Still supported?

Question

Still supported?

cpgb85 opened this issue 2 years ago · 7 comments

This hasn't been updated in 8 months, is this active anymore?

I'm not sure why electron insists creating files and folders is bad, almost every program does it.

Answer 1 · 2022-11-14T18:42:38.000Z

The package isn't actively being developed, although I think a few of us follow the issue tracker and try to address problems with usage. This module was meant as a bridge for apps to gradually migrate off of the the remote module.

I'm not sure why electron insists creating files and folders is bad, almost every program does it.

What do you mean by this?

Answer 2 · 2022-11-14T18:57:07.000Z

What do you mean by this?

The reason remote was removed to begin with, is they didn't want you to create files and folders from the browser window. I guess I'm confused as to why this is such a terrible thing.

I tried going with straight up electron on the past, communicating between all these different layers is terrible and cumbersome.

Do you have any suggestions on how I should create a file or folder without having to go through 3 different event listeners?

I need a user to be able to select a working directory, this package made it so convenient for me.

Answer 3 · 2022-11-14T18:59:04.000Z

The reason remote was removed to begin with, is they didn't want you to create files and folders from the browser window. I guess I'm confused as to why this is such a terrible thing.

This is not true. Remote was removed because it is insecure and inherently unsafe

Do you have any suggestions on how I should create a file or folder without having to go through 3 different event listeners?

If your apps security model allows for it you can turn off contextIsolation and enable nodeIntegration, then just do whatever you want from the renderer. The correct / safe way to do it is to use contextBridge + ipc invoke/handle but it's up to you how to implement it.

Answer 4 · 2022-11-14T19:02:32.000Z

This is part of my problem. everybody seems to just keep saying "insecure and unsafe" without describing how this is the case. What is unsafe about this?

Answer 5 · 2022-11-14T19:03:47.000Z

Here was the impetus for this change back in 2019:

Blog post/conf talk: https://nornagon.medium.com/electrons-remote-module-considered-harmful-70d69500f31
GitHub issue: electron/electron#21408
From security researchers: https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html

Answer 6 · 2022-11-14T19:12:20.000Z

So basically some people theorized this could be the case, so our lives got more difficult as a result.

Answer 7 · 2022-11-14T19:32:16.000Z

I don't pretend to also be a security expert, but I don't get why it matters running these processes int he window, or in a round about way in the background. They both achieve the same thing in the end, one is just more simple.