPS Hash
         run: |
           node src/electron/script/generate-deps-hash.js
-          DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+          DEPSHASH=v2-src-cache-$(cat src/electron/.depshash)
           echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
           echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
       - name: Restore src cache via AZCopy

.github/workflows/pipeline-segment-electron-test-64k.yml

@@ -0,0 +1,65 @@
+name: Pipeline Segment - Electron Test on Linux ARM64 64k
+
+on:
+  workflow_call:
+    inputs:
+      test-runs-on:
+        type: string
+        description: 'What host to run the tests on'
+        required: true
+      test-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+
+concurrency:
+  group: electron-test-linux-64k-${{ github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+
+permissions: {}
+
+env:
+  ELECTRON_OUT_DIR: Default
+
+jobs:
+  test-linux-arm64-64k:
+    env:
+      BUILD_TYPE: linux
+      TARGET_ARCH: arm64      
+    defaults:
+      run:
+        shell: bash
+    runs-on: ${{ inputs.test-runs-on }}
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    steps:
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Download Generated Artifacts
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      with:
+        name: generated_artifacts_linux_arm64
+        path: ./generated_artifacts_linux_arm64
+    - name: Restore Generated Artifacts
+      run: ./src/electron/script/actions/restore-artifacts.sh
+    - name: Unzip Dist
+      run: |
+        cd src/out/Default
+        unzip -:o dist.zip
+
+    - name: Run Electron Tests in QEMU 64k Container
+      shell: bash
+      env:
+        ELECTRON_DISABLE_SECURITY_WARNINGS: 1
+        DISPLAY: ':99.0'
+      run: |
+        container=$(echo '${{ inputs.test-container }}' | jq -r '.image')
+        src/electron/script/run-qemu-64k.sh --container $container --testfiles "`pwd`/src"
+        

.github/workflows/pipeline-segment-electron-test.yml

@@ -48,6 +48,8 @@ env:
   ELECTRON_OUT_DIR: Default
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
   ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
+  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
+  SENTRYCLI_SKIP_DOWNLOAD: 1
 
 jobs:
   test:
@@ -64,7 +66,7 @@ jobs:
       fail-fast: false
       matrix:
         build-type: ${{ inputs.target-platform == 'macos' && fromJSON('["darwin","mas"]') || (inputs.target-platform == 'win' && fromJSON('["win"]') || fromJSON('["linux"]')) }}
-        shard: ${{ case(inputs.display-server == 'wayland', fromJSON('[1]'), inputs.target-platform == 'linux', fromJSON('[1, 2, 3]'), fromJSON('[1, 2]')) }}
+        shard: ${{ case(inputs.display-server == 'wayland', fromJSON('[1]'), inputs.is-asan == true, fromJSON('[1, 2]'), inputs.target-platform == 'linux', fromJSON('[1]'), fromJSON('[1, 2]')) }}
     env:
       BUILD_TYPE: ${{ matrix.build-type }}
       TARGET_ARCH: ${{ inputs.target-arch }}
@@ -173,12 +175,12 @@ jobs:
         echo "DISABLE_CRASH_REPORTER_TESTS=true" >> $GITHUB_ENV
         echo "IS_ASAN=true" >> $GITHUB_ENV
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ matrix.build-type }}_${{ inputs.target-arch }}
@@ -214,18 +216,17 @@ jobs:
 
     - name: Run Electron Tests
       shell: bash
-      timeout-minutes: 40
+      timeout-minutes: 60
       env:
-        MOCHA_REPORTER: mocha-multi-reporters
-        MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
         ELECTRON_DISABLE_SECURITY_WARNINGS: 1
         DISPLAY: ':99.0'
         NPM_CONFIG_MSVS_VERSION: '2022'
       run: |
         cd src/electron
-        export ELECTRON_TEST_RESULTS_DIR=`pwd`/junit
+        export ELECTRON_EXTRA_ARGS="--trace-uncaught --enable-logging"
+        JUNIT_ARGS="--reporter=default --reporter=junit --outputFile.junit=junit/test-results-main.xml"
         # Get which tests are on this shard
-        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ case(inputs.display-server == 'wayland', 1, inputs.target-platform == 'linux', 3, 2) }})
+        tests_files=$(node script/split-tests ${{ matrix.shard }} ${{ case(inputs.display-server == 'wayland', 1, inputs.is-asan == true, 2, inputs.target-platform == 'linux', 1, 2) }})
         if [ "${{ inputs.display-server }}" = "wayland" ]; then
           allowlist_file=script/wayland-test-allowlist.txt
           filtered_tests=""
@@ -249,11 +250,8 @@ jobs:
             if [ "${{ inputs.target-arch }}" = "x86" ]; then
               export npm_config_arch="ia32"
             fi
-            if [ "${{ inputs.target-arch }}" = "arm64" ]; then
-              export ELECTRON_FORCE_TEST_SUITE_EXIT="true"
-            fi
           fi
-          node script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+          node script/yarn.js test $JUNIT_ARGS $tests_files
         else
           chown :builduser .. && chmod g+w ..
           chown -R :builduser . && chmod -R g+w .
@@ -267,21 +265,19 @@ jobs:
             export NSS_DISABLE_ARENA_FREE_LIST=1
             export NSS_DISABLE_UNLOAD=1
             export LLVM_SYMBOLIZER_PATH=$PWD/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer
-            export MOCHA_TIMEOUT=180000
             echo "Piping output to ASAN_SYMBOLIZE ($ASAN_SYMBOLIZE)"
             cd electron
-            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --trace-uncaught --enable-logging --files $tests_files | $ASAN_SYMBOLIZE
+            runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --testTimeout=180000 $JUNIT_ARGS $tests_files | $ASAN_SYMBOLIZE
           else
             if [ "${{ inputs.target-arch }}" = "arm" ]; then
-              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
-            else 
+              runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --skipYarnInstall $JUNIT_ARGS $tests_files
+            else
               if [ "${{ inputs.display-server }}" = "wayland" ]; then
-                runuser -u builduser -- script/actions/run-tests-wayland.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+                runuser -u builduser -- script/actions/run-tests-wayland.sh script/yarn.js test $JUNIT_ARGS $tests_files
               else
-                runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test --runners=main --enableRerun=3 --trace-uncaught --enable-logging --files $tests_files
+                runuser -u builduser -- xvfb-run script/actions/run-tests.sh script/yarn.js test $JUNIT_ARGS $tests_files
               fi
             fi
-            
           fi
         fi
     - name: Take screenshot on timeout or cancellation
@@ -313,7 +309,7 @@ jobs:
       if: always() && !cancelled()
     - name: Upload Test Artifacts
       if: always()
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: ${{ inputs.target-platform == 'linux' && format('test_artifacts_{0}_{1}_{2}', env.ARTIFACT_KEY, inputs.display-server, matrix.shard) || format('test_artifacts_{0}_{1}', env.ARTIFACT_KEY, matrix.shard) }}
         path: src/electron/spec/artifacts

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -36,6 +36,8 @@ env:
   CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
   ELECTRON_OUT_DIR: Default
   ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }}
+  # @sentry/cli is only needed by release upload-symbols.py; skip the ~17MB CDN download on test jobs
+  SENTRYCLI_SKIP_DOWNLOAD: 1
 
 jobs:
   node-tests:
@@ -65,12 +67,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}
@@ -121,12 +123,12 @@ jobs:
     - name: Install Dependencies
       uses: ./src/electron/.github/actions/install-dependencies
     - name: Download Generated Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
         path: ./generated_artifacts_${{ env.BUILD_TYPE }}_${{ env.TARGET_ARCH }}
     - name: Download Src Artifacts
-      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
       with:
         name: src_artifacts_linux_${{ env.TARGET_ARCH }}
         path: ./src_artifacts_linux_${{ env.TARGET_ARCH }}

.github/workflows/pr-template-check.yml

@@ -0,0 +1,58 @@
+name: PR Template Check
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review]
+
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
+permissions: {}
+
+jobs:
+  check-pr-template:
+    if: ${{ github.event.pull_request.head.repo.fork && !github.event.pull_request.draft && !startsWith(github.head_ref, 'roller/') }}
+    name: Check PR Template
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          sparse-checkout: .github/PULL_REQUEST_TEMPLATE.md
+          sparse-checkout-cone-mode: false
+      - name: Check for required sections
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const fs = require('fs');
+            const template = fs.readFileSync('.github/PULL_REQUEST_TEMPLATE.md', 'utf8');
+            const requiredSections = [...template.matchAll(/^(#{1,4} .+)$/gm)].map(
+              (m) => m[1],
+            );
+            if (requiredSections.length === 0) {
+              console.log('No heading sections found in PR template');
+              return;
+            }
+            const body = context.payload.pull_request.body || '';
+            const missingSections = requiredSections.filter(
+              (section) => !body.includes(section),
+            );
+            if (missingSections.length > 0) {
+              const list = missingSections.map((s) => `- \`${s}\``).join('\n');
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                body: `This PR was automatically closed because the PR template was not properly filled out. The following required sections are missing:\n\n${list}\n\nPlease update your PR description to include all required sections and reopen the PR.`,
+              });
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                state: 'closed',
+              });
+            }

.github/workflows/pr-triage-automation.yml

@@ -6,16 +6,25 @@ on:
   issue_comment:
     types: [created]
 
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
 permissions: {}
 
 jobs:
   set-needs-review:
     name: Set status to Needs Review
     if: >-
-      (github.event_name == 'pull_request_target' && github.event.action == 'synchronize')
-      || (github.event_name == 'pull_request_target' && github.event.action == 'review_requested')
+      (github.event_name == 'pull_request_target'
+        && github.event.pull_request.state == 'open'
+        && github.event.pull_request.draft != true
+        && !contains(github.event.pull_request.labels.*.name, 'wip ⚒')
+        && (github.event.action == 'synchronize' || github.event.action == 'review_requested'))
       || (github.event_name == 'issue_comment'
           && github.event.issue.pull_request
+          && github.event.issue.state == 'open'
+          && !contains(github.event.issue.labels.*.name, 'wip ⚒')
           && github.event.comment.user.login == github.event.issue.user.login)
     runs-on: ubuntu-slim
     permissions:
@@ -28,7 +37,7 @@ jobs:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Set status to Needs Review
-        uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/edit-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 118

.github/workflows/pull-request-labeled.yml

@@ -4,6 +4,10 @@ on:
   pull_request_target:
     types: [labeled]
 
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
 permissions: {}
 
 jobs:
@@ -38,7 +42,7 @@ jobs:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
           org: electron
       - name: Set status
-        uses: dsanders11/project-actions/edit-item@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/edit-item@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           token: ${{ steps.generate-token.outputs.token }}
           project-number: 94
@@ -46,7 +50,7 @@ jobs:
           field-value: ✅ Reviewed
   pull-request-labeled-ai-pr:
     name: ai-pr label added
-    if: github.event.label.name == 'ai-pr'
+    if: github.event.label.name == 'ai-pr' && github.event.pull_request.state != 'closed'
     runs-on: ubuntu-latest
     permissions: {}
     steps:
@@ -56,7 +60,7 @@ jobs:
       with:
         creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
     - name: Create comment
-      uses: actions-cool/issues-helper@71b62d7da76e59ff7b193904feb6e77d4dbb2777 # v3.7.6
+      uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
       with:
         actions: 'create-comment'
         token: ${{ steps.generate-token.outputs.token }}
@@ -68,7 +72,7 @@ jobs:
 
           Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
 
-          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](http://contributing.md/) carefully before reopening. Thanks for your contribution.
+          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](https://github.com/electron/electron/blob/main/CONTRIBUTING.md) and [AI Tool Policy](https://github.com/electron/governance/blob/main/policy/ai.md) carefully before reopening. Thanks for your contribution.
     - name: Close the pull request
       env:
         GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}

.github/workflows/pull-request-opened-synchronized.yml

@@ -0,0 +1,46 @@
+name: Pull Request Opened/Synchronized
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+# SECURITY: This workflow uses pull_request_target and has access to secrets.
+# Do NOT checkout or run code from the PR head. All code execution must use
+# the base branch only. Adding a ref to PR head would expose secrets to
+# untrusted code.
+permissions: {}
+
+jobs:
+  check-signed-commits:
+    name: Check signed commits in PR
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+            for all incoming PRs. To get your PR merged, please sign those commits
+            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
+            (`git push --force-with-lease`)
+
+            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+      - name: Add needs-signed-commits label
+        if: ${{ failure() }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --add-label needs-signed-commits
+
+      - name: Remove needs-signed-commits label
+        if: ${{ success() && contains(github.event.pull_request.labels.*.name, 'needs-signed-commits') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --remove-label needs-signed-commits

.github/workflows/scorecards.yml

@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v3.29.5
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/stable-prep-items.yml

@@ -29,7 +29,7 @@ jobs:
           PROJECT_NUMBER=$(gh project list --owner electron --format json | jq -r '.projects | map(select(.title | test("^[0-9]+-x-y$"))) | max_by(.number) | .number')
           echo "PROJECT_NUMBER=$PROJECT_NUMBER" >> "$GITHUB_OUTPUT"
       - name: Update Completed Stable Prep Items
-        uses: dsanders11/project-actions/completed-by@2134fe7cc71c58b7ae259c82a8e63c6058255678 # v1.7.0
+        uses: dsanders11/project-actions/completed-by@5767984408ccc6742f83acc8b8d8ea5e09f329af # v2.0.0
         with:
           field: Prep Status
           field-value: ✅ Complete

.gitignore

@@ -42,6 +42,7 @@ spec/.hash
 
 # Generated native addon files
 /spec/fixtures/native-addon/echo/build/
+/spec/fixtures/native-addon/dialog-helper/build/
 
 # If someone runs tsc this is where stuff will end up
 ts-gen

.oxfmtrc.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "./node_modules/oxfmt/configuration_schema.json",
+  "printWidth": 120,
+  "tabWidth": 2,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "sortImports": {
+    "newlinesBetween": true,
+    "groups": [
+      "electron-internal",
+      "electron-scoped",
+      "electron",
+      "external",
+      "builtin",
+      ["sibling", "parent"],
+      "index",
+      "type",
+      "unknown"
+    ],
+    "customGroups": [
+      {
+        "groupName": "electron-internal",
+        "elementNamePattern": ["@electron/internal", "@electron/internal/**"]
+      },
+      {
+        "groupName": "electron-scoped",
+        "elementNamePattern": ["@electron/**"]
+      },
+      {
+        "groupName": "electron",
+        "elementNamePattern": ["electron", "electron/**"]
+      }
+    ]
+  },
+  "ignorePatterns": [
+    "node_modules",
+    "out",
+    "ts-gen",
+    "spec/node_modules",
+    "spec/fixtures/native-addon",
+    ".github/workflows/node_modules",
+    "docs/fiddles",
+    "shell/browser/resources/win/resource.h",
+    "shell/common/node_includes.h",
+    "spec/fixtures/pages/jquery-3.6.0.min.js"
+  ]
+}

