chore(deps): update dependency playwright to v1.55.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
playwright (source)	1.47.2 -> 1.55.1

GitHub Vulnerability Alerts

CVE-2025-59288

Summary

Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications.

Details

The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate:

• packages/playwright-core/bin/reinstall_chrome_beta_mac.sh
• packages/playwright-core/bin/reinstall_chrome_stable_mac.sh
• packages/playwright-core/bin/reinstall_msedge_dev_mac.sh
• packages/playwright-core/bin/reinstall_msedge_beta_mac.sh
• packages/playwright-core/bin/reinstall_msedge_stable_mac.sh

In each case, the shell scripts download a browser installer package using curl -k and immediately install it:

curl --retry 3 -o ./<pkg-file> -k <url>
sudo installer -pkg /tmp/<pkg-file> -target /

Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content.

PoC

A high-level exploitation scenario:

1. An attacker performs a MitM attack on a network where the victim runs one of these scripts.
2. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer).
3. Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation.
4. The attacker's code is executed with system privileges, leading to full compromise.

No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough.

Impact

This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments.

Fix

• microsoft/playwright@72c62d8
• https://github.com/microsoft/playwright/pull/37532
• https://github.com/microsoft/playwright/releases/tag/v1.56.0

Credit

• This vulnerability was uncovered by tooling by Socket
• This vulnerability was confirmed by @​evilpacket
• This vulnerability was reported by @​JLLeitschuh at Socket

Disclosure

• September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8
• September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854
• September 11th, 2025 - Microsoft closed report as "Complete - N/A"
• September 18th, 2025 - Following a LinkedIn Post

---

Release Notes

microsoft/playwright (playwright)

v1.55.1

Compare Source

Highlights

#​37479 - [Bug]: Upgrade Chromium to 140.0.7339.186.
#​37147 - [Regression]: Internal error: step id not found.
#​37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects.
#​37137 - Revert "fix(a11y): track inert elements as hidden".
#​37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

Compare Source

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.54.2

Compare Source

Highlights

#​36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error)
#​36828 - [Regression]: Playwright Codegen keeps spamming with selected option
#​36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.1

Compare Source

Highlights

#​36650 - [Regression]: 1.54.0 breaks downloading browsers when an HTTP(S) proxy is used

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.54.0

Compare Source

Highlights

• New cookie property partitionKey in browserContext.cookies() and browserContext.addCookies(). This property allows to save and restore partitioned cookies. See CHIPS MDN article for more information. Note that browsers have different support and defaults for cookie partitioning.

• New option noSnippets to disable code snippets in the html report.

  import { defineConfig } from '@​playwright/test';
  
  export default defineConfig({
    reporter: [['html', { noSnippets: true }]]
  });

• New property location in test annotations, for example in testResult.annotations and testInfo.annotations. It shows where the annotation like test.skip or test.fixme was added.

Command Line

• New option --user-data-dir in multiple commands. You can specify the same user data dir to reuse browsing state, like authentication, between sessions.

  npx playwright codegen --user-data-dir=./user-data

• Option -gv has been removed from the npx playwright test command. Use --grep-invert instead.

• npx playwright open does not open the test recorder anymore. Use npx playwright codegen instead.

Miscellaneous

• Support for Node.js 16 has been removed.
• Support for Node.js 18 has been deprecated, and will be removed in the future.

Browser Versions

• Chromium 139.0.7258.5
• Mozilla Firefox 140.0.2
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 140
• Microsoft Edge 140

v1.53.2

Compare Source

Highlights

#​36317 - [Regression]: Merging pre-1.53 blob reports loses attachments
#​36357 - [Regression (Chromium)]: CDP missing trailing slash
#​36292 - [Bug (MSEdge)]: Edge fails to launch when using msRelaunchNoCompatLayer

Browser Versions

• Chromium 138.0.7204.23
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.53.1

Compare Source

Highlights

#​36339 - [Regression]: Click can fail when scrolling required
#​36307 - [Regression (Chromium)]: Under some scenarios filling a textarea doesn't fill
#​36294 - [Regression (Firefox)]: setViewportSize times out
#​36350 - [Fix]: Display HTTP method for fetch trace entries

Browser Versions

• Chromium 138.0.7204.23
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.53.0

Compare Source

Trace Viewer and HTML Reporter Updates

• New Steps in Trace Viewer and HTML reporter:

• New option in 'html' reporter to set the title of a specific test run:

  import { defineConfig } from '@​playwright/test';
  
  export default defineConfig({
    reporter: [['html', { title: 'Custom test run #​1028' }]]
  });

Miscellaneous

• New option kind in testInfo.snapshotPath() controls which snapshot path template is used.

