[Snyk] Security upgrade puppeteer from 18.2.1 to 24.10.2

[karencapiiro]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• development/fetchLicenses/package.json
• development/fetchLicenses/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Symlink Following SNYK-JS-TARFS-13045213	60

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Symlink Following

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	puppeteer@​18.2.1 ⏵ 24.10.2	+1		-12

View full report

[rafikmojr]

Checkmarx One – Scan Summary & Details – 337177e2-29ad-4491-9f3d-9459e13d70f4

New Issues (277)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Second_Order_SQL_Injection	/room/room-runtime/src/main/java/androidx/room/util/DBUtil.kt: 74	details The application's query method executes an SQL query with sqLiteQuery, at line 74 of /room/room-runtime/src/main/java/androidx/room/util/DBUtil.k... ID: YFxHBKIaSabz2R5i8%2FLUQfbL%2FTY%3D Attack Vector
	Stored_Command_Injection	/appsearch/exportToFramework.py: 93	details The application's _FormatWrittenFiles method calls an OS (shell) command with check_call, at line 335 of /appsearch/exportToFramework.py, usin... ID: h2woJE%2FE2w%2Bif8DD1M5LUAlczmg%3D Attack Vector
	Stored_Command_Injection	/development/update_library_versions.py: 59	details The application's does_exist_on_gmaven method calls an OS (shell) command with check_output, at line 128 of /development/update_library_ver... ID: WT3xBniIPWLrRwIXql2u4j3VLFw%3D Attack Vector
	Stored_Command_Injection	/privacysandbox/tools/tools-apigenerator/src/main/java/androidx/privacysandbox/tools/apigenerator/PrivacySandboxApiGenerator.kt: 122	details The application's compile method calls an OS (shell) command with start, at line 53 of /privacysandbox/tools/tools-core/src/main/java/androidx/p... ID: Tv3LnZ8UUHrVV%2FoCECrGdxJIL90%3D Attack Vector
	CVE-2024-4068	Npm-braces-3.0.2	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW ID: CuPvt%2BuuCVi3AzAJPWfJbv9Y8MJiyXQD2Vy4%2BfziSWY%3D Vulnerable Package
	CVE-2024-45296	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW ID: qAfMw4tEsETeaDG1Rog6nIrNvs6kG43KJFwlqIdSRis%3D Vulnerable Package
	CVE-2024-45590	Npm-body-parser-1.20.1	details Recommended version: 1.20.3 Description: The body-parser is Node.js body parsing middleware. The body-parser package versions prior to 1.20.3 and 2.0.x prior to 2.0.0 are vulnerable to Den... Attack Vector: NETWORK Attack Complexity: LOW ID: ECTdBmkURGKLovuIx1zGlpWEhfJ%2FByM3qCEfV023%2FfA%3D Vulnerable Package
	CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW ID: GA4wv0GciwM0I4ZmXL18FgKpjK0L1PuIFGkSQzBsHMs%3D Vulnerable Package
	CVE-2025-31125	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite is a frontend tooling framework for javascript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only ap... Attack Vector: NETWORK Attack Complexity: LOW ID: %2BhNzpvle5wVjKhX4ZWuWgLyGvgkSgNJLzaEzjgswKs0%3D Vulnerable Package
	CVE-2024-29041	Npm-express-4.18.2	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. Express.js versions prior to 4.19.2, and 5.0.x prior to 5.0.0-beta.3 are affected by an open redirect... Attack Vector: NETWORK Attack Complexity: LOW ID: nfkJLyqztSfHOe%2Fx4I8hB8hgRabsz7lIMSmFoRTnJPg%3D Vulnerable Package
	CVE-2024-31207	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite (French word for "quick", pronounced "/vit/", like "veet") is a frontend build tooling to improve the frontend development experience. "server... Attack Vector: NETWORK Attack Complexity: HIGH ID: zTk2O%2BaVdmao0a3Rnhx1%2FZ0%2FuHta7lHv04n9xFbjn9E%3D Vulnerable Package
	CVE-2024-4067	Npm-micromatch-4.0.5	details Recommended version: 4.0.8 Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch.... Attack Vector: NETWORK Attack Complexity: LOW ID: Djd0g7jy6iZDNhd3ZNMxcNiLqXqU7SLxikAJd7U0z6E%3D Vulnerable Package
	CVE-2024-43796	Npm-express-4.18.2	details Recommended version: 4.20.0 Description: Express.js minimalist web framework for node. In express versions prior to 4.20.0 and 5.0.x prior to 5.0.0, passing untrusted user input even after... Attack Vector: NETWORK Attack Complexity: HIGH ID: wjMvDI2k7B5TJvWg9MZmLNHPGk62Sjlc%2FSNg%2B%2FzNOzM%3D Vulnerable Package
	CVE-2024-43799	Npm-send-0.18.0	details Recommended version: 0.19.0 Description: Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to "SendStream.redirect()" which e... Attack Vector: NETWORK Attack Complexity: HIGH ID: 3XXOs4vqzJugSZsxHRQXQILKywFT7LQSF68JyiTlk94%3D Vulnerable Package
	CVE-2024-43800	Npm-serve-static-1.15.0	details Recommended version: 1.16.0 Description: serve-static serves static files. serve-static passes untrusted user input even after sanitizing it to "redirect()" and may execute untrusted code.... Attack Vector: NETWORK Attack Complexity: HIGH ID: X8DBZz2H3SyVhzaLAnyx3xXQbbbsyktqRkcWZ48XRQU%3D Vulnerable Package
	CVE-2024-45047	Npm-svelte-4.1.1	details Recommended version: 4.2.19 Description: Svelte is a performance-oriented web framework. A potential mXSS vulnerability exists in Svelte for versions through 4.2.18, 5.0.0-next.1 through 5... Attack Vector: NETWORK Attack Complexity: LOW ID: KkMPUjn2%2FVzn6obo35GPcou02CwNno5KEHZpIWBzRA4%3D Vulnerable Package
