How far behind is each major Chromium browser?

5/3/2026 at 5:19:25 PM

I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.

by butz

5/3/2026 at 6:30:29 PM

We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)

1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron

by waitwhatwhoa

5/3/2026 at 5:37:52 PM

I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.

by captn3m0

5/3/2026 at 5:24:42 PM

I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

by nicoburns

5/3/2026 at 7:31:13 PM

Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.

by nolist_policy

5/4/2026 at 3:11:56 AM

I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.

by no-name-here

5/4/2026 at 6:54:46 AM

The last one. It would make sense to have a sandbox system, but they don’t.

by Filligree

5/3/2026 at 6:09:35 PM

Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?

by josefx

5/4/2026 at 2:13:03 AM

Isn’t the threat model for these desktop apps entirely different?

by stingraycharles

5/3/2026 at 6:05:41 PM

Just wanted to write the same comment!

by panzi

5/3/2026 at 5:25:30 PM

> Why does Chromium version lag matter?

> users are exposed to known, already-patched security vulnerabilities

Then why only focus on major versions? Don't minor versions/revisions have security fixes?

by dataflow

5/3/2026 at 6:18:36 PM

Yes and also stable isn't the only maintained branch of Chromium, there's also extended stable (currently 146.x). LTS exists too (144.x), but I believe it's meant only for ChromeOS.

by xeeeeeeeeeeenu

5/4/2026 at 9:41:38 AM

The Vivaldi build I have locally explicitly mentions "Extended Stable channel (may also include additional security patches)" on its "About" page.

by crashingintoyou

5/3/2026 at 6:37:28 PM

In a perfect world, there would be a stable version of chrome, that would get fixes, but would crucially not get the new features that introduce new vulnerabilities. Not a fun job, I know, but with today’s coding agents it wouldn’t even be an unreasonable ask.

by superjan

5/3/2026 at 6:53:26 PM

In defense of Vivaldi, it is actually up to date, just on the Extended Stable cycle: https://chromiumdash.appspot.com/releases?platform=Mac

https://chromium.googlesource.com/chromium/src.git/+/main/do...

by yawndex

5/3/2026 at 5:24:02 PM

Cool idea, but without longer-term tracking of how long each browser lags for each Chromium release, it's hard to draw any meaningful conclusions. It's also clear that in the case of major vulnerabilities, vendors would fast-track adoption of the patch.

I would definitely include the fact that "major" versions of Chromium are released every 2 weeks. For instance, Vivaldi is on version 146.0.7680.218 that released this Tuesday [1], only 5 days ago.

[1] https://chromium.googlesource.com/chromium/src/+/f97d14f8a0a...

by quantumleaper

5/3/2026 at 5:43:41 PM

More like 4 weeks than 2.

https://chromestatus.com/roadmap

by dopa42365

5/3/2026 at 7:21:29 PM

You are right, I misremembered this announcement [1]. They are switching from a 4-week to a 2-week release schedule this September.

[1] https://developer.chrome.com/blog/chrome-two-week-release

by quantumleaper

5/3/2026 at 5:45:25 PM

Please don’t use green/red schemes, it’s the most common form of colorblindness and it’s especially bad with such pale shades.

by pimlottc

5/3/2026 at 7:25:04 PM

On the topic of accessibility, the contrast of the text in the "up to date" bubbles is very low. I can barely see the yellow one, let alone read it without significant eye strain.

Firefox's dev tools have an Accessibility tab where you can see warnings about low contrast and simulate different forms of color blindness.

by sgtlaggy

5/3/2026 at 7:34:25 PM

This website, while cool data, is just awful for me who is very red/green colorblind. Unusable.

by richwater

5/3/2026 at 8:20:10 PM

Sorry about that! I've fixed the colors and contrast now.

by skaul

5/3/2026 at 6:29:44 PM

It has text supporting the color, so it's fine.

by xandrius

5/3/2026 at 7:33:57 PM

Some of the text is undereadable on the background.

by richwater

5/3/2026 at 8:19:53 PM

Thanks, fixed now.

by skaul

5/3/2026 at 6:33:48 PM

Red/green is the most common way to show bad/good, error/success, etc.

Using any other color scheme would just confuse everyone instead of only colorblind people... how would that be any better?

by shooly

5/3/2026 at 6:41:46 PM

White with black text for success and black with white text for failure. People would figure it out.

by magpi3

5/3/2026 at 6:59:49 PM

So as I said instead of confusing a minority of people, we confuse everyone instead?

by shooly

5/3/2026 at 7:19:25 PM

There are always creative ways to present data. Dismissing the needs of a minority of people just because we don't share their visual impairment is lazy, and we can do better.

by magpi3

5/3/2026 at 8:44:37 PM

It would be good if Samsung browser were listed. It has about 10% market share of chromium browsers and is on version 136. It sticks to one version for months at a time and then jumps several versions. Going by historical data it's due for another jump soon.

by ccouzens

5/3/2026 at 5:30:08 PM

This is somewhat useful, but I know for instance that Vivaldi is often one version behind for the sake of stability, but also will also release incremental security updates in the period before major version updates.

by UberFly

5/3/2026 at 5:11:07 PM

Please add Helium

by mm263

5/3/2026 at 5:56:09 PM

and Ungoogled Chromium

by wswin

5/3/2026 at 6:32:51 PM

Helium rocks!

by dotcoma

5/3/2026 at 6:49:57 PM

qutebrowser would be nice too.

by ece

5/3/2026 at 5:50:24 PM

I second this motion.

by Yehoshaphat

5/3/2026 at 6:53:55 PM

I third this motion.

by mostlyk

5/3/2026 at 6:28:06 PM

Is "uptodown" really the canonical download page for Comet?

