Get the top HN stories in your inbox every day.
butz
waitwhatwhoa
We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)
1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron
captn3m0
I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.
I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.
nicoburns
I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.
nolist_policy
Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.
no-name-here
I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.
Filligree
The last one. It would make sense to have a sandbox system, but they don’t.
josefx
Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?
stingraycharles
Isn’t the threat model for these desktop apps entirely different?
panzi
Just wanted to write the same comment!
dataflow
> Why does Chromium version lag matter?
> users are exposed to known, already-patched security vulnerabilities
Then why only focus on major versions? Don't minor versions/revisions have security fixes?
xeeeeeeeeeeenu
Yes and also stable isn't the only maintained branch of Chromium, there's also extended stable (currently 146.x). LTS exists too (144.x), but I believe it's meant only for ChromeOS.
crashingintoyou
The Vivaldi build I have locally explicitly mentions "Extended Stable channel (may also include additional security patches)" on its "About" page.
uxjw
The most recent updates says it includes the 147 security fixes too "[Chromium] Update to 146.0.7680.218 ESR (includes security fixes from 147.0.7727.137/138)" https://vivaldi.com/blog/desktop/minor-update-eight-7-9/
port11
The website does seem fairly misleading, if you and GP are correct.
superjan
In a perfect world, there would be a stable version of chrome, that would get fixes, but would crucially not get the new features that introduce new vulnerabilities. Not a fun job, I know, but with today’s coding agents it wouldn’t even be an unreasonable ask.
yawndex
In defense of Vivaldi, it is actually up to date, just on the Extended Stable cycle: https://chromiumdash.appspot.com/releases?platform=Mac
https://chromium.googlesource.com/chromium/src.git/+/main/do...
quantumleaper
Cool idea, but without longer-term tracking of how long each browser lags for each Chromium release, it's hard to draw any meaningful conclusions. It's also clear that in the case of major vulnerabilities, vendors would fast-track adoption of the patch.
I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.
[1] https://chromium.googlesource.com/chromium/src/+/f97d14f8a0a...
dopa42365
More like 4 weeks than 2.
quantumleaper
You are right, I misremembered this announcement [1]. They are switching from a 4-week to a 2-week release schedule this September.
[1] https://developer.chrome.com/blog/chrome-two-week-release
pimlottc
Please don’t use green/red schemes, it’s the most common form of colorblindness and it’s especially bad with such pale shades.
sgtlaggy
On the topic of accessibility, the contrast of the text in the "up to date" bubbles is very low. I can barely see the yellow one, let alone read it without significant eye strain.
Firefox's dev tools have an Accessibility tab where you can see warnings about low contrast and simulate different forms of color blindness.
xandrius
It has text supporting the color, so it's fine.
richwater
Some of the text is undereadable on the background.
skaul
Thanks, fixed now.
shooly
Red/green is the most common way to show bad/good, error/success, etc.
Using any other color scheme would just confuse everyone instead of only colorblind people... how would that be any better?
ccouzens
It would be good if Samsung browser were listed. It has about 10% market share of chromium browsers and is on version 136. It sticks to one version for months at a time and then jumps several versions. Going by historical data it's due for another jump soon.
UberFly
This is somewhat useful, but I know for instance that Vivaldi is often one version behind for the sake of stability, but also will also release incremental security updates in the period before major version updates.
mm263
Please add Helium
wswin
and Ungoogled Chromium
dotcoma
Helium rocks!
ece
qutebrowser would be nice too.
dismalaf
Why is Vivaldi listed as behind when it's on the extended stable branch, which is a maintained branch?
Also, aside from that, it also perpetuates a silly idea that's popular in tech which is that security patches can't be backported or added by someone who forks software.
Like, the founder of Brave is one of the OG Mozilla guys, founder of Vivaldi did Opera, Edge is MS... These aren't dumb teams.
dizhn
The page says old chromium means insecure. Isn't anybody backporting fixes anymore?
mistrial9
"your browser is no longer supported" is just so terribly useful, for so many ..
Retr0id
Is "uptodown" really the canonical download page for Comet?
A point-in-time view is interesting but it's less useful than a graph over time.
Would be fun to add the version shipped in LG smart TVs (hint: it's ancient)
skaul
It's not but given that Perplexity doesn't have an API and blocks automated downloads, I'm not sure what else to use. Explained in the docs: https://github.com/ShivanKaul/chromium-drift/blob/main/docs/...
Retr0id
How does comet update itself?
Edit: approximately like so:
curl -sS -X POST -H 'Content-Type: application/json' -d '{"request":{"protocol":"4.0","updater":"CometUpdater","updaterversion":"0","os":{"platform":"win","version":"10","arch":"x64"},"apps":[{"appid":"{42e10078-e377-4166-965f-c14ad958a146}","version":"0.0.0.0","updatechecks":[{}]}]}}' https://www.perplexity.ai/rest/browser/update2 | sed "s/^)]}'//" | jq -r '.response.apps[0].updatecheck.nextversion'Retr0id
fwiw this should work the same for just about all chromium forks - protocol is documented here: https://github.com/chromium/chromium/blob/6eb6252d5671bca378...
undefined
darkwater
I use Firefox, btw
ciupicri
Firefox has its own forks, by the way: GNU IceWeasel → IceCat, LibreWolf etc.
xethos
Fennec, for Android too. The unfortunate part is that it doesn't (by default, on F-Droid) use Firefox Beta - meaning custom extension packs can't be used
This matters for things like Redirector (www.reddit -> old.reddit), Greasemonkey (hckrnews dark theme), and (for my keyboard-equipped Android) Vimium
Get the top HN stories in your inbox every day.
I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.