Merged
2 changes: 1 addition & 1 deletion .github/workflows/workflow-test.yml
@@ -42,7 +42,7 @@
runs-on: ${{ inputs.runs-on }}
permissions: {}
container:
image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.57.0-noble' || null }}
image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' || null }}

Check failure: Code scanning / zizmor: unpinned image references (Error)

Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/workflow-test.yml

Repository: lynx-family/lynx-stack

Length of output: 101


🏁 Script executed:

cat -n .github/workflows/workflow-test.yml | sed -n '40,50p'

Repository: lynx-family/lynx-stack

Length of output: 484


🏁 Script executed:

# Search for all container image references to understand the pattern used
rg 'image:' .github/workflows/workflow-test.yml -A 1 -B 1

Repository: lynx-family/lynx-stack

Length of output: 181


🏁 Script executed:

# Check if there are any other container images in the repository to see what pattern is used
rg 'image:' .github/workflows/ -A 1 | head -30

Repository: lynx-family/lynx-stack

Length of output: 238


🌐 Web query:

mcr.microsoft.com/playwright:v1.58.1-noble mutable tag digest pinning container security

💡 Result:

  • Yes, mcr.microsoft.com/playwright:v1.58.1-noble is a tag, and tags are not inherently immutable. In container registries, a tag can be moved to point at a different manifest digest unless the registry/repository enforces immutability. Microsoft’s own Azure Container Registry docs state that tagged images are mutable by default (unless you explicitly lock/prevent writes). [1]

  • For supply-chain/container security, prefer digest pinning (immutable reference), e.g. mcr.microsoft.com/playwright@sha256:<digest>, because a digest identifies the exact image content you reviewed/scanned. Microsoft’s container registry concepts doc explicitly describes pulling by manifest digest. [2]

  • How to get and pin the digest (CLI):

    docker pull mcr.microsoft.com/playwright:v1.58.1-noble
    docker image inspect --format '{{index .RepoDigests 0}}' mcr.microsoft.com/playwright:v1.58.1-noble
    # then use the printed value in FROM / deployments, e.g.
    # FROM mcr.microsoft.com/playwright@sha256:...

    (Equivalent: docker buildx imagetools inspect mcr.microsoft.com/playwright:v1.58.1-noble to see per-arch digests.)

  • Extra Playwright-specific security note: the Playwright Docker docs warn the image is intended for testing/dev and recommend additional hardening (e.g., non-root + seccomp) especially when visiting untrusted sites. [3]

Sources: [1] Microsoft Learn (ACR: tagged images mutable by default) (learn.microsoft.com), [2] Microsoft Learn (pull by digest) (learn.microsoft.com), [3] Playwright Docker docs (security notes & recommendations) (playwright.dev)

Citations:


Pin the Playwright container image by digest.

Line 45 uses a mutable tag reference. Tags can be re-pushed to point to different image content, creating a supply-chain risk. Replace with an immutable digest pin:

Example format
-      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' || null }}
+      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright@sha256:<digest>' || null }}

To find the digest: docker pull mcr.microsoft.com/playwright:v1.58.1-noble && docker image inspect --format '{{index .RepoDigests 0}}' mcr.microsoft.com/playwright:v1.58.1-noble

🧰 Tools
🪛 GitHub Check: zizmor

[failure] 45-45:
unpinned image references

🤖 Prompt for AI Agents
In @.github/workflows/workflow-test.yml at line 45, Replace the mutable tag
reference under the image: key that uses
'mcr.microsoft.com/playwright:v1.58.1-noble' with an immutable digest-pinned
reference; obtain the digest by pulling the image (docker pull
mcr.microsoft.com/playwright:v1.58.1-noble) and inspecting the repo digest
(docker image inspect --format '{{index .RepoDigests 0}}'
mcr.microsoft.com/playwright:v1.58.1-noble), then update the expression that
sets image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' ||
null }} to use the returned digest string in place of the tag.

env:
CI: 1
TURBO_TELEMETRY_DISABLED: 1
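Review bot: the `image:` line still uses a mutable tag (`mcr.microsoft.com/playwright:v1.58.1-noble`), which is exactly what the zizmor `unpinned image references` failure on this hunk is about; replace the tag with `mcr.microsoft.com/playwright@sha256:<digest>` and keep the version as a trailing comment so the next bump knows what the digest corresponds to. Because `runs-on: ${{ inputs.runs-on }}` leaves the runner architecture up to the caller, take the manifest-list digest (the top-level digest `docker buildx imagetools inspect` reports) rather than a single-platform one, or the job breaks on a runner of the other architecture. The same PR moves `@playwright/test` to `^1.58.1`, so whoever bumps the image next should move the two together; `permissions: {}` on the job is the right default and should stay.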
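The bot comment above describes the check by hand (tag vs. `@sha256:` digest). The following is an added example, not code from the lynx-stack project, from zizmor, or from the reviewer: a small stand-alone scanner that walks workflow text, extracts image references including ones buried inside a `${{ cond && 'image' || null }}` expression like the one in this hunk, and classifies each as pinned, unpinned, or carrying a malformed digest. The sample workflow text and the image names in it are constructed for the example; the reference grammar assumes no `host:port` registry prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow text (not the project's workflow-test.yml). It
# covers the shapes a scanner has to handle: a tag inside a ${{ }} expression
# (the pattern in this PR), a bare tagged image, a digest-pinned image inside
# an expression, and a pin whose digest is too short to be a sha256.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    container:
      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' || null }}
  lint:
    container:
      image: node:20-bookworm
  build:
    container:
      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' || null }}
  broken:
    container:
      image: ghcr.io/example/tool@sha256:deadbeef
"""


@dataclass(frozen=True)
class ImageFinding:
    line: int     # 1-based line number in the workflow text
    ref: str      # image reference exactly as written
    status: str   # "pinned", "unpinned" or "malformed-digest"


IMAGE_LINE = re.compile(r"^\s*image:\s*(?P<value>.+?)\s*$")
QUOTED = re.compile(r"'([^']*)'|\"([^\"]*)\"")

# Assumption: no registry host:port in the repository part. A digest, when
# present, takes precedence over any tag, matching how registries resolve refs.
IMAGE_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9._-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-fA-F]+))?$"
)


def _candidate_refs(value: str) -> List[str]:
    """Pull image references out of an `image:` value.

    GitHub expressions like `${{ cond && 'img:tag' || null }}` carry the real
    reference inside quotes; a plain scalar is the reference itself.
    """
    quoted = [a or b for a, b in QUOTED.findall(value)]
    return quoted if quoted else [value.strip()]


def classify(ref: str) -> Optional[str]:
    """Return the pin status of one reference, or None if it is not one."""
    m = IMAGE_REF.match(ref)
    if m is None:
        return None
    digest = m.group("digest")
    if digest is None:
        return "unpinned"  # tag only (or no tag at all): the content can change under you
    hex_part = digest.split(":", 1)[1]
    return "pinned" if len(hex_part) == 64 else "malformed-digest"


def scan_workflow(text: str) -> List[ImageFinding]:
    """Classify every `image:` reference in the given workflow text."""
    findings: List[ImageFinding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_LINE.match(line)
        if m is None:
            continue
        for ref in _candidate_refs(m.group("value")):
            status = classify(ref)
            if status is not None:
                findings.append(ImageFinding(line_no, ref, status))
    return findings


def unpinned_images(text: str) -> List[ImageFinding]:
    """Everything a pin-by-digest policy would fail the workflow on."""
    return [f for f in scan_workflow(text) if f.status != "pinned"]


if __name__ == "__main__":
    for f in unpinned_images(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.status}: {f.ref}")
```

Run against the constructed sample, it reports the `v1.58.1-noble` tag on line 5 and the bare `node:20-bookworm` on line 8 as unpinned and the `deadbeef` pin on line 14 as a malformed digest, while the 64-hex-character pin on line 11 passes. The regex approach deliberately avoids a YAML parser so that `${{ }}` expressions, which are plain strings to YAML, are still inspected.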
2 changes: 1 addition & 1 deletion packages/mcp-servers/devtool-mcp-server/package.json
@@ -38,7 +38,7 @@
},
"devDependencies": {
"@microsoft/api-extractor": "^7.55.2",
"@modelcontextprotocol/sdk": "^1.20.0",
"@modelcontextprotocol/sdk": "^1.25.2",
"@types/debug": "^4.1.12",
"core-js": "^3.47.0",
"debug": "^4.4.3",
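Review bot: `@modelcontextprotocol/sdk` is bumped under `devDependencies` here, while the sibling `docs-mcp-server` hunk in this PR lists the same package under `dependencies`; if `devtool-mcp-server` imports the SDK at runtime it belongs in `dependencies` (or `peerDependencies`) too, otherwise the published package will fail to resolve it. Worth confirming which is intended while the version is being touched.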
4 changes: 2 additions & 2 deletions packages/mcp-servers/docs-mcp-server/package.json
@@ -17,13 +17,13 @@
"build": "tsc"
},
"dependencies": {
"@modelcontextprotocol/sdk": "^1.20.0",
"@modelcontextprotocol/sdk": "^1.25.2",
"commander": "^13.1.0",
"debug": "^4.4.3",
"empathic": "^2.0.0",
"mdast-util-from-markdown": "^2.0.2",
"mdast-util-to-markdown": "^2.1.2",
"undici": "^6.22.0"
"undici": "^6.23.0"
},
"devDependencies": {
"@types/debug": "^4.1.12",
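Review bot: both bumps here (`@modelcontextprotocol/sdk` to `^1.25.2`, `undici` to `^6.23.0`) are runtime `dependencies` with caret ranges, so the manifest only raises the floor; the version actually installed is whatever `pnpm-lock.yaml` records, and that file's diff is not rendered on this page. Check the locked versions match the intended releases, and since `undici` is the HTTP client this server uses to fetch, its entry in particular should be verified rather than assumed from the range.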
4 changes: 2 additions & 2 deletions packages/web-platform/playwright-fixtures/package.json
@@ -11,9 +11,9 @@
"v8-to-istanbul": "^9.3.0"
},
"devDependencies": {
"@playwright/test": "^1.57.0"
"@playwright/test": "^1.58.1"
},
"peerDependencies": {
"@playwright/test": "^1.57.0"
"@playwright/test": "^1.58.1"
}
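Review bot: raising the `peerDependencies` floor to `^1.58.1` is a breaking change for any consumer still on `@playwright/test` 1.57.x (pnpm reports an unmet peer); it is consistent here because the in-repo consumers (`web-core-wasm-e2e`, `web-elements`, `web-tests`) move to `^1.58.1` in this same PR and `devDependencies` is bumped in step, but it deserves a line in the release notes for external users of the fixtures package.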
}
2 changes: 1 addition & 1 deletion packages/web-platform/web-core-wasm-e2e/package.json
@@ -21,7 +21,7 @@
"@lynx-js/react-rsbuild-plugin": "workspace:*",
"@lynx-js/rspeedy": "workspace:*",
"@lynx-js/web-core-wasm": "workspace:*",
"@playwright/test": "^1.57.0",
"@playwright/test": "^1.58.1",
"@rsbuild/core": "catalog:rsbuild",
"nyc": "^17.1.0"
}
2 changes: 1 addition & 1 deletion packages/web-platform/web-elements/package.json
@@ -136,7 +136,7 @@
},
"devDependencies": {
"@lynx-js/playwright-fixtures": "workspace:*",
"@playwright/test": "^1.57.0",
"@playwright/test": "^1.58.1",
"@rsbuild/core": "catalog:rsbuild",
"@rsbuild/plugin-source-build": "1.0.3",
"nyc": "^17.1.0",
2 changes: 1 addition & 1 deletion packages/web-platform/web-tests/package.json
@@ -38,7 +38,7 @@
"@lynx-js/web-platform-rsbuild-plugin": "workspace:*",
"@lynx-js/web-rsbuild-server-middleware": "workspace:*",
"@lynx-js/webpack-dev-transport": "workspace:*",
"@playwright/test": "^1.57.0",
"@playwright/test": "^1.58.1",
"@rspack/cli": "catalog:rspack",
"@rspack/core": "catalog:rspack",
"nyc": "^17.1.0",
44 changes: 22 additions & 22 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.