build(deps-dev): bump @playwright/cli from 0.1.1 to 0.1.13

[dependabot]

Bumps @playwright/cli from 0.1.1 to 0.1.13.

Release notes

Sourced from @​playwright/cli's releases.

v0.1.13

Fixes

• fix(mcp): forward browser-level CDP commands in extension mode — cookie-list, state-save, and other browser-scoped commands now work when attached via the Chrome extension. (microsoft/playwright#40706)

v0.1.12

Highlights

• Chrome extension now supports multiple tabs (#373 — tab-new, tab-list, etc. work in attach --extension sessions.

• Multi-screenshot UI Review in the dashboard — collect, annotate, and submit several screenshots in one dashboard session, with a sidebar of frames and per-comment highlight.

Fixes

• fix(mcp): recover from page renderer crash — the current tab is reopened automatically when its renderer crashes. (microsoft/playwright#40617)
• fix(mcp): auto-recover when remote browser disconnects mid-session — the next tool call transparently reconnects. (microsoft/playwright#40652)
• fix(mcp): anchor aria-ref regex in target resolution — locators with e\d+ substrings are no longer misclassified. (microsoft/playwright#40610)
• fix(mcp): skip base64 image when filename is provided — explicit-filename screenshots no longer also embed the image in the response. (microsoft/playwright#40577)

v0.1.11

Fixes

• fix(dashboard): handle null viewport in annotate screenshot — playwright-cli annotate against a headed browser launched with viewport: null produced an empty annotated screenshot; the dashboard now falls back to window.innerWidth/innerHeight. (microsoft/playwright#40569)

v0.1.10

Highlights

• Network inspection split into numbered commands (#377) — network is replaced with:

  • requests — numbered list of requests with stable indexes
  • request <num> — full details for one request
  • request-headers <num>, request-body <num>, response-headers <num>, response-body <num> — pipe-friendly part extractors

  Bodies are no longer inlined; pass --filename on any part-command to save the result to a file. (microsoft/playwright#40447, microsoft/playwright#40454)

• Spec-driven testing skill — a new references/spec-driven-testing.md reference guides agents through a plan / generate / heal workflow for driving Playwright tests from a written spec. (microsoft/playwright#40460)

Behavior changes

• Read-only data-fetching commands (cookie-list, cookie-get, localstorage-list, localstorage-get, sessionstorage-list, sessionstorage-get, route-list, request-headers, request-body, response-headers, response-body) now emit raw output by default — no more ### Result wrapper, no --raw needed. (microsoft/playwright#40473)
• Extension mode now ignores the browser section of any loaded config file (both userDataDir and executablePath); only the browser/channel from --browser or PLAYWRIGHT_MCP_BROWSER applies. (microsoft/playwright#40475)
• requests now appends a hint when static requests are filtered out, telling the user to pass --static to see them. (microsoft/playwright#40454)

Fixes

• fix(cli): resolve initPage/initScript paths and surface load errors (#290) — relative initPage / initScript paths from --config files now resolve against the config dir (matching Vite/Vitest/ESLint), and CLI-flag / env-var entries resolve against cwd. Load errors are no longer silently swallowed. (microsoft/playwright#40451)
• fix(mcp): detect extension in non-default Chrome profiles — the --extension preflight now scans every Profile * subdirectory under the user data dir, not just Default. (microsoft/playwright#40471)
• fix(mcp): surface unhandled rejections instead of crashing the server — async errors from user-installed callbacks (e.g. a page.route handler) are now reported on the next tool response instead of tearing down the MCP transport. (microsoft/playwright#40452)

v0.1.9

Highlights

... (truncated)

