pa11y / pa11y-ci

Pa11y CI is a CI-centric accessibility test runner, built using Pa11y
https://pa11y.org
GNU Lesser General Public License v3.0

pa11y-ci using puppeteer@1.19.0 which has dependency ws@6.2.1 with npm vulnerability 1748 #141

Closed ap-buf closed 2 years ago

ap-buf commented 3 years ago

├─┬ pa11y-ci@2.4.1
│ ├─┬ pa11y@5.3.1
│ │ └─┬ puppeteer@1.19.0
│ │   └── ws@6.2.1 deduped
│ └─┬ puppeteer@1.19.0
│   └── ws@6.2.1 deduped

https://www.npmjs.com/advisories/1748

The latest version of puppeteer (10.0.0) is using ws@7.4.6 and does not have this vulnerability.

Would it be possible to include an updated version of puppeteer in your next release? Note also the dependency through pa11y.
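The dependency chain reported in the comment above can be extracted mechanically. As an added example (not part of the original issue and not pa11y-ci's own code), the script below walks a tree in the shape that `npm ls --json` prints and lists every path ending at ws@6.2.1. The sample tree and the root name `my-project` are constructed from the versions quoted in the issue.

```javascript
// Constructed sample in the shape of `npm ls --json` output
// (name / version / nested "dependencies"), using the versions from this issue.
const sampleTree = {
  name: 'my-project', // hypothetical root project
  version: '1.0.0',
  dependencies: {
    'pa11y-ci': {
      version: '2.4.1',
      dependencies: {
        pa11y: {
          version: '5.3.1',
          dependencies: {
            puppeteer: { version: '1.19.0', dependencies: { ws: { version: '6.2.1' } } },
          },
        },
        puppeteer: { version: '1.19.0', dependencies: { ws: { version: '6.2.1' } } },
      },
    },
  },
};

// Depth-first walk: return every chain (array of "name@version") that ends
// at the requested package version.
function findPaths(node, name, version, trail = []) {
  const hits = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${depName}@${dep.version}`];
    if (depName === name && dep.version === version) hits.push(here);
    hits.push(...findPaths(dep, name, version, here));
  }
  return hits;
}

// Direct dependencies of the root through which the flagged version arrives:
// these are the packages whose upgrade has to be requested or applied.
function topLevelCarriers(tree, name, version) {
  return [...new Set(findPaths(tree, name, version).map((p) => p[0]))];
}

for (const p of findPaths(sampleTree, 'ws', '6.2.1')) console.log(p.join(' > '));
console.log('upgrade via:', topLevelCarriers(sampleTree, 'ws', '6.2.1').join(', '));
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --json`.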

masi commented 2 years ago

I'm using BackstopJS which has already upgraded to 10. Thanks to requiring puppeteer again I have now 3 local Chromiums. :(

Cannot pa11y-ci reuse the Chromium that came with pa11y?

josebolos commented 2 years ago

Hi @masi

Your issue seems to be unrelated to this one. Could you please create a new issue and fill in all the details about what version and environment you are using? Thanks.

masi commented 2 years ago

Sorry. Besides the issue of ap-buf about the vulnerability, which is also a concern for me, I should not have added another problem.

josebolos commented 2 years ago

Version 3 of pa11y-ci is using version 9 of puppeteer, so I'm closing this issue.