.oxlintrc.json

@@ -0,0 +1,352 @@
+{
+  "$schema": "./node_modules/oxlint/configuration_schema.json",
+  "plugins": [
+    "typescript",
+    "import",
+    "node",
+    "promise",
+    "unicorn"
+  ],
+  "jsPlugins": [
+    {
+      "name": "no-only-tests",
+      "specifier": "./script/lint-plugins/no-only-tests.mjs"
+    },
+    {
+      "name": "remote-tools-imports",
+      "specifier": "./script/lint-plugins/remote-tools-imports.mjs"
+    },
+    {
+      "name": "no-nested-tests",
+      "specifier": "./script/lint-plugins/no-nested-tests.mjs"
+    },
+    {
+      "name": "no-unawaited-load",
+      "specifier": "./script/lint-plugins/no-unawaited-load.mjs"
+    }
+  ],
+  "categories": {
+    "correctness": "off"
+  },
+  "options": {
+    "typeAware": false
+  },
+  "env": {
+    "builtin": true,
+    "browser": true
+  },
+  "ignorePatterns": [
+    ".github/workflows/node_modules",
+    "spec/node_modules",
+    "spec/fixtures/native-addon",
+    "shell/browser/resources/win/resource.h",
+    "shell/common/node_includes.h",
+    "spec/fixtures/pages/jquery-3.6.0.min.js"
+  ],
+  "rules": {
+    "no-var": "error",
+    "accessor-pairs": [
+      "error",
+      {
+        "setWithoutGet": true,
+        "enforceForClassMembers": true
+      }
+    ],
+    "array-callback-return": [
+      "error",
+      {
+        "allowImplicit": false,
+        "checkForEach": false
+      }
+    ],
+    "constructor-super": "error",
+    "curly": [
+      "error",
+      "multi-line"
+    ],
+    "default-case-last": "error",
+    "eqeqeq": [
+      "error",
+      "always",
+      {
+        "null": "ignore"
+      }
+    ],
+    "new-cap": [
+      "error",
+      {
+        "newIsCap": true,
+        "capIsNew": false,
+        "properties": true
+      }
+    ],
+    "no-array-constructor": "error",
+    "no-async-promise-executor": "error",
+    "no-caller": "error",
+    "no-case-declarations": "error",
+    "no-class-assign": "error",
+    "no-compare-neg-zero": "error",
+    "no-cond-assign": "error",
+    "no-const-assign": "error",
+    "no-constant-condition": [
+      "error",
+      {
+        "checkLoops": false
+      }
+    ],
+    "no-control-regex": "error",
+    "no-debugger": "error",
+    "no-delete-var": "error",
+    "no-dupe-class-members": "error",
+    "no-dupe-keys": "error",
+    "no-duplicate-case": "error",
+    "no-useless-backreference": "error",
+    "no-empty": [
+      "error",
+      {
+        "allowEmptyCatch": true
+      }
+    ],
+    "no-empty-character-class": "error",
+    "no-empty-pattern": "error",
+    "no-eval": "error",
+    "no-ex-assign": "error",
+    "no-extend-native": "error",
+    "no-extra-bind": "error",
+    "no-extra-boolean-cast": "error",
+    "no-fallthrough": "error",
+    "no-func-assign": "error",
+    "no-global-assign": "error",
+    "no-import-assign": "error",
+    "no-invalid-regexp": "error",
+    "no-irregular-whitespace": "error",
+    "no-iterator": "error",
+    "no-labels": [
+      "error",
+      {
+        "allowLoop": false,
+        "allowSwitch": false
+      }
+    ],
+    "no-lone-blocks": "error",
+    "no-loss-of-precision": "error",
+    "no-misleading-character-class": "error",
+    "no-prototype-builtins": "error",
+    "no-useless-catch": "error",
+    "no-useless-constructor": "error",
+    "no-use-before-define": [
+      "error",
+      {
+        "functions": false,
+        "classes": false,
+        "variables": false
+      }
+    ],
+    "no-multi-str": "error",
+    "no-new": "error",
+    "no-new-func": "error",
+    "no-new-wrappers": "error",
+    "no-obj-calls": "error",
+    "no-proto": "error",
+    "no-redeclare": [
+      "error"
+    ],
+    "no-regex-spaces": "error",
+    "no-return-assign": [
+      "error",
+      "except-parens"
+    ],
+    "no-self-assign": [
+      "error",
+      {
+        "props": true
+      }
+    ],
+    "no-self-compare": "error",
+    "no-sequences": "error",
+    "no-shadow-restricted-names": "error",
+    "no-sparse-arrays": "error",
+    "no-template-curly-in-string": "error",
+    "no-this-before-super": "error",
+    "no-throw-literal": "error",
+    "no-unexpected-multiline": "error",
+    "no-unmodified-loop-condition": "error",
+    "no-unneeded-ternary": [
+      "error",
+      {
+        "defaultAssignment": false
+      }
+    ],
+    "no-unreachable": "error",
+    "no-unsafe-finally": "error",
+    "no-unsafe-negation": "error",
+    "no-unused-vars": [
+      "error",
+      {
+        "vars": "all",
+        "args": "after-used",
+        "argsIgnorePattern": "^_",
+        "ignoreRestSiblings": true
+      }
+    ],
+    "no-useless-call": "error",
+    "no-useless-computed-key": "error",
+    "no-useless-escape": "error",
+    "no-useless-rename": "error",
+    "no-useless-return": "error",
+    "no-void": "error",
+    "no-with": "error",
+    "prefer-const": [
+      "error",
+      {
+        "destructuring": "all"
+      }
+    ],
+    "prefer-promise-reject-errors": "error",
+    "symbol-description": "error",
+    "unicode-bom": [
+      "error",
+      "never"
+    ],
+    "use-isnan": [
+      "error",
+      {
+        "enforceForSwitchCase": true,
+        "enforceForIndexOf": true
+      }
+    ],
+    "valid-typeof": [
+      "error",
+      {
+        "requireStringLiterals": true
+      }
+    ],
+    "yoda": [
+      "error",
+      "never"
+    ],
+    "import/export": "error",
+    "import/first": "error",
+    "import/no-absolute-path": [
+      "error",
+      {
+        "esmodule": true,
+        "commonjs": true,
+        "amd": false
+      }
+    ],
+    "import/no-duplicates": "error",
+    "import/no-named-default": "error",
+    "import/no-webpack-loader-syntax": "error",
+    "promise/param-names": "error",
+    "guard-for-in": "error",
+    "node/handle-callback-err": [
+      "error",
+      "^(err|error)$"
+    ],
+    "node/no-exports-assign": "error",
+    "node/no-new-require": "error",
+    "node/no-path-concat": "error"
+  },
+  "overrides": [
+    {
+      "files": ["**/*.ts", "**/*.tsx", "**/*.mts", "**/*.cts"],
+      "rules": {
+        "no-use-before-define": "off"
+      }
+    },
+    {
+      "files": ["lib/browser/**", "lib/utility/**"],
+      "rules": {
+        "no-restricted-imports": [
+          "error",
+          {
+            "paths": ["electron", "electron/renderer"],
+            "patterns": [
+              "./*",
+              "../*",
+              "@electron/internal/isolated_renderer/*",
+              "@electron/internal/renderer/*",
+              "@electron/internal/sandboxed_worker/*",
+              "@electron/internal/worker/*"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "files": [
+        "lib/renderer/**",
+        "lib/worker/**",
+        "lib/preload_realm/**",
+        "lib/sandboxed_renderer/**",
+        "lib/isolated_renderer/**"
+      ],
+      "rules": {
+        "no-restricted-imports": [
+          "error",
+          {
+            "paths": ["electron", "electron/main"],
+            "patterns": ["./*", "../*", "@electron/internal/browser/*"]
+          }
+        ]
+      }
+    },
+    {
+      "files": ["lib/common/**"],
+      "rules": {
+        "no-restricted-imports": [
+          "error",
+          {
+            "paths": ["electron", "electron/main", "electron/renderer"],
+            "patterns": [
+              "./*",
+              "../*",
+              "@electron/internal/browser/*",
+              "@electron/internal/isolated_renderer/*",
+              "@electron/internal/renderer/*",
+              "@electron/internal/sandboxed_worker/*",
+              "@electron/internal/worker/*"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "files": [
+        "build/**",
+        "script/**",
+        "docs/**",
+        "default_app/**",
+        "spec/**"
+      ],
+      "rules": {
+        "unicorn/prefer-node-protocol": "error"
+      }
+    },
+    {
+      "files": ["spec/**/*.ts", "spec/**/*.js", "spec/**/*.mjs"],
+      "rules": {
+        "no-only-tests/no-only-tests": "error",
+        "remote-tools-imports/no-foreign-imports-in-remote-closure": "error",
+        "no-nested-tests/no-nested-tests": "error",
+        "no-unawaited-load/no-unawaited-load": "warn"
+      }
+    },
+    {
+      "files": ["spec/fixtures/**"],
+      "rules": {
+        "no-unawaited-load/no-unawaited-load": "off",
+        "remote-tools-imports/no-foreign-imports-in-remote-closure": "off",
+        "no-nested-tests/no-nested-tests": "off"
+      }
+    },
+    {
+      "files": ["**/*.d.ts"],
+      "rules": {
+        "no-useless-constructor": "off",
+        "no-unused-vars": "off"
+      }
+    }
+  ]
+}

.yarnrc.yml

@@ -9,4 +9,8 @@ npmMinimalAgeGate: 10080
 npmPreapprovedPackages:
   - "@electron/*"
 
+httpProxy: "${HTTP_PROXY:-}"
+
+httpsProxy: "${HTTPS_PROXY:-}"
+
 yarnPath: .yarn/releases/yarn-4.12.0.cjs

BUILD.gn

@@ -147,6 +147,25 @@ config("branding") {
 
 config("electron_lib_config") {
   include_dirs = [ "." ]
+  cflags = []
+  if (is_clang && clang_use_chrome_plugins) {
+    # The plugin is built directly into clang, so there's no need to load it
+    # dynamically.
+    cflags += [
+      "-Xclang",
+      "-add-plugin",
+      "-Xclang",
+      "blink-gc-plugin",
+      "-Xclang",
+      "-plugin-arg-blink-gc-plugin",
+      "-Xclang",
+      "check-directory=electron/shell/",
+      "-Xclang",
+      "-plugin-arg-blink-gc-plugin",
+      "-Xclang",
+      "check-directory=gin/",
+    ]
+  }
 }
 
 # We generate the definitions twice here, once in //electron/electron.d.ts
@@ -775,6 +794,7 @@ source_set("electron_lib") {
       "//components/zoom",
       "//extensions/browser",
       "//extensions/browser/api:api_provider",
+      "//extensions/browser/mime_handler:stream_info",
       "//extensions/browser/updater",
       "//extensions/common",
       "//extensions/common:core_api_provider",
@@ -1017,7 +1037,17 @@ if (is_mac) {
     }
   }
 
-  foreach(helper_params, content_mac_helpers) {
+  # Electron defines its own plugin helper (using CHILD_EMBEDDER_FIRST + 1) to
+  # allow loading of unsigned or third-party-signed libraries.
+  _electron_plugin_helper_params = [
+    "plugin",
+    ".plugin",
+    " (Plugin)",
+  ]
+  electron_mac_helpers =
+      content_mac_helpers + [ _electron_plugin_helper_params ]
+
+  foreach(helper_params, electron_mac_helpers) {
     _helper_target = helper_params[0]
     _helper_bundle_id = helper_params[1]
     _helper_suffix = helper_params[2]
@@ -1070,7 +1100,7 @@ if (is_mac) {
       ":stripped_squirrel_framework",
     ]
 
-    foreach(helper_params, content_mac_helpers) {
+    foreach(helper_params, electron_mac_helpers) {
       sources +=
           [ "$root_out_dir/${electron_helper_name}${helper_params[2]}.app" ]
       public_deps += [ ":electron_helper_app_${helper_params[0]}" ]
@@ -1174,7 +1204,7 @@ if (is_mac) {
       deps = [ ":electron_framework" ]
     }
 
-    foreach(helper_params, content_mac_helpers) {
+    foreach(helper_params, electron_mac_helpers) {
       _helper_target = helper_params[0]
       _helper_bundle_id = helper_params[1]
       _helper_suffix = helper_params[2]
@@ -1226,7 +1256,7 @@ if (is_mac) {
         deps += [ ":crashpad_handler_syms" ]
       }
 
-      foreach(helper_params, content_mac_helpers) {
+      foreach(helper_params, electron_mac_helpers) {
         _helper_target = helper_params[0]
         deps += [ ":electron_helper_syms_${_helper_target}" ]
       }
@@ -1633,6 +1663,7 @@ action("node_version_header") {
 action("generate_node_headers") {
   deps = [ ":generate_config_gypi" ]
   script = "script/node/generate_node_headers.py"
+  args = [ rebase_path("$root_gen_dir") ]
   outputs = [ "$root_gen_dir/node_headers.json" ]
 }
 

CLAUDE.md

@@ -1,5 +1,14 @@
 # Electron Development Guide
 
+## Running node_modules binaries
+
+**Never use `npx`.** It is considered dangerous because it can silently fetch and execute arbitrary packages from the registry. Always run binaries through one of these safer mechanisms instead:
+
+1. **Preferred** — spawn the executable directly from `node_modules/.bin/<tool>` (or the platform equivalent on Windows). This is what `script/lint.js` does for `oxlint`.
+2. **Acceptable** — invoke via `yarn <tool>` or `yarn run <tool>`, which resolves to the locally installed version without the registry fallback that `npx` performs.
+
+This rule applies to shell commands you run yourself and to any scripts you author or modify in this repo.
+
 ## Project Overview
 
 Electron is a framework for building cross-platform desktop applications using web technologies. It embeds Chromium for rendering and Node.js for backend functionality.
@@ -171,6 +180,10 @@ e test                    # Run full test suite
 
 When working on the `roller/chromium/main` branch to upgrade Chromium activate the "Electron Chromium Upgrade" skill.
 