• New method locator.describe() to describe a locator. Used for trace viewer and reports.

  const button = page.getByTestId('btn-sub').describe('Subscribe button');
  await button.click();

• npx playwright install --list will now list all installed browsers, versions and locations.

Browser Versions

• Chromium 138.0.7204.4
• Mozilla Firefox 139.0
• WebKit 18.5

This version was also tested against the following stable channels:

• Google Chrome 137
• Microsoft Edge 137

v1.52.0

Compare Source

Highlights

• New method expect(locator).toContainClass() to ergonomically assert individual class names on the element.

  await expect(page.getByRole('listitem', { name: 'Ship v1.52' })).toContainClass('done');

• Aria Snapshots got two new properties: /children for strict matching and /url for links.

  await expect(locator).toMatchAriaSnapshot(`
    - list
      - /children: equal
      - listitem: Feature A
      - listitem:
        - link "Feature B":
          - /url: "https://playwright.dev"
  `);

Test Runner

• New property testProject.workers allows to specify the number of concurrent worker processes to use for a test project. The global limit of property testConfig.workers still applies.
• New testConfig.failOnFlakyTests option to fail the test run if any flaky tests are detected, similarly to --fail-on-flaky-tests. This is useful for CI/CD environments where you want to ensure that all tests are stable before deploying.
• New property testResult.annotations contains annotations for each test retry.

Miscellaneous

• New option maxRedirects in apiRequest.newContext() to control the maximum number of redirects.
• HTML reporter now supports NOT filtering via !@​my-tag or !my-file.spec.ts or !p:my-project.

Breaking Changes

• Changes to glob URL patterns in methods like page.route():
  • ? wildcard is not supported any more, it will always match question mark ? character.
  • Ranges/sets [] are not supported anymore. We recommend using regular expressions instead.
• Method route.continue() does not allow to override the Cookie header anymore. If a Cookie header is provided, it will be ignored, and the cookie will be loaded from the browser's cookie store. To set custom cookies, use browserContext.addCookies().
• macOS 13 is now deprecated and will no longer receive WebKit updates. Please upgrade to a more recent macOS version to continue benefiting from the latest WebKit improvements.

Browser Versions

• Chromium 136.0.7103.25
• Mozilla Firefox 137.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 135
• Microsoft Edge 135

v1.51.1

Compare Source

Highlights

#​35093 - [Regression]: TimeoutOverflowWarning: 2149630.634 does not fit into a 32-bit signed integer
#​35138 - [Regression]: TypeError: Cannot read properties of undefined (reading 'expectInfo')

Browser Versions

• Chromium 134.0.6998.35
• Mozilla Firefox 135.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 133
• Microsoft Edge 133

v1.51.0

Compare Source

StorageState for indexedDB

• New option indexedDB for browserContext.storageState() allows to save and restore IndexedDB contents. Useful when your application uses IndexedDB API to store authentication tokens, like Firebase Authentication.

  Here is an example following the authentication guide:

  // tests/auth.setup.ts
  import { test as setup, expect } from '@​playwright/test';
  import path from 'path';
  
  const authFile = path.join(__dirname, '../playwright/.auth/user.json');
  
  setup('authenticate', async ({ page }) => {
    await page.goto('/');
    // ... perform authentication steps ...
  
    // make sure to save indexedDB
    await page.context().storageState({ path: authFile, indexedDB: true });
  });

Copy prompt

New "Copy prompt" button on errors in the HTML report, trace viewer and UI mode. Click to copy a pre-filled LLM prompt that contains the error message and useful context for fixing the error.

Filter visible elements

New option visible for locator.filter() allows matching only visible elements.

// example.spec.ts
test('some test', async ({ page }) => {
  // Ignore invisible todo items.
  const todoItems = page.getByTestId('todo-item').filter({ visible: true });
  // Check there are exactly 3 visible ones.
  await expect(todoItems).toHaveCount(3);
});

Git information in HTML report

Set option testConfig.captureGitInfo to capture git information into testConfig.metadata.

// playwright.config.ts
import { defineConfig } from '@​playwright/test';

export default defineConfig({
  captureGitInfo: { commit: true, diff: true }
});

HTML report will show this information when available:

Test Step improvements

A new TestStepInfo object is now available in test steps. You can add step attachments or skip the step under some conditions.

test('some test', async ({ page, isMobile }) => {
  // Note the new "step" argument:
  await test.step('here is my step', async step => {
    step.skip(isMobile, 'not relevant on mobile layouts');

    // ...
    await step.attach('my attachment', { body: 'some text' });
    // ...
  });
});

Miscellaneous

• New option contrast for methods page.emulateMedia() and browser.newContext() allows to emulate the prefers-contrast media feature.
• New option failOnStatusCode makes all fetch requests made through the APIRequestContext throw on response codes other than 2xx and 3xx.
• Assertion expect(page).toHaveURL() now supports a predicate.

