Upgrade dependencies: Electron 35, Sentry 5, TypeScript 5.8, esbuild 0.25

[moudy]

Why

The desktop app dependencies haven't been updated in a long time. Electron 30 shipped Chromium 124 (over a year old) and reached end-of-life in October 2024, meaning users are running on an unpatched browser engine. The Sentry SDK, TypeScript, esbuild, and Electron Forge versions were also significantly outdated with known security vulnerabilities in transitive dependencies. The CI workflows also used deprecated runners and outdated action versions.

What changed

Electron 30 → 35 (Chromium 124 → 134)

• Brings current Chromium security patches and Node 22.x runtime
• Electron 35 is in the current supported release line

@sentry/electron 4 → 5

• Updated import path from @sentry/electron to @sentry/electron/main (v5 splits main/renderer exports)
• Removed manual crashReporter.start() — Sentry v5 handles native crash reporting (minidumps) automatically via built-in integrations

Electron Forge 7.4 → 7.11

• Resolves high-severity CVEs in transitive deps (cross-spawn ReDoS, tar path traversal, minimatch ReDoS, glob command injection)

TypeScript 4.9 → 5.8

• Updated tsconfig target from es2015 to es2020 (Electron 35 supports far beyond ES2015)
• Added skipLibCheck: true for faster type checking

esbuild 0.18 → 0.25

• Updated build target from es2015 to es2020 to match tsconfig

CI workflow updates:

• Node.js 20.10.x → 22.x
• pnpm 8.5.1 → 9
• macOS-12 → macos-13 (macOS-12 deprecated on GitHub Actions, removed June 2025)
• actions/checkout v3 → v4
• actions/setup-node v3 → v4
• pnpm/action-setup v2 → v4

Other dependency updates:

• @typescript-eslint/* 4-6 → 7 (stays compatible with ESLint 8 and .eslintrc config)
• electron-log 5.1.4 → 5.4.x
• electron-winstaller 5.3 → 5.4
• prettier 3.0 → 3.8
• rimraf 5 → 6
• @types/node 20 → 22
• eslint-plugin-prettier, eslint-config-prettier minor bumps
• Node engine requirement loosened from ^20.10.0 to >=20.10.0

Not upgraded (intentionally):

• electron-store stays at v8 — v9+ is ESM-only, incompatible with our CJS build
• eslint stays at v8 — v9+ requires flat config migration (large churn, low user-facing value)
• @sentry/electron stops at v5 not v7 — v7 requires Sentry JS SDK v9 with significant API changes; v5 preserves the same init/setUser/captureException API

Test plan

• pnpm run ci (build + typecheck + lint) passes cleanly
• Verified esbuild produces clean bundles with no warnings
• pnpm audit shows remaining vulnerabilities are all in dev-only transitive dependencies (Electron Forge build toolchain) — none ship in the production app
• CI will run make on the full platform matrix since package.json, tsconfig.json, and workflow files changed

Revertibility

Safe to revert. No data migrations, no protocol changes. Just dependency version bumps, two import path changes in source, and CI config updates.

~ written by Zerg 👾 (commanding-fang-2680)

[Armster15]

can't seem to get a prod build to run. gimme a sec

[sergeichestakov]

thank you @moudy 🙏 you are a hero & a saint 👼

I fully approve of and endorse this wonderful pull request. I no longer have write access to this repo so cannot personally contribute but I will be cheering from the sidelines.

[Armster15]

fixed:

1. pnpm wasn't installing binaries for electron stuff. fixed this by adding it to onlyBuiltDependencies
2. the "Electron failed to install correctly" was happening b/c esbuild was ignoring the --packages=external flag. this was due to the tsconfig. see this GH issue from esbuild: --packages=external does not work in conjunction with typescript path aliases evanw/esbuild#2792

[Armster15]

noticed we're no longer building for intel macs. fine for now considering apple silicon was introduced in 2020 (meaning 6 years have passed). can always bring back if necessary

lgtm otherwise

[moudy]

Oh hi @sergeichestakov!