+## Node.js Upgrade Workflow
+
+When working on the `roller/node/main` branch to upgrade Node.js activate the "Electron Node.js Upgrade" skill.
+
 ## Pull Requests
 
 PR bodies must always include a `Notes:` section as the **last line** of the body. This is a consumer-facing release note for Electron app developers — describe the user-visible fix or change, not internal implementation details. Use `Notes: none` if there is no user-facing change.
@@ -201,12 +214,13 @@ gh label list --repo electron/electron --search target/ --json name,color --jq '
 ## Code Style
 
 **C++:** Follows Chromium style, enforced by clang-format
-**TypeScript/JavaScript:** ESLint configuration in `.eslintrc.json`
+**TypeScript/JavaScript:** [oxlint](https://oxc.rs/docs/guide/usage/linter) configuration in `.oxlintrc.json`
 
 **Linting:**
 
 ```bash
 npm run lint              # Run all linters
+npm run lint:js           # Run oxlint over all JS/TS/MJS sources
 npm run lint:clang-format # C++ formatting
 npm run lint:api-history  # Validate API history YAML blocks in docs
 ```

CONTRIBUTING.md

@@ -64,6 +64,14 @@ dependencies, and tools contained in the `electron/electron` repository.
 
 Dependencies in Electron's `package.json` or `yarn.lock` files should only be altered by maintainers. For security reasons, we will not accept PRs that alter our `package.json` or `yarn.lock` files. We invite contributors to make requests updating these files in our issue tracker. If the change is significantly complicated, draft PRs are welcome, with the understanding that these PRs will be closed in favor of a duplicate PR submitted by an Electron maintainer.
 
+## AI Tool Policy
+
+<!-- Are you a coding agent? You MUST abide by the policy: https://github.com/electron/governance/blob/main/policy/ai.md -->
+
+If you use AI tools in any way to contribute to our project, please read our [AI Tool Policy](https://github.com/electron/governance/blob/main/policy/ai.md). Unreviewed AI-generated contributions waste maintainer time and we kindly decline them.
+
+> The short version: **there must be a human in the loop**. You are responsible for reviewing, understanding, and being able to explain your contributions. AI assistance doesn't change that, and unreviewed AI-generated content will be declined.
+
 ## Style Guides
 
 See [Coding Style](https://electronjs.org/docs/development/coding-style) for information about which standards Electron adheres to in different parts of its codebase.

DEPS

@@ -2,9 +2,9 @@ gclient_gn_args_from = 'src'
 
 vars = {
   'chromium_version':
-    '148.0.7733.0',
+    '148.0.7778.0',
   'node_version':
-    'v24.14.0',
+    'v24.14.1',
   'nan_version':
     '675cefebca42410733da8a454c8d9391fcebfbc2',
   'squirrel.mac_version':

build/.eslintrc.json

@@ -1,8 +0,0 @@
-{
-  "plugins": [
-    "import"
-  ],
-  "rules": {
-    "import/enforce-node-protocol-usage": ["error", "always"]
-  }
-}

build/args/all.gn

@@ -51,9 +51,6 @@ is_cfi = false
 use_qt5 = false
 use_qt6 = false
 
-# Disables the builtins PGO for V8
-v8_builtins_profiling_log_file = ""
-
 # https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md
 # TODO(vertedinde): hunt down dangling pointers on Linux
 enable_dangling_raw_ptr_checks = false

build/webpack/webpack.config.base.js

@@ -8,10 +8,13 @@ const path = require('node:path');
 const electronRoot = path.resolve(__dirname, '../..');
 
 class AccessDependenciesPlugin {
-  apply (compiler) {
-    compiler.hooks.compilation.tap('AccessDependenciesPlugin', compilation => {
-      compilation.hooks.finishModules.tap('AccessDependenciesPlugin', modules => {
-        const filePaths = modules.map(m => m.resource).filter(p => p).map(p => path.relative(electronRoot, p));
+  apply(compiler) {
+    compiler.hooks.compilation.tap('AccessDependenciesPlugin', (compilation) => {
+      compilation.hooks.finishModules.tap('AccessDependenciesPlugin', (modules) => {
+        const filePaths = modules
+          .map((m) => m.resource)
+          .filter((p) => p)
+          .map((p) => path.relative(electronRoot, p));
         console.info(JSON.stringify(filePaths));
       });
     });
@@ -31,7 +34,14 @@ module.exports = ({
     entry = path.resolve(electronRoot, 'lib', target, 'init.js');
   }
 
-  const electronAPIFile = path.resolve(electronRoot, 'lib', loadElectronFromAlternateTarget || target, 'api', 'exports', 'electron.ts');
+  const electronAPIFile = path.resolve(
+    electronRoot,
+    'lib',
+    loadElectronFromAlternateTarget || target,
+    'api',
+    'exports',
+    'electron.ts'
+  );
 
   return (env = {}, argv = {}) => {
     const onlyPrintingGraph = !!env.PRINT_WEBPACK_GRAPH;
@@ -61,49 +71,59 @@ module.exports = ({
     }
 
     if (targetDeletesNodeGlobals) {
-      plugins.push(new webpack.ProvidePlugin({
-        Buffer: ['@electron/internal/common/webpack-provider', 'Buffer'],
-        global: ['@electron/internal/common/webpack-provider', '_global'],
-        process: ['@electron/internal/common/webpack-provider', 'process']
-      }));
+      plugins.push(
+        new webpack.ProvidePlugin({
+          Buffer: ['@electron/internal/common/webpack-provider', 'Buffer'],
+          global: ['@electron/internal/common/webpack-provider', '_global'],
+          process: ['@electron/internal/common/webpack-provider', 'process']
+        })
+      );
     }
 
     // Webpack 5 no longer polyfills process or Buffer.
     if (!alwaysHasNode) {
-      plugins.push(new webpack.ProvidePlugin({
-        Buffer: ['buffer', 'Buffer'],
-        process: 'process/browser'
-      }));
+      plugins.push(
+        new webpack.ProvidePlugin({
+          Buffer: ['buffer', 'Buffer'],
+          process: 'process/browser'
+        })
+      );
     }
 
-    plugins.push(new webpack.ProvidePlugin({
-      Promise: ['@electron/internal/common/webpack-globals-provider', 'Promise']
-    }));
+    plugins.push(
+      new webpack.ProvidePlugin({
+        Promise: ['@electron/internal/common/webpack-globals-provider', 'Promise']
+      })
+    );
 
     plugins.push(new webpack.DefinePlugin(defines));
 
     if (wrapInitWithProfilingTimeout) {
-      plugins.push(new WrapperPlugin({
-        header: 'function ___electron_webpack_init__() {',
-        footer: `
+      plugins.push(
+        new WrapperPlugin({
+          header: 'function ___electron_webpack_init__() {',
+          footer: `
 };
 if ((globalThis.process || binding.process).argv.includes("--profile-electron-init")) {
   setTimeout(___electron_webpack_init__, 0);
 } else {
   ___electron_webpack_init__();
 }`
-      }));
+        })
+      );
     }
 
     if (wrapInitWithTryCatch) {
-      plugins.push(new WrapperPlugin({
-        header: 'try {',
-        footer: `
+      plugins.push(
+        new WrapperPlugin({
+          header: 'try {',
+          footer: `
 } catch (err) {
   console.error('Electron ${outputFilename} script failed to run');
   console.error(err);
 }`
-      }));
+        })
+      );
     }
 
     return {
@@ -133,23 +153,26 @@ if ((globalThis.process || binding.process).argv.includes("--profile-electron-in
         }
       },
       module: {
-        rules: [{
-          test: (moduleName) => !onlyPrintingGraph && ignoredModules.includes(moduleName),
-          loader: 'null-loader'
-        }, {
-          test: /\.ts$/,
-          loader: 'ts-loader',
-          options: {
-            configFile: path.resolve(electronRoot, 'tsconfig.electron.json'),
-            transpileOnly: onlyPrintingGraph,
-            ignoreDiagnostics: [
-              // File '{0}' is not under 'rootDir' '{1}'.
-              6059,
-              // Private field '{0}' must be declared in an enclosing class.
-              1111
-            ]
+        rules: [
+          {
+            test: (moduleName) => !onlyPrintingGraph && ignoredModules.includes(moduleName),
+            loader: 'null-loader'
+          },
+          {
+            test: /\.ts$/,
+            loader: 'ts-loader',
+            options: {
+              configFile: path.resolve(electronRoot, 'tsconfig.electron.json'),
+              transpileOnly: onlyPrintingGraph,
+              ignoreDiagnostics: [
+                // File '{0}' is not under 'rootDir' '{1}'.
+                6059,
+                // Private field '{0}' must be declared in an enclosing class.
+                1111
+              ]
+            }
           }
-        }]
+        ]
       },
       node: {
         __dirname: false,

chromium_src/BUILD.gn

@@ -144,6 +144,8 @@ static_library("chrome") {
     "//chrome/browser/ui/views/overlay/toggle_camera_button.h",
     "//chrome/browser/ui/views/overlay/toggle_microphone_button.cc",
     "//chrome/browser/ui/views/overlay/toggle_microphone_button.h",
+    "//chrome/browser/ui/views/overlay/toggle_mute_button.cc",
+    "//chrome/browser/ui/views/overlay/toggle_mute_button.h",
     "//chrome/browser/ui/views/overlay/video_overlay_window_views.cc",
     "//chrome/browser/ui/views/overlay/video_overlay_window_views.h",
     "//chrome/browser/ui/views/picture_in_picture/picture_in_picture_bounds_change_animation.cc",

default_app/.eslintrc.json

@@ -1,8 +0,0 @@
-{
-  "plugins": [
-    "import"
-  ],
-  "rules": {
-    "import/enforce-node-protocol-usage": ["error", "always"]
-  }
-}

default_app/default_app.ts

@@ -1,5 +1,5 @@
 import { shell } from 'electron/common';
-import { app, dialog, BrowserWindow, ipcMain } from 'electron/main';
+import { app, dialog, BrowserWindow, ipcMain, Menu } from 'electron/main';
 
 import * as path from 'node:path';
 import * as url from 'node:url';
@@ -11,23 +11,62 @@ app.on('window-all-closed', () => {
   app.quit();
 });
 
-function decorateURL (url: string) {
-  // safely add `?utm_source=default_app
-  const parsedUrl = new URL(url);
-  parsedUrl.searchParams.append('utm_source', 'default_app');
-  return parsedUrl.toString();
-}
+const isMac = process.platform === 'darwin';
+
+app.whenReady().then(() => {
+  const helpMenu: Electron.MenuItemConstructorOptions = {
+    role: 'help',
+    submenu: [
+      {
+        label: 'Learn More',
+        click: async () => {
+          await shell.openExternal('https://electronjs.org');
+        }
+      },
+      {
+        label: 'Documentation',
+        click: async () => {
+          const version = process.versions.electron;
+          await shell.openExternal(`https://github.com/electron/electron/tree/v${version}/docs#readme`);
+        }
+      },
+      {
+        label: 'Community Discussions',
+        click: async () => {
+          await shell.openExternal('https://discord.gg/electronjs');
+        }
+      },
+      {
+        label: 'Search Issues',
+        click: async () => {
+          await shell.openExternal('https://github.com/electron/electron/issues');
+        }
+      }
+    ]
+  };
+
+  const macAppMenu: Electron.MenuItemConstructorOptions = { role: 'appMenu' };
+  const template: Electron.MenuItemConstructorOptions[] = [
+    ...(isMac ? [macAppMenu] : []),
+    { role: 'fileMenu' },
+    { role: 'editMenu' },
+    { role: 'viewMenu' },
+    { role: 'windowMenu' },
+    helpMenu
+  ];
+
+  Menu.setApplicationMenu(Menu.buildFromTemplate(template));
+});
 
 // Find the shortest path to the electron binary
 const absoluteElectronPath = process.execPath;
 const relativeElectronPath = path.relative(process.cwd(), absoluteElectronPath);
-const electronPath = absoluteElectronPath.length < relativeElectronPath.length
-  ? absoluteElectronPath
-  : relativeElectronPath;
+const electronPath =
+  absoluteElectronPath.length < relativeElectronPath.length ? absoluteElectronPath : relativeElectronPath;
 
 const indexPath = path.resolve(app.getAppPath(), 'index.html');
 
-function isTrustedSender (webContents: Electron.WebContents) {
+function isTrustedSender(webContents: Electron.WebContents) {
   if (webContents !== (mainWindow && mainWindow.webContents)) {
     return false;
   }
@@ -43,7 +82,7 @@ ipcMain.handle('bootstrap', (event) => {
   return isTrustedSender(event.sender) ? electronPath : null;
 });
 
-async function createWindow (backgroundColor?: string) {
+async function createWindow(backgroundColor?: string) {
   await app.whenReady();
 
   const options: Electron.BrowserWindowConstructorOptions = {
@@ -68,8 +107,8 @@ async function createWindow (backgroundColor?: string) {
   mainWindow = new BrowserWindow(options);
   mainWindow.on('ready-to-show', () => mainWindow!.show());
 
-  mainWindow.webContents.setWindowOpenHandler(details => {
-    shell.openExternal(decorateURL(details.url));
+  mainWindow.webContents.setWindowOpenHandler((details) => {
+    shell.openExternal(details.url);
     return { action: 'deny' };
   });
 

default_app/main.ts

@@ -15,7 +15,7 @@ type DefaultAppOptions = {
   interactive: boolean;
   abi: boolean;
   modules: string[];
-}
+};
 
 // Parse command line options.
 const argv = process.argv.slice(1);
@@ -74,7 +74,7 @@ if (option.modules.length > 0) {
   (Module as any)._preloadModules(option.modules);
 }
 
-async function loadApplicationPackage (packagePath: string) {
+async function loadApplicationPackage(packagePath: string) {
   // Add a flag indicating app is started from default app.
   Object.defineProperty(process, 'defaultApp', {
     configurable: false,
@@ -92,9 +92,11 @@ async function loadApplicationPackage (packagePath: string) {
       const emitWarning = process.emitWarning;
       try {
         process.emitWarning = () => {};
-        packageJson = (await import(url.pathToFileURL(packageJsonPath).toString(), {
-          with: { type: 'json' }
-        })).default;
+        packageJson = (
+          await import(url.pathToFileURL(packageJsonPath).toString(), {
+            with: { type: 'json' }
+          })
+        ).default;
       } catch (e) {
         showErrorMessage(`Unable to parse ${packageJsonPath}\n\n${(e as Error).message}`);
         return;
@@ -143,23 +145,23 @@ async function loadApplicationPackage (packagePath: string) {
   }
 }
 
-function showErrorMessage (message: string) {
+function showErrorMessage(message: string) {
   app.focus();
   dialog.showErrorBox('Error launching app', message);
   process.exit(1);
 }
 
-async function loadApplicationByURL (appUrl: string) {
+async function loadApplicationByURL(appUrl: string) {
   const { loadURL } = await import('./default_app.js');
   loadURL(appUrl);
 }
 
-async function loadApplicationByFile (appPath: string) {
+async function loadApplicationByFile(appPath: string) {
   const { loadFile } = await import('./default_app.js');
   loadFile(appPath);
 }
 