Browser Versions

• Chromium 134.0.6998.35
• Mozilla Firefox 135.0
• WebKit 18.4

This version was also tested against the following stable channels:

• Google Chrome 133
• Microsoft Edge 133

v1.50.1

Compare Source

Highlights

#​34483 - [Feature]: single aria snapshot for different engines/browsers
#​34497 - [Bug]: Firefox not handling keepalive: true fetch requests
#​34504 - [Bug]: update snapshots not creating good diffs
#​34507 - [Bug]: snapshotPathTemplate doesnt work when multiple projects
#​34462 - [Bug]: updateSnapshots "changed" throws an error

Browser Versions

• Chromium 133.0.6943.16
• Mozilla Firefox 134.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 132
• Microsoft Edge 132

v1.50.0

Compare Source

Test runner

• New option timeout allows specifying a maximum run time for an individual test step. A timed-out step will fail the execution of the test.

  test('some test', async ({ page }) => {
    await test.step('a step', async () => {
      // This step can time out separately from the test
    }, { timeout: 1000 });
  });

• New method test.step.skip() to disable execution of a test step.

  test('some test', async ({ page }) => {
    await test.step('before running step', async () => {
      // Normal step
    });
  
    await test.step.skip('not yet ready', async () => {
      // This step is skipped
    });
  
    await test.step('after running step', async () => {
      // This step still runs even though the previous one was skipped
    });
  });

• Expanded expect(locator).toMatchAriaSnapshot() to allow storing of aria snapshots in separate YAML files.

• Added method expect(locator).toHaveAccessibleErrorMessage() to assert the Locator points to an element with a given aria errormessage.

• Option testConfig.updateSnapshots added the configuration enum changed. changed updates only the snapshots that have changed, whereas all now updates all snapshots, regardless of whether there are any differences.

• New option testConfig.updateSourceMethod defines the way source code is updated when testConfig.updateSnapshots is configured. Added overwrite and 3-way modes that write the changes into source code, on top of existing patch mode that creates a patch file.

  npx playwright test --update-snapshots=changed --update-source-method=3way

• Option testConfig.webServer added a gracefulShutdown field for specifying a process kill signal other than the default SIGKILL.

• Exposed testStep.attachments from the reporter API to allow retrieval of all attachments created by that step.

• New option pathTemplate for toHaveScreenshot and toMatchAriaSnapshot assertions in the testConfig.expect configuration.

UI updates

• Updated default HTML reporter to improve display of attachments.
• New button for picking elements to produce aria snapshots.
• Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
• Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
• Call and Network panels now display additional time information.

Breaking

• expect(locator).toBeEditable() and locator.isEditable() now throw if the target element is not <input>, <select>, or a number of other editable elements.
• Option testConfig.updateSnapshots now updates all snapshots when set to all, rather than only the failed/changed snapshots. Use the new enum changed to keep the old functionality of only updating the changed snapshots.

Browser Versions

• Chromium 133.0.6943.16
• Mozilla Firefox 134.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 132
• Microsoft Edge 132

v1.49.1

Compare Source

Highlights

#​33802 - [Bug]: Codegen's Clear button doesn't work if not recording
#​33806 - [Bug]: playwright hangs while waiting for pending navigations
#​33787 - [Bug]: VSC extension isn't capturing all entered text
#​33788 - [Regression]: Double clicking the steps in trace viewer doesn't filter actions
#​33772 - [Bug]: aria_snapshot generates invalid yaml when combined with an aria-label attribut
#​33791 - [Bug]: text input with number value raises "container is not iterable" with to_match_aria_snapshot
#​33644 - [Bug]: getByRole can't find element with the accessible name from label element when aria-labelledby is not valid
#​33660 - [Regression]: Unable to open Playwright UI in Dark Mode

Browser Versions

• Chromium 131.0.6778.33
• Mozilla Firefox 132.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 130
• Microsoft Edge 130

v1.49.0

Compare Source

Aria snapshots

New assertion expect(locator).toMatchAriaSnapshot() verifies page structure by comparing to an expected accessibility tree, represented as YAML.

await page.goto('https://playwright.dev');
await expect(page.locator('body')).toMatchAriaSnapshot(`
  - banner:
    - heading /Playwright enables reliable/ [level=1]
    - link "Get started"
    - link "Star microsoft/playwright on GitHub"
  - main:
    - img "Browsers (Chromium, Firefox, WebKit)"
    - heading "Any browser • Any platform • One API"
`);

You can generate this assertion with Test Generator and update the expected snapshot with --update-snapshots command line flag.

Learn more in the aria snapshots guide.

