I noticed today that most Electron-based apps I have installed on my Mac don’t use the latest version of Electron, but what was more shocking was that Mullvad, Proton Pass, and FreeTube were all using an end-of-life version. How concerned should we be about this?
It largely depends on the app. I would say it’s concerning for things that display or handle untrusted user content. Mullvad, for example, should really only be showing static content shipped with the app (AFAIK), so it’s not really as big of a deal. FreeTube is rendering media uploaded by random users, so I would personally be just as concerned about this as about using an outdated version of Chrome, or potentially even more so.
Luckily, for PeerTube specifically, I think YouTube should be re-encoding videos between upload and download, which would probably break any exploits in the videos themselves. But you need a lot of trust in that process, and there are probably other attack vectors that could be used, so I personally don’t think that helps mitigate the situation much.
I wonder if other people feel the same? Can anyone speak to this at all? I think it’s an important point of discussion considering the fact that we currently recommend FreeTube as a frontend.
You can install the FreeTube nightly build, which uses an updated Electron version.