
[Snyk] Security upgrade puppeteer from 24.43.1 to 25.0.2 #12913

Open: sestinj wants to merge 1 commit into main from snyk-fix-1b6a74bb53f62f626178bda4f451b7a3

sestinj commented Jun 28, 2026


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • core/package.json

Vulnerabilities that will be fixed with an upgrade:

| Issue | Score |
| --- | --- |
| high severity Directory Traversal, SNYK-JS-EXTRACTZIP-17660777 | 716 |

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


sestinj commented Jun 28, 2026


Merge Risk: High

The upgrade from Puppeteer v24 to v25 is a major version with significant breaking changes that require developer action.

Key Breaking Changes:

  • ESM Only: Puppeteer and its related packages are now ESM-only. This means you must update your import statements from const puppeteer = require('puppeteer') to import puppeteer from 'puppeteer'. Your project may need to be configured to handle ESM modules (e.g., by setting "type": "module" in your package.json).

  • Node.js Version: The minimum required Node.js version has been increased to v20.19+. Projects running on older Node.js versions will fail.

  • API Removals & Changes:

    • Several deprecated methods have been removed, including Puppeteer.product, MouseOptions.clickCount, and Browser.isConnected().
    • executablePath() and defaultArgs() now return a Promise and must be awaited.
    • Header handling has changed: newline-separated headers are now normalized to a comma-separated format.

Recommendation:
This upgrade requires significant code and environment changes. Before merging, you must:

  1. Update your import syntax to ESM (import).
  2. Ensure your environment is running Node.js v20.19 or newer.
  3. Review your codebase for usage of the removed APIs (.product, .clickCount, .isConnected()) and update calls to executablePath() and defaultArgs() to use await.

Source: Puppeteer Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
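
A pre-merge scan for the call sites the comment above lists, as an added example that is not part of the PR or of Puppeteer's tooling. The pattern list is transcribed from that comment and assumed correct only for the purpose of the scan; the sample file and its path are constructed.

```javascript
// Added example: flag lines that use the patterns named in the comment above.
// The pattern list is transcribed from that comment, not from Puppeteer's docs.
const CHECKS = [
  { id: 'cjs-require', re: /require\(\s*['"]puppeteer['"]\s*\)/,
    hint: 'CommonJS require of puppeteer; the comment says the package is ESM-only' },
  { id: 'removed-isConnected', re: /\.isConnected\s*\(/,
    hint: 'Browser.isConnected() is listed as removed' },
  { id: 'removed-clickCount', re: /\bclickCount\b/,
    hint: 'MouseOptions.clickCount is listed as removed' },
  { id: 'removed-product', re: /\bpuppeteer\.product\b/i,
    hint: 'Puppeteer.product is listed as removed' },
  // A call on some receiver that is not directly preceded by `await`.
  { id: 'unawaited-call',
    re: /(?<!await\s+)(?<![\w.])[\w.]+\.(executablePath|defaultArgs)\s*\(/,
    hint: 'executablePath()/defaultArgs() are listed as returning a Promise' },
];

// Returns one finding per (line, check) hit. Comment-only lines are skipped so
// that migration notes left in the code do not show up as call sites.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*(\/\/|\*)/.test(line)) return;
    for (const { id, re, hint } of CHECKS) {
      if (re.test(line)) findings.push({ file, line: i + 1, id, hint });
    }
  });
  return findings;
}

// Constructed sample file; none of these lines come from the repository.
const SAMPLE = [
  "const puppeteer = require('puppeteer');",
  "// old: puppeteer.executablePath()",
  "const chromePath = puppeteer.executablePath();",
  "const awaited = await puppeteer.executablePath();",
  "if (browser.isConnected()) await page.click('#go', { clickCount: 2 });",
  "const browser = await puppeteer.launch({ executablePath: chromePath });",
].join('\n');

const sampleFindings = scanSource('constructed/crawl.js', SAMPLE);
for (const f of sampleFindings) console.log(`${f.file}:${f.line} [${f.id}] ${f.hint}`);
```

The scan is line-based, so a call whose `await` sits on the previous line is reported and needs a manual look.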

sestinj requested a review from a team as a code owner June 28, 2026 08:52
dosubot bot added the size:XS label (This PR changes 0-9 lines, ignoring generated files.) Jun 28, 2026

cubic-dev-ai bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="core/package.json">

<violation number="1" location="core/package.json:106">
P0: Puppeteer 25.x requires Node.js 22.12+ but this project targets Node.js >=20.20.1. This upgrade will break at runtime on Node 20.x.</violation>
</file>
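
The engines comparison behind the finding above, as an added example that is not code from this PR or from the review bot. The project range is the one quoted in the finding; the two dependency ranges are the two Node.js minimums claimed in this thread, entered as constructed manifests, and the parser assumes plain `>=X[.Y[.Z]]` ranges.

```javascript
// Added example: compare the Node.js floor a project allows with the floor each
// dependency declares. Handles only plain ">=X[.Y[.Z]]" ranges (assumption);
// ranges using "||", "^" or "~" need a full semver implementation.
function floorOf(range) {
  const m = /^\s*>=\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$/.exec(range);
  if (!m) throw new Error(`unsupported engines range: ${range}`);
  return [m[1], m[2] ?? '0', m[3] ?? '0'].map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A gap exists when the project still allows a Node.js version that is below
// what a dependency requires: installs succeed there, the runtime may not.
function auditEngines(project, deps) {
  const allowed = floorOf(project.engines.node);
  return deps
    .filter((d) => d.engines && d.engines.node)
    .filter((d) => compareVersions(allowed, floorOf(d.engines.node)) < 0)
    .map((d) => ({
      dependency: `${d.name}@${d.version}`,
      projectAllows: allowed.join('.'),
      dependencyNeeds: floorOf(d.engines.node).join('.'),
    }));
}

// Constructed manifests: the real values belong in the published package.json
// files. Each dependency list encodes one of the two claims made in this thread.
const project = { name: 'core', engines: { node: '>=20.20.1' } };
const claimFromUpgradeComment = [
  { name: 'puppeteer', version: '25.0.2', engines: { node: '>=20.19' } },
];
const claimFromReviewFinding = [
  { name: 'puppeteer', version: '25.0.2', engines: { node: '>=22.12' } },
];

console.log(auditEngines(project, claimFromUpgradeComment));
console.log(auditEngines(project, claimFromReviewFinding));
```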


Comment thread core/package.json
"pg": "^8.11.3",
"plist": "^3.1.0",
"puppeteer": "^24.15.0",
"puppeteer": "^25.0.2",


P0: Puppeteer 25.x requires Node.js 22.12+ but this project targets Node.js >=20.20.1. This upgrade will break at runtime on Node 20.x.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At core/package.json, line 106:

<comment>Puppeteer 25.x requires Node.js 22.12+ but this project targets Node.js >=20.20.1. This upgrade will break at runtime on Node 20.x.</comment>

<file context>
@@ -103,7 +103,7 @@
     "pg": "^8.11.3",
     "plist": "^3.1.0",
-    "puppeteer": "^24.15.0",
+    "puppeteer": "^25.0.2",
     "puppeteer-chromium-resolver": "^23.0.0",
     "quick-lru": "^7.0.0",
</file context>
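
Review bot: the `+` line takes puppeteer across a major version (`^24.15.0` to `^25.0.2`) while the context line directly below it leaves `"puppeteer-chromium-resolver": "^23.0.0"` untouched, and core/package.json is the only file this PR lists as changed. Please confirm that this resolver release supports puppeteer 25 and, if the repository commits a lockfile, regenerate it in the same PR so the upgraded version is what actually installs. The Node.js minimum also needs settling before merge: the two comments in this thread give different figures (v20.19+ and 22.12+), so check the `engines` field of the published 25.0.2 package against the project's own `>=20.20.1`.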
