Electron 33 → 39 upgrade blocked by better-sqlite3 ABI (defer to v0.1.x or v0.2)

[hqhq1025]

Status

Deferred. PR #103 attempted Electron 33.2.1 → 39.8.x and was closed because better-sqlite3@11.10.0 ships no prebuilt for Electron 39's Node ABI on darwin-arm64.

What this fixes when done

17 dependabot Electron alerts (4 high, 12 medium, 1 low):

• 4 high: use-after-free in PowerMonitor / WebContents permission callbacks / offscreen child window paint / renderer command-line switch injection
• Others: AppleScript injection, IPC spoofing, origin permission scoping, etc.

Plus brings Chromium from 130 → 142, unlocking newer CSS (@scope, @container, anchor positioning, text-wrap: balance mature) — relevant for our generated artifacts.

Three solutions, pick one when picking back up

A. Wait for better-sqlite3 upstream

Watch https://github.com/WiseLibs/better-sqlite3/releases for an Electron-39 prebuild. Zero work when it ships. Cost: indefinite delay.

B. Source-compile via @electron/rebuild postinstall

Replace prebuild-install path in apps/desktop/scripts/install-sqlite-bindings.cjs with a compile step. Cost: every dev install now needs Python + node-gyp + Xcode CLT; first install slow (~60s); brittle on user machines.

C. Switch to node:sqlite (Node 22.5+ built-in)

Rewrite apps/desktop/src/main/snapshots-db.ts to use Node's built-in sqlite module. Cost: ~50 LOC change; some sqlite behavior microdiffs to verify; no native binding ABI problem ever again.

Recommendation: C when revisiting. Pre-1.0 (pre-release), the cleanup pays off forever. Persistence is core; we want it to stop being a versioning hot zone.

Trigger to revisit

• Targeting v0.2 release publicly OR
• A specific high CVE becomes exploitable in our threat model OR
• We want a Chromium 142+ CSS feature for generated artifacts (e.g. anchor positioning for popovers/tooltips)

Hard constraint

Whichever option ships, must NOT use Electron 41.x — CLAUDE.md ban (cross-origin isolation regression).

Related

• PR chore(deps): bump electron 33 → 39 (PR-A: dependency bump only) #103 (closed, 2026-04-19): the bump-only PR that surfaced the blocker
• PR fix(desktop): dual-ABI prebuilt for better-sqlite3 (Node + Electron) #96: dual-ABI postinstall infrastructure that this work would replace
• PR chore(deps): bump happy-dom to fix 6 security advisories #98: happy-dom security upgrade (separate dev-only fix that already landed)

[github-actions]

Thanks for documenting this so clearly.

What I can verify from the current codebase is:

• Desktop is still pinned to Electron 33 (^33.2.1 in package.json; lock currently resolves to 33.4.11).
• Snapshot persistence is still built around better-sqlite3 with runtime-specific native bindings selected at startup.
• The postinstall path currently downloads prebuilt binaries via prebuild-install for Node/Electron ABIs; there is no source-compile fallback in that script.
• CLAUDE.md still explicitly bans Electron 41.x.

Given that this repo is still in pre-alpha/v0.x, we should keep expectations aligned that some roadmap items are tracked but not fully implemented yet.

Relevant code:

• apps/desktop/package.json:43 — Electron dependency (^33.2.1)
• pnpm-lock.yaml:7284 — lockfile currently at electron@33.4.11
• apps/desktop/package.json:27 — better-sqlite3 dependency
• apps/desktop/package.json:8 — postinstall uses install-sqlite-bindings.cjs
• apps/desktop/scripts/install-sqlite-bindings.cjs:54 — prebuild-install download path
• apps/desktop/scripts/install-sqlite-bindings.cjs:140 — Electron runtime prebuild fetch (no compile branch)
• apps/desktop/src/main/snapshots-db.ts:37 — selects Node/Electron-specific native binding
• CLAUDE.md:48 — Electron latest stable, but NOT 41.x
• README.md:65 — v0.1 pre-release note

Need more info:

• Should we keep this issue in deferred state for v0.1.x and revisit at v0.2 planning, or reopen now to implement one option immediately?

---

open-codesign Bot

[github-actions]

Thank you for documenting this clearly. After checking the current codebase, I can confirm that the Electron upgrade block appears to be resolved:

• apps/desktop/package.json now pins electron at ^39.8.9 (lockfile resolves to 39.8.9)
• better-sqlite3 is at ^12.9.0 (lockfile 12.9.0), which ships prebuilt binaries for Electron 39's Node ABI on darwin-arm64
• The root package.json still has "neverBuiltDependencies": ["better-sqlite3"], confirming prebuild-only usage
• CLAUDE.md still bans Electron 41.x, so the current 39.x is within the allowed range

Since the version bottleneck no longer exists, this tech debt item may be closeable. The recommended approach (Option C — node:sqlite) remains a valid future refinement for ABI independence, but the immediate blocker is cleared.

Need more info:

• Should we close this issue as resolved, or keep it open to track the eventual migration to node:sqlite?

---

Open-CoDesign Bot

[Sun-sunshine06]

Current main is on Electron 39 and the v0.2 storage path has removed the old better-sqlite3 ABI blocker. The immediate Electron 33 -> 39 upgrade blocker is no longer present.

The upcoming v0.2 packaged release will include this. Closing as resolved.