[Snyk] Security upgrade puppeteer from 18.2.1 to 22.8.2

[karencapiiro]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• development/fetchLicenses/package.json
• development/fetchLicenses/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	58

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	puppeteer@​18.2.1 ⏵ 22.8.2			-12

View full report

[rafikmojr]

Checkmarx One – Scan Summary & Details – e6792178-9c36-4b4e-b687-1f9951570dc9

New Issues (271)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Second_Order_SQL_Injection	/room/room-runtime/src/main/java/androidx/room/util/DBUtil.kt: 74	details The application's query method executes an SQL query with sqLiteQuery, at line 74 of /room/room-runtime/src/main/java/androidx/room/util/DBUtil.k... ID: YFxHBKIaSabz2R5i8%2FLUQfbL%2FTY%3D Attack Vector
	CVE-2024-12905	Npm-tar-fs-3.0.5	details Recommended version: 3.0.9 Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"... Attack Vector: NETWORK Attack Complexity: LOW ID: %2FCDWVWTOagmbfrxmB5C2YuP6sQSNX9yVBVjnfE2btQE%3D Vulnerable Package
	CVE-2024-37890	Npm-ws-8.17.0	details Recommended version: 8.17.1 Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... Attack Vector: NETWORK Attack Complexity: LOW ID: tGXEXjnzkFh9zkpE07JG%2B%2B6R%2FR3o5Dart7SlFym81Z4%3D Vulnerable Package
	CVE-2024-4068	Npm-braces-3.0.2	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW ID: zpVGi1Xhr964mZXBDMp47G%2FFzUsT3ii3ZyxwBvEO6ZA%3D Vulnerable Package
	CVE-2024-45296	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW ID: 2%2Bwa4OYHIdlJyZCeAFtc8rVZLUOIWeihACAFWem%2Bjeo%3D Vulnerable Package
	CVE-2024-45590	Npm-body-parser-1.20.1	details Recommended version: 1.20.3 Description: The body-parser is Node.js body parsing middleware. The body-parser package versions prior to 1.20.3 and 2.0.x prior to 2.0.0 are vulnerable to Den... Attack Vector: NETWORK Attack Complexity: LOW ID: %2F5lBKpcs9%2FUF42gkAXADUZRi2P%2FNbY2W1h%2FU0fkaezI%3D Vulnerable Package
	CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW ID: oEpGqy0rqdSHo1aQwrt7xMfR73quOypClFX1ffxu9D0%3D Vulnerable Package
	CVE-2025-48387	Npm-tar-fs-3.0.5	details Recommended version: 3.0.9 Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, have... Attack Vector: NETWORK Attack Complexity: LOW ID: d58dbw2suUDMCSZH2egnikF2eCHmXtIK1KNiaks7ghs%3D Vulnerable Package
	CVE-2024-29041	Npm-express-4.18.2	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. Express.js versions prior to 4.19.2, and 5.0.x prior to 5.0.0-beta.3 are affected by an open redirect... Attack Vector: NETWORK Attack Complexity: LOW ID: EwzT72u6Yotn%2B%2Bb2hk%2BFZcE02YXAchfcOuIVPrh8qKo%3D Vulnerable Package
	CVE-2024-31207	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite (French word for "quick", pronounced "/vit/", like "veet") is a frontend build tooling to improve the frontend development experience. "server... Attack Vector: NETWORK Attack Complexity: HIGH ID: v7qI%2BJqegeKcnJILH93fUhGPlypwHvRp8cp2w%2BrV7iE%3D Vulnerable Package
	CVE-2024-4067	Npm-micromatch-4.0.5	details Recommended version: 4.0.8 Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.... Attack Vector: NETWORK Attack Complexity: LOW ID: KQxz1UHjkJB6wCa0lIn9e086KL7p8qrjKnCuM7xoFi0%3D Vulnerable Package
	CVE-2024-43796	Npm-express-4.18.2	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. In express versions prior to 4.20.0 and 5.0.x prior to 5.0.0, passing untrusted user input even after... Attack Vector: NETWORK Attack Complexity: HIGH ID: lc7hWmiBANoKqbsJIvg47OyQ7eHhW81kZUbRN2PbXvA%3D Vulnerable Package
	CVE-2024-43799	Npm-send-0.18.0	details Recommended version: 0.19.0 Description: Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to "SendStream.redirect()" which e... Attack Vector: NETWORK Attack Complexity: HIGH ID: Gm13wG5qS5Bd5nDGtNtied1bW%2BFFbcWwlLw4OsvcuVY%3D Vulnerable Package
	CVE-2024-43800	Npm-serve-static-1.15.0	details Recommended version: 1.16.0 Description: serve-static serves static files. serve-static passes untrusted user input even after sanitizing it to "redirect()" and may execute untrusted code.... Attack Vector: NETWORK Attack Complexity: HIGH ID: kgzGq56TuNVqStSryll5EwlpzwS%2F4um5pW9xq%2FTGzRQ%3D Vulnerable Package
	CVE-2024-45047	Npm-svelte-4.1.1	details Recommended version: 4.2.19 Description: Svelte is a performance-oriented web framework. A potential mXSS vulnerability exists in Svelte for versions through 4.2.18, 5.0.0-next.1 through 5... Attack Vector: NETWORK Attack Complexity: LOW ID: bP0ZFX7DFROJg%2FwUzwmlanRSV9pt45ZxSbsEWbZy6AM%3D Vulnerable Package
	CVE-2024-45811	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite a frontend build tooling framework for JavaScript. In versions through 3.2.10, 4.0.0-alpha.0 through 4.5.3, 5.0.0-beta.0 through 5.1.7, 5.2.0-... Attack Vector: ADJACENT NETWORK Attack Complexity: HIGH ID: VTUL2wTEjQCQYJ9eBKL0klFYIzIbR2E2vJPLyBsDwl8%3D Vulnerable Package
