CVE alerts for google/puppeteer

Open nishokvg opened this issue 7 months ago • 4 comments

The bundled puppeteer version is too old and throws a bunch of CVE alerts

google/puppeteer

  1. CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  2. CVE-2024-9369 Insufficient data validation in Mojo in Google Chrome prior to 129.0.6668.89 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

https://github.com/highcharts/node-export-server/blame/master/package.json#L75 This is used for High-chart package.lock for 5.0.0. @PaulDalek, are we able to fix this?

nishokvg avatar May 01 '25 20:05 nishokvg
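An added example, not part of the original issue or the project's code: a check of a Chrome build string against the two "prior to" versions quoted in the alerts above. It assumes the string comes from something like Puppeteer's `browser.version()`; the function names and sample version strings are constructed for illustration, and the check covers only these two CVEs.

```javascript
// Fixed-in versions: the "prior to" values quoted in the two alerts in this issue.
const FIXED_IN = {
  "CVE-2024-7971": "128.0.6613.84",
  "CVE-2024-9369": "129.0.6668.89",
};

// Parse "HeadlessChrome/127.0.6533.88" or a bare "127.0.6533.88" into four integers.
function parseChromeVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  if (!m) throw new Error(`no four-part Chrome version in: ${text}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison (a string comparison would rank "99" above "128").
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return the CVE ids from FIXED_IN whose fixed version is newer than the given build.
function affectedCves(browserVersion) {
  const current = parseChromeVersion(browserVersion);
  return Object.entries(FIXED_IN)
    .filter(([, fixed]) => compareVersions(current, parseChromeVersion(fixed)) < 0)
    .map(([id]) => id);
}

// Constructed sample version strings, not taken from the issue.
const samples = ["HeadlessChrome/127.0.6533.88", "Chrome/128.0.6613.84", "129.0.6668.89"];
for (const v of samples) {
  console.log(v, "->", affectedCves(v).join(", ") || "neither CVE");
}
```

A build that reports neither CVE here can still be affected by other Chromium issues; the table holds only the two alerts listed in this thread.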

Hi @nishokvg,

Thanks for reporting this, we should update the Puppeteer version soon.

PaulDalek avatar May 30 '25 15:05 PaulDalek

@PaulDalek Thanks. When can we expect the changes? Are you gonna cherry-pick for this release?

nishokvg avatar May 30 '25 16:05 nishokvg

@nishokvg I'm not sure about the exact date. As for the changes, we simply will update the Puppeteer version.

PaulDalek avatar Jun 02 '25 09:06 PaulDalek

Do you have any updates regarding this issue? When will the new release be available?

FreskimAliu avatar Sep 22 '25 23:09 FreskimAliu