-async function startRepl () {
+async function startRepl() {
   if (process.platform === 'win32') {
     console.error('Electron REPL not currently supported on Windows');
     process.exit(1);
@@ -187,7 +189,7 @@ async function startRepl () {
     process.exit(0);
   });
 
-  function defineBuiltin (context: any, name: string, getter: Function) {
+  function defineBuiltin(context: any, name: string, getter: Function) {
     const setReal = (val: any) => {
       // Deleting the property before re-assigning it disables the
       // getter/setter mechanism.
@@ -225,11 +227,42 @@ async function startRepl () {
   // we only trigger custom tab-completion when no common words are
   // potentially matches.
   const commonWords = [
-    'async', 'await', 'break', 'case', 'catch', 'const', 'continue',
-    'debugger', 'default', 'delete', 'do', 'else', 'export', 'false',
-    'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'let',
-    'new', 'null', 'return', 'switch', 'this', 'throw', 'true', 'try',
-    'typeof', 'var', 'void', 'while', 'with', 'yield'
+    'async',
+    'await',
+    'break',
+    'case',
+    'catch',
+    'const',
+    'continue',
+    'debugger',
+    'default',
+    'delete',
+    'do',
+    'else',
+    'export',
+    'false',
+    'finally',
+    'for',
+    'function',
+    'if',
+    'import',
+    'in',
+    'instanceof',
+    'let',
+    'new',
+    'null',
+    'return',
+    'switch',
+    'this',
+    'throw',
+    'true',
+    'try',
+    'typeof',
+    'var',
+    'void',
+    'while',
+    'with',
+    'yield'
   ];
 
   const electronBuiltins = [...Object.keys(electron), 'original-fs', 'electron'];

default_app/preload.ts

@@ -2,10 +2,10 @@ const { ipcRenderer, contextBridge } = require('electron/renderer');
 
 const policy = window.trustedTypes.createPolicy('electron-default-app', {
   // we trust the SVG contents
-  createHTML: input => input
+  createHTML: (input) => input
 });
 
-async function getOcticonSvg (name: string) {
+async function getOcticonSvg(name: string) {
   try {
     const response = await fetch(`octicon/${name}.svg`);
     const div = document.createElement('div');
@@ -16,7 +16,7 @@ async function getOcticonSvg (name: string) {
   }
 }
 
-async function loadSVG (element: HTMLSpanElement) {
+async function loadSVG(element: HTMLSpanElement) {
   for (const cssClass of element.classList) {
     if (cssClass.startsWith('octicon-')) {
       const icon = await getOcticonSvg(cssClass.substr(8));
@@ -32,9 +32,9 @@ async function loadSVG (element: HTMLSpanElement) {
   }
 }
 
-async function initialize () {
+async function initialize() {
   const electronPath = await ipcRenderer.invoke('bootstrap');
-  function replaceText (selector: string, text: string, link?: string) {
+  function replaceText(selector: string, text: string, link?: string) {
     const element = document.querySelector<HTMLElement>(selector);
     if (element) {
       if (link) {
@@ -51,7 +51,11 @@ async function initialize () {
 
   replaceText('.electron-version', `Electron v${process.versions.electron}`, 'https://electronjs.org/docs');
   replaceText('.chrome-version', `Chromium v${process.versions.chrome}`, 'https://developer.chrome.com/docs/chromium');
-  replaceText('.node-version', `Node v${process.versions.node}`, `https://nodejs.org/docs/v${process.versions.node}/api`);
+  replaceText(
+    '.node-version',
+    `Node v${process.versions.node}`,
+    `https://nodejs.org/docs/v${process.versions.node}/api`
+  );
   replaceText('.v8-version', `v8 v${process.versions.v8}`, 'https://v8.dev/docs');
   replaceText('.command-example', `${electronPath} path-to-app`);
 

docs/.eslintrc.json

@@ -1,35 +0,0 @@
-{
-  "extends": "standard",
-  "plugins": [
-    "import",
-    "markdown"
-  ],
-  "overrides": [
-    {
-      "files": ["*.md", "**/*.md"],
-      "processor": "markdown/markdown"
-    }
-  ],
-  "rules": {
-    "@typescript-eslint/no-unused-vars": "off",
-    "import/order": ["error", {
-      "alphabetize": {
-        "order": "asc"
-      },
-      "newlines-between": "always",
-      "pathGroups": [
-        {
-          "pattern": "{electron,electron/**}",
-          "group": "builtin",
-          "position": "before"
-        }
-      ],
-      "pathGroupsExcludedImportTypes": []
-    }],
-    "n/no-callback-literal": "off",
-    "no-undef": "off",
-    "no-unused-expressions": "off",
-    "no-unused-vars": "off",
-    "import/enforce-node-protocol-usage": ["error", "always"]
-  }
-}

docs/api/app.md

@@ -615,7 +615,11 @@ Returns `string` - The current application directory.
     by default is the `appData` directory appended with your app's name. By
     convention files storing user data should be written to this directory, and
     it is not recommended to write large files here because some environments
-    may backup this directory to cloud storage.
+    may backup this directory to cloud storage. It is recommended to store
+    app-specific files within a subdirectory of `userData` (e.g.,
+    `path.join(app.getPath('userData'), 'my-app-data')`) rather than directly
+    in `userData` itself, to avoid naming conflicts with Chromium's own
+    subdirectories (such as `Cache`, `GPUCache`, and `Local Storage`).
   * `sessionData` The directory for storing data generated by `Session`, such
     as localStorage, cookies, disk cache, downloaded dictionaries, network
     state, DevTools files. By default this points to `userData`. Chromium may

docs/api/dialog.md

@@ -28,7 +28,10 @@ added:
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
   * `title` string (optional)
-  * `defaultPath` string (optional)
+  * `defaultPath` string (optional) - Absolute directory path, absolute file
+    path, or file name to use by default. If not provided, the dialog will
+    default to the user's Downloads folder, or their home directory if Downloads
+    doesn't exist.
   * `buttonLabel` string (optional) - Custom label for the confirmation button, when
     left empty the default label will be used.
   * `filters` [FileFilter[]](structures/file-filter.md) (optional)
@@ -109,7 +112,10 @@ changes:
 * `window` [BaseWindow](base-window.md) (optional)
 * `options` Object
   * `title` string (optional)
-  * `defaultPath` string (optional)
+  * `defaultPath` string (optional) - Absolute directory path, absolute file
+    path, or file name to use by default. If not provided, the dialog will
+    default to the user's Downloads folder, or their home directory if Downloads
+    doesn't exist.
   * `buttonLabel` string (optional) - Custom label for the confirmation button, when
     left empty the default label will be used.
   * `filters` [FileFilter[]](structures/file-filter.md) (optional)
@@ -198,7 +204,9 @@ added:
 * `options` Object
   * `title` string (optional) - The dialog title. Cannot be displayed on some _Linux_ desktop environments.
   * `defaultPath` string (optional) - Absolute directory path, absolute file
-    path, or file name to use by default.
+    path, or file name to use by default. If not provided, the dialog will
+    default to the user's Downloads folder, or their home directory if Downloads
+    doesn't exist.
   * `buttonLabel` string (optional) - Custom label for the confirmation button, when
     left empty the default label will be used.
   * `filters` [FileFilter[]](structures/file-filter.md) (optional)
@@ -238,7 +246,9 @@ changes:
 * `options` Object
   * `title` string (optional) - The dialog title. Cannot be displayed on some _Linux_ desktop environments.
   * `defaultPath` string (optional) - Absolute directory path, absolute file
-    path, or file name to use by default.
+    path, or file name to use by default. If not provided, the dialog will
+    default to the user's Downloads folder, or their home directory if Downloads
+    doesn't exist.
   * `buttonLabel` string (optional) - Custom label for the confirmation button, when
     left empty the default label will be used.
   * `filters` [FileFilter[]](structures/file-filter.md) (optional)

docs/api/dock.md

@@ -56,6 +56,9 @@ Returns `string` - The badge string of the dock.
 
 Hides the dock icon.
 
+> [!IMPORTANT]
+> **Known issue:** Calling `dock.hide()` within one second of a previous call will have no effect. As a workaround, ensure at least one second has elapsed between calls — for example, by deferring with a `setTimeout` of 1100ms or more after a previous call.
+
 #### `dock.show()` _macOS_
 
 Returns `Promise<void>` - Resolves when the dock icon is shown.

docs/api/global-shortcut.md

@@ -148,3 +148,34 @@ added:
 -->
 
 Unregisters all of the global shortcuts.
+
+### `globalShortcut.setSuspended(suspended)`
+
+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/50425
+```
+-->
+
+* `suspended` boolean - Whether global shortcut handling should be suspended.
+
+Suspends or resumes global shortcut handling. When suspended, all registered
+global shortcuts will stop listening for key presses. When resumed, all
+previously registered shortcuts will begin listening again. New shortcut
+registrations will fail while handling is suspended.
+
+This can be useful when you want to temporarily allow the user to press key
+combinations without your application intercepting them, for example while
+displaying a UI to rebind shortcuts.
+
+### `globalShortcut.isSuspended()`
+
+<!--
+```YAML history
+added:
+  - pr-url: https://github.com/electron/electron/pull/50425
+```
+-->
+
+Returns `boolean` - Whether global shortcut handling is currently suspended.

docs/api/menu-item.md

@@ -44,8 +44,8 @@ See [`Menu`](menu.md) for examples.
     menu items.
   * `registerAccelerator` boolean (optional) _Linux_ _Windows_ - If false, the accelerator won't be registered
     with the system, but it will still be displayed. Defaults to true.
-  * `sharingItem` SharingItem (optional) _macOS_ - The item to share when the `role` is `shareMenu`.
-  * `submenu` (MenuItemConstructorOptions[] | [Menu](menu.md)) (optional) - Should be specified
+  * `sharingItem` [SharingItem](structures/sharing-item.md) (optional) _macOS_ - The item to share when the `role` is `shareMenu`.
+  * `submenu` ([MenuItemConstructorOptions](#new-menuitemoptions)[] | [Menu](menu.md)) (optional) - Should be specified
     for `submenu` type menu items. If `submenu` is specified, the `type: 'submenu'` can be omitted.
     If the value is not a [`Menu`](menu.md) then it will be automatically converted to one using
     `Menu.buildFromTemplate`.
@@ -89,7 +89,7 @@ A `Function` that is fired when the MenuItem receives a click event.
 It can be called with `menuItem.click(event, focusedWindow, focusedWebContents)`.
 
 * `event` [KeyboardEvent](structures/keyboard-event.md)
-* `focusedWindow` [BaseWindow](browser-window.md)
+* `focusedWindow` [BaseWindow](base-window.md)
 * `focusedWebContents` [WebContents](web-contents.md)
 
 #### `menuItem.submenu`
@@ -110,11 +110,11 @@ A `string` (optional) indicating the item's role, if set. Can be `undo`, `redo`,
 
 #### `menuItem.accelerator`
 
-An `Accelerator | null` indicating the item's accelerator, if set.
+An [`Accelerator | null`](../tutorial/keyboard-shortcuts.md#accelerators) indicating the item's accelerator, if set.
 
 #### `menuItem.userAccelerator` _Readonly_ _macOS_
 
-An `Accelerator | null` indicating the item's [user-assigned accelerator](https://developer.apple.com/documentation/appkit/nsmenuitem/1514850-userkeyequivalent?language=objc) for the menu item.
+An [`Accelerator | null`](../tutorial/keyboard-shortcuts.md#accelerators) indicating the item's [user-assigned accelerator](https://developer.apple.com/documentation/appkit/nsmenuitem/1514850-userkeyequivalent?language=objc) for the menu item.
 
 > [!NOTE]
 > This property is only initialized after the `MenuItem` has been added to a `Menu`. Either via `Menu.buildFromTemplate` or via `Menu.append()/insert()`.  Accessing before initialization will just return `null`.
@@ -170,7 +170,7 @@ This property can be dynamically changed.
 
 #### `menuItem.sharingItem` _macOS_
 
-A `SharingItem` indicating the item to share when the `role` is `shareMenu`.
+A [`SharingItem`](structures/sharing-item.md) indicating the item to share when the `role` is `shareMenu`.
 
 This property can be dynamically changed.
 

docs/api/menu.md

@@ -46,7 +46,7 @@ this has the additional effect of removing the menu bar from the window.
 
 > [!NOTE]
 > The default menu will be created automatically if the app does not set one.
-> It contains standard items such as `File`, `Edit`, `View`, `Window` and `Help`.
+> It contains standard items such as `File`, `Edit`, `View`, and `Window`.
 
 #### `Menu.getApplicationMenu()`
 
@@ -70,7 +70,7 @@ for more information on macOS' native actions.
 
 #### `Menu.buildFromTemplate(template)`
 
-- `template` (MenuItemConstructorOptions | [MenuItem](menu-item.md))[]
+- `template` ([MenuItemConstructorOptions](menu-item.md#new-menuitemoptions) | [MenuItem](menu-item.md))[]
 
 Returns [`Menu`](menu.md)
 
@@ -162,7 +162,7 @@ Emitted when a popup is closed either manually or with `menu.closePopup()`.
 
 #### `menu.items`
 
-A `MenuItem[]` array containing the menu's items.
+A [`MenuItem[]`](menu-item.md) array containing the menu's items.
 
