VerteDinde

#51930: fix: invalidate sandboxed preload code cache when source changes without changing length

Merged
Created: Jun 8, 2026, 7:04:06 PM
Merged: Jun 8, 2026, 10:52:30 PM
3 comments
Target: main

Description

The sandboxed preload code cache (#51602) relied on V8's CachedData validation to reject stale blobs, but V8's source check hashes only the source length. Updating a preload without changing its byte length made renderers silently run the old version's bytecode.

Cache entries are now bound to the sha256 of the preload source: the renderer ships the hash of what it compiled with the produced blob, and the browser only serves a blob whose recorded hash matches the contents it just read. The browser also rejects cache writes for preload ids not served to the sending frame. Old-format cache files read as a miss and self-heal.

Checklist

  • PR description included
  • npm test passes (preload code cache suite)
  • tests are added/updated

Release Notes

Notes: Fixed sandboxed preload scripts running a stale cached version after the script was modified without its file size changing.
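
The binding described in the PR description above, as an added example that is not part of the PR or Electron's source: a simplified Node.js model in which the browser side serves a cached blob only when its recorded sha256 matches the source it just read, and refuses writes for preload ids it never served to that frame. `PreloadCodeCache`, `compileAndReport`, `v8AcceptsBlob` and the frame and preload ids are hypothetical names; `vm.Script` stands in for the renderer's compile step.

```javascript
// Added example: simplified model, not Electron's code. PreloadCodeCache,
// compileAndReport and v8AcceptsBlob are hypothetical names.
const crypto = require('node:crypto');
const vm = require('node:vm');

const sha256 = (source) => crypto.createHash('sha256').update(source).digest('hex');

class PreloadCodeCache {
  constructor() {
    this.entries = new Map(); // preloadId -> { sourceHash, blob }
    this.served = new Map();  // frameId -> Set of preload ids sent to that frame
  }

  // Browser side: given the source just read, return a blob only on a hash match.
  serve(frameId, preloadId, currentSource) {
    if (!this.served.has(frameId)) this.served.set(frameId, new Set());
    this.served.get(frameId).add(preloadId);
    const entry = this.entries.get(preloadId);
    // An old-format entry has no sourceHash: treat it as a miss so it is rewritten.
    if (!entry || !entry.sourceHash) return null;
    return entry.sourceHash === sha256(currentSource) ? entry.blob : null;
  }

  // Browser side: accept a blob only for a preload id this frame was served.
  store(frameId, preloadId, sourceHash, blob) {
    const ids = this.served.get(frameId);
    if (!ids || !ids.has(preloadId)) return false;
    this.entries.set(preloadId, { sourceHash, blob });
    return true;
  }
}

// Renderer side: compile, then ship the blob with the hash of what was compiled.
function compileAndReport(cache, frameId, preloadId, source) {
  const script = new vm.Script(source);
  return cache.store(frameId, preloadId, sha256(source), script.createCachedData());
}

// Without the hash binding: does V8 alone accept oldSource's blob for newSource?
function v8AcceptsBlob(oldSource, newSource) {
  const cachedData = new vm.Script(oldSource).createCachedData();
  return new vm.Script(newSource, { cachedData }).cachedDataRejected === false;
}
```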

Backports

  • 42-x-y: Merged; PR Number: #51933; Merged At: Jun 9, 2026, 12:39:58 AM; Released In: v42.4.0; Release Date: Jun 9, 2026, 1:06:27 AM
  • 43-x-y: Merged; PR Number: #51932; Merged At: Jun 9, 2026, 12:58:30 AM; Released In: Not yet; Release Date: Not yet
