Skip to content

fix: Support latest Electron Forge API in makers#9622

Draft
kasperisager wants to merge 11 commits into
electron-userland:masterfrom
kasperisager:electron-forge-makers-update
Draft

fix: Support latest Electron Forge API in makers#9622
kasperisager wants to merge 11 commits into
electron-userland:masterfrom
kasperisager:electron-forge-makers-update

Conversation

@kasperisager

@kasperisager kasperisager commented Feb 25, 2026

Copy link
Copy Markdown

The current Electron Forge makers are incompatible with Electron Forge v7. This pull request brings them up to speed with the latest API as described in https://www.electronforge.io/advanced/extending-electron-forge/writing-makers.

@changeset-bot

changeset-bot Bot commented Feb 25, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 0be4c2c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security

socket-security Bot commented Feb 25, 2026

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
HTTP dependency: npm @electron/rebuild depends on https://github.com/electron/node-gyp#06b29aafb7708acef8b3669835c8a7857ebc92d2

Dependency: @electron/node-gyp@https://github.com/electron/node-gyp#06b29aafb7708acef8b3669835c8a7857ebc92d2

Location: Package overview

From: pnpm-lock.yamlnpm/@electron-forge/maker-base@7.11.1npm/@electron/rebuild@3.7.2

ℹ Read more on: This package | This alert | What are http dependencies?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Publish the HTTP URL dependency to a public or private package repository and consume it from there.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@electron/rebuild@3.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @npmcli/move-file

Reason: This functionality has been moved to @npmcli/fs

From: pnpm-lock.yamlnpm/@npmcli/move-file@2.0.1

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/move-file@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm lodash.get

Reason: This package is deprecated. Use the optional chaining (?.) operator instead.

From: pnpm-lock.yamlnpm/@electron-forge/maker-base@7.11.1npm/lodash.get@4.4.2

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.get@4.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@kasperisager kasperisager marked this pull request as ready for review February 25, 2026 15:41
@kasperisager

Copy link
Copy Markdown
Author

The output path doesn't follow the usual Forge maker pattern, I'll get that sorted.

@kasperisager

Copy link
Copy Markdown
Author

The output directory naming now follows the other single-platform makers, i.e. ${makeDir}/${name}/${targetArch}.

@kasperisager

Copy link
Copy Markdown
Author

@mmaietta This is ready for review. Could you take a look when you're available? Thanks!

@socket-security

socket-security Bot commented Feb 27, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​electron-forge/​maker-base@​7.11.11001006895100

View full report

@kasperisager

Copy link
Copy Markdown
Author

What should I do about the Socket alerts?

@mmaietta

mmaietta commented Mar 3, 2026

Copy link
Copy Markdown
Collaborator

I need to reach out to wg-ecosystem collaborators to determine best next steps. I'll also need to regenerate the updated lockfile as part of the security policies electron-userland and electron follow.

@AndreiRegiani

Copy link
Copy Markdown

@mmaietta any updates on this?

@kasperisager

Copy link
Copy Markdown
Author

This should probably wait until Forge v8 lands (electron/forge#4082) which addresses the dependency issue.

@kasperisager kasperisager marked this pull request as draft April 9, 2026 09:57
@github-actions github-actions Bot added the Stale label Jun 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants