I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.
We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)
I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.
Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.
Yes and also stable isn't the only maintained branch of Chromium, there's also extended stable (currently 146.x). LTS exists too (144.x), but I believe it's meant only for ChromeOS.
In a perfect world, there would be a stable version of chrome, that would get fixes, but would crucially not get the new features that introduce new vulnerabilities. Not a fun job, I know, but with today’s coding agents it wouldn’t even be an unreasonable ask.
Cool idea, but without longer-term tracking of how long each browser lags for each Chromium release, it's hard to draw any meaningful conclusions. It's also clear that in the case of major vulnerabilities, vendors would fast-track adoption of the patch.
I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.
On the topic of accessibility, the contrast of the text in the "up to date" bubbles is very low. I can barely see the yellow one, let alone read it without significant eye strain.
Firefox's dev tools have an Accessibility tab where you can see warnings about low contrast and simulate different forms of color blindness.
There are always creative ways to present data. Dismissing the needs of a minority of people just because we don't share their visual impairment is lazy, and we can do better.
This is somewhat useful, but I know for instance that Vivaldi is often one version behind for the sake of stability, but also will also release incremental security updates in the period before major version updates.
It would be good if Samsung browser were listed. It has about 10% market share of chromium browsers and is on version 136. It sticks to one version for months at a time and then jumps several versions. Going by historical data it's due for another jump soon.
The problem is: we all are behind Google. Google sits in the driver seat here.
This is really, really bad ...
Edit: Ok, almost all of us. There are some non-Google browsers such as firefox, but Google dished out money to Mozilla for many years, which made real competition impossible.
1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron
I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.
> users are exposed to known, already-patched security vulnerabilities
Then why only focus on major versions? Don't minor versions/revisions have security fixes?
I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.
[1] https://chromium.googlesource.com/chromium/src/+/f97d14f8a0a...
https://chromestatus.com/roadmap
[1] https://developer.chrome.com/blog/chrome-two-week-release
Firefox's dev tools have an Accessibility tab where you can see warnings about low contrast and simulate different forms of color blindness.
Using any other color scheme would just confuse everyone instead of only colorblind people... how would that be any better?
https://chromium.googlesource.com/chromium/src.git/+/main/do...
A point-in-time view is interesting but it's less useful than a graph over time.
Would be fun to add the version shipped in LG smart TVs (hint: it's ancient)
Edit: approximately like so:
This is really, really bad ...
Edit: Ok, almost all of us. There are some non-Google browsers such as firefox, but Google dished out money to Mozilla for many years, which made real competition impossible.
Yet another reminder, lawmakers US/EU/Anywhere else, should force all browsers to actively block fingerprinting.
That won't happen.