Chromium Drift tracks how many versions major browsers lag behind Chromium, a lag that exposes users to publicly known, already-patched security vulnerabilities.
Key Takeaways
Browsers shipping older Chromium versions leave users exposed to patched CVEs whose fixes are visible in public Chromium source.
The site provides a version check so users can compare their browser’s Chromium build against current stable.
Lag visibility matters because attackers can reverse-engineer patches from public Chromium commits before downstream browsers ship them.
Hacker News Comment Review
Commenters question the major-version-only focus: minor revisions and point releases also carry security fixes, and some browsers backport patches without bumping major versions.
Vivaldi and similar browsers follow Chromium’s Extended Stable channel (currently 146.x, ~4-week cadence), making them appear behind when they are actually on a supported branch.
The Electron blind spot is the most-cited gap: thousands of shipped desktop apps bundle frozen Chromium runtimes with no update cadence, representing a larger aggregate attack surface than browsers.
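The first two points above, as an added example that is not code from Chromium Drift or from the thread: a drift check that compares the full MAJOR.MINOR.BUILD.PATCH version against both the Stable and Extended Stable branches instead of counting major versions only. The reference versions are constructed for illustration, and the names `CHANNELS`, `parseVersion`, `compare` and `classifyDrift` are hypothetical.

```javascript
// Constructed reference versions for illustration; not real release data.
const CHANNELS = { stable: "147.0.7700.80", extended: "146.0.7650.120" };

// Chromium versions are MAJOR.MINOR.BUILD.PATCH.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a Chromium version: ${v}`);
  return m.slice(1).map(Number);
}

// Component-wise comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify an embedded Chromium version against both supported branches.
function classifyDrift(version, channels = CHANNELS) {
  const v = parseVersion(version);
  const stable = parseVersion(channels.stable);
  const extended = parseVersion(channels.extended);
  const majorsBehind = Math.max(0, stable[0] - v[0]);

  // Same major as a supported branch: only the point release decides.
  for (const [branch, ref] of [["stable", stable], ["extended", extended]]) {
    if (v[0] === ref[0]) {
      const status = compare(v, ref) < 0 ? "behind-point-release" : "current";
      return { branch, status, majorsBehind };
    }
  }
  // Newer major than Stable: a pre-release channel build.
  if (v[0] > stable[0]) {
    return { branch: "pre-release", status: "current", majorsBehind: 0 };
  }
  // Major matches no supported branch, so upstream ships no fixes for it.
  // A vendor may still backport patches; a version string cannot show that.
  return { branch: "none", status: "unsupported-major", majorsBehind };
}
```

A browser on the Extended Stable major reports `majorsBehind: 1` yet `status: "current"`, while a browser on the Stable major with an older build reports `majorsBehind: 0` yet `status: "behind-point-release"`.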
Notable Comments
@butz: calls for an equivalent tracker covering Electron apps and their Chromium drift across the ecosystem.
@ccouzens: Samsung Browser (~10% of Chromium browser share) is absent; it holds one version for months then jumps several at once.
@waitwhatwhoa: links a prior multi-year study with instrumentation code showing patched CVE persistence in Electron apps across popular desktop software.