	CVE-2024-45811	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite a frontend build tooling framework for JavaScript. In versions through 3.2.10, 4.0.0-alpha.0 through 4.5.3, 5.0.0-beta.0 through 5.1.7, 5.2.0-... Attack Vector: ADJACENT NETWORK Attack Complexity: HIGH ID: w5GtO03%2Fdhn%2FidRGRie0aEPz1GfdkwpWn41hpSfx4pQ%3D Vulnerable Package
	CVE-2024-45812	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite a frontend build tooling framework for javascript. In vite versions through 3.2.10, 4.0.0-alpha.0 through 4.5.3, 5.0.0-beta.0 through 5.1.7, 5... Attack Vector: NETWORK Attack Complexity: HIGH ID: YBN3m7ERj8%2B1sQk%2FCQ1lAxsG9Z17LyaTRQ7nRh1k3JU%3D Vulnerable Package
	CVE-2024-47068	Npm-rollup-3.26.3	details Recommended version: 3.29.5 Description: Rollup is a module bundler for JavaScript. In rollup versions prior to 2.79.2, 3.x prior to 3.29.5, and 4.x prior to 4.22.4 are susceptible to a DO... Attack Vector: NETWORK Attack Complexity: LOW ID: Izz%2F2tblel0dqjEWmctwxMALYSItKK9I%2FEvbomgqeyg%3D Vulnerable Package
	CVE-2024-47068	Npm-rollup-3.27.2	details Recommended version: 3.29.5 Description: Rollup is a module bundler for JavaScript. In rollup versions prior to 2.79.2, 3.x prior to 3.29.5, and 4.x prior to 4.22.4 are susceptible to a DO... Attack Vector: NETWORK Attack Complexity: LOW ID: TLZnMpWdJm5ZE19pomjWuTv9%2FAya9wlLUpbEBj3d2%2Bs%3D Vulnerable Package
	CVE-2024-47764	Npm-cookie-0.5.0	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW ID: CBTvfuTWxwaVamMEQXUwIb38ahlUE57XOVPGWjzs240%3D Vulnerable Package
	CVE-2024-55565	Npm-nanoid-3.3.6	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW ID: UJxbqGk%2BfGwowB6Dh%2Fk2mbCdi3v%2FXLfZXheRfs92Nqs%3D Vulnerable Package
	CVE-2025-24010	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response... Attack Vector: NETWORK Attack Complexity: LOW ID: avoWZZz%2B0F6OV5X%2FhAwJcne%2Fg%2BBtJTuqKgJE%2Bim03Vs%3D Vulnerable Package
	CVE-2025-30208	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite, a provider of frontend development tooling, has a vulnerability in versions through 4.5.9, 5.0.0 through 5.4.14, 6.0.0 through 6.0.11, 6.1.0 ... Attack Vector: NETWORK Attack Complexity: HIGH ID: 6QzpHh8WPml2hXaSeXzZMkpG2YAqPzi6ydsf05sKJ0M%3D Vulnerable Package
	CVE-2025-31486	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: A vulnerability in Vite allows the contents of arbitrary files to be returned to the browser. By appending "?.svg" along with "?.wasm?init" or sett... Attack Vector: NETWORK Attack Complexity: HIGH ID: rgtRKVNHuEVykkPJJ6lokFACInL6rnWxs8cxjNAtw2w%3D Vulnerable Package
	CVE-2025-32395	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser if the dev server is running on... Attack Vector: NETWORK Attack Complexity: LOW ID: StOP43AYzKJ%2FxIqPSnkzZXJrH8qVT0TWcwoAHM3lq3s%3D Vulnerable Package
	CVE-2025-46565	Npm-vite-4.4.7	details Recommended version: 5.4.20 Description: Vite is a frontend tooling framework for javascript. In vite package versions through 4.5.13, 5.0.0-beta.0 through 5.4.18, 6.0.0-alpha.0 through 6.... Attack Vector: NETWORK Attack Complexity: LOW ID: RX8QlKWko3Ej45H1HgPXWTI7JSVNMvSfTRb3%2FYt4k9c%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.18.16	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: C%2B%2Fyxj3f%2B7%2FzqhzrhpJEQLCA1b59vGxNEYo1aSVWP5M%3D Vulnerable Package
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: Ae9wHJfpnTsV0oP%2Fl5j4fp8%2F48k%3D Attack Vector
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: 3C%2BFO2fqH3cGkmaheOXEVRbIvcM%3D Attack Vector
	Parameter_Tampering	/camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/foldable/FoldableCameraActivity.kt: 402	details Method showCamerasAndDisplayInfo at line 402 of /camera/integration-tests/uiwidgetstestapp/src/main/java/androidx/camera/integration/uiwidgets/fol... ID: GJ%2FpWxj3HsXan4tWY3Z32Zzz4wo%3D Attack Vector
	Privacy_Violation	/compose/material3/material3/samples/src/main/java/androidx/compose/material3/samples/TextFieldSamples.kt: 198	details Method PasswordTextField at line 198 of /compose/material3/material3/samples/src/main/java/androidx/compose/material3/samples/TextFieldSamples.kt ... ID: yI4sbDRsOS3XKEG7wlAonNPIlVk%3D Attack Vector
	Privacy_Violation	/compose/material/material/samples/src/main/java/androidx/compose/material/samples/TextFieldSamples.kt: 170	details Method PasswordTextField at line 170 of /compose/material/material/samples/src/main/java/androidx/compose/material/samples/TextFieldSamples.kt sen... ID: Dal6B4jp8zQf2MwsYHYB45tJh4w%3D Attack Vector
	Privacy_Violation	/room/room-compiler/src/test/test-data/kotlinCodeGen/queryResultAdapter_array.kt: 47	details Method queryOfArray at line 47 of /room/room-compiler/src/test/test-data/kotlinCodeGen/queryResultAdapter_array.kt sends user information outsi... ID: ngxGvZ%2BrMK9NmJYqZFtjY1khlOQ%3D Attack Vector
	Privacy_Violation	/room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt: 75	details Method getEntity at line 75 of /room/room-compiler/src/test/test-data/kotlinCodeGen/pojoRowAdapter_enum.kt sends user information outside the a... ID: 26%2F07yt9D%2FJRoL%2FRd7Ob5s4DNWI%3D Attack Vector

