[Snyk] Security upgrade puppeteer from 18.2.1 to 24.15.0

[karencapiiro]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• development/fetchLicenses/package.json
• development/fetchLicenses/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-15309438	170

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[karencapiiro]

This is a major version upgrade from 18.2.1 to 24.15.0 that includes numerous significant breaking changes requiring code and environment modifications.

Key Breaking Changes:

• Node.js Support: Support for Node.js 16 and older has been dropped. You must be on Node.js 18 or newer.
• Headless Mode: The default headless mode has changed. Starting in v20, Puppeteer uses "Chrome for Testing". The previous headless: true is now aliased to headless: 'new'. The old headless implementation has been removed.
• API Removals and Renaming: Many methods have been removed or renamed across major versions. Key examples include:
  • createIncognitoBrowserContext was renamed to createBrowserContext.
  • $x and waitForXpath have been removed.
  • waitForTimeout has been removed.
  • page.emulateMediaType was removed in v21.
  • PUPPETEER_DOWNLOAD_PATH is replaced by PUPPETEER_CACHE_DIR.
• Browser Download Path: Since v19, the browser cache location has moved from node_modules to a shared global cache (~/.cache/puppeteer), which can affect CI/CD build environments.

Recommendation:
This upgrade will require significant testing and likely code refactoring. It is critical to validate your Node.js environment and review your usage of Puppeteer's launch options, especially regarding headless mode. Carefully review the official changelogs for versions 19 through 24 to identify all applicable API changes.

Source: Puppeteer Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	puppeteer@​18.2.1 ⏵ 24.15.0	+1		-11	+45

View full report

[karencapiiro]

Checkmarx One – Scan Summary & Details – b29e1f4d-41a6-4282-a985-41655c3a9146

---

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-15284	Npm-qs-6.11.0	details Recommended version: 6.11.3 Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... Attack Vector: NETWORK Attack Complexity: LOW ID: GtJG3FDAsnxi0cqe2sZjV4vLx1wNj7T%2Fqfs1FnwgTzo%3D Vulnerable Package
2		CVE-2026-2391	Npm-qs-6.11.0	details Recommended version: 6.11.3 Description: ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to c... Attack Vector: NETWORK Attack Complexity: LOW ID: 5CL5XBdWyBQpAGtjopdbZqkJLFQ9wK%2Fj3TdOZe0GcmE%3D Vulnerable Package

---

Fixed Issues (5)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2024-12905	Npm-tar-fs-2.1.1
	CVE-2024-37890	Npm-ws-8.9.0
	CVE-2025-48387	Npm-tar-fs-2.1.1
	CVE-2025-59343	Npm-tar-fs-2.1.1
	CVE-2025-13466	Npm-body-parser-1.20.1

---

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.