Gathering detailed insights and metrics for @axe-core/puppeteer
Gathering detailed insights and metrics for @axe-core/puppeteer
Installations
npm install @axe-core/puppeteerDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=6.4.0
Node Version
22.16.0
NPM Version
lerna/8.1.3/node@v22.16.0+x64 (linux)
Releases
23
Languages
5
JavaScript
TypeScript
HTML
CSS
Shell
JavaScript (59.3%)
TypeScript (40.49%)
HTML (0.12%)
CSS (0.08%)
Shell (0.01%)
Developer
dequelabs
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MPL-2.0 License
664 Stars
620 Commits
73 Forks
12 Watchers
75 Branches
40 Contributors
Updated on Jul 15, 2025
Maintainers
4
Package Meta Information
Latest Version
4.10.2
Package Id
@axe-core/puppeteer@4.10.2
Unpacked Size
58.57 kB
Size
13.84 kB
File Count
7
NPM Version
lerna/8.1.3/node@v22.16.0+x64 (linux)
Node Version
22.16.0
Published on
Jun 03, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Peer Dependencies
1
@axe-core/puppeteer
Provides a chainable axe API for Puppeteer and automatically injects into all frames.
Previous versions of this program were maintained at dequelabs/axe-puppeteer.
Getting Started
Install Node.js if you haven't already.
Install Puppeteer: npm install puppeteer
Install @axe-core/puppeteer: npm install @axe-core/puppeteer
Usage
This module uses a chainable API to assist in injecting, configuring and analyzing using axe with Puppeteer. As such, it is required to pass an instance of a Puppeteer Page or Frame.
Here is an example of a script that will drive Puppeteer to this repository, perform analysis and then log results to the console.
1const { AxePuppeteer } = require('@axe-core/puppeteer'); 2const puppeteer = require('puppeteer'); 3 4(async () => { 5 const browser = await puppeteer.launch(); 6 const page = await browser.newPage(); 7 await page.goto('https://dequeuniversity.com/demo/mars/'); 8 9 try { 10 const results = await new AxePuppeteer(page).analyze(); 11 console.log(results); 12 } catch (e) { 13 // do something with the error 14 } 15 16 await browser.close(); 17})();
Note: Usage examples make use of ES2017 async/await. Use of await can only be done in a function
declared async. If your project does not support async/await, you can just directly use the promise
async functions return. Check here for more
information.
Bypassing Content Security Policy
When trying to run axe, you might run into issues if the page you are checking has Content Security Policy enabled. To get around this, you must disable it through Page#setBypassCSP before navigating to the site.
loadPage(browser: Browser, url: string, { opts, source }: { opts?: any, source?: string } = {})
An alternate constructor is available which opens a page and performs the CSP bypass for you.
It closes the page after analyze is called.
1const { loadPage } = require('@axe-core/puppeteer'); 2const puppeteer = require('puppeteer'); 3 4(async () => { 5 const browser = await puppeteer.launch(); 6 const axeBuilder = await loadPage( 7 browser, 8 'https://dequeuniversity.com/demo/mars/' 9 ); 10 const results = await axeBuilder.analyze(); 11 console.log(results); 12 13 await browser.close(); 14})();
AxePuppeteer(page: Frame | Page[, axeSource: string])
Constructor for the AxePuppeteer helper.
You must pass an instance of a Puppeteer Frame or Page as the first argument. Cannot be called without the new keyword.
1const builder = new AxePuppeteer(page);
If you wish to run a specific version of axe-core, you can pass the source axe-core source file in as a string. Doing so will mean axe-puppeteer runs this version of axe-core, instead of the one installed as a dependency of axe-puppeteer.
1const axeSource = fs.readFileSync('./axe-3.0.js', 'utf8'); 2const builder = new AxePuppeteer(page, axeSource);
Note that you might need to bypass the Content Security Policy in some cases.
AxePuppeteer#analyze([callback: (Error | null[, Object]) => void])
Performs analysis and passes any encountered error and/or the result object to the provided callback function or promise function. Does not chain as the operation is asynchronous
Using the returned promise (optional):
1new AxePuppeteer(page) 2 .analyze() 3 .then(function (results) { 4 console.log(results); 5 }) 6 .catch(err => { 7 // Handle error somehow 8 });
Using a callback function
1new AxePuppeteer(page).analyze(function (err, results) { 2 if (err) { 3 // Handle error somehow 4 } 5 console.log(results); 6});
AxePuppeteer#include(selector: string | string[])
Adds a CSS selector to the list of elements to include in analysis
1new AxePuppeteer(page).include('.results-panel');
AxePuppeteer#exclude(selector: string | string[])
Add a CSS selector to the list of elements to exclude from analysis
1new AxePuppeteer(page).include('.results-panel').exclude('.results-panel h2');
AxePuppeteer#options(options: Axe.RunOptions)
Specifies options to be used by axe.run. Will override any other configured options, including calls to withRules and withTags.
