Vite + Electron = 🔥
This is a secure template for Electron applications based on the latest security requirements, recommendations and best practices.
Under the hood, Vite, an insanely fast next-gen bundler, is used for both development and production bundling, along with electron-builder for compilation.
- This template is forked from Vite Electron Builder, maintained by Alex Kozack. You can sponsor him for continued development of this template.
- Found a problem? Pull requests are welcome.
- If you have ideas, questions or suggestions, welcome to discussions.
Follow these steps to get started with this template:
- Click the Use this template button (you must be logged in) or just clone this repo.
- If you want to use another package manager, don't forget to edit the relevant .github/workflows, as they use npm by default.
That's all you need.
Note: This template uses NPM v7, and as such installs peerDependencies automatically. If you are using a different package manager, you may need to install your peerDependencies manually.
- The template uses the latest Electron version with all the latest security patches.
- The architecture of the application is built according to the security guides and best practices.
- The latest version of electron-builder is used to compile the application.
- Vite is used to bundle all source code. This is an extremely fast bundler with several great features. You can learn more about how it is arranged in this video.
- Vite supports reading .env files. This template has a separate command to generate type declaration files with your environment variables.
- The latest TypeScript is used for all source code.
- Vite supports TypeScript out of the box. However, it does not support type checking.
- Code formatting rules follow the latest TypeScript recommendations and best practices thanks to @typescript-eslint/eslint-plugin.
See this discussion if you want to completely remove TypeScript.
- By default, web pages are built using React. However, you can easily change it. Or do not use additional frameworks at all. (See the original repository for a Vue example)
- Code formatting rules adhere to the default Prettier config.
- Installed React Developer Tools with React 17 support.
There are a few GitHub Action workflows triggered against PRs or pushes to the main branch.
- Check types for main, preload, and renderer code
- Lint all code
- Run automated tests with spectron
  - Has the main window been created, and is it visible?
  - Is the main window not empty?
  - Is devtools closed?
- The release workflow is triggered on every push to the main branch. This workflow creates a release draft.
  - The version is automatically set based on the current date in the format "yy.mm.dd".
  - Notes are automatically generated and added to the release draft.
- Code signing is supported. See the compile job in the release workflow.
- Auto-update is supported. After a new release is published, all client applications will download the new version and install updates silently.
This template was created to make my work easier. It may not be universal, but I try to keep it that way.
I am actively involved in its development, but I do not guarantee that this template will be maintained in the future.
At the moment, there are the following problems:
- Some files require refactoring.
- Release notes are created automatically based on commit history. .github/actions/release-notes is used for generation. It may not cover some scenarios. If you encounter a problem, write about it.
- I want to migrate the whole code base to ESM. But because the Node.js ecosystem is unprepared, I do not know whether this will give more benefits or more inconvenience.
Some improvements or problems may be listed in issues.
Pull requests are welcome.
Run npm install to get all the dependencies.
The structure of this template is very similar to the structure of a monorepo.
The entire source code of the program is divided into three modules (packages), each bundled independently:
- packages/main: Electron main script.
- packages/preload: Used in BrowserWindow.webPreferences.preload. See Checklist: Security Recommendations.
- packages/renderer: Electron web page.
The main and preload modules are built in library mode, as they are simple Node.js-based, well, libraries. The renderer module is built as a full-fledged web app.
Building production web resources is handled by scripts/build.js, which calls vite build sequentially for each package.
electron-builder will package and compile a distribution for your desired target platforms (macOS, Windows, and Linux). Auto-update support is included out-of-the-box.
To do this using electron-builder:
- npm run compile: This script is configured to compile the application as quickly as possible. It is not ready for distribution, is compiled only for the current platform and is used for debugging.
- In GitHub Action: The application is compiled for any platform and ready-to-distribute files are automatically added to the draft GitHub release.
According to Electron's security guidelines, Node.js integration should be disabled for any views that render remote content. This means that you cannot call any Node.js API in the packages/renderer code directly. To use Node.js functionality there, you must describe the interface in packages/preload, where the Node.js API is allowed:
// packages/preload/src/index.ts
import { contextBridge } from 'electron';
import { readFile } from 'fs/promises';

// Only this narrow API is exposed to the renderer.
const api = {
  readConfig: () => readFile('/path/to/config.json', { encoding: 'utf-8' }),
};
contextBridge.exposeInMainWorld('electron', api);

// packages/renderer/src/App.tsx
import { useElectron } from '/@/use/electron';
const { readConfig } = useElectron();
Read more about Security Considerations.
Note: Context isolation is disabled for the test environment. See #693.
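When a renderer-supplied argument has to reach Node.js, the preload should validate it before use rather than pass it through. The following is an added example, not code from this template: the allow-list, its file paths and the names resolveConfigPath and createApi are hypothetical, and the file reader is injected so the block runs without Electron.

```typescript
// Added example, not part of the template. In a real preload, pass readFile
// from 'fs/promises' as the reader and give the returned object to
// contextBridge.exposeInMainWorld('electron', api).
type Reader = (path: string, opts: { encoding: 'utf-8' }) => Promise<string>;

// Hypothetical allow-list: the renderer sends a logical name, never a path.
const CONFIG_FILES: Readonly<Record<string, string>> = {
  app: '/path/to/config.json',
  theme: '/path/to/theme.json',
};

// Arguments that cross the context bridge are untrusted input.
function resolveConfigPath(name: unknown): string {
  if (typeof name !== 'string') {
    throw new TypeError('config name must be a string');
  }
  // Own-property check so inherited keys such as "constructor" do not match.
  if (!Object.prototype.hasOwnProperty.call(CONFIG_FILES, name)) {
    throw new RangeError('unknown config: ' + JSON.stringify(name));
  }
  return CONFIG_FILES[name] as string;
}

// Builds the object to expose: one narrow operation, no general file access.
function createApi(read: Reader) {
  return Object.freeze({
    readConfig: (name: unknown): Promise<string> =>
      // Run validation inside the promise chain so bad input rejects.
      Promise.resolve().then(() =>
        read(resolveConfigPath(name), { encoding: 'utf-8' }),
      ),
  });
}

// Constructed demo: a fake reader records which paths would have been opened.
const opened: string[] = [];
const demoApi = createApi((p) => {
  opened.push(p);
  return Promise.resolve('{}');
});
demoApi.readConfig('app').then(() => console.log('opened:', opened));
demoApi
  .readConfig('../outside.json')
  .catch((e: Error) => console.log('rejected:', e.message));
```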
All environment variables are set as part of import.meta, so you can access them as follows: import.meta.env.
You can also build type definitions of your variables by running scripts/buildEnvTypes.js. This command will create a types/env.d.ts file describing all environment variables for all modes.
The mode option is used to specify the value of import.meta.env.MODE and the corresponding environment variable files that need to be loaded.
By default, there are two modes:
- production is used by default
- development is used by the npm run watch script
- test is used by the npm test script
When running the build, environment variables are loaded from the following files in your project root:
.env # loaded in all cases
.env.local # loaded in all cases, ignored by git
.env.[mode] # only loaded in specified env mode
.env.[mode].local # only loaded in specified env mode, ignored by git
Note: only variables prefixed with VITE_ are exposed to your code (e.g. VITE_SOME_KEY=123); SOME_KEY=123 will not be. You can access VITE_SOME_KEY using import.meta.env.VITE_SOME_KEY. This is because the .env files may be used by some users for server-side or build scripts and may contain sensitive information that should not be exposed in code shipped to browsers.
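The prefix rule above can be checked before a build. This added example (not part of the template) is a simplified .env reader that separates exposed from build-only variables and lists exposed names that look like secrets; the function name auditEnv, the name heuristic and the sample values are assumptions.

```typescript
// Added example, not part of the template. Simplified parsing: KEY=value lines
// and # comments only, with no quoting, multi-line values or expansion.
interface EnvReport {
  exposed: Record<string, string>; // reachable as import.meta.env.VITE_*
  buildOnly: string[]; // names that stay out of the bundled code
  review: string[]; // exposed names that look like secrets
}

const PREFIX = 'VITE_';
// Hypothetical heuristic for names that should not ship in renderer code.
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE)/i;

function auditEnv(text: string): EnvReport {
  const report: EnvReport = { exposed: {}, buildOnly: [], review: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.charAt(0) === '#') continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // not a KEY=value line
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.indexOf(PREFIX) === 0) {
      report.exposed[key] = value;
      // A prefixed secret ends up readable in the shipped bundle.
      if (SECRET_HINT.test(key)) report.review.push(key);
    } else {
      report.buildOnly.push(key);
    }
  }
  return report;
}

// Constructed sample input, not a file from the template.
const sampleEnv = [
  '# .env.production (constructed)',
  'VITE_SOME_KEY=123',
  'SOME_KEY=123',
  'VITE_API_TOKEN=placeholder-value',
  'SIGNING_PASSWORD=placeholder-value',
].join('\n');

console.log(auditEnv(sampleEnv));
```

Any name reported under review should lose the VITE_ prefix and be read only by build or main-process code.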
See Contributing Guide.