
The puppeteer failing the build due to audit issue. #5522

Closed
hadaabhi201 opened this issue Mar 18, 2020 · 11 comments
Comments

@hadaabhi201

hadaabhi201 commented Mar 18, 2020

Steps to reproduce

Tell us about your environment:

  • Puppeteer version: 2.1.1
  • Platform / OS version: MacOS Mojave (10.14.6)
  • URLs (if applicable):
  • Node.js version: v12.12.0

What steps will reproduce the problem?

$ npm init -y
$ npm install puppeteer --save
$ npm audit

What is the expected result?
Pass the audit with 0 vulnerability

What happens instead?

Fails the build:

Moderate : Prototype Pollution
Package : minimist
Patched in : >=0.2.1 <1.0.0 || >=1.2.3
Dependency of : puppeteer
Path : puppeteer > extract-zip > mkdirp > minimist
More info : https://npmjs.com/advisories/1179

found 1 moderate severity vulnerability in 51 scanned packages
1 vulnerability requires manual review. See the full report for details.

@prios-ben-beckerman

See max-mapper/extract-zip#85

@taewookim

Having the same issue.. (and not a node guy)
What's the workaround?

@taewookim

Tried downgrading to 2.1.1 and 2.1.0.. and even 2.0.0

All have the same issue

@taewookim

taewookim commented Mar 20, 2020

Related issue

@aslushnikov - Any thoughts on this issue?

@cyclingzealot

cyclingzealot commented Mar 20, 2020

I'm waiting on pull request max-mapper/extract-zip#85 to happen. But that repo has had no activity since May 2018. https://github.com/SakiiCode/extract-zip/ has that pull request done (https://github.com/SakiiCode/extract-zip/commit/921fa811f7b6dcda82736dce18a69b960051dc96).

In npm, is there any way to tell the npm package manager to use a different repo for a dependency of a dependency?

@taewookim

taewookim commented Mar 20, 2020

Ditto @cyclingzealot

BTW that repo looks hostaged (one issue that GitHub should take notice of but won't take any action on). Seen this happen with other repos. Maybe it's better to fork and install directly from your own repo?

@cyclingzealot

cyclingzealot commented Mar 20, 2020

SakiiCode has heard you can change the source of a transitive dependency with https://www.npmjs.com/package/npm-force-resolutions , but he hasn't checked that out yet.

@taewookim

taewookim commented Mar 20, 2020

@aslushnikov I noticed you're on the playwright project.

Random tangent questions about playwright

  1. is it a "drop-in" replacement for puppeteer?
  2. are you spending more time on that? should we be transitioning over to that?

Regarding q2... looking at pup contributors vs playwright contributors.. seems like the major contributors migrated over

@stale

stale bot commented Jun 26, 2022

We're marking this issue as unconfirmed because it has not had recent activity and we weren't able to confirm it yet. It will be closed if no further activity occurs within the next 30 days.

@stale stale bot added the unconfirmed label Jun 26, 2022
@cyclingzealot

I prefer documenting resolution over letting staleness auto-close. I think this can be closed. I used npm-force-resolutions and then later on an upgrade to extract-zip was made.
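As an added example, not code from the puppeteer or npm-force-resolutions projects: a small script modelling what a "resolutions" override like the one used above does to the nested package-lock tree, together with a walk that reports copies of minimist outside the patched ranges quoted in the audit report. The lock tree, its versions, the registry URL and the integrity value are constructed placeholders.

```javascript
// Added example (not code from the puppeteer or npm-force-resolutions projects):
// a simplified model of a "resolutions" override applied to a v1 package-lock
// tree, with a walk that reports unpatched copies of minimist. The sample tree
// is constructed to mirror the audit path puppeteer > extract-zip > mkdirp > minimist.
function cmpVersion(a, b) { // numeric x.y.z compare; pre-release tags not handled
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Patched ranges quoted in the audit report: >=0.2.1 <1.0.0 || >=1.2.3
function minimistPatched(v) {
  return (cmpVersion(v, '0.2.1') >= 0 && cmpVersion(v, '1.0.0') < 0) || cmpVersion(v, '1.2.3') >= 0;
}
// Return the lock-tree paths at which `pkg` appears in an unpatched version.
function findVulnerablePaths(tree, pkg, isPatched, path = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && !isPatched(entry.version)) hits.push(here.join(' > '));
    hits.push(...findVulnerablePaths(entry, pkg, isPatched, here));
  }
  return hits;
}
// Rewrite every nested copy of a package named in `resolutions` to the pinned
// version, dropping the stale tarball URL and integrity hash so npm re-resolves
// them on the next install. Returns the number of entries rewritten.
function applyResolutions(tree, resolutions) {
  let changed = 0;
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    if (name in resolutions && entry.version !== resolutions[name]) {
      entry.version = resolutions[name];
      delete entry.resolved; delete entry.integrity;
      changed++;
    }
    changed += applyResolutions(entry, resolutions);
  }
  return changed;
}
// Constructed sample lock tree (illustrative versions, not a real lockfile).
function sampleLock() {
  return { dependencies: { puppeteer: { version: '2.1.1', dependencies: {
    'extract-zip': { version: '1.6.7', dependencies: {
      mkdirp: { version: '0.5.1', dependencies: {
        minimist: { version: '0.0.8', resolved: 'https://registry.invalid/minimist-0.0.8.tgz',
                    integrity: 'sha512-PLACEHOLDER' } } } } } } } } };
}
const lock = sampleLock();
console.log('before:', findVulnerablePaths(lock, 'minimist', minimistPatched));
console.log('rewrote', applyResolutions(lock, { minimist: '1.2.3' }), 'entry');
console.log('after:', findVulnerablePaths(lock, 'minimist', minimistPatched));
```

Run it with node; in a real project the tool itself (or, on npm 8.3 and later, the built-in `overrides` field in package.json) rewrites the actual package-lock.json the same way, and the walk is a quick check that no unpatched copy survives in a nested path.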

@stale

stale bot commented Jul 27, 2022

We are closing this issue. If the issue still persists in the latest version of Puppeteer, please reopen the issue and update the description. We will try our best to accommodate it!

@stale stale bot closed this as completed Jul 27, 2022