See axe-core API documentation
for information on its structure.
1new AxePuppeteer(page).options({ 2 checks: { 'valid-lang': ['orcish'] } 3});
AxePuppeteer#withRules(rules: string | string[])
Limits analysis to only those with the specified rule IDs. Accepts a String of a single rule ID or an Array of multiple rule IDs. Subsequent calls to AxePuppeteer#options, AxePuppeteer#withRules or AxePuppeteer#withRules will override specified options.
1new AxePuppeteer(page).withRules('html-lang');1new AxePuppeteer(page).withRules(['html-lang', 'image-alt']);AxePuppeteer#withTags(tags: string | string[])
Limits analysis to only those with the specified tag or tags. Accepts a String of a single tag or an Array of multiple tags. Subsequent calls to AxePuppeteer#options, AxePuppeteer#withRules or AxePuppeteer#withRules will override specified options.
1new AxePuppeteer(page).withTags('wcag2a');1new AxePuppeteer(page).withTags(['wcag2a', 'wcag2aa']);AxePuppeteer#disableRules(rules: string | string[])
Skips verification of the rules provided. Accepts a String of a single rule ID or an Array of multiple rule IDs. Subsequent calls to AxePuppeteer#options, AxePuppeteer#disableRules will override specified options.
1new AxePuppeteer(page).disableRules('color-contrast');or use it combined with some specified tags:
1new AxePuppeteer(page)
2 .withTags(['wcag2a', 'wcag2aa'])
3 .disableRules('color-contrast');AxePuppeteer#disableFrame(selector: string)
Skips specific frame with selector provided. Accepts a String of a single selector. Subsequent calls to AxePuppeteer#options, AxePuppeteer#disableFrame will override specified options.
1new AxePuppeteer(page).disableFrame('#my-frame');or use it combined with some specified tags:
1new AxePuppeteer(page)
2 .withTags(['wcag2a', 'wcag2aa'])
3 .disableFrame('#my-frame');AxePuppeteer#configure(config: Axe.Spec)
Inject an axe configuration object to modify the ruleset before running Analyze. Subsequent calls to this method will invalidate previous ones by calling axe.configure and replacing the config object. See axe-core API documentation for documentation on the object structure.
1const config = { 2 checks: [Object], 3 rules: [Object] 4}; 5const results = await new AxePuppeteer(page).configure(config).analyze(); 6console.log(results);
AxePuppeteer#setLegacyMode(legacyMode: boolean = true)
Set the frame testing method to "legacy mode". In this mode, axe will not open a blank page in which to aggregate its results. This can be used in an environment where opening a blank page is causes issues.
With legacy mode turned on, axe will fall back to its test solution prior to the 4.3 release, but with cross-origin frame testing disabled. The frame-tested rule will report which frames were untested.
Important Use of .setLegacyMode() is a last resort. If you find there is no other solution, please report this as an issue.
1const axe = new AxePuppeteer(page).setLegacyMode(); 2const result = await axe.analyze(); 3axe.setLegacyMode(false); // Disables legacy mode
Caveat
Due to axe-core needing to be injected into the page and executed we are unable to do the following:
1await page.setJavaScriptEnabled(false);
No vulnerabilities found.
Reason
all changesets reviewed
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0
Reason
dependency not pinned by hash detected -- score normalized to 5
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-patch-release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/auto-patch-release.yml/develop?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/create-release-candidate.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/create-release-candidate.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/deploy.yml/develop?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-pr-footer.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/semantic-pr-footer.yml/develop?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-pr-title.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/semantic-pr-title.yml/develop?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-master-develop.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/sync-master-develop.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/tests.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-axe-core.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/update-axe-core.yml/develop?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-axe-core.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/update-axe-core.yml/develop?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-axe-core.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/dequelabs/axe-core-npm/update-axe-core.yml/develop?enable=pin
- Info: 0 out of 28 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 6 third-party GitHubAction dependencies pinned
- Info: 13 out of 13 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/auto-patch-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-release-candidate.yml:1
- Warn: no topLevel permission defined: .github/workflows/deploy.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-pr-footer.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-pr-title.yml:1
- Warn: no topLevel permission defined: .github/workflows/sync-master-develop.yml:1
- Warn: no topLevel permission defined: .github/workflows/tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-axe-core.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
14 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
5.9
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More