[Snyk] Security upgrade puppeteer from 20.7.3 to 21.3.7

[Jerk400]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: puppeteer

The new version differs by 250 commits.

• 377cd83 chore: release main (#11081)
• 11f7c69 test: update Firefox BiDi expectations (#11082)
• 0c0e516 fix: roll to Chrome 117.0.5938.149 (r1181205) (#11077)
• 163394d chore(deps): Bump actions/checkout from 3.6.0 to 4.1.0 (#11063)
• 67e9a92 chore(deps): Bump postcss from 8.4.16 to 8.4.31 in /website (#11075)
• 54bc80c chore(deps): Bump github/codeql-action from 2.21.8 to 2.21.9 (#11064)
• c5083bb docs: update link to `third_party/README.md` (#11068)
• a3187a0 docs: Update reference to SKIP_CHROMIUM_DOWNLOAD env to SKIP_DOWNLOAD
• 28c1c26 test: crash mocha if unhandled errors occur (#11055)
• c5f2d28 test: move queryObjects to a CDP only tests (#11050)
• 88681a8 test: Remove invalid drag and drop test (#11054)
• eedbb13 chore: release main (#11051)
• b0d7375 fix: remove the flag disabling bfcache (#11047)
• 30bd030 chore: use yargs for mocha runner (#11045)
• 03b22ab chore(deps): Bump glob from 10.3.4 to 10.3.10 (#11043)
• 897fb64 chore(deps): Bump @ swc/core from 1.3.86 to 1.3.90 (#11042)
• f59537e ci: add sharding for chrome (#11038)
• bd6c246 chore: add @ typescript-eslint/no-import-type-side-effects (#11040)
• e853e63 refactor: use common debugError (#11039)
• 48f9382 test: synchronize bidi expectations changes for Bug 1756595 (#11005)
• aa16ab1 chore: use RxJS for wait for Navigation (#11024)
• c502ca8 chore: release main (#11025)
• e0e7e3a test: move cdp only tests to a subfolder (#11033)
• 8993def ci: disable failing doctest (#11035)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[guardrails]

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity	Details
Medium	pkg:npm/[email protected] (t) upgrade to: > 2.7.14

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
puppeteer	20.7.3...21.3.7	None	+27/-29	16.2 MB	google-wombot

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Filesystem access	cosmiconfig	8.3.6	Module: fs Location: dist/ExplorerSync.js +3 more instances...	[email protected] via package.json
Major refactor	urlpattern-polyfill	9.0.0	Change Percentage: 92.98 Current Line Count: 186 Previous Line Count: 2919 Lines Changed: 2887	[email protected] via package.json
Network access	@tootallnate/quickjs-emscripten	0.23.0	Module: globalThis["fetch"] Location: dist/generated/emscripten-module.WASM_RELEASE_SYNC.js +3 more instances...	[email protected] via package.json
No v1	@tootallnate/quickjs-emscripten	0.23.0	Location: Package overview	[email protected] via package.json
Semver anomaly	devtools-protocol	0.0.1179426	Previous Version: [email protected] New Version: [email protected]	[email protected] via package.json

Next steps

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

What is a major refactor?

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Consider waiting before upgrading to see if any issues are discovered, or be prepared to scrutinize any bugs or subtle changes the major refactor may bring. Publishers my consider publishing beta versions of major refactors to limit disruption to parties interested in the new changes.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is wrong with semver < v1?

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

If the package sees any general use, it should begin releasing at version 1.0.0 or later to benefit from semver.

What are semver anomalies?

Package semver skipped several versions, this could indicate a dependency confusion attack or indicate the intention of disruptive breaking changes or major priority shifts for the project.

Packages should follow semantic versions conventions by not skipping subsequent version numbers. Consumers should research the purpose of the skipped version number.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @tootallnate/[email protected]
• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]