How far behind is each major Chromium browser?

 (chromium-drift.pages.dev)

96 points | by skaul 1 hour ago

13 comments

  • butz 1 hour ago
    I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.
    [-]
    • waitwhatwhoa 29 minutes ago
      We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)

      1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron

    • captn3m0 1 hour ago
      I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

      I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.

    • nicoburns 1 hour ago
      I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.
      [-]
      • josefx 50 minutes ago
        Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?
    • panzi 54 minutes ago
      Just wanted to write the same comment!
  • yawndex 7 minutes ago
    In defense of Vivaldi, it is actually up to date, just on the Extended Stable cycle: https://chromiumdash.appspot.com/releases?platform=Mac

    https://chromium.googlesource.com/chromium/src.git/+/main/do...

  • dataflow 1 hour ago
    > Why does Chromium version lag matter?

    > users are exposed to known, already-patched security vulnerabilities

    Then why only focus on major versions? Don't minor versions/revisions have security fixes?

    [-]
    • superjan 22 minutes ago
      In a perfect world, there would be a stable version of chrome, that would get fixes, but would crucially not get the new features that introduce new vulnerabilities. Not a fun job, I know, but with today’s coding agents it wouldn’t even be an unreasonable ask.
    • xeeeeeeeeeeenu 41 minutes ago
      Yes and also stable isn't the only maintained branch of Chromium, there's also extended stable (currently 146.x). LTS exists too (144.x), but I believe it's meant only for ChromeOS.
  • quantumleaper 1 hour ago
    Cool idea, but without longer-term tracking of how long each browser lags for each Chromium release, it's hard to draw any meaningful conclusions. It's also clear that in the case of major vulnerabilities, vendors would fast-track adoption of the patch.

    I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.

    [1] https://chromium.googlesource.com/chromium/src/+/f97d14f8a0a...

    [-]
  • pimlottc 1 hour ago
    Please don’t use green/red schemes, it’s the most common form of colorblindness and it’s especially bad with such pale shades.
    [-]
    • xandrius 30 minutes ago
      It has text supporting the color, so it's fine.
    • shooly 26 minutes ago
      Red/green is the most common way to show bad/good, error/success, etc.

      Using any other color scheme would just confuse everyone instead of only colorblind people... how would that be any better?

      [-]
      • magpi3 18 minutes ago
        White with black text for success and black with white text for failure. People would figure it out.
        [-]
        • shooly 0 minutes ago
          So as I said instead of confusing a minority of people, we confuse everyone instead?
  • UberFly 1 hour ago
    This is somewhat useful, but I know for instance that Vivaldi is often one version behind for the sake of stability, but also will also release incremental security updates in the period before major version updates.
  • Retr0id 32 minutes ago
    Is "uptodown" really the canonical download page for Comet?

    A point-in-time view is interesting but it's less useful than a graph over time.

    Would be fun to add the version shipped in LG smart TVs (hint: it's ancient)

  • mm263 1 hour ago
    Please add Helium
    [-]
    • dotcoma 27 minutes ago
      Helium rocks!
    • wswin 1 hour ago
      and Ungoogled Chromium
    • ece 10 minutes ago
      qutebrowser would be nice too.
    • Yehoshaphat 1 hour ago
      I second this motion.
      [-]
      • mostlyk 6 minutes ago
        I third this motion.
  • ece 16 minutes ago
    Vivaldi does minor releases as needed for security and bugs, so saying 1 major version behind is a bit coarse.
  • jjmarr 1 hour ago
    Shouldn't it also show the version number of the browser the user is currently on?
    [-]
    • koolala 1 hour ago
      Which user?
      [-]
      • catlikesshrimp 43 minutes ago
        The one visiting the website (tfa website)
        [-]
        • koolala 30 minutes ago
          Why? What does tfa mean? I'm visiting it on Firefox.
          [-]
          • edoceo 9 minutes ago
            TFA is: The Fantastic Article. The top thing that was posted.
  • koolala 1 hour ago
    Could add the Meta Quest browser
  • Fokamul 49 minutes ago
    This website, for me, it's named "List of all browsers I will never use".

    Yet another reminder, lawmakers US/EU/Anywhere else, should force all browsers to actively block fingerprinting.

    [-]
    • shooly 20 minutes ago
      What fingerprinting? What does this have to do with anything?
  • crazysim 1 hour ago
    [dead]