	CVE-2024-45812	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite a frontend build tooling framework for javascript. In vite versions through 3.2.10, 4.0.0-alpha.0 through 4.5.3, 5.0.0-beta.0 through 5.1.7, 5... Attack Vector: NETWORK Attack Complexity: HIGH ID: eqbqGRfOf4Nf5rSuCALLCHr9XAqS1RDbE9H7eRd52us%3D Vulnerable Package
	CVE-2024-47068	Npm-rollup-3.26.3	details Recommended version: 3.29.5 Description: Rollup is a module bundler for JavaScript. In rollup versions prior to 2.79.2, 3.x prior to 3.29.5, and 4.x prior to 4.22.4 are susceptible to a DO... Attack Vector: NETWORK Attack Complexity: LOW ID: 7bMF%2F9YAZiMG6Fs%2BDsuuvHviDO%2FN5YllVJNKJ8cvMcI%3D Vulnerable Package
	CVE-2024-47068	Npm-rollup-3.27.2	details Recommended version: 3.29.5 Description: Rollup is a module bundler for JavaScript. In rollup versions prior to 2.79.2, 3.x prior to 3.29.5, and 4.x prior to 4.22.4 are susceptible to a DO... Attack Vector: NETWORK Attack Complexity: LOW ID: fOMKM1LmRoSIGgTXwFgtf28iX4CB%2FGTpLWjT2ILddKs%3D Vulnerable Package
	CVE-2024-47764	Npm-cookie-0.5.0	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW ID: r%2FXL7yQapr65qU1113wI9En369EDbsQNBAqQocldPQs%3D Vulnerable Package
	CVE-2024-55565	Npm-nanoid-3.3.6	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW ID: lrmx9f8ml7zOKhiiDTtzfmFIJnTXj5Wuic6UXtp%2BxXQ%3D Vulnerable Package
	CVE-2025-24010	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response... Attack Vector: NETWORK Attack Complexity: LOW ID: 4anLUqhaVY8DaYivkfjP7ZFfEIMw2gFmTQR7vpawpy8%3D Vulnerable Package
	CVE-2025-30208	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite, a provider of frontend development tooling, has a vulnerability in versions through 4.5.9, 5.0.0 through 5.4.14, 6.0.0 through 6.0.11, 6.1.0 ... Attack Vector: NETWORK Attack Complexity: HIGH ID: DQyB33KiOC2fop%2BwnXomLZJ3nbKapsTRSNIHlwDiMgA%3D Vulnerable Package
	CVE-2025-31125	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite is a frontend tooling framework for javascript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only ap... Attack Vector: NETWORK Attack Complexity: HIGH ID: yl9kv%2BYp1Ah5dwzH%2Ffsqq5m21SRhH7VxrHKy7vQtvJA%3D Vulnerable Package
	CVE-2025-31486	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: A vulnerability in Vite allows the contents of arbitrary files to be returned to the browser. By appending "?.svg" along with "?.wasm?init" or sett... Attack Vector: NETWORK Attack Complexity: HIGH ID: lbTSBwkjnj8KDfOECRT%2Bszv4jFWYCdmu1wVQOitHSkc%3D Vulnerable Package
	CVE-2025-32395	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser if the dev server is running on... Attack Vector: NETWORK Attack Complexity: LOW ID: VUpb%2FZnAV55Cy4FCUr0YlHkA2frZmhm%2FpmPSSG20Kj0%3D Vulnerable Package
	CVE-2025-46565	Npm-vite-4.4.7	details Recommended version: 4.5.14 Description: Vite is a frontend tooling framework for javascript. In vite package versions through 4.5.13, 5.0.0-beta.0 through 5.4.18, 6.0.0-alpha.0 through 6.... Attack Vector: NETWORK Attack Complexity: LOW ID: QyKrOWRiJbup8VzH8gXysyd4SMqFtKZ8oDrTCKWMxN0%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.18.16	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: 9uWp8bn0QUhKRzI%2F6rK4mluf88lS5G3mEEsRHrJraFw%3D Vulnerable Package
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: Ae9wHJfpnTsV0oP%2Fl5j4fp8%2F48k%3D Attack Vector
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: 3C%2BFO2fqH3cGkmaheOXEVRbIvcM%3D Attack Vector
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: GJ%2FpWxj3HsXan4tWY3Z32Zzz4wo%3D Attack Vector
	Privacy_Violation	/compose/material3/material3/samples/src/main/java/androidx/compose/material3/samples/TextFieldSamples.kt: 198	details Method PasswordTextField at line 198 of /compose/material3/material3/samples/src/main/java/androidx/compose/material3/samples/TextFieldSamples.kt ... ID: yI4sbDRsOS3XKEG7wlAonNPIlVk%3D Attack Vector
	Privacy_Violation	/compose/material/material/samples/src/main/java/androidx/compose/material/samples/TextFieldSamples.kt: 170	details Method PasswordTextField at line 170 of /compose/material/material/samples/src/main/java/androidx/compose/material/samples/TextFieldSamples.kt sen... ID: Dal6B4jp8zQf2MwsYHYB45tJh4w%3D Attack Vector
	Privacy_Violation	/room/room-compiler/src/test/test-data/kotlinCodeGen/queryResultAdapter_array.kt: 47	details Method queryOfArray at line 47 of /room/room-compiler/src/test/test-data/kotlinCodeGen/queryResultAdapter_array.kt sends user information outsi... ID: ngxGvZ%2BrMK9NmJYqZFtjY1khlOQ%3D Attack Vector
	Privacy_Violation	/room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt: 75	details Method getEntity at line 75 of /room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt sends user information outside the a... ID: 26%2F07yt9D%2FJRoL%2FRd7Ob5s4DNWI%3D Attack Vector
	Privacy_Violation	/room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt: 70	details Method getEntity at line 70 of /room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt sends user information outside the a... ID: GA3uUjmbVNVpw08KRrGJzI%2BKvvo%3D Attack Vector

