lgtm,codescanning
* URIs used in the puppeteer library are now recognized as sinks for `js/request-forgery`.
  Affected packages are
    [puppeteer](https://www.npmjs.com/package/puppeteer)