Skip to content

chore(deps): update dependency playwright to v1.55.1 [security] #166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency playwright to v1.55.1 [security] #166

wants to merge 1 commit into from

Conversation

svc-secops
Copy link
Contributor

@svc-secops svc-secops commented Oct 20, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
playwright (source) 1.49.1 -> 1.55.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-59288

Improper verification of cryptographic signature in Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVE-2025-59288 / GHSA-7mvr-c777-76hp

More information

Details

Improper verification of cryptographic signature in Playwright allows an unauthorized attacker to perform spoofing over an adjacent network.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.https://github.com/microsoft/playwright/issues/371477 - [Regression]: Internal error: step id not foundhttps://github.com/microsoft/playwright/issues/3714646 - [Regression]: HTML reporter displays a broken chip link when there are no projecthttps://github.com/microsoft/playwright/pull/37137137 - Revert "fix(a11y): track inert elements as hiddenhttps://github.com/microsoft/playwright/pull/37532532 - chore: do not use -k option

Browser Versions

  • Chromium 140.0.7339.186
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

v1.55.0

Compare Source

New APIs

  • New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

  • Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

  • ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

  • Added support for Debian 13 "Trixie".

Browser Versions

  • Chromium 140.0.7339.16
  • Mozilla Firefox 141.0
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 139
  • Microsoft Edge 139

v1.54.2

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)https://github.com/microsoft/playwright/issues/368288 - [Regression]: Playwright Codegen keeps spamming with selected optiohttps://github.com/microsoft/playwright/issues/3681010 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

  • Chromium 139.0.7258.5
  • Mozilla Firefox 140.0.2
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 140
  • Microsoft Edge 140

v1.54.1

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used

Browser Versions

  • Chromium 139.0.7258.5
  • Mozilla Firefox 140.0.2
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 140
  • Microsoft Edge 140

v1.54.0

Compare Source

Highlights

  • New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.

  • New option noSnippets to disable code snippets in the html report.

    import { defineConfig } from '@​playwright/test';

export default defineConfig({
  reporter: [['html', { noSnippets: true }]]
});

  • New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.

Command Line

  • New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.

    npx playwright codegen --user-data-dir=./user-data

  • Option -gv has been removed from the npx playwright test command. Use --grep-invert instead.

  • npx playwright open does not open the test recorder anymore. Use npx playwright codegen instead.

Miscellaneous

  • Support for Node.js 16 has been removed.
  • Support for Node.js 18 has been deprecated, and will be removed in the future.

Browser Versions

  • Chromium 139.0.7258.5
  • Mozilla Firefox 140.0.2
  • WebKit 26.0

This version was also tested against the following stable channels:

  • Google Chrome 140
  • Microsoft Edge 140

v1.53.2

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/36317 - [Regression]: Merging pre-1.53 blob reports loses attachmentshttps://github.com/microsoft/playwright/pull/363577 - [Regression (Chromium)]: CDP missing trailing slashttps://github.com/microsoft/playwright/issues/3629292 - [Bug (MSEdge)]: Edge fails to launch when using msRelaunchNoCompatLayer

Browser Versions

  • Chromium 138.0.7204.23
  • Mozilla Firefox 139.0
  • WebKit 18.5

This version was also tested against the following stable channels:

  • Google Chrome 137
  • Microsoft Edge 137

v1.53.1

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/36339 - [Regression]: Click can fail when scrolling requiredhttps://github.com/microsoft/playwright/issues/363077 - [Regression (Chromium)]: Under some scenarios filling a textarea doesn't fill
https://github.com/microsoft/playwright/issues/36294 - [Regression (Firefox)]: setViewportSize times out
https://github.com/microsoft/playwright/pull/36350 - [Fix]: Display HTTP method for fetch trace entries

Browser Versions

  • Chromium 138.0.7204.23
  • Mozilla Firefox 139.0
  • WebKit 18.5

This version was also tested against the following stable channels:

  • Google Chrome 137
  • Microsoft Edge 137

v1.53.0

Compare Source

Trace Viewer and HTML Reporter Updates

  • New Steps in Trace Viewer and HTML reporter: New Trace Viewer Steps

  • New option in 'html' reporter to set the title of a specific test run:

    import { defineConfig } from '@​playwright/test';

export default defineConfig({
  reporter: [['html', { title: 'Custom test run #​1028' }]]
});

Miscellaneous

  • New option kind in testInfo.snapshotPath() controls which snapshot path template is used.

