chore(deps): update dependency playwright to v1.55.1 [security]

[ZxBot]

This PR contains the following updates:

Package	Type	Update	Change
playwright (source)	devDependencies	minor	1.49.0 -> 1.55.1

GitHub Vulnerability Alerts

CVE-2025-59288

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

• packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
• packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
• packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
• packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
• packages/playwright-core/bin/reinstall_msedge_stable_mac.sh

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

• microsoft/playwright@72c62d8
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/releases/tag/v1.56.0

Credit

• This vulnerability was uncovered by tooling by Socket
• This vulnerability was confirmed by @​evilpacket
• This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

• September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
• September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
• September 11th, 2025 - Microsoft closed report as "Complete - N/A"
• September 18th, 2025 - Following a LinkedIn Post

---

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".
#​37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

Compare Source

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.54.2

Compare Source

Highlights

#​36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)
#​36828 - [Regression]: Playwright Codegen keeps spamming with selected option
#​36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.1

Compare Source

Highlights

#​36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.0

Compare Source

Highlights

• New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.

• New option noSnippets to disable code snippets in the html report.

  import { defineConfig } from '@​playwright/test';
  
  export default defineConfig({
    reporter: [['html', { noSnippets: true }]]
  });

• New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.

Command Line

• New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.

  npx playwright codegen --user-data-dir=./user-data

• Option -gv has been removed from the npx playwright test command. Use --grep-invert instead.

• npx playwright open does not open the test recorder anymore. Use npx playwright codegen instead.

Miscellaneous

• Support for Node.js 16 has been removed.
• Support for Node.js 18 has been deprecated, and will be removed in the future.

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.53.2

Compare Source

Highlights

#​36317 - [Regression]: Merging pre-1.53 blob reports loses attachments
#​36357 - [Regression (Chromium)]: CDP missing trailing slash
#​36292 - [Bug (MSEdge)]: Edge fails to launch when using msRelaunchNoCompatLayer

Browser Versions

• Chromium 138.0.7204.23
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.53.1

Compare Source

Highlights

#​36339 - [Regression]: Click can fail when scrolling required
#​36307 - [Regression (Chromium)]: Under some scenarios filling a textarea doesn't fill
#​36294 - [Regression (Firefox)]: setViewportSize times out
#​36350 - [Fix]: Display HTTP method for fetch trace entries

Browser Versions

• Chromium 138.0.7204.23
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.53.0

Compare Source

Trace Viewer and HTML Reporter Updates

• New Steps in Trace Viewer and HTML reporter:

• New option in 'html' reporter to set the title of a specific test run:

  import { defineConfig } from '@​playwright/test';
  
  export default defineConfig({
    reporter: [['html', { title: 'Custom test run #​1028' }]]
  });

Miscellaneous

• New option kind in testInfo.snapshotPath() controls which snapshot path template is used.

• New method locator.describe() to describe a locator. Used for trace viewer and reports.

  const button = page.getByTestId('btn-sub').describe('Subscribe button');
  await button.click();

• npx playwright install --list will now list all installed browsers, versions and locations.

Browser Versions

• Chromium 138.0.7204.4
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.52.0

Compare Source

Highlights

• New method expect(locator).toContainClass() to ergonomically assert individual class names on the element.

  await expect(page.getByRole('listitem', { name: 'Ship v1.52' })).toContainClass('done');

• Aria Snapshots got two new properties: /children for strict matching and /url for links.

  await expect(locator).toMatchAriaSnapshot(`
    - list
      - /children: equal
      - listitem: Feature A
      - listitem:
        - link "Feature B":
          - /url: "https://playwright.dev"
  `);

Test Runner

• New property testProject.workers allows to specify the number of concurrent worker processes to use for a test project. The global limit of property testConfig.workers still applies.
• New testConfig.failOnFlakyTests option to fail the test run if any flaky tests are detected, similarly to --fail-on-flaky-tests. This is useful for CI/CD environments where you want to ensure that all tests are stable before deploying.
• New property testResult.annotations contains annotations for each test retry.

Miscellaneous

• New option maxRedirects in apiRequest.newContext() to control the maximum number of redirects.
• HTML reporter now supports NOT filtering via !@​my-tag or !my-file.spec.ts or !p:my-project.

Breaking Changes

• Changes to glob URL patterns in methods like page.route():
  • ? wildcard is not supported any more, it will always match question mark ? character.
  • Ranges/sets [] are not supported anymore. We recommend using regular expressions instead.
• Method route.continue() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.addCookies().
• macOS 13 is now deprecated and will no longer receive WebKit updates. Please upgrade to a more recent macOS version to continue benefiting from the latest WebKit improvements.

Browser Versions

• Chromium 136.0.7103.25
• Mozilla Firefox 137.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 135
• Microsoft Edge 135

v1.51.1

Compare Source

Highlights

#​35093 - [Regression]: TimeoutOverflowWarning: 2149630.634 does not fit into a 32-bit signed integer
#​35138 - [Regression]: TypeError: Cannot read properties of undefined (reading 'expectInfo')

Browser Versions

• Chromium 134.0.6998.35
• Mozilla Firefox 135.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 133
• Microsoft Edge 133

v1.51.0

Compare Source

StorageState for indexedDB

• New option indexedDB for browserContext.storageState() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.

  Here is an example following the authentication guide:

  // tests/auth.setup.ts
  import { test as setup, expect } from '@​playwright/test';
  import path from 'path';
  
  const authFile = path.join(__dirname, '../playwright/.auth/user.json');
  
  setup('authenticate', async ({ page }) => {
    await page.goto('/');
    // ... perform authentication steps ...
  
