Vite+Electron = 🔥
This is a template for secure Electron applications, written following the latest safety requirements, recommendations and best practices.
Under the hood it uses Vite, a superfast next-gen bundler, and electron-builder for compilation.
This template is maintained by Alex Kozack. You can sponsor him for continued development of this template.
Found a problem? Pull requests are welcome.
If you have ideas, questions or suggestions, welcome to the discussions.
Follow these steps to get started with this template:
- Click the Use this template button (you must be logged in) or just clone this repo.
- If you want to use another package manager, don't forget to edit .github/workflows, which uses npm by default.
That's all you need.
Note: This template uses an npm v7 feature: Installing Peer Dependencies Automatically. If you are using a different package manager, you may need to install some peerDependencies manually.
Note: Find more useful forks here.
- The template uses the latest Electron version with all the latest security patches.
- The architecture of the application is built according to the security guides and best practices.
- The latest version of electron-builder is used to compile the application.
- Vite is used to bundle all source code. It is an extremely fast bundler with a bunch of great features. You can learn more about how it is arranged in this video.
- Vite supports reading .env files. You can also specify the types of your environment variables in types/env.d.ts.
- Hot reloads for Main and Renderer processes.
Vite provides you with many useful features, such as TypeScript, TSX/JSX, CSS/JSON Importing, CSS Modules, Web Assembly and much more.
- The latest TypeScript is used for all source code.
- Vite supports TypeScript out of the box. However, it does not support type checking.
- Code formatting rules follow the latest TypeScript recommendations and best practices thanks to @typescript-eslint/eslint-plugin.
- Interface declarations are automatically created for all APIs that have been passed to electron.contextBridge.exposeInMainWorld, thanks to dts-for-context-bridge.
See this discussion if you want to completely remove TypeScript.
- By default, web pages are built using Vue. However, you can easily change it, or use no additional framework at all.
- Code formatting rules follow the latest Vue recommendations and best practices thanks to eslint-plugin-vue.
- Installed Vue.js devtools beta with Vue 3 support.
See examples of web pages for different frameworks.
- A configured workflow checks the types on each push and PR.
- A configured workflow checks the code style on each push and PR.
- Automatic tests use Vitest, a blazing fast test framework powered by Vite.
- Unit tests are placed in each package and run separately.
- End-to-end tests are placed in the root tests directory and use playwright.
- Each time you push changes to the main branch, the release workflow starts, which creates a release draft.
  - The version is automatically set based on the current date in the format yy.mm.dd-minutes.
  - Notes are automatically generated and added to the release draft.
  - Code signing is supported. See the compile job in the release workflow.
- Auto-update is supported. After the release is published, all client applications will download the new version and install updates silently.
The template requires minimal dependencies. Only Vite is used for building, nothing more.
The structure of this template is very similar to the structure of a monorepo.
The entire source code of the program is divided into three modules (packages) that are each bundled independently:
- packages/main: Electron main script.
- packages/preload: Used in BrowserWindow.webPreferences.preload. See Checklist: Security Recommendations.
- packages/renderer: Electron web page.
The main and preload packages are built in library mode, as they are simple JavaScript.
The renderer package is built as a regular web app.
The next step is to package and compile a ready-for-distribution Electron app for macOS, Windows and Linux with "auto update" support out of the box.
This is done with electron-builder:
- In the npm script compile: This script is configured to compile the application as quickly as possible. It is not ready for distribution, is compiled only for the current platform and is used for debugging.
- In GitHub Action: The application is compiled for any platform and ready-to-distribute files are automatically added to the draft GitHub release.
There is one important nuance when working with dependencies. At the build stage Vite analyzes your code, finds all the imported dependencies, applies tree shaking and optimization, and bundles them inside the output source files. So when you write something like this:
// source.ts
import {createApp} from 'vue'
createApp()
It turns into:
// bundle.js
function createApp() { /* ... */ }
createApp()
And there are really no imports left in runtime.
But it doesn't always work. Vite was designed to work with browser-oriented packages. So it is not able to bundle Node built-in modules, or native dependencies, or some Node.js specific packages, or Electron itself.
Modules that Vite is unable to bundle are forced to be supplied as external in vite.config.js. External modules are not optimized and their imports remain in runtime.
// source.ts
import {writeFile} from 'fs'
writeFile()
// bundle.js
const {writeFile} = require('fs')
writeFile()
According to Electron's security guidelines, Node.js integration is disabled for remote content. This means that you cannot call any Node.js API in packages/renderer directly. This also means you can't import external modules at runtime in the renderer:
// renderer.bundle.js
const {writeFile} = require('fs') // ReferenceError: require is not defined
writeFile()
To use external modules in Renderer you must describe the interface in packages/preload, where the Node.js API is allowed:
// packages/preload/src/index.ts
import type {BinaryLike} from 'crypto';
import {createHash} from 'crypto';
import {contextBridge} from 'electron';

// Expose a single hashing function to the renderer instead of the crypto module itself.
contextBridge.exposeInMainWorld('nodeCrypto', {
  sha256sum(data: BinaryLike) {
    const hash = createHash('sha256');
    hash.update(data);
    return hash.digest('hex');
  },
});
The dts-cb utility will automatically generate an interface for TS:
// packages/preload/exposedInMainWorld.d.ts
interface Window {
  readonly nodeCrypto: { sha256sum(data: import("crypto").BinaryLike): string; };
}
And now, you can safely use the registered method:
// packages/renderer/src/App.vue
window.nodeCrypto.sha256sum('data')
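A bridged method is only as safe as the checks inside it, because every argument arrives from page script. The following added example (not part of the template; createNotesApi, the notes name and the limits are hypothetical) exposes one validated file operation rather than fs itself, and exercises it against a temporary directory:

```typescript
// Added example, not the template's code. createNotesApi, `notes` and the
// limits below are hypothetical.
import { mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join, resolve, sep } from 'node:path';

const MAX_CHARS = 64 * 1024; // assumed upper bound for one note

// Builds the object that would be passed to contextBridge.exposeInMainWorld.
// The renderer gets one checked operation, never fs or a free-form path.
function createNotesApi(baseDir: string) {
  const root = resolve(baseDir);
  return {
    saveNote(name: unknown, text: unknown): string {
      // Arguments come from page script, so compile-time types are not enough.
      if (typeof name !== 'string' || typeof text !== 'string') {
        throw new TypeError('name and text must be strings');
      }
      if (!/^[A-Za-z0-9_-]{1,64}$/.test(name)) throw new RangeError('invalid note name');
      if (text.length > MAX_CHARS) throw new RangeError('note too large');
      const target = resolve(root, `${name}.txt`);
      // Defence in depth: the resolved path must stay under the base directory.
      if (!target.startsWith(root + sep)) throw new RangeError('path escapes base directory');
      writeFileSync(target, text, 'utf8');
      return target;
    },
  };
}

// Runs the API against a temporary directory and reports what happened.
function demoNotesApi(): { saved: string; rejected: string[] } {
  const api = createNotesApi(mkdtempSync(join(tmpdir(), 'notes-')));
  const saved = readFileSync(api.saveNote('todo', 'buy milk'), 'utf8');
  const rejected: string[] = [];
  for (const bad of ['../outside', 'a/b', '', 42]) {
    try {
      api.saveNote(bad, 'x');
    } catch (e) {
      rejected.push((e as Error).message);
    }
  }
  return { saved, rejected };
}

// In packages/preload/src/index.ts the registration would be:
//   contextBridge.exposeInMainWorld('notes', createNotesApi(notesDir));
console.log(demoNotesApi());
```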
Read more about Security Considerations.
All environment variables are set as part of import.meta, so you can access them as follows: import.meta.env.
If you are using TypeScript and want code completion, you must add all the environment variables to ImportMetaEnv in types/env.d.ts.
The mode option is used to specify the value of import.meta.env.MODE and the corresponding environment variable files that need to be loaded.
By default, there are two modes:
- production is used by default
- development is used by the npm run watch script
When running the build, environment variables are loaded from the following files in your project root:
.env # loaded in all cases
.env.local # loaded in all cases, ignored by git
.env.[mode] # only loaded in specified env mode
.env.[mode].local # only loaded in specified env mode, ignored by git
To prevent accidentally leaking env variables to the client, only variables prefixed with VITE_ are exposed to your Vite-processed code. For example, given the following file:
DB_PASSWORD=foobar
VITE_SOME_KEY=123
Only VITE_SOME_KEY will be exposed as import.meta.env.VITE_SOME_KEY to your client source code, but DB_PASSWORD will not.
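The prefix rule protects DB_PASSWORD only as long as nobody renames or copies a secret under VITE_. The check below is an added example, not part of the template; its name heuristic and sample .env content are constructed, and it flags exposed variables that look like credentials or share a value with a private one:

```typescript
// Added example, not part of the template; sample data is constructed.
type Finding = { name: string; reason: string };

const PREFIX = 'VITE_'; // only variables with this prefix reach client code
// Heuristic pattern for credential-like names (an assumption of this example).
const SECRET_HINT = /PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE|CREDENTIAL/i;

// Parse KEY=VALUE lines; blank lines and # comments are skipped.
function parseEnv(text: string): { name: string; value: string }[] {
  const vars: { name: string; value: string }[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq <= 0) continue;
    // Strip one pair of matching quotes around the value.
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    vars.push({ name: line.slice(0, eq).trim(), value });
  }
  return vars;
}

function findExposedSecrets(text: string): Finding[] {
  const vars = parseEnv(text);
  const findings: Finding[] = [];
  for (const v of vars.filter((x) => x.name.startsWith(PREFIX))) {
    // A private variable holding the same value means the secret was copied.
    const twin = vars.find(
      (p) => !p.name.startsWith(PREFIX) && p.value.length >= 4 && p.value === v.value,
    );
    if (SECRET_HINT.test(v.name)) findings.push({ name: v.name, reason: 'secret-like name' });
    else if (twin) findings.push({ name: v.name, reason: `same value as ${twin.name}` });
  }
  return findings;
}

// Constructed sample: the page's two variables plus two mistakes.
const SAMPLE_ENV = [
  'DB_PASSWORD=foobar',
  'VITE_SOME_KEY=123',
  'VITE_DB_PASSWORD="foobar"',
  'VITE_BACKUP_DSN=foobar',
].join('\n');

console.log(findExposedSecrets(SAMPLE_ENV));
```

Run over each .env file in CI, a non-empty result can fail the build before the bundle is produced.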
See Contributing Guide.