  • New method locator.describe() to describe a locator. Used for trace viewer and reports.

    const button = page.getByTestId('btn-sub').describe('Subscribe button');
await button.click();

  • npx playwright install --list will now list all installed browsers, versions and locations.

Browser Versions

  • Chromium 138.0.7204.4
  • Mozilla Firefox 139.0
  • WebKit 18.5

This version was also tested against the following stable channels:

  • Google Chrome 137
  • Microsoft Edge 137

v1.52.0

Compare Source

Highlights

  • New method expect(locator).toContainClass() to ergonomically assert individual class names on the element.

    await expect(page.getByRole('listitem', { name: 'Ship v1.52' })).toContainClass('done');

  • Aria Snapshots got two new properties: /children for strict matching and /url for links.

    await expect(locator).toMatchAriaSnapshot(`
  - list
    - /children: equal
    - listitem: Feature A
    - listitem:
      - link "Feature B":
        - /url: "https://playwright.dev"
`);

Test Runner

  • New property testProject.workers allows to specify the number of concurrent worker processes to use for a test project. The global limit of property testConfig.workers still applies.
  • New testConfig.failOnFlakyTests option to fail the test run if any flaky tests are detected, similarly to --fail-on-flaky-tests. This is useful for CI/CD environments where you want to ensure that all tests are stable before deploying.
  • New property testResult.annotations contains annotations for each test retry.

Miscellaneous

  • New option maxRedirects in apiRequest.newContext() to control the maximum number of redirects.
  • HTML reporter now supports NOT filtering via !@​my-tag or !my-file.spec.ts or !p:my-project.

Breaking Changes

  • Changes to glob URL patterns in methods like page.route():
    • ? wildcard is not supported any more, it will always match question mark ? character.
    • Ranges/sets [] are not supported anymore. We recommend using regular expressions instead.
  • Method route.continue() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.addCookies().
  • macOS 13 is now deprecated and will no longer receive WebKit updates. Please upgrade to a more recent macOS version to continue benefiting from the latest WebKit improvements.

Browser Versions

  • Chromium 136.0.7103.25
  • Mozilla Firefox 137.0
  • WebKit 18.4

This version was also tested against the following stable channels:

  • Google Chrome 135
  • Microsoft Edge 135

v1.51.1

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/35093 - [Regression]: TimeoutOverflowWarning: 2149630.634 does not fit into a 32-bit signed integer
https://github.com/microsoft/playwright/issues/35138 - [Regression]: TypeError: Cannot read properties of undefined (reading 'expectInfo')

Browser Versions

  • Chromium 134.0.6998.35
  • Mozilla Firefox 135.0
  • WebKit 18.4

This version was also tested against the following stable channels:

  • Google Chrome 133
  • Microsoft Edge 133

v1.51.0

Compare Source

StorageState for indexedDB

  • New option indexedDB for browserContext.storageState() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.

    Here is an example following the authentication guide:

    // tests/auth.setup.ts
import { test as setup, expect } from '@​playwright/test';
import path from 'path';

const authFile = path.join(__dirname, '../playwright/.auth/user.json');

setup('authenticate', async ({ page }) => {
  await page.goto('/');
  // ... perform authentication steps ...

  // make sure to save indexedDB
  await page.context().storageState({ path: authFile, indexedDB: true });
});

Copy prompt

New "Copy prompt" button on errors in the HTML report, trace viewer and UI mode. Click to copy a pre-filled LLM prompt that contains the error message and useful context for fixing the error.

Copy prompt

Filter visible elements

New option visible for locator.filter() allows matching only visible elements.

// example.spec.ts
test('some test', async ({ page }) => {
  // Ignore invisible todo items.
  const todoItems = page.getByTestId('todo-item').filter({ visible: true });
  // Check there are exactly 3 visible ones.
  await expect(todoItems).toHaveCount(3);
});

Git information in HTML report

Set option testConfig.captureGitInfo to capture git information into testConfig.metadata.