A point-in-time view is interesting but it's less useful than a graph over time.

Would be fun to add the version shipped in LG smart TVs (hint: it's ancient)

by Retr0id

5/3/2026 at 8:22:22 PM

It's not but given that Perplexity doesn't have an API and blocks automated downloads, I'm not sure what else to use. Explained in the docs: https://github.com/ShivanKaul/chromium-drift/blob/main/docs/...

by skaul

5/3/2026 at 8:37:59 PM

How does comet update itself?

Edit: approximately like so:

    curl -sS -X POST -H 'Content-Type: application/json' -d '{"request":{"protocol":"4.0","updater":"CometUpdater","updaterversion":"0","os":{"platform":"win","version":"10","arch":"x64"},"apps":[{"appid":"{42e10078-e377-4166-965f-c14ad958a146}","version":"0.0.0.0","updatechecks":[{}]}]}}' https://www.perplexity.ai/rest/browser/update2 | sed "s/^)]}'//" | jq -r '.response.apps[0].updatecheck.nextversion'

by Retr0id

5/3/2026 at 8:47:29 PM

fwiw this should work the same for just about all chromium forks - protocol is documented here: https://github.com/chromium/chromium/blob/6eb6252d5671bca378...

by Retr0id

5/3/2026 at 7:18:56 PM

I use Firefox, btw

by darkwater

5/3/2026 at 8:00:18 PM

Firefox has its own forks, by the way: GNU IceWeasel → IceCat, LibreWolf etc.

by ciupicri

5/4/2026 at 3:51:37 AM

Fennec, for Android too. The unfortunate part is that it doesn't (by default, on F-Droid) use Firefox Beta - meaning custom extension packs can't be used

This matters for things like Redirector (www.reddit -> old.reddit), Greasemonkey (hckrnews dark theme), and (for my keyboard-equipped Android) Vimium

by xethos

5/3/2026 at 8:55:21 PM

The page says old chromium means insecure. Isn't anybody backporting fixes anymore?

by dizhn

5/3/2026 at 8:40:31 PM

Credit to bsclifton for the idea!

by skaul

5/3/2026 at 9:09:27 PM

What if I see a browser being "behind" as a benefit? (CVEs excepted)

by nofunsir

5/3/2026 at 5:20:25 PM

Shouldn't it also show the version number of the browser the user is currently on?

by jjmarr

5/3/2026 at 5:59:51 PM

Which user?

by koolala

5/3/2026 at 6:17:15 PM

The one visiting the website (tfa website)

by catlikesshrimp

5/3/2026 at 6:30:21 PM

Why? What does tfa mean? I'm visiting it on Firefox.

by koolala

5/3/2026 at 6:50:50 PM

TFA is: The Fantastic Article. The top thing that was posted.

by edoceo

5/4/2026 at 12:01:36 AM

Why is this list missing Supermium?

by rkagerer

5/3/2026 at 5:59:10 PM

Could add the Meta Quest browser

by koolala

5/3/2026 at 6:43:38 PM

Vivaldi does minor releases as needed for security and bugs, so saying 1 major version behind is a bit coarse.

by ece

5/3/2026 at 7:23:56 PM

The problem is: we all are behind Google. Google sits in the driver seat here.

This is really, really bad ...

Edit: Ok, almost all of us. There are some non-Google browsers such as firefox, but Google dished out money to Mozilla for many years, which made real competition impossible.

by shevy-java

5/3/2026 at 10:34:13 PM

A lot of people are stuck with safari on iOS where there's not even another browser since apple bans them.

People choose to download Chrome over firefox, to ditch their custom browser engine (microsoft & opera) in favor of chromium.

We've centralized development effort on a large open source project.

Why exactly is this really really bad?

I find the safari situation bad because I can't use various web standards, it's closed source, etc, but the chromium one doesn't bother me. I just install firefox.

by TheDong

5/3/2026 at 6:10:42 PM

This website, for me, it's named "List of all browsers I will never use".

Yet another reminder, lawmakers US/EU/Anywhere else, should force all browsers to actively block fingerprinting.

by Fokamul

5/3/2026 at 6:39:51 PM

What fingerprinting? What does this have to do with anything?

by shooly

5/3/2026 at 8:10:05 PM

> lawmakers US/EU/Anywhere else, should force all browsers to actively block fingerprinting.

That won't happen.

by notenlish

5/3/2026 at 5:20:34 PM

[dead]

by crazysim