 Each `Menu` consists of multiple [`MenuItem`](menu-item.md) instances and each `MenuItem`
 can nest a `Menu` into its `submenu` property.

docs/api/native-theme.md

@@ -84,3 +84,7 @@ Currently, Windows high contrast is the only system setting that triggers forced
 ### `nativeTheme.prefersReducedTransparency` _Readonly_
 
 A `boolean` that indicates whether the user has chosen via system accessibility settings to reduce transparency at the OS level.
+
+### `nativeTheme.shouldDifferentiateWithoutColor` _macOS_ _Readonly_
+
+A `boolean` that indicates whether the user prefers UI that differentiates items using something other than color alone (e.g. shapes or labels). This maps to [NSWorkspace.accessibilityDisplayShouldDifferentiateWithoutColor](https://developer.apple.com/documentation/appkit/nsworkspace/accessibilitydisplayshoulddifferentiatewithoutcolor).

docs/api/notification.md

@@ -79,22 +79,27 @@ app.whenReady().then(() => {
 ### `new Notification([options])`
 
 * `options` Object (optional)
-  * `id` string (optional) _macOS_ - A unique identifier for the notification, mapping to `UNNotificationRequest`'s [`identifier`](https://developer.apple.com/documentation/usernotifications/unnotificationrequest/identifier) property. Defaults to a random UUID if not provided or if an empty string is passed. This can be used to remove or update previously delivered notifications.
-  * `groupId` string (optional) _macOS_ - A string identifier used to visually group notifications together in Notification Center. Maps to `UNNotificationContent`'s [`threadIdentifier`](https://developer.apple.com/documentation/usernotifications/unnotificationcontent/threadidentifier) property.
+  * `id` string (optional) _macOS_ _Windows_ - A unique identifier for the notification. On macOS, maps to `UNNotificationRequest`'s [`identifier`](https://developer.apple.com/documentation/usernotifications/unnotificationrequest/identifier) property. On Windows, maps to the toast notification's [`Tag`](https://learn.microsoft.com/en-us/uwp/api/windows.ui.notifications.toastnotification.tag) property. Defaults to a random UUID if not provided or if an empty string is passed. This can be used to remove or update previously delivered notifications.
+  * `groupId` string (optional) _macOS_ _Windows_ - A string identifier used to visually group notifications together in Notification Center / Action Center. On macOS, maps to `UNNotificationContent`'s [`threadIdentifier`](https://developer.apple.com/documentation/usernotifications/unnotificationcontent/threadidentifier) property. On Windows, maps to the toast notification's [`Group`](https://learn.microsoft.com/en-us/uwp/api/windows.ui.notifications.toastnotification.group) property.
+  * `groupTitle` string (optional) _Windows_ - A title for the notification group header. When both `groupId` and `groupTitle` are specified, Windows will display a header above the notification that groups related notifications together. Maps to the toast notification's [`header`](https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/toast-headers) element.
   * `title` string (optional) - A title for the notification, which will be displayed at the top of the notification window when it is shown.
   * `subtitle` string (optional) _macOS_ - A subtitle for the notification, which will be displayed below the title.
   * `body` string (optional) - The body text of the notification, which will be displayed below the title or subtitle.
   * `silent` boolean (optional) - Whether or not to suppress the OS notification noise when showing the notification.
   * `icon` (string | [NativeImage](native-image.md)) (optional) - An icon to use in the notification. If a string is passed, it must be a valid path to a local icon file.
-  * `hasReply` boolean (optional) _macOS_ - Whether or not to add an inline reply option to the notification.
+  * `hasReply` boolean (optional) _macOS_ _Windows_ - Whether or not to add an inline reply option to the notification.
   * `timeoutType` string (optional) _Linux_ _Windows_ - The timeout duration of the notification. Can be 'default' or 'never'.
-  * `replyPlaceholder` string (optional) _macOS_ - The placeholder to write in the inline reply input field.
+  * `replyPlaceholder` string (optional) _macOS_ _Windows_ - The placeholder to write in the inline reply input field.
   * `sound` string (optional) _macOS_ - The name of the sound file to play when the notification is shown.
-  * `urgency` string (optional) _Linux_ - The urgency level of the notification. Can be 'normal', 'critical', or 'low'.
-  * `actions` [NotificationAction[]](structures/notification-action.md) (optional) _macOS_ - Actions to add to the notification. Please read the available actions and limitations in the `NotificationAction` documentation.
+  * `urgency` string (optional) _Linux_ _Windows_ - The urgency level of the notification. Can be 'normal', 'critical', or 'low'.
+  * `actions` [NotificationAction[]](structures/notification-action.md) (optional) _macOS_ _Windows_ - Actions to add to the notification. Please read the available actions and limitations in the `NotificationAction` documentation.
   * `closeButtonText` string (optional) _macOS_ - A custom title for the close button of an alert. An empty string will cause the default localized text to be used.
   * `toastXml` string (optional) _Windows_ - A custom description of the Notification on Windows superseding all properties above. Provides full customization of design and behavior of the notification.
 
+> [!NOTE]
+> On Windows, `urgency` type 'critical' sorts the notification higher in Action Center (above default priority notifications), but does not prevent auto-dismissal. To prevent auto-dismissal, you should also set
+> `timeoutType` to 'never'.
+
 ### Instance Events
 
 Objects created with `new Notification` emit the following events:
@@ -325,13 +330,17 @@ app.whenReady().then(() => {
 
 ### Instance Properties
 
-#### `notification.id` _macOS_ _Readonly_
+#### `notification.id` _macOS_ _Windows_ _Readonly_
 
 A `string` property representing the unique identifier of the notification. This is set at construction time — either from the `id` option or as a generated UUID if none was provided.
 
-#### `notification.groupId` _macOS_ _Readonly_
+#### `notification.groupId` _macOS_ _Windows_ _Readonly_
 
-A `string` property representing the group identifier of the notification. Notifications with the same `groupId` will be visually grouped together in Notification Center.
+A `string` property representing the group identifier of the notification. Notifications with the same `groupId` will be visually grouped together in Notification Center (macOS) or Action Center (Windows).
+
+#### `notification.groupTitle` _Windows_ _Readonly_
+
+A `string` property representing the title of the notification group header.
 
 #### `notification.title`
 

docs/api/protocol.md

@@ -56,6 +56,15 @@ app.whenReady().then(() => {
 })
 ```
 
+## Protocol names
+
+[RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) defines what a valid
+protocol name is:
+
+> Scheme names consist of a sequence of characters beginning with a letter and followed
+> by any combination of letters, digits, plus ("+"), period ("."), or hyphen ("-").
+> Although schemes are case-insensitive, the canonical form is lowercase […].
+
 ## Methods
 
 The `protocol` module has the following methods:

docs/api/safe-storage.md

@@ -59,7 +59,12 @@ On Windows, returns true once the app has emitted the `ready` event.
 
 ### `safeStorage.isAsyncEncryptionAvailable()`
 
-Returns `Promise<Boolean>` - Whether encryption is available for asynchronous safeStorage operations.
+Returns `Promise<boolean>` - Resolves with whether encryption is available for
+asynchronous safeStorage operations.
+
+The asynchronous encryptor is initialized lazily the first time this method,
+`encryptStringAsync`, or `decryptStringAsync` is called after the app is ready.
+The returned promise resolves once initialization completes.
 
 ### `safeStorage.encryptString(plainText)`
 

docs/api/structures/custom-scheme.md

@@ -11,3 +11,5 @@
   * `stream` boolean (optional) - Default false.
   * `codeCache` boolean (optional) - Enable V8 code cache for the scheme, only
     works when `standard` is also set to true. Default false.
+  * `allowExtensions` boolean (optional) - Allow Chrome extensions to be used
+    on pages served over this protocol. Default false.

docs/api/structures/web-preferences.md

@@ -94,6 +94,7 @@
     The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
     * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
     * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
+    * `nv12` - The requested output texture format is 12bpp with Y plane followed by a 2x2 interleaved UV plane, with REC709 color space.
   * `deviceScaleFactor` number (optional) _Experimental_ - The device scale factor of the offscreen rendering output. If not set, will use `1` as default.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
   the specified `preload` script in a separate JavaScript context. Defaults

docs/api/window-open.md

@@ -33,10 +33,14 @@ because it is invoked in the main process.
 Returns [`Window`](https://developer.mozilla.org/en-US/docs/Web/API/Window) | null
 
 `features` is a comma-separated key-value list, following the standard format of
-the browser. Electron will parse [`BrowserWindowConstructorOptions`](structures/browser-window-options.md) out of this
-list where possible, for convenience. For full control and better ergonomics,
-consider using `webContents.setWindowOpenHandler` to customize the
-BrowserWindow creation.
+the browser. For convenience, Electron will parse a subset of presentational
+[`BrowserWindowConstructorOptions`](structures/browser-window-options.md) out of
+this list (such as `width`, `height`, `x`, `y`, `show`, `frame`, `title`,
+`backgroundColor`). Because the renderer is untrusted, options that cause the
+main process to access the filesystem or that are otherwise privileged (such as
+`icon`) are ignored. For full control and better ergonomics, use
+`webContents.setWindowOpenHandler` to customize the BrowserWindow creation from
+the main process.
 
 A subset of [`WebPreferences`](structures/web-preferences.md) can be set directly,
 unnested, from the features string: `zoomFactor`, `nodeIntegration`, `javascript`,
@@ -56,9 +60,10 @@ window.open('https://github.com', '_blank', 'top=500,left=200,frame=false,nodeIn
   enabled on the parent window.
 * JavaScript will always be disabled in the opened `window` if it is disabled on
   the parent window.
-* Non-standard features (that are not handled by Chromium or Electron) given in
-  `features` will be passed to any registered `webContents`'s
-  `did-create-window` event handler in the `options` argument.
+* Features that are not handled by Chromium and not in Electron's allowlist of
+  presentational `BrowserWindowConstructorOptions` are ignored. The raw
+  `features` string is still available to the main process via
+  `setWindowOpenHandler`.
 * `frameName` follows the specification of `target` located in the [native documentation](https://developer.mozilla.org/en-US/docs/Web/API/Window/open#parameters).
 * When opening `about:blank`, the child window's [`WebPreferences`](structures/web-preferences.md) will be copied
   from the parent window, and there is no way to override it because Chromium

docs/breaking-changes.md

@@ -12,6 +12,34 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.
 
+## Planned Breaking API Changes (43.0)
+
+### Behavior Changed: Dialog methods default to Downloads directory
+
+The `defaultPath` option for the following methods now defaults to the user's Downloads folder (or their home directory if Downloads doesn't exist) when not explicitly provided:
+
+* `dialog.showOpenDialog`
+* `dialog.showOpenDialogSync`
+* `dialog.showSaveDialog`
+* `dialog.showSaveDialogSync`
+
+Previously, when no `defaultPath` was provided, the underlying OS file dialog would determine the initial directory — typically remembering the last directory the user navigated to, or falling back to an OS-specific default. Now, Electron explicitly sets the initial directory to Downloads, which also means the OS will no longer track and restore the last-used directory between dialog invocations.
+
+To preserve the old behavior, you can track the last-used directory yourself and pass it as `defaultPath`:
+
+```js
+const path = require('node:path')
+
+let lastUsedPath
+const result = await dialog.showOpenDialog({
+  defaultPath: lastUsedPath
+})
+
+if (!result.canceled && result.filePaths.length > 0) {
+  lastUsedPath = path.dirname(result.filePaths[0])
+}
+```
+
 ## Planned Breaking API Changes (42.0)
 
 ### Behavior Changed: macOS notifications now use `UNNotification` API
@@ -70,6 +98,9 @@ npm install electron --save-dev
 ELECTRON_INSTALL_PLATFORM=mas npx electron . --no
 ```
 
+This also means the `ELECTRON_SKIP_BINARY_DOWNLOAD` environment variable is no
+longer supported, as its primary purpose was to prevent the `postinstall` script from running.
+
 ### Removed: `quotas` object from `Session.clearStorageData(options)`
 
 When calling `Session.clearStorageData(options)`, the `options.quotas` object is no longer supported because it has been

docs/development/coding-style.md

@@ -3,7 +3,7 @@
 These are the style guidelines for coding in Electron.
 
 You can run `npm run lint` to show any style issues detected by `cpplint` and
-`eslint`.
+`oxlint`.
 
 ## General Code
 

docs/development/patches.md

@@ -79,7 +79,7 @@ $ ../../electron/script/git-import-patches ../../electron/patches/node
 $ ../../electron/script/git-export-patches -o ../../electron/patches/node
 ```
 
-Note that `git-import-patches` will mark the commit that was `HEAD` when it was run as `refs/patches/upstream-head`. This lets you keep track of which commits are from Electron patches (those that come after `refs/patches/upstream-head`) and which commits are in upstream (those before `refs/patches/upstream-head`).
+Note that `git-import-patches` will mark the commit that was `HEAD` when it was run as `refs/patches/upstream-head` (and a checkout-specific `refs/patches/upstream-head-<hash>` so that gclient worktrees sharing a `.git/refs` directory don't clobber each other). This lets you keep track of which commits are from Electron patches (those that come after `refs/patches/upstream-head`) and which commits are in upstream (those before `refs/patches/upstream-head`).
 
 #### Resolving conflicts
 

docs/tutorial/fuses.md

@@ -146,13 +146,15 @@ The extra privileges granted to the `file://` protocol by this fuse are incomple
 The `wasmTrapHandlers` fuse controls whether V8 will use signal handlers to trap Out of Bounds memory
 access from WebAssembly. The feature works by surrounding the WebAssembly memory with large guard regions
 and then installing a signal handler that traps attempt to access memory in the guard region. The feature
-is only supported on the following 64-bit systems.
+is only supported on the following 64-bit systems:
 
-Linux. MacOS, Windows - x86_64
-Linux, MacOS - aarch64
+* Linux, macOS, Windows - x86_64
+* Linux, macOS - aarch64
 
+```text
 | Guard Pages | WASM heap | Guard Pages |
 |-----8GB-----|           |-----8GB-----|
+```
 
 When the fuse is disabled V8 will use explicit bound checks in the generated WebAssembly code to ensure
 memory safety. However, this method has some downsides

docs/tutorial/installation.md

@@ -25,16 +25,6 @@ included in the `electron` package:
 npx install-electron --no
 ```
 
-If you want to install your project's dependencies but don't need to use
-Electron functionality, you can set the `ELECTRON_SKIP_BINARY_DOWNLOAD` environment
-variable to prevent the binary from being downloaded. For instance, this feature can
-be useful in continuous integration environments when running unit tests that mock
-out the `electron` module.
-
-```sh
-ELECTRON_SKIP_BINARY_DOWNLOAD=1 npm install
-```
-
 ## Running Electron ad-hoc
 