Test runner

• New option testConfig.tsconfig allows to specify a single tsconfig to be used for all tests.
• New method test.fail.only() to focus on a failing test.
• Options testConfig.globalSetup and testConfig.globalTeardown now support multiple setups/teardowns.
• New value 'on-first-failure' for testOptions.screenshot.
• Added "previous" and "next" buttons to the HTML report to quickly switch between test cases.
• New properties testInfoError.cause and testError.cause mirroring Error.cause.

Breaking: channels chrome, msedge and similar switch to new headless

This change affects you if you're using one of the following channels in your playwright.config.ts:

• chrome, chrome-dev, chrome-beta, or chrome-canary
• msedge, msedge-dev, msedge-beta, or msedge-canary

What do I need to do?

After updating to Playwright v1.49, run your test suite. If it still passes, you're good to go. If not, you will probably need to update your snapshots, and adapt some of your test code around PDF viewers and extensions. See issue #​33566 for more details.

Other breaking changes

• There will be no more updates for WebKit on Ubuntu 20.04 and Debian 11. We recommend updating your OS to a later version.
• Package @playwright/experimental-ct-vue2 will no longer be updated.
• Package @playwright/experimental-ct-solid will no longer be updated.

Try new Chromium headless

You can opt into the new headless mode by using 'chromium' channel. As official Chrome documentation puts it:

New Headless on the other hand is the real Chrome browser, and is thus more authentic, reliable, and offers more features. This makes it more suitable for high-accuracy end-to-end web app testing or browser extension testing.

See issue #​33566 for the list of possible breakages you could encounter and more details on Chromium headless. Please file an issue if you see any problems after opting in.

import { defineConfig, devices } from '@​playwright/test';

export default defineConfig({
  projects: [
    {
      name: 'chromium',
      use: { ...devices['Desktop Chrome'], channel: 'chromium' },
    },
  ],
});

Miscellaneous

• <canvas> elements inside a snapshot now draw a preview.
• New method tracing.group() to visually group actions in the trace.
• Playwright docker images switched from Node.js v20 to Node.js v22 LTS.

Browser Versions

• Chromium 131.0.6778.33
• Mozilla Firefox 132.0
• WebKit 18.2

This version was also tested against the following stable channels:

• Google Chrome 130
• Microsoft Edge 130

v1.48.2

Compare Source

Highlights

#​33141 - [Bug]: UI Mode crashed
#​33219 - [BUG] Trace Viewer PWA crashes with "Aw, Snap!"
#​33086 - [Bug]: UI Mode Memory problem
#​33000 - [Regression]: Inspector and Browser doesn't close on CTRL+C
#​33204 - [Bug]: Chrome tab and inspector not closing after terminating session in terminal

Browser Versions

• Chromium 130.0.6723.19
• Mozilla Firefox 130.0
• WebKit 18.0

This version was also tested against the following stable channels:

• Google Chrome 129
• Microsoft Edge 129

v1.48.1

Compare Source

Highlights

#​33023 - [Bug]: command line flag --headed has no effect in ui mode
#​33107 - [REGRESSION]: page.waitForRequest does not get resolved since 1.48.0
#​33085 - [Bug]: WebSocket route does not handle full URLs in Playwright
#​33052 - [Regression]: Inspector not showing recorded steps
#​33132 - [Bug]: Wrong Ubuntu release name in Dockerfile.noble
#​32996 - [BUG] Trace attachments have small unusable height

Browser Versions

• Chromium 130.0.6723.19
• Mozilla Firefox 130.0
• WebKit 18.0

This version was also tested against the following stable channels:

• Google Chrome 129
• Microsoft Edge 129

v1.48.0

Compare Source

WebSocket routing

New methods page.routeWebSocket() and browserContext.routeWebSocket() allow to intercept, modify and mock WebSocket connections initiated in the page. Below is a simple example that mocks WebSocket communication by responding to a "request" with a "response".

await page.routeWebSocket('/ws', ws => {
  ws.onMessage(message => {
    if (message === 'request')
      ws.send('response');
  });
});

See WebSocketRoute for more details.

UI updates

• New "copy" buttons for annotations and test location in the HTML report.
• Route method calls like route.fulfill() are not shown in the report and trace viewer anymore. You can see which network requests were routed in the network tab instead.
• New "Copy as cURL" and "Copy as fetch" buttons for requests in the network tab.

Miscellaneous

• Option form and similar ones now accept FormData.
• New method page.requestGC() may help detect memory leaks.
• New option location to pass custom step location.
• Requests made by APIRequestContext now record detailed timing and security information in the HAR.

Browser Versions

• Chromium 130.0.6723.19
• Mozilla Firefox 130.0
• WebKit 18.0

This version was also tested against the following stable channels:

• Google Chrome 129
• Microsoft Edge 129

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c7a07d2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@sec-ant/readable-stream@96

commit: c7a07d2