fix: refactoring ffmpeg implementation and removing related npm depen…

…dency (#7495)

.changeset/violet-dots-joke.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: removing ffmpeg dependency due to dependency vulnerability

.github/workflows/test.yaml

@@ -44,10 +44,10 @@ jobs:
         id: changed-files-specific
         uses: tj-actions/changed-files@ce4b8e3cba2220de8132ac9721ff754efd6bb7d7 # v34
         with:
-          files: docker/**
+          files: docker/**/*
 
       - name: Dockerfile has changed, rebuild for tests
-        if: ${{ github.event.inputs.build-docker-locally == 'true' }} || steps.changed-files-specific.outputs.any_changed == 'true'
+        if: steps.changed-files-specific.outputs.any_changed == 'true'
         run: pnpm docker-images
 
       - name: Run tests in docker image
@@ -84,7 +84,7 @@ jobs:
       - name: Setup Tests
         uses: ./.github/actions/pretest
         with:
-          cache-path: ~/Library/Caches/electron
+          cache-path: ~/.cache/electron
           cache-key: v-11.0.0-update-electron
 
       - name: Test

packages/app-builder-lib/package.json

@@ -7,7 +7,6 @@
     "out",
     "templates",
     "scheme.json",
-    "electron-osx-sign",
     "certs/root_certs.keychain"
   ],
   "repository": {
@@ -61,7 +60,6 @@
     "chromium-pickle-js": "^0.2.0",
     "debug": "^4.3.4",
     "ejs": "^3.1.8",
-    "electron-packager-plugin-non-proprietary-codecs-ffmpeg": "^1.0.2",
     "electron-publish": "workspace:*",
     "form-data": "^4.0.0",
     "fs-extra": "^10.1.0",

packages/app-builder-lib/src/electron/ElectronFramework.ts

@@ -14,7 +14,7 @@ import { getTemplatePath } from "../util/pathManager"
 import { createMacApp } from "./electronMac"
 import { computeElectronVersion, getElectronVersionFromInstalled } from "./electronVersion"
 import * as fs from "fs/promises"
-import replaceFFMPEG from "electron-packager-plugin-non-proprietary-codecs-ffmpeg"
+import injectFFMPEG from "./injectFFMPEG"
 
 export type ElectronPlatformName = "darwin" | "linux" | "win32" | "mas"
 
@@ -136,8 +136,7 @@ class ElectronFramework implements Framework {
   async prepareApplicationStageDirectory(options: PrepareApplicationStageDirectoryOptions) {
     await unpack(options, createDownloadOpts(options.packager.config, options.platformName, options.arch, this.version), this.distMacOsAppName)
     if (options.packager.config.downloadAlternateFFmpeg) {
-      log.info(null, "downloading non-proprietary FFMPEG, piping output")
-      await new Promise<void>(resolve => replaceFFMPEG(options.appOutDir, options.version, options.platformName, options.arch, resolve))
+      await injectFFMPEG(options, this.version)
     }
   }
 

packages/app-builder-lib/src/electron/injectFFMPEG.ts

@@ -0,0 +1,49 @@
+import * as fs from "fs"
+import * as path from "path"
+import { ElectronPlatformName } from "./ElectronFramework"
+
+import { log } from "builder-util"
+import { getBin } from "../binDownload"
+import { PrepareApplicationStageDirectoryOptions } from "../Framework"
+
+// NOTE: Adapted from https://github.com/MarshallOfSound/electron-packager-plugin-non-proprietary-codecs-ffmpeg to resolve dependency vulnerabilities
+const downloadFFMPEG = async (electronVersion: string, platform: ElectronPlatformName, arch: string) => {
+  const ffmpegFileName = `ffmpeg-v${electronVersion}-${platform}-${arch}.zip`
+  const url = `https://github.com/electron/electron/releases/download/v${electronVersion}/${ffmpegFileName}`
+
+  log.info({ file: ffmpegFileName }, "downloading non-proprietary FFMPEG")
+  return getBin(ffmpegFileName, url)
+}
+
+const copyFFMPEG = (targetPath: string, platform: ElectronPlatformName) => (sourcePath: string) => {
+  let fileName = "ffmpeg.dll"
+  if (["darwin", "mas"].includes(platform)) {
+    fileName = "libffmpeg.dylib"
+  } else if (platform === "linux") {
+    fileName = "libffmpeg.so"
+  }
+
+  const libPath = path.resolve(sourcePath, fileName)
+  const libTargetPath = path.resolve(targetPath, fileName)
+  log.info({ lib: libPath, target: libTargetPath }, "copying non-proprietary FFMPEG")
+
+  // If the source doesn't exist we have a problem
+  if (!fs.existsSync(libPath)) {
+    throw new Error(`Failed to find FFMPEG library file at path: ${libPath}`)
+  }
+
+  // If we are copying to the source we can stop immediately
+  if (libPath !== libTargetPath) {
+    fs.copyFileSync(libPath, libTargetPath)
+  }
+  return libTargetPath
+}
+
+export default function injectFFMPEG(options: PrepareApplicationStageDirectoryOptions, electrionVersion: string) {
+  let libPath = options.appOutDir
+  if (options.platformName === "darwin") {
+    libPath = path.resolve(options.appOutDir, "Electron.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries")
+  }
+
+  return downloadFFMPEG(electrionVersion, options.platformName, options.arch).then(copyFFMPEG(libPath, options.platformName))
+}