 If you're in a pinch and would prefer to not use `npm install` in your local

docs/tutorial/launch-app-from-url-in-another-app.md

@@ -87,6 +87,13 @@ if (!gotTheLock) {
   // Create mainWindow, load the rest of the app, etc...
   app.whenReady().then(() => {
     createWindow()
+    // Check for deep link on cold start
+    if (process.argv.length >= 2) {
+      const lastArg = process.argv[process.argv.length - 1]
+      if (lastArg.startsWith('electron-fiddle://')) {
+        dialog.showErrorBox('Welcome Back', `You arrived from: ${lastArg}`)
+      }
+    }
   })
 }
 ```

docs/tutorial/native-code-and-electron-cpp-linux.md

@@ -1097,7 +1097,8 @@ public:
     Napi::Function func = DefineClass(env, "CppLinuxAddon", {
       InstanceMethod("helloWorld", &CppAddon::HelloWorld),
       InstanceMethod("helloGui", &CppAddon::HelloGui),
-      InstanceMethod("on", &CppAddon::On)
+      InstanceMethod("on", &CppAddon::On),
+      InstanceMethod("destroy", &CppAddon::Destroy)
     });
 
     Napi::FunctionReference *constructor = new Napi::FunctionReference();
@@ -1139,11 +1140,12 @@ private:
 
 Here, we create a C++ class that inherits from `Napi::ObjectWrap<CppAddon>`:
 
-`static Napi::Object Init` defines our JavaScript interface with three methods:
+`static Napi::Object Init` defines our JavaScript interface with four methods:
 
 * `helloWorld`: A simple function to test the bridge
 * `helloGui`: The function to launch our GTK3 UI
 * `on`: A method to register event callbacks
+* `destroy`: A method to release all persistent references before app quit
 
 The constructor initializes:
 
@@ -1354,7 +1356,8 @@ public:
     Napi::Function func = DefineClass(env, "CppLinuxAddon", {
       InstanceMethod("helloWorld", &CppAddon::HelloWorld),
       InstanceMethod("helloGui", &CppAddon::HelloGui),
-      InstanceMethod("on", &CppAddon::On)
+      InstanceMethod("on", &CppAddon::On),
+      InstanceMethod("destroy", &CppAddon::Destroy)
     });
 
     Napi::FunctionReference *constructor = new Napi::FunctionReference();
@@ -1497,6 +1500,20 @@ private:
     callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
     return env.Undefined();
   }
+
+  Napi::Value Destroy(const Napi::CallbackInfo &info)
+  {
+    callbacks.Reset();
+    emitter.Reset();
+
+    if (tsfn_ != nullptr)
+    {
+      napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+      tsfn_ = nullptr;
+    }
+
+    return info.Env().Undefined();
+  }
 };
 
 Napi::Object Init(Napi::Env env, Napi::Object exports)
@@ -1547,6 +1564,10 @@ class CppLinuxAddon extends EventEmitter {
     return this.addon.helloGui()
   }
 
+  destroy() {
+    this.addon.destroy()
+  }
+
   // Parse JSON and convert date to JavaScript Date object
   parse(payload) {
     const parsed = JSON.parse(payload)
@@ -1569,8 +1590,12 @@ This wrapper:
 * Only loads on Linux platforms
 * Forwards events from C++ to JavaScript
 * Provides clean methods to call into C++
+* Provides a `destroy()` method to release native resources
 * Converts JSON data into proper JavaScript objects
 
+> [!IMPORTANT]
+> You must call `destroy()` before the app quits (e.g. in the `will-quit` or `before-quit` event handler). Without this, persistent references to callbacks and the threadsafe function will prevent the native addon's destructor from running, causing Electron to hang on quit.
+
 ## 7) Building and testing the addon
 
 With all files in place, you can build the addon:

docs/tutorial/native-code-and-electron-cpp-win32.md

@@ -1099,7 +1099,8 @@ static Napi::Object Init(Napi::Env env, Napi::Object exports) {
     Napi::Function func = DefineClass(env, "CppWin32Addon", {
         InstanceMethod("helloWorld", &CppAddon::HelloWorld),
         InstanceMethod("helloGui", &CppAddon::HelloGui),
-        InstanceMethod("on", &CppAddon::On)
+        InstanceMethod("on", &CppAddon::On),
+        InstanceMethod("destroy", &CppAddon::Destroy)
     });
 
     // ... rest of Init function
@@ -1117,9 +1118,21 @@ Napi::Value On(const Napi::CallbackInfo& info) {
     callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
     return env.Undefined();
 }
+
+Napi::Value Destroy(const Napi::CallbackInfo& info) {
+    callbacks.Reset();
+    emitter.Reset();
+
+    if (tsfn_ != nullptr) {
+        napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+        tsfn_ = nullptr;
+    }
+
+    return info.Env().Undefined();
+}
 ```
 
-This allows JavaScript to register callbacks for specific event types.
+This allows JavaScript to register callbacks for specific event types. The `Destroy` method releases all persistent references and aborts the threadsafe function, which must be called before the app quits to prevent the process from hanging.
 
 ### Putting the bridge together
 
@@ -1261,6 +1274,18 @@ private:
         callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
         return env.Undefined();
     }
+
+    Napi::Value Destroy(const Napi::CallbackInfo& info) {
+        callbacks.Reset();
+        emitter.Reset();
+
+        if (tsfn_ != nullptr) {
+            napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+            tsfn_ = nullptr;
+        }
+
+        return info.Env().Undefined();
+    }
 };
 
 Napi::Object Init(Napi::Env env, Napi::Object exports) {
@@ -1309,6 +1334,10 @@ class CppWin32Addon extends EventEmitter {
     this.addon.helloGui()
   }
 
+  destroy() {
+    this.addon.destroy()
+  }
+
   #parse(payload) {
     const parsed = JSON.parse(payload)
 
@@ -1323,6 +1352,9 @@ if (process.platform === 'win32') {
 }
 ```
 
+> [!IMPORTANT]
+> You must call `destroy()` before the app quits (e.g. in the `will-quit` or `before-quit` event handler). Without this, persistent references to callbacks and the threadsafe function will prevent the native addon's destructor from running, causing Electron to hang on quit.
+
 ## 7) Building and Testing the Addon
 
 With all files in place, you can build the addon:

docs/tutorial/native-code-and-electron-objc-macos.md

@@ -753,7 +753,8 @@ public:
         Napi::Function func = DefineClass(env, "ObjcMacosAddon", {
             InstanceMethod("helloWorld", &ObjcAddon::HelloWorld),
             InstanceMethod("helloGui", &ObjcAddon::HelloGui),
-            InstanceMethod("on", &ObjcAddon::On)
+            InstanceMethod("on", &ObjcAddon::On),
+            InstanceMethod("destroy", &ObjcAddon::Destroy)
         });
 
         Napi::FunctionReference* constructor = new Napi::FunctionReference();
@@ -915,6 +916,18 @@ Napi::Value On(const Napi::CallbackInfo& info) {
     callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
     return env.Undefined();
 }
+
+Napi::Value Destroy(const Napi::CallbackInfo& info) {
+    callbacks.Reset();
+    emitter.Reset();
+
+    if (tsfn_ != nullptr) {
+        napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+        tsfn_ = nullptr;
+    }
+
+    return info.Env().Undefined();
+}
 ```
 
 Let's take a look at what we've added in this step:
@@ -922,10 +935,11 @@ Let's take a look at what we've added in this step:
 * `HelloWorld()`: Takes a string input, calls our Objective-C function, and returns the result
 * `HelloGui()`:  A simple wrapper around the Objective-C `hello_gui` function
 * `On`: Allows JavaScript to register event listeners that will be called when native events occur
+* `Destroy`: Releases all persistent references (callbacks and emitter) and aborts the threadsafe function, allowing the addon to be properly cleaned up on quit
 
 The `On` method is particularly important as it creates the event system that our JavaScript code will use to receive notifications from the native UI.
 
-Together, these three components form a complete bridge between our Objective-C code and the JavaScript world, allowing bidirectional communication. Here's what the finished file should look like:
+Together, these four components form a complete bridge between our Objective-C code and the JavaScript world, allowing bidirectional communication. Here's what the finished file should look like:
 
 ```objc title='src/objc_addon.mm'
 #include <napi.h>
@@ -938,7 +952,8 @@ public:
         Napi::Function func = DefineClass(env, "ObjcMacosAddon", {
             InstanceMethod("helloWorld", &ObjcAddon::HelloWorld),
             InstanceMethod("helloGui", &ObjcAddon::HelloGui),
-            InstanceMethod("on", &ObjcAddon::On)
+            InstanceMethod("on", &ObjcAddon::On),
+            InstanceMethod("destroy", &ObjcAddon::Destroy)
         });
 
         Napi::FunctionReference* constructor = new Napi::FunctionReference();
@@ -1061,6 +1076,18 @@ private:
         callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
         return env.Undefined();
     }
+
+    Napi::Value Destroy(const Napi::CallbackInfo& info) {
+        callbacks.Reset();
+        emitter.Reset();
+
+        if (tsfn_ != nullptr) {
+            napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+            tsfn_ = nullptr;
+        }
+
+        return info.Env().Undefined();
+    }
 };
 
 Napi::Object Init(Napi::Env env, Napi::Object exports) {
@@ -1101,6 +1128,10 @@ class ObjcMacosAddon extends EventEmitter {
     this.addon.helloGui()
   }
 
+  destroy () {
+    this.addon.destroy()
+  }
+
   parse (payload) {
     const parsed = JSON.parse(payload)
 
@@ -1122,7 +1153,11 @@ This wrapper:
 3. Loads the native addon
 4. Sets up event listeners and forwards them
 5. Provides a clean API for our functions
-6. Parses JSON payloads and converts timestamps to JavaScript Date objects
+6. Provides a `destroy()` method to release native resources
+7. Parses JSON payloads and converts timestamps to JavaScript Date objects
+
+> [!IMPORTANT]
+> You must call `destroy()` before the app quits (e.g. in the `will-quit` or `before-quit` event handler). Without this, persistent references to callbacks and the threadsafe function will prevent the native addon's destructor from running, causing Electron to hang on quit.
 
 ## 7) Building and Testing the Addon
 

docs/tutorial/native-code-and-electron-swift-macos.md

@@ -752,7 +752,8 @@ public:
         Napi::Function func = DefineClass(env, "SwiftAddon", {
             InstanceMethod("helloWorld", &SwiftAddon::HelloWorld),
             InstanceMethod("helloGui", &SwiftAddon::HelloGui),
-            InstanceMethod("on", &SwiftAddon::On)
+            InstanceMethod("on", &SwiftAddon::On),
+            InstanceMethod("destroy", &SwiftAddon::Destroy)
         });
 
         Napi::FunctionReference* constructor = new Napi::FunctionReference();
@@ -770,7 +771,7 @@ This first part:
 
 1. Defines a C++ class that inherits from `Napi::ObjectWrap`
 2. Creates a static `Init` method to register our class with Node.js
-3. Defines three methods: `helloWorld`, `helloGui`, and `on`
+3. Defines four methods: `helloWorld`, `helloGui`, `on`, and `destroy`
 
 ### Callback Mechanism
 
@@ -919,6 +920,18 @@ private:
         callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
         return env.Undefined();
     }
+
+    Napi::Value Destroy(const Napi::CallbackInfo& info) {
+        callbacks.Reset();
+        emitter.Reset();
+
+        if (tsfn_ != nullptr) {
+            napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+            tsfn_ = nullptr;
+        }
+
+        return info.Env().Undefined();
+    }
 };
 
 Napi::Object Init(Napi::Env env, Napi::Object exports) {
@@ -934,7 +947,8 @@ This final part does multiple things:
 2. The HelloWorld method implementation takes a string input from JavaScript, passes it to the Swift code, and returns the processed result back to the JavaScript environment.
 3. The `HelloGui` method implementation provides a simple wrapper that calls the Swift UI creation function to display the native macOS window.
 4. The `On` method implementation allows JavaScript code to register callback functions that will be invoked when specific events occur in the native Swift code.
-5. The code sets up the module initialization process that registers the addon with Node.js and makes its functionality available to JavaScript.
+5. The `Destroy` method releases all persistent references (callbacks and emitter) and aborts the threadsafe function. This must be called before the app quits to allow the destructor to run and prevent the process from hanging.
+6. The code sets up the module initialization process that registers the addon with Node.js and makes its functionality available to JavaScript.
 
 The final and full `src/swift_addon.mm` should look like:
 
@@ -949,7 +963,8 @@ public:
         Napi::Function func = DefineClass(env, "SwiftAddon", {
             InstanceMethod("helloWorld", &SwiftAddon::HelloWorld),
             InstanceMethod("helloGui", &SwiftAddon::HelloGui),
-            InstanceMethod("on", &SwiftAddon::On)
+            InstanceMethod("on", &SwiftAddon::On),
+            InstanceMethod("destroy", &SwiftAddon::Destroy)
         });
 
         Napi::FunctionReference* constructor = new Napi::FunctionReference();
@@ -1074,6 +1089,18 @@ private:
         callbacks.Value().Set(info[0].As<Napi::String>(), info[1].As<Napi::Function>());
         return env.Undefined();
     }
+
+    Napi::Value Destroy(const Napi::CallbackInfo& info) {
+        callbacks.Reset();
+        emitter.Reset();
+
+        if (tsfn_ != nullptr) {
+            napi_release_threadsafe_function(tsfn_, napi_tsfn_abort);
+            tsfn_ = nullptr;
+        }
+
+        return info.Env().Undefined();
+    }
 };
 
 Napi::Object Init(Napi::Env env, Napi::Object exports) {
@@ -1122,6 +1149,10 @@ class SwiftAddon extends EventEmitter {
     this.addon.helloGui()
   }
 
+  destroy () {
+    this.addon.destroy()
+  }
+
   parse (payload) {
     const parsed = JSON.parse(payload)
 
@@ -1143,7 +1174,11 @@ This wrapper:
 3. Loads the native addon
 4. Sets up event listeners and forwards them
 5. Provides a clean API for our functions
-6. Parses JSON payloads and converts timestamps to JavaScript Date objects
+6. Provides a `destroy()` method to release native resources
+7. Parses JSON payloads and converts timestamps to JavaScript Date objects
+
+> [!IMPORTANT]
+> You must call `destroy()` before the app quits (e.g. in the `will-quit` or `before-quit` event handler). Without this, persistent references to callbacks and the threadsafe function will prevent the native addon's destructor from running, causing Electron to hang on quit.
 
 ## 7) Building and Testing the Addon
 

docs/tutorial/tutorial-2-first-app.md

@@ -83,17 +83,6 @@ dependency.
 npm install electron --save-dev
 ```
 
