Patch puppeteer to not rely on code generation from strings

legrego · legrego · commit ab1d9e4aa47e · 2026-05-21T16:29:29.000-04:00
Changes from security: 3rd-party dependencies

Changes from node scripts/eslint_all_files --no-cache --fix
diff --git a/.buildkite/scripts/steps/security/third_party_packages.txt b/.buildkite/scripts/steps/security/third_party_packages.txt
@@ -1,3 +1,4 @@
+patch-package
 safe-stable-stringify
 ajv-draft-04
 ajv-formats
diff --git a/package.json b/package.json
@@ -2159,6 +2159,7 @@
     "oboe": "2.1.7",
     "openapi-types": "12.1.3",
     "oxlint": "1.56.0",
+    "patch-package": "8.0.1",
     "peggy": "4.2.0",
     "picomatch": "4.0.4",
     "pirates": "4.0.7",
diff --git a/patches/puppeteer-core+24.42.0.patch b/patches/puppeteer-core+24.42.0.patch
@@ -0,0 +1,32 @@
+diff --git a/node_modules/puppeteer-core/lib/cjs/puppeteer/util/Function.js b/node_modules/puppeteer-core/lib/cjs/puppeteer/util/Function.js
+index b5bf30a..81e5f50 100644
+--- a/node_modules/puppeteer-core/lib/cjs/puppeteer/util/Function.js
++++ b/node_modules/puppeteer-core/lib/cjs/puppeteer/util/Function.js
+@@ -18,7 +18,10 @@ const createFunction = (functionValue) => {
+     if (fn) {
+         return fn;
+     }
+-    fn = new Function(`return ${functionValue}`)();
++    fn = function puppeteerBackendPlaceholder() {
++        throw new Error('This function is a serialization placeholder. It should not be called directly in the Node.js process -- it exists only to carry source code to the browser via CDP.');
++    };
++    fn.toString = () => functionValue;
+     createdFunctions.set(functionValue, fn);
+     return fn;
+ };
+diff --git a/node_modules/puppeteer-core/lib/esm/puppeteer/util/Function.js b/node_modules/puppeteer-core/lib/esm/puppeteer/util/Function.js
+index 0ec5465..55c4cc1 100644
+--- a/node_modules/puppeteer-core/lib/esm/puppeteer/util/Function.js
++++ b/node_modules/puppeteer-core/lib/esm/puppeteer/util/Function.js
+@@ -14,7 +14,10 @@ export const createFunction = (functionValue) => {
+     if (fn) {
+         return fn;
+     }
+-    fn = new Function(`return ${functionValue}`)();
++    fn = function puppeteerBackendPlaceholder() {
++        throw new Error('This function is a serialization placeholder. It should not be called directly in the Node.js process -- it exists only to carry source code to the browser via CDP.');
++    };
++    fn.toString = () => functionValue;
+     createdFunctions.set(functionValue, fn);
+     return fn;
+ };
diff --git a/renovate.json b/renovate.json
@@ -2446,6 +2446,15 @@
       "minimumReleaseAge": "14 days",
       "enabled": true
     },
+    {
+      "groupName": "patch-package",
+      "matchDepNames": ["patch-package"],
+      "reviewers": ["team:kibana-security"],
+      "matchBaseBranches": ["main"],
+      "addLabels": ["Team:Security"],
+      "minimumReleaseAge": "7 days",
+      "enabled": true
+    },
     {
       "groupName": "@xyflow/react",
       "matchPackageNames": ["@xyflow/react"],
diff --git a/src/dev/build/tasks/install_dependencies_task.ts b/src/dev/build/tasks/install_dependencies_task.ts
@@ -35,5 +35,9 @@ export const InstallDependencies: Task = {
         cwd: build.resolvePath(),
       }
     );
+
+    await exec(log, 'npx', ['patch-package', '--error-on-fail'], {
+      cwd: build.resolvePath(),
+    });
   },
 };
diff --git a/src/dev/kbn_pm/src/commands/bootstrap/bootstrap_command.mjs b/src/dev/kbn_pm/src/commands/bootstrap/bootstrap_command.mjs
@@ -141,6 +141,20 @@ export const command = {
             await runInstallScripts(log, { quiet });
           })
         : undefined,
+      shouldInstall
+        ? time('apply node_modules patches', async () => {
+            log.info('applying node_modules patches via patch-package');
+            // The patch-package command is used to apply patches to the node_modules directory.
+            // At the time of writing, the following packages are patched:
+            // - zod@4.3.6 => memory regression introduced in 4.x (see https://github.com/colinhacks/zod/issues/5760)
+            // The libraries above should not be updated, as doing so would break the patches.
+            await run('node', ['node_modules/.bin/patch-package', '--error-on-fail'], {
+              pipe: !quiet,
+              description: 'patch-package',
+            });
+            log.success('node_modules patches applied');
+          })
+        : undefined,
     ]);
 
