puppeteer
A high-level API to control headless Chrome over the DevTools Protocol
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): lilconfig is a well-known, benign cosmiconfig alternative; swap is routine for this package. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Puppeteer's getConfiguration.js reads process.env keys to detect npm_package_config_puppeteer_* config variables — standard config library behavior, not credential harvesting. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Puppeteer's postinstall runs 'node install.mjs' to download the bundled Chromium binary — this is the package's documented, long-standing install flow and is expected for every version. | ai | |
| phantom-deps | phantom-dep:chromium-bidi | AI (phantom-deps): chromium-bidi is a type/config-level dependency in Puppeteer's build system; not directly imported at runtime but legitimately declared. | ai | |
| phantom-deps | phantom-dep:devtools-protocol | AI (phantom-deps): devtools-protocol is used for TypeScript type definitions in Puppeteer; referenced in config/types but not directly imported at runtime. | ai | |
| phantom-deps | phantom-dep:typed-query-selector | AI (phantom-deps): typed-query-selector is a type-only dependency used for TypeScript type augmentation in Puppeteer; not directly imported at runtime. | ai | |
Versions (showing 100 of 256)
| Version | Deps | Published |
|---|---|---|
| 25.1.0 | 6 / 1 | |
| 25.0.4 | 6 / 1 | |
| 25.0.3 | 6 / 1 | |
| 25.0.2 | 6 / 1 | |
| 25.0.1 | 6 / 1 | |
| 24.43.1 | 6 / 1 | |
| 24.43.0 | 6 / 1 | |
| 24.29.0 | 6 / 1 | |
| 24.16.1 | 6 / 1 | |
| 24.13.0 | 6 / 1 | |
| 24.11.0 | 6 / 1 | |
| 24.10.2 | 6 / 1 | |
| 24.6.1 | 6 / 1 | |
| 24.5.0 | 6 / 1 | |
| 24.4.0 | 6 / 1 | |
| 24.3.0 | 6 / 1 | |
| 24.2.0 | 6 / 1 | |
| 24.1.1 | 6 / 1 | |
| 22.15.0 | 4 / 1 | |
| 22.13.0 | 4 / 1 | |
| 22.12.1 | 4 / 1 | |
| 22.11.1 | 4 / 1 | |
| 22.11.0 | 4 / 1 | |
| 22.10.0 | 4 / 1 | |
| 22.9.0 | 4 / 1 | |
| 22.8.2 | 4 / 1 | |
| 22.7.0 | 4 / 1 | |
| 22.6.5 | 4 / 1 | |
| 22.6.4 | 4 / 1 | |
| 22.6.3 | 4 / 1 | |
| 22.6.2 | 4 / 1 | |
| 22.6.1 | 4 / 1 | |
| 22.6.0 | 4 / 1 | |
| 22.5.0 | 3 / 1 | |
| 22.4.1 | 3 / 1 | |
| 22.4.0 | 3 / 1 | |
| 22.3.0 | 3 / 1 | |
| 22.2.0 | 3 / 1 | |
| 22.1.0 | 3 / 1 | |
| 22.0.0 | 3 / 1 | |
| 21.11.0 | 3 / 1 | |
| 21.10.0 | 3 / 1 | |
| 21.9.0 | 3 / 1 | |
| 21.8.0 | 3 / 1 | |
| 21.7.0 | 3 / 1 | |
| 21.6.1 | 3 / 1 | |
| 21.6.0 | 3 / 1 | |
| 21.5.2 | 3 / 1 | |
| 21.5.1 | 3 / 1 | |
| 21.5.0 | 3 / 1 | |
| 21.4.1 | 3 / 1 | |
| 21.4.0 | 3 / 1 | |
| 21.3.8 | 3 / 1 | |
| 21.3.7 | 3 / 1 | |
| 21.3.6 | 3 / 1 | |
| 21.3.5 | 3 / 1 | |
| 21.3.4 | 3 / 1 | |
| 21.3.3 | 3 / 1 | |
| 21.3.2 | 3 / 1 | |
| 21.3.1 | 3 / 0 | |
| 21.3.0 | 3 / 0 | |
| 21.2.1 | 3 / 0 | |
| 21.2.0 | 3 / 0 | |
| 21.1.1 | 3 / 0 | |
| 21.1.0 | 3 / 0 | |
| 21.0.3 | 3 / 0 | |
| 21.0.2 | 3 / 0 | |
| 21.0.1 | 3 / 0 | |
| 21.0.0 | 3 / 0 | |
| 20.9.0 | 3 / 0 | |
| 20.8.3 | 3 / 0 | |
| 20.8.2 | 3 / 0 | |
| 20.8.1 | 3 / 0 | |
| 20.8.0 | 3 / 0 | |
| 20.7.4 | 3 / 0 | |
| 20.7.3 | 3 / 0 | |
| 20.7.2 | 3 / 0 | |
| 20.7.1 | 3 / 0 | |
| 20.7.0 | 3 / 0 | |
| 20.6.0 | 3 / 0 | |
| 20.5.0 | 3 / 0 | |
| 20.4.0 | 3 / 0 | |
| 20.3.0 | 3 / 0 | |
| 20.2.1 | 3 / 0 | |
| 20.2.0 | 3 / 0 | |
| 20.1.2 | 3 / 0 | |
| 20.1.1 | 6 / 0 | |
| 20.1.0 | 6 / 0 | |
| 20.0.0 | 6 / 0 | |
| 19.11.1 | 6 / 0 | |
| 19.11.0 | 6 / 0 | |
| 19.10.1 | 6 / 0 | |
| 19.10.0 | 6 / 0 | |
| 19.9.1 | 6 / 0 | |
| 19.9.0 | 6 / 0 | |
| 19.8.5 | 6 / 0 | |
| 19.8.4 | 6 / 0 | |
| 19.8.3 | 6 / 0 | |
| 19.8.2 | 6 / 0 | |
| 19.8.1 | 6 / 0 | |
v25.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v25.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.43.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.43.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.29.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v24.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.10.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v24.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v22.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.12.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.11.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.11.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v22.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v22.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.