-:::warning
-
-In order to correctly install Electron, you need to ensure that its `postinstall` lifecycle
-script is able to run. This means avoiding the `--ignore-scripts` flag on npm and allowlisting
-`electron` to run build scripts on other package managers.
-
-This is likely to change in a future version of Electron. See
-[electron/rfcs#22](https://github.com/electron/rfcs/pull/22) for more details.
-
-:::
-
 Your package.json file should look something like this after initializing your package
 and installing Electron. You should also now have a `node_modules` folder containing
 the Electron executable, as well as a `package-lock.json` lockfile that specifies

filenames.gni

@@ -680,6 +680,7 @@ filenames = {
     "shell/common/gin_helper/wrappable.cc",
     "shell/common/gin_helper/wrappable.h",
     "shell/common/gin_helper/wrappable_base.h",
+    "shell/common/gin_helper/wrappable_pointer_tags.h",
     "shell/common/heap_snapshot.cc",
     "shell/common/heap_snapshot.h",
     "shell/common/key_weak_map.h",
@@ -734,6 +735,8 @@ filenames = {
     "shell/renderer/electron_sandboxed_renderer_client.h",
     "shell/renderer/electron_smooth_round_rect.cc",
     "shell/renderer/electron_smooth_round_rect.h",
+    "shell/renderer/oom_stack_trace.cc",
+    "shell/renderer/oom_stack_trace.h",
     "shell/renderer/preload_realm_context.cc",
     "shell/renderer/preload_realm_context.h",
     "shell/renderer/preload_utils.cc",
@@ -781,6 +784,8 @@ filenames = {
     "shell/browser/extensions/electron_extension_system_factory.h",
     "shell/browser/extensions/electron_extension_system.cc",
     "shell/browser/extensions/electron_extension_system.h",
+    "shell/browser/extensions/electron_extension_tab_util.cc",
+    "shell/browser/extensions/electron_extension_tab_util.h",
     "shell/browser/extensions/electron_extension_web_contents_observer.cc",
     "shell/browser/extensions/electron_extension_web_contents_observer.h",
     "shell/browser/extensions/electron_extensions_api_client.cc",
@@ -793,8 +798,6 @@ filenames = {
     "shell/browser/extensions/electron_kiosk_delegate.h",
     "shell/browser/extensions/electron_messaging_delegate.cc",
     "shell/browser/extensions/electron_messaging_delegate.h",
-    "shell/browser/extensions/electron_navigation_ui_data.cc",
-    "shell/browser/extensions/electron_navigation_ui_data.h",
     "shell/browser/extensions/electron_process_manager_delegate.cc",
     "shell/browser/extensions/electron_process_manager_delegate.h",
     "shell/common/extensions/electron_extensions_api_provider.cc",

lib/browser/.eslintrc.json

@@ -1,21 +0,0 @@
-{
-  "rules": {
-    "no-restricted-imports": [
-      "error",
-      {
-        "paths": [
-          "electron",
-          "electron/renderer"
-        ],
-        "patterns": [
-          "./*",
-          "../*",
-          "@electron/internal/isolated_renderer/*",
-          "@electron/internal/renderer/*",
-          "@electron/internal/sandboxed_worker/*",
-          "@electron/internal/worker/*"
-        ]
-      }
-    ]
-  }
-}

lib/browser/api/app.ts

@@ -41,7 +41,8 @@ Object.assign(app, {
   commandLine: {
     hasSwitch: (theSwitch: string) => commandLine.hasSwitch(String(theSwitch)),
     getSwitchValue: (theSwitch: string) => commandLine.getSwitchValue(String(theSwitch)),
-    appendSwitch: (theSwitch: string, value?: string) => commandLine.appendSwitch(String(theSwitch), typeof value === 'undefined' ? value : String(value)),
+    appendSwitch: (theSwitch: string, value?: string) =>
+      commandLine.appendSwitch(String(theSwitch), typeof value === 'undefined' ? value : String(value)),
     appendArgument: (arg: string) => commandLine.appendArgument(String(arg)),
     removeSwitch: (theSwitch: string) => commandLine.removeSwitch(String(theSwitch))
   } as Electron.CommandLine
@@ -50,10 +51,10 @@ Object.assign(app, {
 // we define this here because it'd be overly complicated to
 // do in native land
 Object.defineProperty(app, 'applicationMenu', {
-  get () {
+  get() {
     return Menu.getApplicationMenu();
   },
-  set (menu: Electron.Menu | null) {
+  set(menu: Electron.Menu | null) {
     return Menu.setApplicationMenu(menu);
   }
 });
@@ -116,17 +117,22 @@ for (const name of events) {
 }
 
 app._clientCertRequestPasswordHandler = null;
-app.setClientCertRequestPasswordHandler = function (handler: (params: Electron.ClientCertRequestParams) => Promise<string>) {
+app.setClientCertRequestPasswordHandler = function (
+  handler: (params: Electron.ClientCertRequestParams) => Promise<string>
+) {
   app._clientCertRequestPasswordHandler = handler;
 };
 
-app.on('-client-certificate-request-password', async (event: Electron.Event<Electron.ClientCertRequestParams>, callback: (password: string) => void) => {
-  event.preventDefault();
-  const { hostname, tokenName, isRetry } = event;
-  if (!app._clientCertRequestPasswordHandler) {
-    callback('');
-    return;
+app.on(
+  '-client-certificate-request-password',
+  async (event: Electron.Event<Electron.ClientCertRequestParams>, callback: (password: string) => void) => {
+    event.preventDefault();
+    const { hostname, tokenName, isRetry } = event;
+    if (!app._clientCertRequestPasswordHandler) {
+      callback('');
+      return;
+    }
+    const password = await app._clientCertRequestPasswordHandler({ hostname, tokenName, isRetry });
+    callback(password);
   }
-  const password = await app._clientCertRequestPasswordHandler({ hostname, tokenName, isRetry });
-  callback(password);
-});
+);

lib/browser/api/auto-updater/auto-updater-msix.ts

@@ -135,7 +135,7 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
   allowAnyVersion: boolean = false;
 
   // Private: Validate that the URL points to an MSIX file (following redirects)
-  private async validateMsixUrl (url: string): Promise<void> {
+  private async validateMsixUrl(url: string): Promise<void> {
     try {
       // Make a HEAD request to follow redirects and get the final URL
       const response = await net.fetch(url, {
@@ -153,7 +153,9 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
       const hasMsixExtension = pathname.endsWith('.msix') || pathname.endsWith('.msixbundle');
 
       if (!hasMsixExtension) {
-        throw new Error(`Update URL does not point to an MSIX file. Expected .msix or .msixbundle extension, got final URL: ${finalUrl}`);
+        throw new Error(
+          `Update URL does not point to an MSIX file. Expected .msix or .msixbundle extension, got final URL: ${finalUrl}`
+        );
       }
     } catch (error) {
       if (error instanceof TypeError) {
@@ -164,7 +166,7 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
   }
 
   // Private: Check if URL is a direct MSIX file (following redirects)
-  private async isDirectMsixUrl (url: string, emitError: boolean = false): Promise<boolean> {
+  private async isDirectMsixUrl(url: string, emitError: boolean = false): Promise<boolean> {
     try {
       await this.validateMsixUrl(url);
       return true;
@@ -178,12 +180,12 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
 
   // Supports both  versioning (x.y.z) and Windows version format (x.y.z.a)
   // Returns: 1 if v1 > v2, -1 if v1 < v2, 0 if v1 === v2
-  private compareVersions (v1: string, v2: string): number {
-    const parts1 = v1.split('.').map(part => {
+  private compareVersions(v1: string, v2: string): number {
+    const parts1 = v1.split('.').map((part) => {
       const parsed = parseInt(part, 10);
       return isNaN(parsed) ? 0 : parsed;
     });
-    const parts2 = v2.split('.').map(part => {
+    const parts2 = v2.split('.').map((part) => {
       const parsed = parseInt(part, 10);
       return isNaN(parsed) ? 0 : parsed;
     });
@@ -203,9 +205,12 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
 
   // Private: Parse the static releases array format
   // This is a static JSON file containing all releases
-  private parseStaticReleasFile (json: any, currentVersion: string): { ok: boolean; available: boolean; url?: string; name?: string; notes?: string; pub_date?: string } {
+  private parseStaticReleasFile(
+    json: any,
+    currentVersion: string
+  ): { ok: boolean; available: boolean; url?: string; name?: string; notes?: string; pub_date?: string } {
     if (!Array.isArray(json.releases) || !json.currentRelease || typeof json.currentRelease !== 'string') {
-      this.emitError(new Error('Invalid releases format. Expected \'releases\' array and \'currentRelease\' string.'));
+      this.emitError(new Error("Invalid releases format. Expected 'releases' array and 'currentRelease' string."));
       return { ok: false, available: false };
     }
 
@@ -234,14 +239,18 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
     const releaseEntry = json.releases.find((r: any) => r.version === currentReleaseVersion);
 
     if (!releaseEntry || !releaseEntry.updateTo) {
-      this.emitError(new Error(`Release entry for version '${currentReleaseVersion}' not found or missing 'updateTo' property.`));
+      this.emitError(
+        new Error(`Release entry for version '${currentReleaseVersion}' not found or missing 'updateTo' property.`)
+      );
       return { ok: false, available: false };
     }
 
     const updateTo = releaseEntry.updateTo;
 
     if (!updateTo.url) {
-      this.emitError(new Error(`Invalid release entry. 'updateTo.url' is missing for version ${currentReleaseVersion}.`));
+      this.emitError(
+        new Error(`Invalid release entry. 'updateTo.url' is missing for version ${currentReleaseVersion}.`)
+      );
       return { ok: false, available: false };
     }
 
@@ -255,15 +264,22 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
     };
   }
 
-  private parseDynamicReleasFile (json: any): { ok: boolean; available: boolean; url?: string; name?: string; notes?: string; pub_date?: string } {
+  private parseDynamicReleasFile(json: any): {
+    ok: boolean;
+    available: boolean;
+    url?: string;
+    name?: string;
+    notes?: string;
+    pub_date?: string;
+  } {
     if (!json.url) {
-      this.emitError(new Error('Invalid releases format. Expected \'url\' string property.'));
+      this.emitError(new Error("Invalid releases format. Expected 'url' string property."));
       return { ok: false, available: false };
     }
     return { ok: true, available: true, url: json.url, name: json.name, notes: json.notes, pub_date: json.pub_date };
   }
 
-  private async fetchSquirrelJson (url: string) {
+  private async fetchSquirrelJson(url: string) {
     const headers: Record<string, string> = {
       ...this.updateHeaders,
       Accept: 'application/json' // Always set Accept header, overriding any user-provided Accept
@@ -299,8 +315,8 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
     }
   }
 
-  private async getUpdateInfo (url: string): Promise<UpdateInfo> {
-    if (url && await this.isDirectMsixUrl(url)) {
+  private async getUpdateInfo(url: string): Promise<UpdateInfo> {
+    if (url && (await this.isDirectMsixUrl(url))) {
       return { ok: true, available: true, updateUrl: url, releaseDate: new Date() };
     } else {
       const updateJson = await this.fetchSquirrelJson(url);
@@ -321,7 +337,7 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
         const releaseName = updateJson.name ?? '';
         releaseDate = releaseDate ?? new Date();
 
-        if (!await this.isDirectMsixUrl(updateUrl, true)) {
+        if (!(await this.isDirectMsixUrl(updateUrl, true))) {
           return { ok: false };
         } else {
           return {
@@ -337,11 +353,11 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
     }
   }
 
-  getFeedURL () {
+  getFeedURL() {
     return this.updateURL ?? '';
   }
 
-  setFeedURL (options: { url: string; headers?: Record<string, string>; allowAnyVersion?: boolean } | string) {
+  setFeedURL(options: { url: string; headers?: Record<string, string>; allowAnyVersion?: boolean } | string) {
     let updateURL: string;
     let headers: Record<string, string> | undefined;
     let allowAnyVersion: boolean | undefined;
@@ -351,23 +367,23 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
         headers = options.headers;
         allowAnyVersion = options.allowAnyVersion;
       } else {
-        throw new TypeError('Expected options object to contain a \'url\' string property in setFeedUrl call');
+        throw new TypeError("Expected options object to contain a 'url' string property in setFeedUrl call");
       }
     } else if (typeof options === 'string') {
       updateURL = options;
     } else {
-      throw new TypeError('Expected an options object with a \'url\' property to be provided');
+      throw new TypeError("Expected an options object with a 'url' property to be provided");
     }
     this.updateURL = updateURL;
     this.updateHeaders = headers ?? null;
     this.allowAnyVersion = allowAnyVersion ?? false;
   }
 
-  getPackageInfo (): MSIXPackageInfo {
+  getPackageInfo(): MSIXPackageInfo {
     return msixUpdate.getPackageInfo() as MSIXPackageInfo;
   }
 
-  async checkForUpdates () {
+  async checkForUpdates() {
     const url = this.updateURL;
     if (!url) {
       return this.emitError(new Error('Update URL is not set'));
@@ -382,7 +398,11 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
     // If appInstallerUri is set, Windows App Installer manages updates automatically
     // Prevent updates here to avoid conflicts
     if (packageInfo.appInstallerUri) {
-      return this.emitError(new Error('Auto-updates are managed by Windows App Installer. Updates are not allowed when installed via Application Manifest.'));
+      return this.emitError(
+        new Error(
+          'Auto-updates are managed by Windows App Installer. Updates are not allowed when installed via Application Manifest.'
+        )
+      );
     }
 
     this.emit('checking-for-update');
@@ -405,18 +425,26 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
           forceUpdateFromAnyVersion: this.allowAnyVersion
         } as UpdateMsixOptions);
 
-        this.emit('update-downloaded', {}, msixUrlInfo.releaseNotes, msixUrlInfo.releaseName, msixUrlInfo.releaseDate, msixUrlInfo.updateUrl, () => {
-          this.quitAndInstall();
-        });
+        this.emit(
+          'update-downloaded',
+          {},
+          msixUrlInfo.releaseNotes,
+          msixUrlInfo.releaseName,
+          msixUrlInfo.releaseDate,
+          msixUrlInfo.updateUrl,
+          () => {
+            this.quitAndInstall();
+          }
+        );
       }
     } catch (error) {
       this.emitError(error as Error);
     }
   }
 
-  async quitAndInstall () {
+  async quitAndInstall() {
     if (!this.updateAvailable) {
-      this.emitError(new Error('No update available, can\'t quit and install'));
+      this.emitError(new Error("No update available, can't quit and install"));
       app.quit();
       return;
     }
@@ -441,7 +469,7 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
 
   // Private: Emit both error object and message, this is to keep compatibility
   // with Old APIs.
-  emitError (error: Error) {
+  emitError(error: Error) {
     this.emit('error', error, error.message);
   }
 }

lib/browser/api/auto-updater/auto-updater-win.ts

@@ -8,40 +8,40 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
   updateAvailable: boolean = false;
   updateURL: string | null = null;
 
-  quitAndInstall () {
+  quitAndInstall() {
     if (!this.updateAvailable) {
-      return this.emitError(new Error('No update available, can\'t quit and install'));
+      return this.emitError(new Error("No update available, can't quit and install"));
     }
     squirrelUpdate.processStart();
     app.quit();
   }
 
-  getFeedURL () {
+  getFeedURL() {
     return this.updateURL ?? '';
   }
 
-  getPackageInfo () {
+  getPackageInfo() {
     // Squirrel-based Windows apps don't have MSIX package information
     return undefined;
   }
 
-  setFeedURL (options: { url: string } | string) {
+  setFeedURL(options: { url: string } | string) {
     let updateURL: string;
     if (typeof options === 'object') {
       if (typeof options.url === 'string') {
         updateURL = options.url;
       } else {
-        throw new TypeError('Expected options object to contain a \'url\' string property in setFeedUrl call');
+        throw new TypeError("Expected options object to contain a 'url' string property in setFeedUrl call");
       }
     } else if (typeof options === 'string') {
       updateURL = options;
     } else {
-      throw new TypeError('Expected an options object with a \'url\' property to be provided');
+      throw new TypeError("Expected an options object with a 'url' property to be provided");
     }
     this.updateURL = updateURL;
   }
 