    // make sure to save indexedDB
    await page.context().storageState({ path: authFile, indexedDB: true });
  });

Copy prompt

New "Copy prompt" button on errors in the HTML report, trace viewer and UI mode. Click to copy a pre-filled LLM prompt that contains the error message and useful context for fixing the error.

Filter visible elements

New option visible for locator.filter() allows matching only visible elements.

// example.spec.ts
test('some test', async ({ page }) => {
  // Ignore invisible todo items.
  const todoItems = page.getByTestId('todo-item').filter({ visible: true });
  // Check there are exactly 3 visible ones.
  await expect(todoItems).toHaveCount(3);
});

Git information in HTML report

Set option testConfig.captureGitInfo to capture git information into testConfig.metadata.

// playwright.config.ts
import { defineConfig } from '@​playwright/test';

export default defineConfig({
  captureGitInfo: { commit: true, diff: true }
});

HTML report will show this information when available:

Test Step improvements

A new TestStepInfo object is now available in test steps. You can add step attachments or skip the step under some conditions.

test('some test', async ({ page, isMobile }) => {
  // Note the new "step" argument:
  await test.step('here is my step', async step => {
    step.skip(isMobile, 'not relevant on mobile layouts');

    // ...
    await step.attach('my attachment', { body: 'some text' });
    // ...
  });
});

Miscellaneous

• New option contrast for methods page.emulateMedia() and browser.newContext() allows to emulate the prefers-contrast media feature.
• New option failOnStatusCode makes all fetch requests made through the APIRequestContext throw on response codes other than 2xx and 3xx.
• Assertion expect(page).toHaveURL() now supports a predicate.

Browser Versions

• Chromium 134.0.6998.35
• Mozilla Firefox 135.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 133
• Microsoft Edge 133

v1.50.1

Compare Source

Highlights

#​34483 - [Feature]: single aria snapshot for different engines/browsers
#​34497 - [Bug]: Firefox not handling keepalive: true fetch requests
#​34504 - [Bug]: update snapshots not creating good diffs
#​34507 - [Bug]: snapshotPathTemplate doesnt work when multiple projects
#​34462 - [Bug]: updateSnapshots "changed" throws an error

Browser Versions

• Chromium 133.0.6943.16
• Mozilla Firefox 134.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 132
• Microsoft Edge 132

v1.50.0

Compare Source

Test runner

• New option timeout allows specifying a maximum run time for an individual test step. A timed-out step will fail the execution of the test.

  test('some test', async ({ page }) => {
    await test.step('a step', async () => {
      // This step can time out separately from the test
    }, { timeout: 1000 });
  });

• New method test.step.skip() to disable execution of a test step.

  test('some test', async ({ page }) => {
    await test.step('before running step', async () => {
      // Normal step
    });
  
    await test.step.skip('not yet ready', async () => {
      // This step is skipped
    });
  
    await test.step('after running step', async () => {
      // This step still runs even though the previous one was skipped
    });
  });

• Expanded expect(locator).toMatchAriaSnapshot() to allow storing of aria snapshots in separate YAML files.

• Added method expect(locator).toHaveAccessibleErrorMessage() to assert the Locator points to an element with a given aria errormessage.

• Option testConfig.updateSnapshots added the configuration enum changed. changed updates only the snapshots that have changed, whereas all now updates all snapshots, regardless of whether there are any differences.

• New option testConfig.updateSourceMethod defines the way source code is updated when testConfig.updateSnapshots is configured. Added overwrite and 3-way modes that write the changes into source code, on top of existing patch mode that creates a patch file.

  npx playwright test --update-snapshots=changed --update-source-method=3way

• Option testConfig.webServer added a gracefulShutdown field for specifying a process kill signal other than the default SIGKILL.

• Exposed testStep.attachments from the reporter API to allow retrieval of all attachments created by that step.

• New option pathTemplate for toHaveScreenshot and toMatchAriaSnapshot assertions in the testConfig.expect configuration.

UI updates

• Updated default HTML reporter to improve display of attachments.
• New button for picking elements to produce aria snapshots.
• Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
• Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
• Call and Network panels now display additional time information.

Breaking

• expect(locator).toBeEditable() and locator.isEditable() now throw if the target element is not <input>, <select>, or a number of other editable elements.
• Option testConfig.updateSnapshots now updates all snapshots when set to all, rather than only the failed/changed snapshots. Use the new enum changed to keep the old functionality of only updating the changed snapshots.

Browser Versions

• Chromium 133.0.6943.16
• Mozilla Firefox 134.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 132
• Microsoft Edge 132

v1.49.1

Compare Source

Highlights

#​33802 - [Bug]: Codegen's Clear button doesn't work if not recording
#​33806 - [Bug]: playwright hangs while waiting for pending navigations
#​33787 - [Bug]: VSC extension isn't capturing all entered text
#​33788 - [Regression]: Double clicking the steps in trace viewer doesn't filter actions
#​33772 - [Bug]: aria_snapshot generates invalid yaml when combined with an aria-label attribut
#​33791 - [Bug]: text input with number value raises "container is not iterable" with to_match_aria_snapshot
#​33644 - [Bug]: getByRole can't find element with the accessible name from label element when aria-labelledby is not valid
#​33660 - [Regression]: Unable to open Playwright UI in Dark Mode

Browser Versions

• Chromium 131.0.6778.33
• Mozilla Firefox 132.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 130
• Microsoft Edge 130

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[ZxBot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[ZxBot]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^1.49.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.