More results are available on the CxOne platform

Fixed Issues (1766)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Buffer_Improper_Index_Access	/graphics/graphics-core/src/main/cpp/sc_test_utils.cpp: 29
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 643
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 633
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 623
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 211
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 201
	Buffer_Improper_Index_Access	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 191
	Buffer_Overflow_Unbounded_Format	/benchmark/benchmark-common/src/main/cpp/androidx_benchmark_CpuCounter.cpp: 66
	Buffer_Overflow_Unbounded_Format	/benchmark/benchmark-common/src/main/cpp/androidx_benchmark_CpuCounter.cpp: 66
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 168
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 148
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 148
	Code_Injection	/wear/watchface/watchface-editor/src/androidTest/java/androidx/wear/watchface/editor/EditorSessionTest.kt: 336
	Code_Injection	/wear/watchface/watchface-editor/src/androidTest/java/androidx/wear/watchface/editor/EditorSessionTest.kt: 336
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 149
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 164
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Code_Injection	/wear/watchface/watchface-editor/src/main/java/androidx/wear/watchface/editor/WatchFaceEditorContract.kt: 151
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/file-utils/diff-filterer.py: 970
	Command_Injection	/development/update_library_versions.py: 59
	Command_Injection	/appsearch/exportToFramework.py: 376
	Command_Injection	/appsearch/exportToFramework.py: 377
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/update_tracing_perfetto.py: 188
	Command_Injection	/development/project-creator/create_project.py: 663
	Cx89601373-08db	Npm-debug-2.6.9
	Cx89601373-08db	Npm-debug-3.2.7
	Cxab55612e-3a56	Npm-braces-3.0.2
	Cxca84a1c2-1f12	Npm-micromatch-4.0.5
	Cxf6e7f2c1-dc59	Npm-yauzl-2.10.0
	OS_Access_Violation	/development/file-utils/diff-filterer.py: 970
	OS_Access_Violation	/development/copy_screenshots_to_golden_repo.py: 22
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/appsearch/exportToFramework.py: 377
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/offlinifyDocs/offlinify_dackka_docs.py: 31
	OS_Access_Violation	/development/offlinifyDocs/offlinify_dackka_docs.py: 72
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/project-creator/create_project.py: 663
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	OS_Access_Violation	/development/simplify-build-failure/impl/explode.py: 211
	Off_by_One_Error	/graphics/graphics-core/src/main/cpp/sc_test_utils.cpp: 29
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 643
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 633
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 623
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 211
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 201
	Off_by_One_Error	/camera/camera-core/src/main/cpp/image_processing_util_jni.cc: 191
	Reflected_XSS	/compose/ui/ui-text/benchmark/src/androidTest/java/androidx/compose/ui/text/benchmark/input/EditProcessorBenchmark.kt: 96

More results are available on the CxOne platform

---

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR