3. JSReport Puppeteer vulnerabilities

JSReport Puppeteer vulnerabilities

  • S

    Hello JSReport Support Team,

    During our latest AWS Inspector security scan on the JSReport production deployment, multiple critical and high-level vulnerabilities were detected originating from the Puppeteer dependency bundled with JSReport.

    We request guidance on the following:
    • Whether there is a patched/updated JSReport release that resolves the Puppeteer-related vulnerabilities.
    • If there is a recommended workaround or manual upgrade process for Puppeteer versions inside JSReport.
    • Any official security best practices to mitigate this issue while continuing to run JSReport in production?

    This vulnerability is impacting our production security compliance, so we request your assistance as soon as possible.

    Thanks and Regards,

    Gaurav Kelkar

    0

  • The dependencies will be updated with the next release as always.
    https://github.com/jsreport/jsreport?tab=readme-ov-file#vulnerabilities

    The release is scheduled for this week.

    0
  • S

    Hello,

    There are still some puppeteer related vulnerbilities are present.
    All are in high in state so it is possible to provide one more update for this?

    Regards
    0_1765443391554_upload-8cfffd70-40e9-4974-a53c-7e943864f01c

    0

  • We will again update puppeteer/chromium in the next release. As always. Likely soon.

    If you need to update just now, go ahead and update the puppeteer dependency.
    You just need to list the latest puppeteer dependency in your package.json.

    Or build your own Docker image with the updated Chromium. However, note that the latest Chromium with the fix is not yet in the public repository at the time of writing this post.

    0
Log in to reply
 

Looks like your connection to jsreport forum was lost, please wait while we try to reconnect.