
[Snyk] Security upgrade puppeteer from 18.2.1 to 24.15.0#22

Open
karencapiiro wants to merge 1 commit into androidx-main from snyk-fix-bdfac2f3f4c38a0f9027ef289dff7942

Conversation

@karencapiiro


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • development/fetchLicenses/package.json
  • development/fetchLicenses/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue | Score
high severity Inefficient Algorithmic Complexity (SNYK-JS-MINIMATCH-15353389) | 170

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

…es/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15353389
@karencapiiro
Author

Merge Risk: High

This is a major version upgrade from 18.2.1 to 24.15.0 that includes numerous significant breaking changes requiring code and environment modifications.

Key Breaking Changes:

  • Node.js Support: Support for Node.js 16 and older has been dropped. You must be on Node.js 18 or newer.
  • Headless Mode: The default headless mode has changed. Starting in v20, Puppeteer uses "Chrome for Testing". The previous headless: true is now aliased to headless: 'new'. The old headless implementation has been removed.
  • API Removals and Renaming: Many methods have been removed or renamed across major versions. Key examples include:
    • createIncognitoBrowserContext was renamed to createBrowserContext.
    • $x and waitForXpath have been removed.
    • waitForTimeout has been removed.
    • page.emulateMediaType was removed in v21.
    • PUPPETEER_DOWNLOAD_PATH is replaced by PUPPETEER_CACHE_DIR.
  • Browser Download Path: Since v19, the browser cache location has moved from node_modules to a shared global cache (~/.cache/puppeteer), which can affect CI/CD build environments.

Recommendation:
This upgrade will require significant testing and likely code refactoring. It is critical to validate your Node.js environment and review your usage of Puppeteer's launch options, especially regarding headless mode. Carefully review the official changelogs for versions 19 through 24 to identify all applicable API changes.

Source: Puppeteer Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@jit-ci

jit-ci bot commented Feb 27, 2026

🛡️ Jit Security Scan Results


✅ No security findings were detected in this PR


Security scan by Jit

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | puppeteer@18.2.1 ⏵ 24.15.0 | 93 (+1) | 100 | 89 (-11) | 95 (+45) | 100

View full report

@karencapiiro
Author

Checkmarx One – Scan Summary & Details42182f63-14be-4d38-813e-9112d1861396


New Issues (8): Checkmarx found the following issues in this Pull Request

Columns: # | Severity | Issue | Source File / Package | Checkmarx Insight

1. HIGH | CVE-2026-26996 | Npm-minimatch-3.1.2 | Vulnerable Package
   Recommended version: 3.1.3
   Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
   Attack Vector: NETWORK
   Attack Complexity: LOW
   ID: ayHWMKx%2FgZSx3ZFKCnhuP6gB6wNpL5wj%2BYbSSRrcRWQ%3D

2. HIGH | CVE-2026-27606 | Npm-rollup-3.27.2 | Vulnerable Package
   Recommended version: 3.30.0
   Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
   Attack Vector: NETWORK
   Attack Complexity: LOW
   ID: 4ty4YzpZnBzbgI9l%2BQF0JJ%2B8%2BsgVWPHE%2Fun3jSI3z0s%3D

3. HIGH | CVE-2026-27606 | Npm-rollup-3.26.3 | Vulnerable Package
   Recommended version: 3.30.0
   Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
   Attack Vector: NETWORK
   Attack Complexity: LOW
   ID: Q9%2BBdScqesOMGdlRYmuakZEFzF4OPzm3FdV3CB82%2BFo%3D

4. MEDIUM | CVE-2025-15284 | Npm-qs-6.11.0 | Vulnerable Package
   Recommended version: 6.14.2
   Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option...
   Attack Vector: NETWORK
   Attack Complexity: LOW
   ID: 4A6sVRhjD2yXqXUPwk%2Bi7wpkefjGKRcsVPmWbLzTgF8%3D

5. MEDIUM | CVE-2026-2391 | Npm-qs-6.11.0 | Vulnerable Package
   Recommended version: 6.14.2
   Description: The "arrayLimit" option in qs versions from 6.7.0 through 6.14.1 does not enforce limits for comma-separated values when "comma: true" is enabled, ...
   Attack Vector: NETWORK
   Attack Complexity: LOW
   ID: VO5lJW60VVN6GdMxgCL4CMZUYB%2BPkzIioOrFw0g%2FJ1Q%3D

6. MEDIUM | CVE-2026-27121 | Npm-svelte-4.1.1 | Vulnerable Package
   Recommended version: 5.51.5
   Description: svelte performance-oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to Cross-Site Scripting (XSS) during server-side rende...
   Attack Vector: NETWORK
   Attack Complexity: HIGH
   ID: S8OyItIxBUOG8zrdlZItcDaP7TpU4rA4Uultxtekyf8%3D

7. MEDIUM | CVE-2026-27122 | Npm-svelte-4.1.1 | Vulnerable Package
   Recommended version: 5.51.5
   Description: svelte performance oriented web framework. Prior to 5.51.5, when using "<svelte:element this={tag}>" in server-side rendering, the provided tag nam...
   Attack Vector: NETWORK
   Attack Complexity: HIGH
   ID: xin2Iz7dWxfY4BBFgeyHvfT%2Bg%2B9N1qWksOmLi9XGbuk%3D

8. MEDIUM | CVE-2026-27125 | Npm-svelte-4.1.1 | Vulnerable Package
   Recommended version: 5.51.5
   Description: svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enume...
   Attack Vector: NETWORK
   Attack Complexity: HIGH
   ID: XcaK6OsKcU9l5qo%2FQsio5SJOTJfdybrncMtnRcTQ2hM%3D

Fixed Issues (5): Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package
HIGH | CVE-2024-12905 | Npm-tar-fs-2.1.1
HIGH | CVE-2024-37890 | Npm-ws-8.9.0
HIGH | CVE-2025-48387 | Npm-tar-fs-2.1.1
HIGH | CVE-2025-59343 | Npm-tar-fs-2.1.1
MEDIUM | CVE-2025-13466 | Npm-body-parser-1.20.1

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.
