fix: replace update-notifier with simple-update notifier due to dependency vulnerability (#7078)

Author: mmaietta

.changeset/fluffy-cobras-beg.md

@@ -0,0 +1,5 @@
+---
+"electron-builder": patch
+---
+
+fix: replace update-notifier with simple-update-notifier due to security alert

packages/electron-builder/package.json

@@ -60,13 +60,12 @@
     "is-ci": "^3.0.0",
     "lazy-val": "^1.0.5",
     "read-config-file": "6.2.0",
-    "update-notifier": "^5.1.0",
-    "yargs": "^17.0.1"
+    "simple-update-notifier": "^1.0.7",
+    "yargs": "^17.5.1"
   },
   "devDependencies": {
     "@types/fs-extra": "9.0.13",
-    "@types/is-ci": "3.0.0",
-    "@types/update-notifier": "5.1.0"
+    "@types/is-ci": "3.0.0"
   },
   "typings": "./out/index.d.ts",
   "publishConfig": {

packages/electron-builder/src/cli/cli.ts

@@ -3,11 +3,10 @@
 import { InvalidConfigurationError, log } from "builder-util"
 import * as chalk from "chalk"
 import { getElectronVersion } from "app-builder-lib/out/electron/electronVersion"
-import { pathExists, readJson } from "fs-extra"
+import { readJson } from "fs-extra"
 import * as isCi from "is-ci"
 import * as path from "path"
 import { loadEnv } from "read-config-file"
-import * as updateNotifier from "update-notifier"
 import { ExecError } from "builder-util/out/util"
 import { build, configureBuildCommand, createYargs } from "../builder"
 import { createSelfSignedCert } from "./create-self-signed-cert"
@@ -47,7 +46,7 @@ void createYargs()
 
 function wrap(task: (args: any) => Promise<any>) {
   return (args: any) => {
-    checkIsOutdated()
+    checkIsOutdated().catch(e => log.warn({ error: e }, "cannot check updates"))
     loadEnv(path.join(process.cwd(), "electron-builder.env"))
       .then(() => task(args))
       .catch(error => {
@@ -63,29 +62,17 @@ function wrap(task: (args: any) => Promise<any>) {
   }
 }
 
-function checkIsOutdated() {
+async function checkIsOutdated() {
   if (isCi || process.env.NO_UPDATE_NOTIFIER != null) {
     return
   }
 
-  readJson(path.join(__dirname, "..", "..", "package.json"))
-    .then(async it => {
-      if (it.version === "0.0.0-semantic-release") {
-        return
-      }
-
-      const packageManager = (await pathExists(path.join(__dirname, "..", "..", "package-lock.json"))) ? "npm" : "yarn"
-
-      const notifier = updateNotifier({ pkg: it })
-      if (notifier.update != null) {
-        notifier.notify({
-          message: `Update available ${chalk.dim(notifier.update.current)}${chalk.reset(" → ")}${chalk.green(notifier.update.latest)} \nRun ${chalk.cyan(
-            `${packageManager} upgrade electron-builder`
-          )} to update`,
-        })
-      }
-    })
-    .catch(e => log.warn({ error: e }, "cannot check updates"))
+  const pkg = await readJson(path.join(__dirname, "..", "..", "package.json"))
+  if (pkg.version === "0.0.0-semantic-release") {
+    return
+  }
+  const UpdateNotifier = require("simple-update-notifier")
+  await UpdateNotifier({ pkg })
 }
 
 async function rebuildAppNativeCode(args: any) {