Skip to content

chore: remove unused @playwright/cli dependency#2652

Open
cursor[bot] wants to merge 3 commits into
mainfrom
jkt/auto/dependency-update-review-e7b1
Open

chore: remove unused @playwright/cli dependency#2652
cursor[bot] wants to merge 3 commits into
mainfrom
jkt/auto/dependency-update-review-e7b1

Conversation

@cursor
Copy link
Copy Markdown
Contributor

@cursor cursor Bot commented Apr 20, 2026
edited
Loading

Asana Task/Github Issue: N/A

Description

Removes @playwright/cli from root devDependencies and lockfile entries because it is not used by repository scripts/tests.

This reduces dependency surface and avoids tracking alpha transitive playwright versions through an unused package.

Testing Steps

  • Run npm install --package-lock-only from repo root and confirm lockfile remains consistent.

Checklist

Please tick all that apply:

  • I have tested this change locally
  • I have tested this change locally in all supported browsers
  • This change will be visible to users
  • I have added automated tests that cover this change
  • I have ensured the change is gated by config
  • This change was covered by a ship review
  • This change was covered by a tech design
  • Any dependent config has been merged
Open in Web View Automation 

Note

Low Risk
Low risk: this only removes an unused devDependency and its lockfile entries, with no runtime code changes. The main risk is CI/scripts that implicitly relied on @playwright/cli, but no usages were found in repo scripts.

Overview
Removes the unused @playwright/cli devDependency from package.json and deletes its associated package-lock.json entries (including the alpha playwright/playwright-core transitive versions it pulled in).

No code or test logic changes; Playwright testing remains via @playwright/test.

Reviewed by Cursor Bugbot for commit 72837a4. Bugbot is set up for automated code reviews on this repo. Configure here.

dependabot Bot and others added 2 commits April 20, 2026 12:20
@dependabot
build(deps-dev): bump @playwright/cli from 0.1.1 to 0.1.8
dcf4ae7 
Bumps [@playwright/cli](https://github.com/microsoft/playwright-cli) from 0.1.1 to 0.1.8.
- [Release notes](https://github.com/microsoft/playwright-cli/releases)
- [Commits](microsoft/playwright-cli@v0.1.1...v0.1.8)

---
updated-dependencies:
- dependency-name: "@playwright/cli"
  dependency-version: 0.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@cursoragent @jonathanKingston
chore: remove unused @playwright/cli dependency
a3817e9 
Co-authored-by: Jonathan Kingston <jonathanKingston@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 20, 2026
edited
Loading

Build Branch
Branch pr-releases/jkt/auto/dependency-update-review-e7b1
Commit b5ad691563
Updated April 23, 2026 at 10:56:45 PM UTC

Static preview entry points

QR codes (mobile preview)
Entry point QR code
Docs QR for docs preview
Static pages QR for static pages preview
Integration pages QR for integration pages preview

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/jkt/auto/dependency-update-review-e7b1

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/jkt/auto/dependency-update-review-e7b1")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/dependency-update-review-e7b1
git -C submodules/content-scope-scripts checkout origin/pr-releases/jkt/auto/dependency-update-review-e7b1
Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#b5ad6915636bef20a59d73ec37191565963ac80f

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "b5ad6915636bef20a59d73ec37191565963ac80f")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/dependency-update-review-e7b1
git -C submodules/content-scope-scripts checkout b5ad6915636bef20a59d73ec37191565963ac80f

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 20, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 20, 2026
edited
Loading

[Beta] Generated file diff

Time updated: Thu, 23 Apr 2026 22:57:14 GMT

@jonathanKingston jonathanKingston marked this pull request as ready for review April 23, 2026 22:56
@jonathanKingston jonathanKingston requested a review from a team as a code owner April 23, 2026 22:56
cursor[bot]
cursor Bot commented Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@cursor cursor Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

Web Compatibility Assessment

  • File: package.json
    Line range: 42-45
    Severity: info
    Removal of @playwright/cli from devDependencies does not alter injected feature code, wrapper utilities, platform entry points, or runtime API shims. No web API surface, descriptor, prototype, DOM, or timing behavior changes are introduced.

  • File: package-lock.json
    Line range: 18-26, 1544-1598
    Severity: info
    Lockfile-only cleanup removes the corresponding @playwright/cli and nested alpha Playwright package entries. This is build/dependency metadata and does not change browser-injected JavaScript behavior.

Security Assessment

  • File: package.json
    Line range: 42-45
    Severity: info
    No changes to captured globals, message bridge, transport origin checks, or any content-script runtime execution paths. Threat model boundaries remain unchanged.

  • File: package-lock.json
    Line range: 1544-1598
    Severity: info
    Dependency reduction removes an unnecessary package tree (including a nested alpha Playwright dependency), slightly reducing supply-chain surface in development tooling. No new exfiltration or injection vectors are introduced.

Risk Level

Low Risk — manifest/lockfile dependency cleanup only; no modifications to injected runtime logic, compatibility shims, or security-sensitive messaging/proxy layers.

Recommendations

  1. Run CI validation for tooling paths that may have referenced playwright-cli (if any local scripts existed outside npm workspaces).
  2. Keep @playwright/test as the single Playwright dependency to avoid future dual-version drift in lockfile.
  3. Optional hardening: add an automated dependency hygiene check (unused dev dependency detection) to prevent reintroduction.
Open in Web View Automation 

Sent by Cursor Automation: Web compat and sec

cursor[bot]
cursor Bot commented Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Web Compatibility Assessment

  • No compatibility regressions found in this diff.
  • package.json (devDependencies block), severity: info
    Removal of @playwright/cli only affects local/dev tooling dependency resolution; there are no changes to injected runtime code paths (injected/src/**), API shims, wrapper utilities, feature lifecycle (load/init/urlChanged), or platform entry points.
  • package-lock.json (removed node_modules/@playwright/cli subtree), severity: info
    Lockfile updates are consistent with the dependency removal and do not alter browser-executed JS behavior, prototype overrides, or DOM interaction logic.

Security Assessment

  • No security vulnerabilities introduced by the changed lines.
  • package.json / package-lock.json, severity: info
    This is a dev-dependency cleanup only; it does not touch message bridge trust boundaries, captured globals, origin validation, exemption logic, or any injected feature code. As a positive side effect, removing an unused package reduces supply-chain exposure in the development toolchain.

Risk Level

Low Risk — the PR is dependency-only (@playwright/cli removal) and does not modify runtime injected scripts, compatibility-sensitive wrappers, or security-critical subsystems.

Recommendations

  1. Run CI integration tests that rely on Playwright to confirm no script/tooling invocation still assumes @playwright/cli binaries.
  2. Keep Playwright usage standardized on @playwright/test to avoid future parallel CLI dependency drift.
Open in Web View Automation 

Sent by Cursor Automation: Web compat and sec

@jonathanKingston jonathanKingston added this pull request to the merge queue Apr 23, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonathanKingston jonathanKingston jonathanKingston approved these changes

Assignees

No one assigned

Labels

semver-patch Bug fix / internal — no release needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathanKingston @cursoragent