chore(deps): bump electron 41.5.0 -> 42.1.0 and pin packaged version (#9959)

Bumps the desktop runtime to electron 42 (dependabot PR #9945) and
closes a supply-chain gap in the Linux/Mac packaging scripts that
predated this bump.

Why the bump is safe:

  - macOS UNNotification API change — pgAdmin's runtime does not use
    Electron's Notification API (only a UI toast comment in
    src/js/pgadmin.js:211; no `new Notification(...)` anywhere).
  - postinstall no longer downloads electron — production packaging
    fetches the binary directly via wget from GitHub releases, never
    via electron's postinstall script.
  - Offscreen rendering scale-factor change — no OSR usage anywhere
    in runtime/src/js/.

While verifying, found that pkg/linux/build-functions.sh and
pkg/mac/build-functions.sh resolve the packaged electron version
via:

    ELECTRON_VERSION="$(npm info electron version)"

This pulls whatever currently carries the `latest` dist-tag on the
npm registry. Any newly published electron release — including a
hypothetical malicious one — would land in shipped binaries without
review, regardless of what runtime/package.json pins.

Replace with sed-based extraction from runtime/package.json and
fail loudly if extraction returns empty. The Windows installer
(pkg/win32/installer.iss.in) does not have this issue (it bundles a
pre-built tree, no electron download step).

Net change in runtime/yarn.lock is mostly deletions — electron 42
ships with @electron/get 5.x, which dropped a large transitive
dependency tree associated with the old postinstall download path.

Verified:

  - eslint (runtime): clean (silent)
  - yarn install (runtime): resolved to electron 42.2.0 within
    ^42.1.0 range
  - sed extraction smoke-tested: returns 42.1.0 from current
    runtime/package.json

Author: asheshv

pkg/linux/build-functions.sh

@@ -145,7 +145,16 @@ _build_runtime() {
       ELECTRON_ARCH="arm64"
     fi
 
-    ELECTRON_VERSION="$(npm info electron version)"
+    # Resolve the electron version from runtime/package.json, NOT from
+    # `npm info electron version`. The latter fetches whatever currently
+    # carries the `latest` dist-tag on the npm registry, which means any
+    # newly published electron release lands in shipped binaries without
+    # review. Keep the build deterministic and pinned.
+    ELECTRON_VERSION=$(sed -nE 's/.*"electron":[[:space:]]*"\^?([0-9.]+)".*/\1/p' "${SOURCEDIR}/runtime/package.json" | head -1)
+    if [ -z "${ELECTRON_VERSION}" ]; then
+        echo "ERROR: could not resolve electron version from runtime/package.json" >&2
+        exit 1
+    fi
 
     pushd "${BUILDROOT}" > /dev/null || exit
         while true;do

pkg/mac/build-functions.sh

@@ -33,7 +33,16 @@ _build_runtime() {
 
     test -d "${BUILD_ROOT}" || mkdir "${BUILD_ROOT}"
     # Get a fresh copy of electron
-    ELECTRON_VERSION="$(npm info electron version)"
+    # Resolve the electron version from runtime/package.json, NOT from
+    # `npm info electron version`. The latter fetches whatever currently
+    # carries the `latest` dist-tag on the npm registry, which means any
+    # newly published electron release lands in shipped binaries without
+    # review. Keep the build deterministic and pinned.
+    ELECTRON_VERSION=$(sed -nE 's/.*"electron":[[:space:]]*"\^?([0-9.]+)".*/\1/p' "${SOURCE_DIR}/runtime/package.json" | head -1)
+    if [ -z "${ELECTRON_VERSION}" ]; then
+        echo "ERROR: could not resolve electron version from runtime/package.json" >&2
+        exit 1
+    fi
 
     pushd "${BUILD_ROOT}" > /dev/null || exit
         while true;do

runtime/package.json

@@ -13,7 +13,7 @@
   "packageManager": "yarn@4.9.2",
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "electron": "^41.5.0",
+    "electron": "^42.1.0",
     "eslint": "^10.4.0",
     "eslint-plugin-unused-imports": "^4.4.1",
     "globals": "^17.6.0"