More results are available on the CxOne platform

Fixed Issues (1755)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Buffer_Improper_Index_Access	/graphics/graphics-core/src/main/cpp/sc_test_utils.cpp: 29
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 643
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 633
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 623
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 211
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 201
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 191
	Buffer_Overflow_Unbounded_Format	/benchmark/benchmark-common/src/main/cpp/androidx_benchmark_CpuCounter.cpp: 66
	Buffer_Overflow_Unbounded_Format	/benchmark/benchmark-common/src/main/cpp/androidx_benchmark_CpuCounter.cpp: 66
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 148
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 148
	Code_Injection	/wear/watchface/watchface-editor/src/androidTest/java/androidx/wear/watchface/editor/EditorSessionTest.kt: 336
	Code_Injection	/wear/watchface/watchface-editor/src/androidTest/java/androidx/wear/watchface/editor/EditorSessionTest.kt: 336
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/file-utils/diff-filterer.py: 970
	Command_Injection	/development/update_library_versions.py: 59
	Command_Injection	/appsearch/exportToFramework.py: 376
	Command_Injection	/appsearch/exportToFramework.py: 377
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/project-creator/create_project.py: 663
	Cx89601373-08db	Npm-debug-2.6.9
	Cx89601373-08db	Npm-debug-3.2.7
	Cxab55612e-3a56	Npm-braces-3.0.2
	Cxca84a1c2-1f12	Npm-micromatch-4.0.5
	Cxf6e7f2c1-dc59	Npm-yauzl-2.10.0
	OS_Access_Violation	/development/file-utils/diff-filterer.py: 970
	OS_Access_Violation	/development/copy_screenshots_to_golden_repo.py: 22
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/appsearch/exportToFramework.py: 377
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/offlinifyDocs/offlinify_dackka_docs.py: 31
	OS_Access_Violation	/development/offlinifyDocs/offlinify_dackka_docs.py: 72
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	Off_by_One_Error	/graphics/graphics-core/src/main/cpp/sc_test_utils.cpp: 29
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 643
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 633
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 623
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 211
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 201
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 191
	Reflected_XSS	/compose/ui/ui-text/benchmark/src/androidTest/java/androidx/compose/ui/text/benchmark/input/EditProcessorBenchmark.kt: 96

More results are available on the CxOne platform