build(deps-dev): bump @playwright/cli from 0.1.1 to 0.1.7

[dependabot]

Bumps @playwright/cli from 0.1.1 to 0.1.7.

Release notes

Sourced from @​playwright/cli's releases.

v0.1.7

What's Changed

Fixes

• snapshot: resolve element refs correctly so snapshots taken after navigation no longer fail to look up references (microsoft/playwright#40114)
• kill-all: match the current cliDaemon.js process so playwright-cli kill-all actually terminates running daemons (microsoft/playwright#40165)

v0.1.6

Bug Fixes

• Dashboard: current workspace sessions are shown first and expanded — fixes ordering and expansion of the current workspace group in playwright-cli show when running outside a workspace.

v0.1.5

What's New

Pipe CLI Output with --raw

The new global --raw flag strips page status, generated code, and snapshot sections from the output, returning only the result value. Use it to pipe command output into other tools:

playwright-cli --raw eval "JSON.stringify(performance.timing)" | jq '.loadEventEnd - .navigationStart'
playwright-cli --raw eval "JSON.stringify([...document.querySelectorAll('a')].map(a => a.href))" > links.json
TOKEN=$(playwright-cli --raw cookie-get session_id)
playwright-cli --raw localstorage-get theme
playwright-cli --raw snapshot > before.yml
playwright-cli click e5
playwright-cli --raw snapshot > after.yml
diff before.yml after.yml

Commands that don't produce output return nothing.

---

Attach to Browser via CDP

The attach command now supports connecting to an existing browser via a CDP endpoint URL:

playwright-cli attach --cdp=http://localhost:9222

This makes it easy for coding agents to connect to a browser that's already running (e.g. a dev browser or a remote debugging target) without launching a new one.

---

attach --extension Replaces open --extension

... (truncated)

Commits

• 1a3b1f3 chore: mark v0.1.7 (#357)
• 4282eb9 chore: roll Playwright to 1.60.0-alpha-1775951570000 (#356)
• 5f8ca8b chore: roll Playwright to 1.60.0-alpha-1775931579000 (#355)
• 278fcad chore: mark v0.1.6 (#349)
• 3f43390 chore: roll Playwright to 1.60.0-alpha-1775584683000 (#348)
• a0d5bfd chore: mark v0.1.5 (#342)
• a16657b chore: roll Playwright to 1.60.0-alpha-1775237291000 (#341)
• 4a11584 chore: mark v0.1.4 (#334)
• 084d0c0 chore: mark v0.1.3 (#333)
• 497e857 chore: roll Playwright to 1.60.0-alpha-1774999321000 (#332)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Low Risk
Low risk dependency-only update affecting dev tooling/testing; potential impact is limited to Playwright CLI behavior and snapshot/test tooling.

Overview
Bumps dev dependency @playwright/cli from 0.1.1 to 0.1.7 in package.json and updates package-lock.json to pull the newer CLI along with its bundled playwright/playwright-core alpha version.

Lockfile resolution also refreshes a GitHub dev dependency reference for @duckduckgo/design-tokens to v0.17.0.

^{Reviewed by Cursor Bugbot for commit 66797b0. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[github-actions]

Build Branch

Branch	pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7
Commit	7062cc4d33
Updated	April 13, 2026 at 11:36:18 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#7062cc4d33cfd9ca7b719d54c4f091b5e1c53dd7

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "7062cc4d33cfd9ca7b719d54c4f091b5e1c53dd7")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.7
git -C submodules/content-scope-scripts checkout 7062cc4d33cfd9ca7b719d54c4f091b5e1c53dd7

[cursor]

Web Compatibility Assessment

• package.json (devDependencies, around lines 41-44) — severity: info. @playwright/cli is bumped from ^0.1.1 to ^0.1.7; this is build/test tooling only and does not modify injected runtime APIs, wrappers, feature lifecycle hooks, or platform entry-point behavior.
• package-lock.json (root devDependencies, around lines 18-25; Playwright tree around lines 1546-1589) — severity: info. Lockfile updates are confined to Playwright CLI/tooling transitive packages (playwright, playwright-core) and do not alter web-exposed API shims, descriptor behavior, prototype patches, or DOM mutation logic.
• package-lock.json (workspace lock entry around line 10888) — severity: warning. The lockfile also changes @duckduckgo/design-tokens resolution text (#<commit> -> #v0.17.0) without a corresponding package.json change in this PR. This is likely lockfile normalization, but it is unrelated dependency drift and should be confirmed to avoid hidden behavior changes in special-pages build assets.

Security Assessment

• package.json and package-lock.json changed only — severity: info. No modifications to captured-globals, wrapper utilities, DDGProxy, message bridge, origin validation, or feature config gating paths; therefore no direct new content-script attack surface was introduced.
• package-lock.json Playwright transitive updates — severity: info. These remain dev dependencies (tooling path), so there is no direct page-context execution risk in shipped injections. Residual risk is limited to CI/local toolchain supply-chain exposure, mitigated by lockfile pinning.

Risk Level

Low Risk — the PR is dependency/tooling-only and does not touch any injected runtime code paths that affect web compatibility or in-page security boundaries.

Recommendations

1. Validate whether the @duckduckgo/design-tokens lockfile delta resolves to the same artifact; if not intentional, revert or split it into a dedicated dependency PR.
2. Keep this PR scoped to tooling updates and ensure CI executes at least unit tests plus existing Playwright smoke/integration coverage to catch any runner-level regressions.
3. No additional web-compat/security runtime tests are required for injected feature logic since no runtime files changed.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Findings

1. Medium: @playwright/cli appears unused by this repository’s build/test pipeline, so this update increases supply-chain surface without local coverage.
   Evidence: repo-wide search only finds this package in manifests/lockfile and internal skill docs; no usage in scripts or .github/workflows.

2. Low: this bump also upgrades the nested playwright/playwright-core bundle from 1.59.0-alpha-* to 1.60.0-alpha-* under @playwright/cli.
   Evidence: package-lock.json diff updates node_modules/@playwright/cli/node_modules/playwright and playwright-core versions.
   Risk: behavior drift in CLI-only workflows plus additional alpha-code footprint.

Uncertain / Requires Validation

• If any external automation relies on playwright-cli (outside repo scripts/workflows), removing it could break those paths.
• There is no in-repo test coverage that directly exercises playwright-cli; validation has to come from the external workflow(s) that invoke it.

Follow-up Fix PR

I did not open a separate fix PR yet because the safe fix depends on whether external workflows require playwright-cli.
If confirmed unused, the recommended fix is a follow-up PR removing @playwright/cli from root devDependencies to reduce attack surface.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

This update pulls in a newer alpha Playwright build under @playwright/cli (1.59.0-alpha-* -> 1.60.0-alpha-*). Since alpha CLI internals can change quickly, please confirm there is a workflow-level validation path for playwright-cli commands (no direct repo test coverage found).

[jonathanKingston]

@noisysocks do we need the dependency here or will your skill work without?

[dependabot]

Superseded by #2643.