Update to puppeteer 22.15.0

[plocket]

Use response data to detect sign-in success

Context and Problem Statement

Should we update to the newest version of puppeteer, 22.14.0?

Considered Options

• Update to 22.15.0
• Update to 22.12.0, which is the lowest version that would fix our current problems
• Stay with 20.8.2

See pros and cons

Decision Outcome

Update puppeteer from 20.8.2 to 22.15.0

Pros and Cons of the Options

Update at all

Pros:

• Makes the current fix possible

Cons:

• Change in the middle of a complex PR
• A few breaking changes, which includes for us at the very least:
  • "Removes the deprecated $x (replace with $$) and waitForXpath (replace with waitForSelector)." We need to add extra syntax to the start of our selector strings: "xpath//."
  • Replace any page.waitForTimeout with cucumber's version or ours.

Update to to 22.15.0

Pros:

• Has all the most recent bug fixes and features

Cons:

• Exposes us to possible unknown new bugs

Update to to 22.12.0

This is the lowest version that would fix our problem

Pros:

• Avoids possibly unknown new bugs

Cons:

• Doesn't have fixes to already known bugs

Stay with 20.8.2

Opposite of first section entry, "Update at all".

[plocket]

After an update, we have a few new vulnerabilities. These may have already existed, but may be because of the new puppteer version:

npm audit report

axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install axios@1.7.2, which is a breaking change
node_modules/axios

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/braces

follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - GHSA-cxjh-pqwp-8mfp
fix available via npm audit fix
node_modules/follow-redirects

pdfjs-dist <=4.1.392
Severity: high
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - GHSA-wgrm-67xf-hhpq
fix available via npm audit fix --force
Will install pdfjs-dist@4.5.136, which is a breaking change
node_modules/pdfjs-dist

tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - GHSA-f5x3-32g6-xq36
fix available via npm audit fix
node_modules/tar

[plocket]

AVOID UPDATING pdfjs. It switches to mjs and that'll take some configuration shenanigans that I don't want to deal with at the moment. The vulnerability involves PDFs that can inject code, but folks are downloading their own PDFs which should be fine.