Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
puppeteer
Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. It is primarily used for automating web browser actions, such as taking screenshots, generating pre-rendered content, and automating form submissions, among other things.
Web Scraping
Puppeteer can be used to scrape content from web pages by programmatically navigating to the page and extracting the required data.
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com');
  const data = await page.evaluate(() => document.querySelector('*').outerHTML);
  console.log(data);
  await browser.close();
})();
Automated Testing
Puppeteer can automate form submissions and simulate user actions for testing web applications.
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com/login');
  await page.type('#username', 'user');
  await page.type('#password', 'pass');
  await page.click('#submit');
  // Check for successful login
  await page.waitForSelector('#logout');
  await browser.close();
})();
PDF Generation
Puppeteer can generate PDFs from web pages, which is useful for creating reports, invoices, and other printable documents.
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com', {waitUntil: 'networkidle2'});
  await page.pdf({path: 'example.pdf', format: 'A4'});
  await browser.close();
})();
Screenshot Capture
Puppeteer can take screenshots of web pages, either of the full page or specific elements, which is useful for capturing the state of a page for documentation or testing.
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com');
  await page.screenshot({path: 'example.png'});
  await browser.close();
})();
Playwright is a Node library to automate the Chromium, WebKit, and Firefox browsers with a single API. It is similar to Puppeteer but adds support for multiple browser types and has additional features like network interception.
Selenium WebDriver is one of the most well-known browser automation tools. It supports multiple browsers and languages, making it more versatile than Puppeteer, but it can be more complex to set up and slower in execution.
Nightmare is a high-level browser automation library. It is simpler and has a more fluent API compared to Puppeteer, but it is less actively maintained and lacks some of the newer features that Puppeteer provides.
WebdriverIO is a custom implementation for selenium's W3C webdriver API. It is designed to be more accessible than the Selenium WebDriver and integrates well with modern web and mobile application testing practices.
Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
Most things that you can do manually in the browser can be done using Puppeteer! Here are a few examples to get you started:
Give it a spin: https://try-puppeteer.appspot.com/
To use Puppeteer in your project, run:
npm i puppeteer
# or "yarn add puppeteer"
Note: When you install Puppeteer, it downloads a recent version of Chromium (~170MB Mac, ~282MB Linux, ~280MB Win) that is guaranteed to work with the API. To skip the download, see Environment variables.
Since version 1.7.0 we publish the puppeteer-core package, a version of Puppeteer that doesn't download Chromium by default.
npm i puppeteer-core
# or "yarn add puppeteer-core"
puppeteer-core is intended to be a lightweight version of Puppeteer for launching an existing browser installation or for connecting to a remote one. Be sure that the version of puppeteer-core you install is compatible with the browser you intend to connect to.
See puppeteer vs puppeteer-core.
Puppeteer follows the latest maintenance LTS version of Node.
Note: Prior to v1.18.1, Puppeteer required at least Node v6.4.0. All subsequent versions rely on Node 8.9.0+. All examples below use async/await which is only supported in Node v7.6.0 or greater.
Puppeteer will be familiar to people using other browser testing frameworks. You create an instance of Browser, open pages, and then manipulate them with Puppeteer's API.
Example - navigating to https://example.com and saving a screenshot as example.png:
Save file as example.js
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com');
  await page.screenshot({path: 'example.png'});
  await browser.close();
})();
Execute script on the command line
node example.js
Puppeteer sets an initial page size to 800×600px, which defines the screenshot size. The page size can be customized with Page.setViewport().
Example - create a PDF.
Save file as hn.js
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://news.ycombinator.com', {waitUntil: 'networkidle2'});
  await page.pdf({path: 'hn.pdf', format: 'A4'});
  await browser.close();
})();
Execute script on the command line
node hn.js
See Page.pdf() for more information about creating pdfs.
Example - evaluate script in the context of the page
Save file as get-dimensions.js
const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch();
  const page = await browser.newPage();
  await page.goto('https://example.com');

  // Get the "viewport" of the page, as reported by the page.
  const dimensions = await page.evaluate(() => {
    return {
      width: document.documentElement.clientWidth,
      height: document.documentElement.clientHeight,
      deviceScaleFactor: window.devicePixelRatio
    };
  });

  console.log('Dimensions:', dimensions);
  await browser.close();
})();
Execute script on the command line
node get-dimensions.js
See Page.evaluate() for more information on evaluate and related methods like evaluateOnNewDocument and exposeFunction.
1. Uses Headless mode
Puppeteer launches Chromium in headless mode. To launch a full version of Chromium, set the headless option when launching a browser:
const browser = await puppeteer.launch({headless: false}); // default is true
2. Runs a bundled version of Chromium
By default, Puppeteer downloads and uses a specific version of Chromium so its API is guaranteed to work out of the box. To use Puppeteer with a different version of Chrome or Chromium, pass in the executable's path when creating a Browser instance:
const browser = await puppeteer.launch({executablePath: '/path/to/Chrome'});
See Puppeteer.launch() for more information.
See this article for a description of the differences between Chromium and Chrome. This article describes some differences for Linux users.
3. Creates a fresh user profile
Puppeteer creates its own Chromium user profile which it cleans up on every run.
Turn off headless mode - sometimes it's useful to see what the browser is displaying. Instead of launching in headless mode, launch a full version of the browser using headless: false:
const browser = await puppeteer.launch({headless: false});
Slow it down - the slowMo option slows down Puppeteer operations by the specified amount of milliseconds. It's another way to help see what's going on.
const browser = await puppeteer.launch({
  headless: false,
  slowMo: 250 // slow down by 250ms
});
Capture console output - You can listen for the console event. This is also handy when debugging code in page.evaluate():
page.on('console', msg => console.log('PAGE LOG:', msg.text()));
await page.evaluate(() => console.log(`url is ${location.href}`));
Use debugger in application code browser
There are two execution contexts: node.js, which is running the test code, and the browser, which is running the application code being tested. This lets you debug code in the application code browser; i.e. code inside evaluate().
Use {devtools: true} when launching Puppeteer:
const browser = await puppeteer.launch({devtools: true});
Change default test timeout:
jest: jest.setTimeout(100000);
jasmine: jasmine.DEFAULT_TIMEOUT_INTERVAL = 100000;
mocha: this.timeout(100000);
(don't forget to change test to use function and not '=>')
Add an evaluate statement with debugger inside / add debugger to an existing evaluate statement:
await page.evaluate(() => {debugger;});
The test will now stop executing in the above evaluate statement, and chromium will stop in debug mode.
Use debugger in node.js
This will let you debug test code. For example, you can step over await page.click() in the node.js script and see the click happen in the application code browser.
Note that you won't be able to run await page.click() in DevTools console due to this Chromium bug. So if you want to try something out, you have to add it to your test file.
Add debugger; to your test, eg:
  debugger;
  await page.click('a[target=_blank]');
Set headless to false
Run node --inspect-brk, eg node --inspect-brk node_modules/.bin/jest tests
In Chrome, open chrome://inspect/#devices and click inspect
Press F8 to resume test execution
Now your debugger will be hit and you can debug in the test browser
Enable verbose logging - internal DevTools protocol traffic will be logged via the debug module under the puppeteer namespace.
# Basic verbose logging
env DEBUG="puppeteer:*" node script.js
# Protocol traffic can be rather noisy. This example filters out all Network domain messages
env DEBUG="puppeteer:*" env DEBUG_COLORS=true node script.js 2>&1 | grep -v '"Network'
Debug your Puppeteer (node) code easily, using ndb
npm install -g ndb
(or even better, use npx!)
add a debugger to your Puppeteer (node) code
add ndb (or npx ndb) before your test command. For example: ndb jest or ndb mocha (or npx ndb jest / npx ndb mocha)
debug your test inside chromium like a boss!
Check out contributing guide to get an overview of Puppeteer development.
The Chrome DevTools team maintains the library, but we'd love your help and expertise on the project! See Contributing.
Historically, Puppeteer supported Firefox indirectly through puppeteer-firefox, which relied on a custom, patched version of Firefox. This approach was also known as “Juggler”.
After discussions with Mozilla, we collectively concluded that relying on custom patches was infeasible.
Since then, we have been collaborating with Mozilla on supporting Puppeteer on “stock” Firefox.
From Puppeteer v2.1.0 onwards, as an experimental feature, you can specify puppeteer.launch({product: 'firefox'})
to run your Puppeteer scripts in Firefox, without any additional custom patches.
We will continue collaborating with other browser vendors to bring Puppeteer support to browsers such as Safari. This effort includes exploration of a standard for executing cross-browser commands (instead of relying on the non-standard DevTools Protocol used by Chrome).
The goals of the project are:
We adapt Chromium principles to help us drive product decisions:
No. Both projects are valuable for very different reasons:
That said, you can use Puppeteer to run tests against Chromium, e.g. using the community-driven jest-puppeteer. While this probably shouldn’t be your only testing solution, it does have a few good points compared to WebDriver:
We see Puppeteer as an indivisible entity with Chromium. Each version of Puppeteer bundles a specific version of Chromium – the only version it is guaranteed to work with.
This is not an artificial constraint: A lot of work on Puppeteer is actually taking place in the Chromium repository. Here’s a typical story:
However, oftentimes it is desirable to use Puppeteer with the official Google Chrome rather than Chromium. For this to work, you should install a puppeteer-core version that corresponds to the Chrome version.
For example, in order to drive Chrome 71 with puppeteer-core, use the chrome-71 npm tag:
npm install puppeteer-core@chrome-71
Look for chromium_revision in package.json. To find the corresponding Chromium commit and version number, search for the revision prefixed by an r in OmahaProxy's "Find Releases" section.
From Puppeteer’s standpoint, “navigation” is anything that changes a page’s URL. Aside from regular navigation where the browser hits the network to fetch a new document from the web server, this includes anchor navigations and History API usage.
With this definition of “navigation,” Puppeteer works seamlessly with single-page applications.
In browsers, input events could be divided into two big groups: trusted vs. untrusted.
Trusted events are generated by the browser itself in response to user interaction with the page.
Untrusted events are generated by Web APIs, e.g. the document.createEvent or element.click() methods.
Websites can distinguish between these two groups:
by the Event.isTrusted event flag
by accompanying events: a trusted 'click' event is preceded by 'mousedown' and 'mouseup' events.
For automation purposes it’s important to generate trusted events. All input events generated with Puppeteer are trusted and fire proper accompanying events. If, for some reason, one needs an untrusted event, it’s always possible to hop into a page context with page.evaluate and generate a fake event:
await page.evaluate(() => {
document.querySelector('button[type=submit]').click();
});
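The two signals described above (the Event.isTrusted flag and the mousedown/mouseup events that accompany a click), as a page-side check. This is an added example, not code from the Puppeteer README; createClickClassifier, classifyStream and the sample stream are hypothetical names and constructed data, and the check assumes the pointer events and the click share a target.

```javascript
// Classify each 'click' by Event.isTrusted and by its accompanying events.
// Events are read only through type/isTrusted/target/timeStamp, so plain
// objects work in Node and real DOM events work in a page.
function createClickClassifier(windowMs = 1000) {
  const pointer = new Map(); // target -> { mousedown: ts, mouseup: ts }

  return function observe(ev) {
    if (ev.type === 'mousedown' || ev.type === 'mouseup') {
      // Script-dispatched pointer events are not evidence of real input.
      if (ev.isTrusted) {
        const rec = pointer.get(ev.target) || {};
        rec[ev.type] = ev.timeStamp;
        pointer.set(ev.target, rec);
      }
      return null;
    }
    if (ev.type !== 'click') return null;

    const rec = pointer.get(ev.target) || {};
    pointer.delete(ev.target); // one pointer sequence backs one click
    const accompanied =
      rec.mousedown !== undefined && rec.mouseup !== undefined &&
      rec.mousedown <= rec.mouseup && rec.mouseup <= ev.timeStamp &&
      ev.timeStamp - rec.mousedown <= windowMs;

    if (!ev.isTrusted) return 'untrusted';
    // A trusted click without pointer events can be legitimate, e.g. a
    // button activated from the keyboard, so it gets its own label.
    return accompanied ? 'trusted-with-pointer' : 'trusted-no-pointer';
  };
}

function classifyStream(events) {
  const observe = createClickClassifier();
  return events.map(observe).filter(Boolean);
}

// Constructed sample stream (not captured from a real page).
const SAMPLE_EVENTS = [
  { type: 'mousedown', isTrusted: true, target: '#submit', timeStamp: 100 },
  { type: 'mouseup', isTrusted: true, target: '#submit', timeStamp: 160 },
  { type: 'click', isTrusted: true, target: '#submit', timeStamp: 161 },
  { type: 'click', isTrusted: false, target: '#submit', timeStamp: 900 },
  { type: 'click', isTrusted: true, target: '#submit', timeStamp: 1500 },
];
console.log(classifyStream(SAMPLE_EVENTS));
```

In a page, the same observe function can be registered as a capturing listener on document for 'mousedown', 'mouseup' and 'click'.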
You may find that Puppeteer does not behave as expected when controlling pages that incorporate audio and video. (For example, video playback/screenshots is likely to fail.) There are two reasons for this:
executablePath option to puppeteer.launch. You should only use this configuration if you need an official release of Chrome that supports these media formats.)
We have a troubleshooting guide for various operating systems that lists the required dependencies.
You can check out this repo or install the latest prerelease from npm:
npm i --save puppeteer@next
Please note that prerelease may be unstable and contain bugs.
There are many ways to get help on Puppeteer:
Make sure to search these channels before posting your question.
FAQs
A high-level API to control headless Chrome over the DevTools Protocol
We found that puppeteer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.