Commits

• 3a1bafc chore: mark v0.1.13 (#402)
• fba4d99 chore: roll Playwright to 1.61.0-alpha-1778188671000 (#401)
• 695107b chore: mark v0.1.12 (#400)
• a9785a5 chore: roll Playwright to 1.60.0-alpha-1778101408000 (#399)
• fb2a027 fix(deps): declare playwright-core as direct dependency (#397)
• 212b11d chore: mark v0.1.11 (#395)
• ab6ab40 chore(ci): bump checkout/setup-node to Node 24 versions (#394)
• 6b909c5 chore: roll Playwright to 1.60.0-alpha-1777669338000 (#393)
• 8d95174 chore: mark v0.1.10 (#391)
• cb97fa3 chore: roll Playwright to 1.60.0-alpha-1777575331000 (#392)
• Additional commits viewable in compare view

---

Note

Low Risk
Low risk dependency-only update limited to the dev tooling used for Playwright CLI; main application/runtime code is unchanged.

Overview
Updates the dev dependency @playwright/cli from 0.1.1 to 0.1.13 in package.json and package-lock.json.

The lockfile refresh also pulls in newer bundled Playwright alpha versions and adds playwright-core as a direct dependency of the CLI package.

^{Reviewed by Cursor Bugbot for commit c07645f. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[github-actions]

Build Branch

Branch	pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8
Commit	6d68d66425
Updated	May 22, 2026 at 10:34:20 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#6d68d664251a67337dff6bbf54172fe90d1da0c5

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "6d68d664251a67337dff6bbf54172fe90d1da0c5")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/playwright/cli-0.1.8
git -C submodules/content-scope-scripts checkout 6d68d664251a67337dff6bbf54172fe90d1da0c5

[cursor]

Stale comment

Web Compatibility Assessment

• package.json (44) — severity: info
  Bumps root devDependency @playwright/cli from ^0.1.1 to ^0.1.8. This does not modify shipped injected code paths (injected/src/**, entry points, wrappers, or feature lifecycle), so there is no direct risk to API surface fidelity, prototype behavior, DOM timing, or platform runtime behavior.

• package-lock.json (21, 1549-1585) — severity: info
  Lockfile churn is scoped to @playwright/cli and its nested playwright/playwright-core versions, plus dependency graph normalization (removal of nested minimist). No unrelated lockfile churn observed beyond the bumped toolchain subtree.

Security Assessment

• package.json (44) and package-lock.json (21, 1549-1585) — severity: info
  Changes are limited to test/dev tooling resolution. No modifications to injected runtime trust boundaries: no captured-globals changes, no message bridge/origin validation changes, no new postMessage usage, no wrapper/proxy/shim mutations, and no config gating changes.

• package-lock.json (1549-1585) — severity: info
  Transitive packages remain integrity-pinned via lockfile hashes. This is standard npm supply-chain hardening for the updated dev-only dependency set.

Risk Level

Low Risk — dependency-only PR scoped to dev tooling, with no runtime code changes in injected/privacy-sensitive components.

Recommendations

1. Keep this PR gated on full CI (lint, test-unit, and at least one integration job) since Playwright internals used by test tooling changed.
2. Optional alternative: if minimizing alpha transitive churn is a goal, evaluate replacing @playwright/cli usage with a stable @playwright/test/playwright CLI path in scripts to reduce pre-release dependency movement.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Stale comment

Findings

1. Medium – Expanded capability in upstream tool without project-level controls
   The bump from @playwright/cli@0.1.1 to 0.1.8 updates its bundled playwright from 1.59.0-alpha-1771104257000 to 1.60.0-alpha-2026-04-14 (visible in package-lock.json), and upstream v0.1.8 adds remote debugging attach to existing local Chrome/Edge profiles (playwright-cli attach --cdp=chrome).

   Threat impact: this increases the blast radius if playwright-cli is invoked in an untrusted automation context, because automation can target an already-authenticated local browser profile instead of an isolated ephemeral context.

2. Low – Dependency appears unused by repository scripts/tests
   In this repo, @playwright/cli is only present in root dependency manifests; no workspace scripts call playwright-cli, while test scripts use playwright test from @playwright/test.

   Threat impact: unnecessary dependency adds avoidable supply-chain surface and continuously tracks alpha Playwright builds.

