The open-source puppeteer-extra-plugin-stealth alternative
The stealth plugin is the easiest way to bolt evasions onto Puppeteer — but every evasion is a JavaScript patch on a stock Chrome, and JS patches self-reveal. Clearcote sets those values natively in the engine, coherent across workers and iframes, and adds the TLS/HTTP-2 layer the plugin can't touch.
What is puppeteer-extra-plugin-stealth?
puppeteer-extra-plugin-stealth (by berstend, ~660k weekly npm downloads) is a bundle of JavaScript evasion modules injected via page.evaluateOnNewDocument before page scripts run — each patches a single tell (navigator.webdriver, plugins, chrome.runtime, WebGL vendor, iframe, codecs, and more). It's MIT-licensed, hugely popular, and passes the common public test pages.
The structural limit is that these are JS overrides on a stock engine, and JS overrides self-reveal: a patched function leaks via Function.prototype.toString, altered property descriptors, and cross-realm/worker/OOPIF re-reads where the patch isn't present. It doesn't change native values, doesn't touch TLS/JA3-JA4 or HTTP/2, and doesn't fix the Runtime.enable CDP leak. Its own README concedes it's 'probably impossible to prevent all ways to detect headless chromium', and it's been semi-maintained lately (roughly a year since an npm release), so evasions age faster than they're updated.
Clearcote vs puppeteer-extra-plugin-stealth
| Feature | Clearcote | puppeteer-extra-plugin-stealth |
|---|---|---|
| Approach | Engine-level C++ patches — native values | JS evasions injected per document |
| Detectable seam | None — native in every realm (main, workers, iframes) | Self-reveals via toString / descriptors / worker / OOPIF |
| TLS / network coherence | Follows the claimed Chrome (JA3/JA4 + HTTP/2) | None — stock automation network signature |
| Framework | Playwright & Puppeteer (Python + Node) | Puppeteer (Node) |
| Maintenance | Actively maintained | Semi-maintained (~1yr since release) |
| License | Open & permissive | MIT |
| Cost | Free & open | Free & open |
Comparison compiled July 2026. puppeteer-extra-plugin-stealth is open source (mit); details change — check its project for the latest.
Why teams pick Clearcote
Native, not overridden
Every stealth-plugin evasion is a JS override a detector can catch. Clearcote sets the values in the engine, so they read as native — there's no override to find.
Coherent across realms
JS patches applied to the main frame diverge in Web Workers and cross-origin iframes. Engine-level values agree everywhere, closing that class of tell.
The network layer
The plugin has no access to TLS or HTTP/2. Clearcote's handshake follows the claimed Chrome version, so the wire matches the JavaScript.
Maintained and verified
Coherence is checked against open tests each release, rather than relying on a set of evasions that age between updates.
When puppeteer-extra-plugin-stealth might be the better pick
- You already use Puppeteer and want a one-line evasion bundle for lenient targets.
- You need something MIT-licensed to drop into an existing Node scraper.
- For public test pages and older detection, it's quick and often good enough.
FAQ
Why do JavaScript stealth patches get detected?
Because they're overrides on a real function. A detector can stringify it (a native function reads [native code]; an override shows its own source), inspect the property descriptor, or re-read the value from a fresh iframe or Web Worker where the patch isn't applied. Engine-level changes avoid this by making the value native everywhere.
How is Clearcote different from the stealth plugin?
The plugin injects JS evasions into a stock Chrome; Clearcote is a modified Chromium where the values are native in the engine — coherent across workers and iframes — plus a TLS/HTTP-2 persona the plugin has no access to.
Is the stealth plugin still maintained?
It's semi-maintained — roughly a year since a release at the time of writing — and increasingly detected as evasions age. Check its repository for the current status.
Related reading
Try the open-source Chromium alternative
Free and open source, a drop-in for Playwright & Puppeteer, coherent down to the TLS handshake.