-  async checkForUpdates () {
+  async checkForUpdates() {
     const url = this.updateURL;
     if (!url) {
       return this.emitError(new Error('Update URL is not set'));
@@ -72,7 +72,7 @@ class AutoUpdater extends EventEmitter implements Electron.AutoUpdater {
 
   // Private: Emit both error object and message, this is to keep compatibility
   // with Old APIs.
-  emitError (error: Error) {
+  emitError(error: Error) {
     this.emit('error', error, error.message);
   }
 }

lib/browser/api/auto-updater/msix-update-win.ts

@@ -1,4 +1,5 @@
-const { updateMsix, registerPackage, registerRestartOnUpdate, getPackageInfo } =
-  process._linkedBinding('electron_browser_msix_updater');
+const { updateMsix, registerPackage, registerRestartOnUpdate, getPackageInfo } = process._linkedBinding(
+  'electron_browser_msix_updater'
+);
 
 export { updateMsix, registerPackage, registerRestartOnUpdate, getPackageInfo };

lib/browser/api/auto-updater/squirrel-update-win.ts

@@ -34,8 +34,12 @@ const spawnUpdate = async function (args: string[], options: { detached: boolean
     let stdout = '';
     let stderr = '';
 
-    spawnedProcess.stdout.on('data', (data) => { stdout += data; });
-    spawnedProcess.stderr.on('data', (data) => { stderr += data; });
+    spawnedProcess.stdout.on('data', (data) => {
+      stdout += data;
+    });
+    spawnedProcess.stderr.on('data', (data) => {
+      stderr += data;
+    });
 
     spawnedProcess.on('error', (error) => {
       spawnedProcess = undefined;
@@ -59,12 +63,12 @@ const spawnUpdate = async function (args: string[], options: { detached: boolean
 };
 
 // Start an instance of the installed app.
-export function processStart () {
+export function processStart() {
   spawnUpdate(['--processStartAndWait', exeName], { detached: true });
 }
 
 // Download the releases specified by the URL and write new results to stdout.
-export async function checkForUpdate (updateURL: string): Promise<any> {
+export async function checkForUpdate(updateURL: string): Promise<any> {
   const stdout = await spawnUpdate(['--checkForUpdate', updateURL], { detached: false });
   try {
     // Last line of output is the JSON details about the releases
@@ -76,12 +80,12 @@ export async function checkForUpdate (updateURL: string): Promise<any> {
 }
 
 // Update the application to the latest remote version specified by URL.
-export async function update (updateURL: string): Promise<void> {
+export async function update(updateURL: string): Promise<void> {
   await spawnUpdate(['--update', updateURL], { detached: false });
 }
 
 // Is the Update.exe installed with the current application?
-export function supported () {
+export function supported() {
   try {
     fs.accessSync(updateExe, fs.constants.R_OK);
     return true;

lib/browser/api/base-window.ts

@@ -25,88 +25,156 @@ BaseWindow.prototype.setTouchBar = function (touchBar) {
 // Properties
 
 Object.defineProperty(BaseWindow.prototype, 'autoHideMenuBar', {
-  get: function () { return this.isMenuBarAutoHide(); },
-  set: function (autoHide) { this.setAutoHideMenuBar(autoHide); }
+  get: function () {
+    return this.isMenuBarAutoHide();
+  },
+  set: function (autoHide) {
+    this.setAutoHideMenuBar(autoHide);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'visibleOnAllWorkspaces', {
-  get: function () { return this.isVisibleOnAllWorkspaces(); },
-  set: function (visible) { this.setVisibleOnAllWorkspaces(visible); }
+  get: function () {
+    return this.isVisibleOnAllWorkspaces();
+  },
+  set: function (visible) {
+    this.setVisibleOnAllWorkspaces(visible);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'fullScreen', {
-  get: function () { return this.isFullScreen(); },
-  set: function (full) { this.setFullScreen(full); }
+  get: function () {
+    return this.isFullScreen();
+  },
+  set: function (full) {
+    this.setFullScreen(full);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'simpleFullScreen', {
-  get: function () { return this.isSimpleFullScreen(); },
-  set: function (simple) { this.setSimpleFullScreen(simple); }
+  get: function () {
+    return this.isSimpleFullScreen();
+  },
+  set: function (simple) {
+    this.setSimpleFullScreen(simple);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'focusable', {
-  get: function () { return this.isFocusable(); },
-  set: function (focusable) { this.setFocusable(focusable); }
+  get: function () {
+    return this.isFocusable();
+  },
+  set: function (focusable) {
+    this.setFocusable(focusable);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'kiosk', {
-  get: function () { return this.isKiosk(); },
-  set: function (kiosk) { this.setKiosk(kiosk); }
+  get: function () {
+    return this.isKiosk();
+  },
+  set: function (kiosk) {
+    this.setKiosk(kiosk);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'documentEdited', {
-  get: function () { return this.isDocumentEdited(); },
-  set: function (edited) { this.setDocumentEdited(edited); }
+  get: function () {
+    return this.isDocumentEdited();
+  },
+  set: function (edited) {
+    this.setDocumentEdited(edited);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'shadow', {
-  get: function () { return this.hasShadow(); },
-  set: function (shadow) { this.setHasShadow(shadow); }
+  get: function () {
+    return this.hasShadow();
+  },
+  set: function (shadow) {
+    this.setHasShadow(shadow);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'representedFilename', {
-  get: function () { return this.getRepresentedFilename(); },
-  set: function (filename) { this.setRepresentedFilename(filename); }
+  get: function () {
+    return this.getRepresentedFilename();
+  },
+  set: function (filename) {
+    this.setRepresentedFilename(filename);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'minimizable', {
-  get: function () { return this.isMinimizable(); },
-  set: function (min) { this.setMinimizable(min); }
+  get: function () {
+    return this.isMinimizable();
+  },
+  set: function (min) {
+    this.setMinimizable(min);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'title', {
-  get: function () { return this.getTitle(); },
-  set: function (title) { this.setTitle(title); }
+  get: function () {
+    return this.getTitle();
+  },
+  set: function (title) {
+    this.setTitle(title);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'maximizable', {
-  get: function () { return this.isMaximizable(); },
-  set: function (max) { this.setMaximizable(max); }
+  get: function () {
+    return this.isMaximizable();
+  },
+  set: function (max) {
+    this.setMaximizable(max);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'resizable', {
-  get: function () { return this.isResizable(); },
-  set: function (res) { this.setResizable(res); }
+  get: function () {
+    return this.isResizable();
+  },
+  set: function (res) {
+    this.setResizable(res);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'menuBarVisible', {
-  get: function () { return this.isMenuBarVisible(); },
-  set: function (visible) { this.setMenuBarVisibility(visible); }
+  get: function () {
+    return this.isMenuBarVisible();
+  },
+  set: function (visible) {
+    this.setMenuBarVisibility(visible);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'fullScreenable', {
-  get: function () { return this.isFullScreenable(); },
-  set: function (full) { this.setFullScreenable(full); }
+  get: function () {
+    return this.isFullScreenable();
+  },
+  set: function (full) {
+    this.setFullScreenable(full);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'closable', {
-  get: function () { return this.isClosable(); },
-  set: function (close) { this.setClosable(close); }
+  get: function () {
+    return this.isClosable();
+  },
+  set: function (close) {
+    this.setClosable(close);
+  }
 });
 
 Object.defineProperty(BaseWindow.prototype, 'movable', {
-  get: function () { return this.isMovable(); },
-  set: function (move) { this.setMovable(move); }
+  get: function () {
+    return this.isMovable();
+  },
+  set: function (move) {
+    this.setMovable(move);
+  }
 });
 
 BaseWindow.getFocusedWindow = () => {

lib/browser/api/browser-view.ts

@@ -1,4 +1,11 @@
-import { BrowserWindow, AutoResizeOptions, Rectangle, WebContentsView, WebPreferences, WebContents } from 'electron/main';
+import {
+  BrowserWindow,
+  AutoResizeOptions,
+  Rectangle,
+  WebContentsView,
+  WebPreferences,
+  WebContents
+} from 'electron/main';
 
 const v8Util = process._linkedBinding('electron_common_v8_util');
 
@@ -10,10 +17,10 @@ export default class BrowserView {
 
   // AutoResize state
   #resizeListener: ((...args: any[]) => void) | null = null;
-  #lastWindowSize: {width: number, height: number} = { width: 0, height: 0 };
+  #lastWindowSize: { width: number; height: number } = { width: 0, height: 0 };
   #autoResizeFlags: AutoResizeOptions = {};
 
-  constructor (options: {webPreferences: WebPreferences, webContents?: WebContents} = { webPreferences: {} }) {
+  constructor(options: { webPreferences: WebPreferences; webContents?: WebContents } = { webPreferences: {} }) {
     const { webPreferences = {}, webContents } = options;
     if (webContents) {
       v8Util.setHiddenValue(webPreferences, 'webContents', webContents);
@@ -25,21 +32,21 @@ export default class BrowserView {
     this.#webContentsView.webContents.once('destroyed', this.#destroyListener);
   }
 
-  get webContents () {
+  get webContents() {
     return this.#webContentsView.webContents;
   }
 
-  setBounds (bounds: Rectangle) {
+  setBounds(bounds: Rectangle) {
     this.#webContentsView.setBounds(bounds);
     this.#autoHorizontalProportion = null;
     this.#autoVerticalProportion = null;
   }
 
-  getBounds () {
+  getBounds() {
     return this.#webContentsView.getBounds();
   }
 
-  setAutoResize (options: AutoResizeOptions) {
+  setAutoResize(options: AutoResizeOptions) {
     if (options == null || typeof options !== 'object') {
       throw new Error('Invalid auto resize options');
     }
@@ -55,19 +62,19 @@ export default class BrowserView {
     this.#autoVerticalProportion = null;
   }
 
-  setBackgroundColor (color: string) {
+  setBackgroundColor(color: string) {
     this.#webContentsView.setBackgroundColor(color);
   }
 
   // Internal methods
-  get ownerWindow (): BrowserWindow | null {
+  get ownerWindow(): BrowserWindow | null {
     return this.#ownerWindow;
   }
 
   // We can't rely solely on the webContents' owner window because
   // a webContents can be closed by the user while the BrowserView
   // remains alive and attached to a BrowserWindow.
-  set ownerWindow (w: BrowserWindow | null) {
+  set ownerWindow(w: BrowserWindow | null) {
     this.#removeResizeListener();
 
     if (this.webContents && !this.webContents.isDestroyed()) {
@@ -77,7 +84,7 @@ export default class BrowserView {
     this.#ownerWindow = w;
     if (w) {
       this.#lastWindowSize = w.getBounds();
-      w.on('resize', this.#resizeListener = this.#autoResize.bind(this));
+      w.on('resize', (this.#resizeListener = this.#autoResize.bind(this)));
       w.on('closed', () => {
         this.#removeResizeListener();
         this.#ownerWindow = null;
@@ -86,25 +93,25 @@ export default class BrowserView {
     }
   }
 
-  #onDestroy () {
+  #onDestroy() {
     // Ensure that if #webContentsView's webContents is destroyed,
     // the WebContentsView is removed from the view hierarchy.
     this.#ownerWindow?.contentView.removeChildView(this.webContentsView);
   }
 
-  #removeResizeListener () {
+  #removeResizeListener() {
     if (this.#ownerWindow && this.#resizeListener) {
       this.#ownerWindow.off('resize', this.#resizeListener);
       this.#resizeListener = null;
     }
   }
 
-  #autoHorizontalProportion: {width: number, left: number} | null = null;
-  #autoVerticalProportion: {height: number, top: number} | null = null;
-  #autoResize () {
+  #autoHorizontalProportion: { width: number; left: number } | null = null;
+  #autoVerticalProportion: { height: number; top: number } | null = null;
+  #autoResize() {
     if (!this.ownerWindow) {
       throw new Error('Electron bug: #autoResize called without owner window');
-    };
+    }
 
     if (this.#autoResizeFlags.horizontal && this.#autoHorizontalProportion == null) {
       const viewBounds = this.#webContentsView.getBounds();
@@ -158,7 +165,7 @@ export default class BrowserView {
     };
   }
 
-  get webContentsView () {
+  get webContentsView() {
     return this.#webContentsView;
   }
 }

lib/browser/api/browser-window.ts

@@ -40,10 +40,14 @@ BrowserWindow.prototype._init = function (this: BWT) {
   let unresponsiveEvent: NodeJS.Timeout | null = null;
   const emitUnresponsiveEvent = () => {
     unresponsiveEvent = null;
-    if (!this.isDestroyed() && this.isEnabled()) { this.emit('unresponsive'); }
+    if (!this.isDestroyed() && this.isEnabled()) {
+      this.emit('unresponsive');
+    }
   };
   this.webContents.on('unresponsive', () => {
-    if (!unresponsiveEvent) { unresponsiveEvent = setTimeout(emitUnresponsiveEvent, 50); }
+    if (!unresponsiveEvent) {
+      unresponsiveEvent = setTimeout(emitUnresponsiveEvent, 50);
+    }
   });
   this.webContents.on('responsive', () => {
     if (unresponsiveEvent) {
@@ -83,16 +87,16 @@ BrowserWindow.prototype._init = function (this: BWT) {
   this._browserViews = [];
 
   this.on('closed', () => {
-    this._browserViews.forEach(b => b.webContents?.close({ waitForBeforeUnload: true }));
+    this._browserViews.forEach((b) => b.webContents?.close({ waitForBeforeUnload: true }));
   });
 
   // Notify the creation of the window.
-  app.emit('browser-window-created', { preventDefault () {} }, this);
+  app.emit('browser-window-created', { preventDefault() {} }, this);
 
   Object.defineProperty(this, 'devToolsWebContents', {
     enumerable: true,
     configurable: false,
-    get () {
+    get() {
       return this.webContents.devToolsWebContents;
     }
   });
@@ -104,7 +108,7 @@ const isBrowserWindow = (win: any) => {
 
 BrowserWindow.fromId = (id: number) => {
   const win = BaseWindow.fromId(id);
-  return isBrowserWindow(win) ? win as any as BWT : null;
+  return isBrowserWindow(win) ? (win as any as BWT) : null;
 };
 
 BrowserWindow.getAllWindows = () => {
@@ -214,10 +218,12 @@ BrowserWindow.prototype.addBrowserView = function (browserView: BrowserView) {
 };
 
 BrowserWindow.prototype.setBrowserView = function (browserView: BrowserView) {
-  this._browserViews.forEach(bv => {
+  this._browserViews.forEach((bv) => {
     this.removeBrowserView(bv);
   });
-  if (browserView) { this.addBrowserView(browserView); }
+  if (browserView) {
+    this.addBrowserView(browserView);
+  }
 };
 
 BrowserWindow.prototype.removeBrowserView = function (browserView: BrowserView) {