Confirmed vs uncertain

• Confirmed from diff/changelog

  • Dependency change is manifest/lockfile-only.
  • Transitive playwright alpha advanced to a newer build.
  • v0.1.8 changelog introduces remote-debug attach capability.

• Uncertain (needs maintainer validation)

  • Whether this repo intentionally needs @playwright/cli for local agent workflows. skills-lock.json references microsoft/playwright-cli, but repo scripts do not use it directly.

Test coverage assessment

• No project code changed, so existing unit/integration tests do not exercise this dependency update.
• There is no repo-level test coverage for playwright-cli behavior changes (including new attach mode), so risk is controlled only by dependency trust and usage policy.

Suggested follow-up PR (separate)

1. Remove @playwright/cli from root devDependencies if not required by CI/dev workflow.
2. If it is required, document allowed usage and add a guardrail note to avoid attach --cdp=* in automation contexts.
3. Optionally pin exact @playwright/cli version policy explicitly and review bumps as security-sensitive due to alpha transitive Playwright updates.

I’m not blocking on functional regressions in this PR alone, but I do recommend the follow-up dependency-surface hardening PR.

  

_{Sent by Cursor Automation: Review dependabot}

[github-actions]

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:54 GMT

[cursor]

Stale comment

Web Compatibility Assessment

• File: package.json
  Line range: devDependencies @playwright/cli version bump hunk
  Severity: info
  Assessment: No web-compat regression identified. This is a dev-tool dependency update and does not modify injected runtime code paths, wrappers, shims, lifecycle hooks, or platform feature bundles.

• File: package-lock.json
  Line range: @playwright/cli / transitive playwright + playwright-core lockfile update hunks
  Severity: info
  Assessment: No API-surface/prototype/DOM behavior changes in production code. Changes are confined to lockfile metadata for dev tooling.

Security Assessment

• File: package.json
  Line range: devDependencies @playwright/cli entry
  Severity: info
  Assessment: No new in-page attack surface introduced. No modifications to captured globals, message bridge, wrapper utilities, origin checks, or runtime feature gating.

• File: package-lock.json
  Line range: @playwright/cli dependency tree update hunks
  Severity: warning
  Assessment: Transitive tooling now pulls a newer pre-release Playwright build. This is not a browser-runtime vulnerability for C-S-S, but it is a supply-chain and CI/tooling stability consideration that should be validated in pipeline runs.

Risk Level

Low Risk — PR is dependency-only for development tooling (@playwright/cli) and does not alter injected feature logic or security-sensitive runtime pathways.

Recommendations

1. Run full CI (lint, unit, integration) to confirm no test-runner/tooling regressions from the updated Playwright CLI transitive graph.
2. Consider aligning Playwright-related dev tooling versions (or using only stable-channel Playwright artifacts) to reduce pre-release drift risk in CI.
3. If @playwright/cli is not required by repository scripts, consider removing it and invoking Playwright through existing pinned tooling as a lower-risk alternative.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Stale comment

Dependency Update Review: @playwright/cli 0.1.1 → 0.1.8

Findings (ordered by risk)

1. No direct product/runtime impact in this repo (confirmed, low)

• PR diff only changes package.json and package-lock.json.
• @playwright/cli remains a devDependency.
• Repository search shows no project scripts or source importing/invoking playwright-cli; usage is limited to dependency declarations and agent skill docs.

2. Behavioral surface changed but is currently untested here (confirmed, low-medium process risk)

• Upstream releases between v0.1.1...v0.1.8 add/modify CLI behavior (attach --cdp, daemon/session lifecycle fixes, snapshot behavior, --raw, etc.).
• This repo has no test coverage that exercises playwright-cli commands directly, so regressions in this tool would not be detected by existing CI for this PR.

3. Expanded local browser-attachment capability could increase misuse impact if invoked by automation (uncertain, needs validation)

• Release notes introduce attaching to existing Chrome/Edge sessions (attach --cdp=chrome / extension attach), which can operate against real logged-in profiles.
• This is not exercised by repo code, but if local/agent workflows run playwright-cli, threat exposure depends on sandboxing and command policy in those workflows.