     await time('sort package json', async () => {
diff --git a/src/dev/precommit_hook/exceptions.json b/src/dev/precommit_hook/exceptions.json
@@ -229,6 +229,7 @@
     "x-pack/platform/plugins/shared/index_management/public/application/components/mappings_editor/components/document_fields/common/listItemStyle.ts": "'listItemStyle.ts' should be snake_case"
   },
   "@elastic/kibana-operations": {
+    "patches/puppeteer-core+24.42.0.patch": "'puppeteer-core+24.42.0.patch' should be snake_case",
     "packages/kbn-ts-projects/config-paths.json": "'config-paths.json' should be snake_case",
     "src/platform/packages/private/kbn-repo-packages/package-map.json": "'package-map.json' should be snake_case",
     "src/platform/packages/shared/kbn-test/jest_integration_node/jest-preset.js": "'jest-preset.js' should be snake_case",
diff --git a/x-pack/platform/plugins/shared/screenshotting/server/browsers/chromium/driver.ts b/x-pack/platform/plugins/shared/screenshotting/server/browsers/chromium/driver.ts
@@ -196,10 +196,6 @@ export class HeadlessChromiumDriver {
    * statically.
    */
   private async injectScreenshottingErrorHeader(error: Error, containerSelector: string) {
-    // FIXME This relies on code generation from strings.
-    if (true) {
-      return;
-    }
     await this.page.evaluate(
       (selector: string, text: string) => {
         let container = document.querySelector(selector);
diff --git a/yarn.lock b/yarn.lock
@@ -18500,7 +18500,7 @@ chromium-bidi@14.0.0:
     mitt "^3.0.1"
     zod "^3.24.1"
 
-ci-info@^3.2.0:
+ci-info@^3.2.0, ci-info@^3.7.0:
   version "3.8.0"
   resolved "https://registry.yarnpkg.com/ci-info/-/ci-info-3.8.0.tgz#81408265a5380c929f0bc665d62256628ce9ef91"
   integrity sha512-eXTggHWSooYhq49F2opQhuHWgzucfF2YgODK4e1566GQs5BIfP30B0oenwBJHfWxAs2fyPB1s7Mg949zLf61Yw==
@@ -22613,6 +22613,13 @@ find-up@^8.0.0:
     locate-path "^8.0.0"
     unicorn-magic "^0.3.0"
 
+find-yarn-workspace-root@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/find-yarn-workspace-root/-/find-yarn-workspace-root-2.0.0.tgz#f47fb8d239c900eb78179aa81b66673eac88f7bd"
+  integrity sha512-1IMnbjt4KzsQfnhnzNd8wUEgXZ44IzZaZmnLYx7D5FZlaHt2gW20Cri8Q+E/t5tIj4+epTBub+2Zxu/vNILzqQ==
+  dependencies:
+    micromatch "^4.0.2"
+
 fix-esm@1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/fix-esm/-/fix-esm-1.0.1.tgz#e0e2199d841e43ff7db9b5f5ba7496bc45130ebb"
@@ -23477,7 +23484,7 @@ gpt-tokenizer@2.6.2:
   resolved "https://registry.yarnpkg.com/gpt-tokenizer/-/gpt-tokenizer-2.6.2.tgz#90e6932c7b5f73df7c13d360802edb43a2776586"
   integrity sha512-OznIET3z069FiwbLtLFXJ9pVESYAa8EnX0BMogs6YJ4Fn2FIcyeZYEbxsp2grPiK0DVaqP1f+0JR/8t9R7/jlg==
 
-graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.1.6, graceful-fs@^4.2.0, graceful-fs@^4.2.10, graceful-fs@^4.2.11, graceful-fs@^4.2.4, graceful-fs@^4.2.6, graceful-fs@^4.2.8, graceful-fs@^4.2.9:
+graceful-fs@^4.1.11, graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.1.6, graceful-fs@^4.2.0, graceful-fs@^4.2.10, graceful-fs@^4.2.11, graceful-fs@^4.2.4, graceful-fs@^4.2.6, graceful-fs@^4.2.8, graceful-fs@^4.2.9:
   version "4.2.11"
   resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.11.tgz#4183e4e8bf08bb6e05bbb2f7d2e0c8f712ca40e3"
   integrity sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==
@@ -25265,7 +25272,7 @@ is-word-character@^1.0.0:
   resolved "https://registry.yarnpkg.com/is-word-character/-/is-word-character-1.0.1.tgz#5a03fa1ea91ace8a6eb0c7cd770eb86d65c8befb"
   integrity sha1-WgP6HqkazopusMfNdw64bWXIvvs=
 
-is-wsl@^2.2.0:
+is-wsl@^2.1.1, is-wsl@^2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/is-wsl/-/is-wsl-2.2.0.tgz#74a4c76e77ca9fd3f932f290c17ea326cd157271"
   integrity sha512-fKzAra0rGJUUBwGBgNkHZuToZcn+TtXHpeCgmkMJMMYx1sQDYaCSyjJBSCa2nH1DGm7s3n1oBnohoVTBaN7Lww==
@@ -26100,7 +26107,7 @@ json-stable-stringify-without-jsonify@^1.0.1:
   resolved "https://registry.yarnpkg.com/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz#9db7b59496ad3f3cfef30a75142d2d930ad72651"
   integrity sha1-nbe1lJatPzz+8wp1FC0tkwrXJlE=
 
-json-stable-stringify@^1.0.1:
+json-stable-stringify@^1.0.1, json-stable-stringify@^1.0.2:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/json-stable-stringify/-/json-stable-stringify-1.3.0.tgz#8903cfac42ea1a0f97f35d63a4ce0518f0cc6a70"
   integrity sha512-qtYiSSFlwot9XHtF9bD9c7rwKjr+RecWT//ZnPvSmEjpV5mmPOCN4j8UjY5hbjNkOwZ/jQv3J6R1/pL7RwgMsg==
@@ -26329,6 +26336,13 @@ kind-of@^6.0.0, kind-of@^6.0.2, kind-of@^6.0.3:
   resolved "https://registry.yarnpkg.com/kind-of/-/kind-of-6.0.3.tgz#07c05034a6c349fa06e24fa35aa76db4580ce4dd"
   integrity sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==
 
+klaw-sync@^6.0.0:
+  version "6.0.0"
+  resolved "https://registry.yarnpkg.com/klaw-sync/-/klaw-sync-6.0.0.tgz#1fd2cfd56ebb6250181114f0a581167099c2b28c"
+  integrity sha512-nIeuVSzdCCs6TDPTqI8w1Yre34sSq7AkZ4B3sfOBbI2CgVSB4Du4aLQijFU2+lhAFCwt9+42Hel6lQNIv6AntQ==
+  dependencies:
+    graceful-fs "^4.1.11"
+
 kleur@^3.0.3:
   version "3.0.3"
   resolved "https://registry.yarnpkg.com/kleur/-/kleur-3.0.3.tgz#a79c9ecc86ee1ce3fa6206d1216c501f147fc07e"
@@ -29115,6 +29129,14 @@ open@^10.0.3:
     is-inside-container "^1.0.0"
     is-wsl "^3.1.0"
 
+open@^7.4.2:
+  version "7.4.2"
+  resolved "https://registry.yarnpkg.com/open/-/open-7.4.2.tgz#b8147e26dcf3e426316c730089fd71edd29c2321"
+  integrity sha512-MVHddDVweXZF3awtlAS+6pgKLlm/JgxZ90+/NBurBoQctVOOB/zDdVjcyPzQ+0laDGbsWgrRkflI65sQeOgT9Q==
+  dependencies:
+    is-docker "^2.0.0"
+    is-wsl "^2.1.1"
+
 open@^8.0.4, open@^8.4.0, open@~8.4.0:
   version "8.4.2"
   resolved "https://registry.yarnpkg.com/open/-/open-8.4.2.tgz#5b5ffe2a8f793dcd2aad73e550cb87b59cb084f9"
@@ -29684,6 +29706,26 @@ patch-console@^2.0.0:
   resolved "https://registry.yarnpkg.com/patch-console/-/patch-console-2.0.0.tgz#9023f4665840e66f40e9ce774f904a63167433bb"
   integrity sha512-0YNdUceMdaQwoKce1gatDScmMo5pu/tfABfnzEqeG0gtTmd7mh/WcwgUjtAeOU7N8nFFlbQBnFK2gXW5fGvmMA==
 
+patch-package@8.0.1:
+  version "8.0.1"
+  resolved "https://registry.yarnpkg.com/patch-package/-/patch-package-8.0.1.tgz#79d02f953f711e06d1f8949c8a13e5d3d7ba1a60"
+  integrity sha512-VsKRIA8f5uqHQ7NGhwIna6Bx6D9s/1iXlA1hthBVBEbkq+t4kXD0HHt+rJhf/Z+Ci0F/HCB2hvn0qLdLG+Qxlw==
+  dependencies:
+    "@yarnpkg/lockfile" "^1.1.0"
+    chalk "^4.1.2"
+    ci-info "^3.7.0"
+    cross-spawn "^7.0.3"
+    find-yarn-workspace-root "^2.0.0"
+    fs-extra "^10.0.0"
+    json-stable-stringify "^1.0.2"
+    klaw-sync "^6.0.0"
+    minimist "^1.2.6"
+    open "^7.4.2"
+    semver "^7.5.3"
+    slash "^2.0.0"
+    tmp "^0.2.4"
+    yaml "^2.2.2"
+
 path-browserify@1.0.1, path-browserify@^1.0.0, path-browserify@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/path-browserify/-/path-browserify-1.0.1.tgz#d98454a9c3753d5790860f16f68867b9e46be1fd"
@@ -34751,7 +34793,7 @@ tmp@^0.0.33:
   dependencies:
     os-tmpdir "~1.0.2"
 
-tmp@^0.2.5, tmp@~0.2.4:
+tmp@^0.2.4, tmp@^0.2.5, tmp@~0.2.4:
   version "0.2.5"
   resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.5.tgz#b06bcd23f0f3c8357b426891726d16015abfd8f8"
   integrity sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==
@@ -37088,6 +37130,11 @@ yaml@^2.0.0, yaml@^2.2.1:
   resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.3.4.tgz#53fc1d514be80aabf386dc6001eb29bf3b7523b2"
   integrity sha512-8aAvwVUSHpfEqTQ4w/KMlf3HcRdt50E5ODIQJBw1fQ5RL34xabzxtUlzTXVqc4rkZsPbvrXKWnABCD7kWSmocA==
 
+yaml@^2.2.2:
+  version "2.9.0"
+  resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.9.0.tgz#78274afd93598a1dfdd6130df6a566defcbf9aa4"
+  integrity sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==
+
 yargs-parser@^18.1.2:
   version "18.1.3"
   resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-18.1.3.tgz#be68c4975c6b2abf469236b0c870362fab09a7b0"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+patch-package`
`1`	`2`	`safe-stable-stringify`
`2`	`3`	`ajv-draft-04`
`3`	`4`	`ajv-formats`