// playwright.config.ts
import { defineConfig } from '@​playwright/test';

export default defineConfig({
  captureGitInfo: { commit: true, diff: true }
});

HTML report will show this information when available:

Git information in the report

Test Step improvements

A new TestStepInfo object is now available in test steps. You can add step attachments or skip the step under some conditions.

test('some test', async ({ page, isMobile }) => {
  // Note the new "step" argument:
  await test.step('here is my step', async step => {
    step.skip(isMobile, 'not relevant on mobile layouts');

    // ...
    await step.attach('my attachment', { body: 'some text' });
    // ...
  });
});

Miscellaneous

Browser Versions

  • Chromium 134.0.6998.35
  • Mozilla Firefox 135.0
  • WebKit 18.4

This version was also tested against the following stable channels:

  • Google Chrome 133
  • Microsoft Edge 133

v1.50.1

Compare Source

Highlights

https://github.com/microsoft/playwright/issues/34483 - [Feature]: single aria snapshot for different engines/browsershttps://github.com/microsoft/playwright/issues/344977 - [Bug]: Firefox not handling keepalive: true fetch requesthttps://github.com/microsoft/playwright/issues/3450404 - [Bug]: update snapshots not creating good difhttps://github.com/microsoft/playwright/issues/34507507 - [Bug]: snapshotPathTemplate doesnt work when multiple projehttps://github.com/microsoft/playwright/issues/344624462 - [Bug]: updateSnapshots "changed" throws an error

Browser Versions

  • Chromium 133.0.6943.16
  • Mozilla Firefox 134.0
  • WebKit 18.2

This version was also tested against the following stable channels:

  • Google Chrome 132
  • Microsoft Edge 132

v1.50.0

Compare Source

Test runner

  • New option timeout allows specifying a maximum run time for an individual test step. A timed-out step will fail the execution of the test.

    test('some test', async ({ page }) => {
  await test.step('a step', async () => {
    // This step can time out separately from the test
  }, { timeout: 1000 });
});

  • New method test.step.skip() to disable execution of a test step.

    test('some test', async ({ page }) => {
  await test.step('before running step', async () => {
    // Normal step
  });

  await test.step.skip('not yet ready', async () => {
    // This step is skipped
  });

  await test.step('after running step', async () => {
    // This step still runs even though the previous one was skipped
  });
});

  • Expanded expect(locator).toMatchAriaSnapshot() to allow storing of aria snapshots in separate YAML files.

  • Added method expect(locator).toHaveAccessibleErrorMessage() to assert the Locator points to an element with a given aria errormessage.

  • Option testConfig.updateSnapshots added the configuration enum changed. changed updates only the snapshots that have changed, whereas all now updates all snapshots, regardless of whether there are any differences.

  • New option testConfig.updateSourceMethod defines the way source code is updated when testConfig.updateSnapshots is configured. Added overwrite and 3-way modes that write the changes into source code, on top of existing patch mode that creates a patch file.

    npx playwright test --update-snapshots=changed --update-source-method=3way

  • Option testConfig.webServer added a gracefulShutdown field for specifying a process kill signal other than the default SIGKILL.

  • Exposed testStep.attachments from the reporter API to allow retrieval of all attachments created by that step.

  • New option pathTemplate for toHaveScreenshot and toMatchAriaSnapshot assertions in the testConfig.expect configuration.

UI updates

  • Updated default HTML reporter to improve display of attachments.
  • New button for picking elements to produce aria snapshots.
  • Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
  • Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
  • Call and Network panels now display additional time information.

Breaking

Browser Versions

  • Chromium 133.0.6943.16
  • Mozilla Firefox 134.0
  • WebKit 18.2

This version was also tested against the following stable channels:

  • Google Chrome 132
  • Microsoft Edge 132

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@svc-secops svc-secops enabled auto-merge (squash) October 20, 2025 15:19
@changeset-bot
Copy link

changeset-bot bot commented Oct 20, 2025

⚠️ No Changeset found

Latest commit: 2b7a896

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@svc-secops
Copy link
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
/usr/local/bin/node: line 19: 13467 Killed                  /opt/containerbase/tools/node/22.16.0/bin/node "$@"

@netlify
Copy link

netlify bot commented Oct 20, 2025
edited
Loading

Deploy Preview for graphql-testing-library canceled.

Name Link
🔨 Latest commit 2b7a896
🔍 Latest deploy log https://app.netlify.com/projects/graphql-testing-library/deploys/68f652f5d4e6b30008a7c563

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🎄 dependencies vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@svc-secops