Changelog/lockfile impact summary

• Transitive playwright inside @playwright/cli moved from 1.59.0-alpha-1771104257000 to 1.60.0-alpha-2026-04-14.
• Nested minimist dependency was removed (slight dependency-surface reduction).

Separate PR needed?

• No mandatory fix PR needed for this dependency bump PR based on current evidence.
• Optional hardening follow-up (separate PR):
  1. Add a minimal CI smoke step for playwright-cli --version (or one no-op command) if this tool is operationally required.
  2. Or remove @playwright/cli from repo devDependencies if it is only needed in external agent environments.

Overall: no blocking security/regression concern found for merging this PR as-is, with the above optional hardening path.

  

_{Sent by Cursor Automation: Review dependabot}

[dependabot]

A newer version of @​playwright/cli exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

[jonathanKingston]

@dependabot recreate

[cursor]

Web Compatibility Assessment

• package.json lines 44-44 — severity: info
  No web-compat regression identified. The changed dependency is a root devDependency (@playwright/cli ^0.1.1 -> ^0.1.13) and does not modify injected runtime code, wrapper utilities, shims, feature lifecycle, DOM behavior, or platform entry points.

• package-lock.json lines 21-21 and 1796-1839 — severity: info
  Lockfile churn is scoped to @playwright/cli and its nested playwright/playwright-core packages. No API-surface fidelity, prototype-chain, DOM-readiness, SPA timing, or platform-runtime behavior changes are introduced.

Security Assessment

• package.json lines 44-44 — severity: info
  No new in-page security surface found. There are no changes to captured-globals, message bridge validation, origin checks, postMessage, config gating, or wrapper/proxy behavior.

• package-lock.json lines 1796-1839 — severity: warning
  The dependency remains dev-only, but @playwright/cli@0.1.13 brings a nested pre-release Playwright toolchain (playwright/playwright-core@1.61.0-alpha-1778188671000) alongside the existing stable test runner dependency (@playwright/test@1.58.2). This is not a C-S-S runtime vulnerability, but it is a CI/local-tooling supply-chain and stability consideration.

Risk Level

Low Risk — dependency-only PR scoped to development tooling, with no changes to injected/privacy-sensitive runtime components.

Recommendations

1. Keep full CI as the merge gate; I verified npm ci, npx playwright-cli --version, and the installed Playwright dependency graph locally.
2. If @playwright/cli is not intentionally required by repo-local agent workflows, consider removing it in a follow-up to avoid carrying a separate alpha Playwright toolchain.
3. If it is required, keep it documented as dev/agent tooling rather than test-runner infrastructure; repo scripts currently use @playwright/test/playwright test, not playwright-cli.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Dependency update review found one tooling compatibility issue.

Confirmed: this is a devDependency-only bump, and I found no product/runtime imports or npm-audit findings tied to @playwright/cli/Playwright. The skipped upstream releases do include CLI behavior changes, though: v0.1.10 replaced network with requests/request, and the checked-in Playwright CLI skill docs still tell agents to run the removed command. After npm ci --ignore-scripts, npx playwright-cli network returns Unknown command: network.

Tests/validation run: npm ci --ignore-scripts, npx playwright-cli --help, npx playwright-cli network, npm audit --json.

I did not push changes to this PR. I also did not open a separate fix PR from this run because the clean fix should either be included with this dependency bump or be opened as a stacked follow-up after this PR lands: sync/update .agents/skills/playwright-cli and skills-lock.json to the microsoft/playwright-cli v0.1.13 skill contents, or remove the checked-in skill dependency if agents should rely only on the package-provided/global CLI docs.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

This version jump crosses an upstream behavior change that invalidates checked-in repo guidance. The v0.1.10 release notes say network inspection was split from network into requests / request / part-specific commands, and with this lockfile installed npx playwright-cli network now fails with Unknown command: network. However .agents/skills/playwright-cli/SKILL.md still documents playwright-cli network in the DevTools section. Please sync/update the checked-in Playwright CLI skill docs (and skills-lock.json if that lock tracks the skill source) as part of this bump, or keep the CLI pinned until those docs are refreshed so automation does not invoke removed commands.

[cursor]

Dependency review complete.

Confirmed concern: this bump changes the playwright-cli command/skill surface, but the committed agent skill remains on the older command set. CI is green, but it exercises playwright test through @playwright/test@1.58.2, not the playwright-cli binary.

Evidence checked:

• PR diff only changes package.json/package-lock.json.
• Upstream compare v0.1.1...v0.1.13 has 35 commits, mostly Playwright alpha rolls, plus fix: include skills/ directory in npm package, fix(deps): remove unused minimist dependency, and fix(deps): declare playwright-core as direct dependency.
• Package diff changes the bin from require('playwright/lib/cli/client/program') to playwright-core/lib/tools/cli-client/program, drops minimist, adds direct playwright-core, and rolls nested playwright/playwright-core from 1.59.0-alpha to 1.61.0-alpha.
• rg did not find in-repo npm scripts invoking playwright-cli; usages are in committed agent-skill docs.

I did not push changes to this PR. A separate fix PR, if desired, should either refresh .agents/skills/playwright-cli/skills-lock.json to match @playwright/cli@0.1.13, or remove/explain the dependency if the committed skill is no longer intended to rely on the local binary.

  

_{Sent by Cursor Automation: Review dependabot}

[cursor]

This bump should probably update the committed Playwright CLI skill at the same time. The 0.1.13 package now ships a different skills/playwright-cli tree and the CLI help no longer lists some commands that our committed .agents/skills/playwright-cli/SKILL.md still instructs agents to use, e.g. playwright-cli network and playwright-cli open --extension; 0.1.13 documents requests/request ... and attach --extension instead.

The normal CI in this repo will not catch that mismatch: the npm scripts and workflows invoke playwright test via the root @playwright/test@1.58.2, while this dependency installs a nested playwright@1.61.0-alpha-1778188671000 only for the playwright-cli binary. If we keep this dependency for agent workflows, please refresh .agents/skills/playwright-cli and skills-lock.json from the updated package (or land that as a companion PR before merging this). If the dependency is not used for that, the lower-risk path is to remove it rather than continue installing a second alpha Playwright toolchain.

[cursor]

Dependency review for @playwright/cli 0.1.1 -> 0.1.13:

Confirmed issues: none found.

Impact / changelog notes:

• The PR only changes root package.json and package-lock.json.
• The updated CLI now carries nested playwright/playwright-core 1.61.0-alpha-1778188671000; the repo's test runner remains @playwright/test 1.58.2, and after npm ci the root playwright binary still resolves to 1.58.2, not the CLI's alpha Playwright.
• Upstream behavior changes affect manual/agent playwright-cli use: attach now requires an explicit target, network was split into numbered request commands, several read-only cookie/storage/network commands emit raw output by default, and extension mode ignores browser.userDataDir/executablePath from config. I found no repo scripts or source paths invoking those commands.
• Threat surface is limited to dev tooling, but the new CLI capabilities can attach to local browsers and extract cookies/storage/network data when explicitly invoked. Avoid using those commands in automation that logs output or runs against real browser profiles.

Dependency necessity: I only found @playwright/cli in root package metadata and skills-lock.json; repo test scripts use playwright from @playwright/test. If this dependency is not intentionally kept for local/agent tooling, a separate cleanup PR could remove it and rely on the external skill/tooling instead. I did not draft that PR because I don't see a confirmed breakage or security fix required here.

Validation:

• npm ci
• npm ls @playwright/cli @playwright/test playwright playwright-core --depth=2
• npx playwright --version -> 1.58.2; npx playwright-cli --version -> 0.1.13
• npm run build
• npm run test-unit
• PR CI gate and integration-test checks are green at review time.

  

_{Sent by Cursor Automation: Review dependabot}