Closed plocket closed 1 month ago
After an update, we have a few new vulnerabilities. These may have already existed, but may be because of the new puppeteer version:
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install axios@1.7.2, which is a breaking change
node_modules/axios
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/braces
follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/follow-redirects
pdfjs-dist <=4.1.392
Severity: high
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - https://github.com/advisories/GHSA-wgrm-67xf-hhpq
fix available via npm audit fix --force
Will install pdfjs-dist@4.5.136, which is a breaking change
node_modules/pdfjs-dist
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/tar
AVOID UPDATING pdfjs. It switches to mjs and that'll take some configuration shenanigans that I don't want to deal with at the moment. The vulnerability involves PDFs that can inject code, but folks are downloading their own PDFs which should be fine.
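The audit output above mixes fixes that `npm audit fix` applies cleanly with fixes that need `--force` (a semver-major bump such as pdfjs-dist or axios) and therefore a deliberate decision like the one in this comment. The following is an added example, not code from the issue or from the project: it reads the machine-readable form of the same report (`npm audit --json`, whose `vulnerabilities` map in npm 7+ carries `fixAvailable` as either `true` or an object with `isSemVerMajor`) and splits it into safe fixes, breaking fixes, and unfixed advisories, then gates CI on anything at or above a severity threshold that has not been explicitly accepted. The sample object is constructed to mirror the five advisories printed above.

```javascript
// Added example (not from the issue or the project). Triage of `npm audit --json`
// output. Assumed input shape: npm's `vulnerabilities` map (npm 7+), where
// `fixAvailable` is `true` for a non-breaking fix, an object with
// `isSemVerMajor: true` for a fix that needs `npm audit fix --force`, or `false`.

// Constructed sample mirroring the audit text in the issue (not real npm output).
const sampleAudit = {
  vulnerabilities: {
    axios: { name: 'axios', severity: 'moderate', range: '0.8.1 - 0.27.2',
      nodes: ['node_modules/axios'],
      fixAvailable: { name: 'axios', version: '1.7.2', isSemVerMajor: true } },
    braces: { name: 'braces', severity: 'high', range: '<3.0.3',
      nodes: ['node_modules/braces'], fixAvailable: true },
    'follow-redirects': { name: 'follow-redirects', severity: 'moderate', range: '<=1.15.5',
      nodes: ['node_modules/follow-redirects'], fixAvailable: true },
    'pdfjs-dist': { name: 'pdfjs-dist', severity: 'high', range: '<=4.1.392',
      nodes: ['node_modules/pdfjs-dist'],
      fixAvailable: { name: 'pdfjs-dist', version: '4.5.136', isSemVerMajor: true } },
    tar: { name: 'tar', severity: 'moderate', range: '<6.2.1',
      nodes: ['node_modules/tar'], fixAvailable: true },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split the vulnerabilities map into three buckets:
//   safe     - resolved by plain `npm audit fix`
//   breaking - need `--force` (semver-major) and a documented decision
//   unfixed  - no upstream fix available yet
function triageAudit(audit) {
  const safe = [];
  const breaking = [];
  const unfixed = [];
  for (const v of Object.values(audit.vulnerabilities || {})) {
    if (v.fixAvailable === true) {
      safe.push(v.name);
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      breaking.push(`${v.name} -> ${v.fixAvailable.version}`);
    } else if (v.fixAvailable) {
      safe.push(v.name); // fix object without a major bump: still non-breaking
    } else {
      unfixed.push(v.name);
    }
  }
  return { safe, breaking, unfixed };
}

// Names of packages at or above `threshold` that are not on the explicit
// acceptance list. An empty result means the build may pass; a non-empty one
// means either fix the package or record an acceptance for it.
function unacceptedAtOrAbove(audit, threshold, accepted = []) {
  const floor = SEVERITY_RANK[threshold];
  if (floor === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const acceptedSet = new Set(accepted);
  return Object.values(audit.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? 0) >= floor)
    .filter((v) => !acceptedSet.has(v.name))
    .map((v) => v.name);
}

// Usage: pipe `npm audit --json` into this script, or run it on the sample.
function report(audit, threshold, accepted) {
  const t = triageAudit(audit);
  console.log('npm audit fix (non-breaking):', t.safe.join(', ') || 'none');
  console.log('needs --force (breaking):   ', t.breaking.join(', ') || 'none');
  console.log('no fix available:           ', t.unfixed.join(', ') || 'none');
  const over = unacceptedAtOrAbove(audit, threshold, accepted);
  console.log(`unaccepted >= ${threshold}:`, over.join(', ') || 'none');
  return over.length === 0;
}

report(sampleAudit, 'high', ['pdfjs-dist']);
```

With the issue's own decision encoded as an acceptance of pdfjs-dist, the gate still flags braces, which is high severity but fixable without a breaking change, so the right move is `npm audit fix` (without `--force`) followed by a re-run of the check.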
Use response data to detect sign-in success
Context and Problem Statement
Should we update to the newest version of puppeteer, 22.14.0?
Considered Options
See pros and cons
Decision Outcome
Update puppeteer from 20.8.2 to 22.15.0
Pros and Cons of the Options
Update at all
Pros:
Cons:
$x (replace with $$) and waitForXpath (replace with waitForSelector). We need to add extra syntax to the start of our selector strings: "xpath//".
page.waitForTimeout: replace with cucumber's version or ours.
Update to 22.15.0
Pros:
Cons:
Update to 22.12.0
This is the lowest version that would fix our problem
Pros:
Cons:
Stay with 20.8.2
Opposite of first section entry, "Update at all".
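The cons listed under "Update at all" are the Puppeteer 22 API changes: `$x` and `waitForXPath` give way to `$$` and `waitForSelector` with an `xpath/` prefix on the selector string, and `page.waitForTimeout` is gone. The following is an added example, not code from this repository or from Puppeteer: a small compatibility module that puts the prefixing and the timeout replacement in one place so step definitions change at a single call site. The `waitForSignInResponse` helper is an assumption about what "use response data to detect sign-in success" means (waiting for a matching HTTP response via `page.waitForResponse` instead of a fixed timeout); the fake `page` object used in the test stands in for a real Puppeteer page.

```javascript
// Added example (not from the project or from Puppeteer). Migration helpers for
// the Puppeteer 22 API changes named in the ADR:
//   page.$x(expr)              -> page.$$('xpath/' + expr)
//   page.waitForXPath(expr)    -> page.waitForSelector('xpath/' + expr)
//   page.waitForTimeout(ms)    -> removed; use a timer or, better, wait on a response.

// Prefix an XPath expression with Puppeteer's 'xpath/' selector scheme.
// Idempotent: an already-prefixed selector is returned unchanged.
function toXPathSelector(expr) {
  if (typeof expr !== 'string' || expr.length === 0) {
    throw new TypeError('XPath expression must be a non-empty string');
  }
  return expr.startsWith('xpath/') ? expr : 'xpath/' + expr;
}

// Replacement for page.$x(expr): all matching element handles.
async function findByXPath(page, expr) {
  return page.$$(toXPathSelector(expr));
}

// Replacement for page.waitForXPath(expr, options).
async function waitForXPath(page, expr, options = {}) {
  return page.waitForSelector(toXPathSelector(expr), options);
}

// Replacement for the removed page.waitForTimeout(ms): a plain timer.
// Kept only for steps that genuinely need a fixed pause.
function waitForTimeout(ms) {
  if (!Number.isFinite(ms) || ms < 0) throw new RangeError('ms must be a non-negative number');
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Assumed helper: resolve with the first response whose URL contains
// `urlFragment` and whose status is in the 2xx range, instead of sleeping and
// hoping the sign-in round trip has finished. Returns the Puppeteer HTTPResponse.
async function waitForSignInResponse(page, urlFragment, options = {}) {
  if (typeof urlFragment !== 'string' || urlFragment.length === 0) {
    throw new TypeError('urlFragment must be a non-empty string');
  }
  return page.waitForResponse(
    (response) => response.url().includes(urlFragment) && response.ok(),
    options,
  );
}

// Example step body using the helpers (assumed selectors, not the project's).
async function signIn(page, username, password) {
  await waitForXPath(page, '//input[@name="username"]', { timeout: 5000 });
  const [userField] = await findByXPath(page, '//input[@name="username"]');
  const [passField] = await findByXPath(page, '//input[@name="password"]');
  await userField.type(username);
  await passField.type(password);
  const [submit] = await findByXPath(page, '//button[@type="submit"]');
  const [response] = await Promise.all([
    waitForSignInResponse(page, '/login', { timeout: 10000 }),
    submit.click(),
  ]);
  return response.status();
}
```

The `Promise.all` pattern in `signIn` registers the response wait before the click that triggers the request, which is what makes response-based detection reliable where a fixed `waitForTimeout` was previously masking the race.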