chromium version stuck on 114.0.5720.0?

[J-Zeitler]

Rod Version: v0.114.3

I noticed that the chromium registry used in Rod does not contain updates after 2023-04-21. This one being the latest (as far as I can see): https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/Linux_x64/1133702/. That's also the default specified in https://github.com/go-rod/rod/blob/main/lib/launcher/revision.go#L6 (on closer inspection: it's not exactly the same)

I'm investigating impact from https://nvd.nist.gov/vuln/detail/CVE-2023-4863. Would it be possible to use some other repository listing to utilize a more recent version of the browser?

For now I use the custom launch option to mitigate the CVE in the meantime.

[ysmood]

Rod github action cron job to auto update revision.

I think some OS doesn't update the revision somehow, this is the algorithm:

rod/lib/launcher/revision/main.go

Line 88 in 6b4ac72

func largestCommonRevision(revLists [][]int) int {

[J-Zeitler]

Saw that, I guess regardless how we query the mirror if they have not updated the registry we're just going to be stuck until they do:

rod/lib/launcher/revision/main.go

Lines 19 to 22 in 6b4ac72

	const mirror = "https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/"
	func main() {
	list := getList(mirror)

On a similar note, the Playwright registry seems to be updated past the CVE above at least: https://raw.githubusercontent.com/microsoft/playwright/v1.38.1/packages/playwright-core/browsers.json

[creativeprojects]

I believe it's also possible to get this information from https://chromiumdash.appspot.com/

Using this endpoint https://chromiumdash.appspot.com/fetch_releases?channel=Stable&platform=Linux&num=1&offset=0 returns:

[
  {
    "channel": "Stable",
    "chromium_main_branch_position": 1181205,
    "hashes": {
      "angle": "be854a0aa2c5ca2a3c00d1ba1df4101dfb434556",
      "chromium": "e3344ddefa12e60436fa28c81cf207c1afb4d0a9",
      "dawn": "0bb4f2362aab025f0221188d70f8b352da8a83c2",
      "devtools": "785d618a9556d5b6e8b3423721a93391afb8e519",
      "pdfium": "df6fed9f3cbc13b656562b4775ea330c91732c71",
      "skia": "beb4d7d77fba1e7c44b82653090e176bac161d63",
      "v8": "1add2a3f621ccbce65daacc6067fe3b440884557",
      "webrtc": "70aa7e99e4af06e9a2273793179dfcfddad11898"
    },
    "milestone": 117,
    "platform": "Linux",
    "previous_version": "117.0.5938.132",
    "time": 1696445220000,
    "version": "117.0.5938.149"
  }
]

[ysmood]

@creativeprojects Nice catch!

[ysmood]

The problem is where to download them, the npm registry also provides binary download link.

[creativeprojects]

The number in the field chromium_main_branch_position is the one called Revision in *launcher.Browser.
I have a script that always download the latest version using this 👍🏻

[ysmood]

Could you show us the script?

[creativeprojects]

🤔 you're right, there's something wrong.

It totally worked last week with version 117, but it doesn't work today with version 118 😢

[creativeprojects]

Right, I was looking at this again this morning and I found out that google is now releasing testing versions at the same time as the full version. Apparently the testing version doesn't include auto-update, and maybe other things.

It's easier to find the binary because it's actually using the version tag:

https://googlechromelabs.github.io/chrome-for-testing/