Skip to content

[security](deps-dev): bump playwright from 1.58.1 to 1.58.2 #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
+4 −19
Closed

[security](deps-dev): bump playwright from 1.58.1 to 1.58.2 #122

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@
"concurrently": "^9.2.1",
"fast-check": "^4.5.3",
"hono": "^4.12.7",
"playwright": "^1.58.1",
"playwright": "^1.58.2",
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep @playwright/test aligned with playwright version

Bumping only playwright here leaves the root test runner on @playwright/test 1.58.1 (same devDependencies block), so frozen installs keep mixed Playwright patch versions in the workspace. That can cause playwright test runs to execute against an older playwright-core than the one this security bump intended to roll out, and it also increases the chance of version-mismatch behavior in CI.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner

@jscraik jscraik Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codex fix

Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

  • Aligned the root Playwright test runner dependency with the security bump by changing @playwright/test from ^1.58.1 to ^1.58.2 in package.json, so it matches playwright and avoids mixed patch versions. package.jsonL102-L120
  • Refreshed the lockfile so the root importer now resolves both @playwright/test and playwright to 1.58.2, including the @playwright/test@1.58.2 -> playwright: 1.58.2 snapshot linkage. pnpm-lock.yamlL60-L86 pnpm-lock.yamlL10089-L10092
  • Updated FORJAMIE.md per the repo’s living-map rule (status date, dependency-hygiene note, and a new 2026-03-17 Recent Changes entry for this alignment). FORJAMIE.mdL19-L27 FORJAMIE.mdL70-L76 FORJAMIE.mdL114-L119
  • Committed changes on branch work with commit 0b0d08d and created a follow-up PR via make_pr titled “fix: align @playwright/test with Playwright 1.58.2 security bump.”

Testing

  • source scripts/codex-preflight.sh && preflight_repo
  • mise trust && mise list | head
  • curl -s https://api.github.com/repos/microsoft/playwright/releases/tags/v1.58.2 | jq '.tag_name, .name'
  • cat package.json | jq . > /dev/null && echo OK
  • pnpm up @playwright/test@^1.58.2 --lockfile-only
  • pnpm list @playwright/test playwright --depth 0

View task →

Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Align @playwright/test with patched Playwright release

Bumping only playwright here leaves the workspace test runner on @playwright/test 1.58.1, which still resolves playwright/playwright-core 1.58.1 in the lockfile (pnpm-lock.yaml shows @playwright/test at 1.58.1 and playwright: 1.58.1). In environments that execute tests through @playwright/test (CI/local playwright test), this keeps the older Playwright bits installed, so the security update is only partial and versions are mixed.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Owner

@jscraik jscraik Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codex fix

Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

  • Addressed the review feedback at package.json by aligning the root Playwright test runner version: @playwright/test is now ^1.58.2 to match playwright ^1.58.2. package.jsonL101-L116
  • Updated the lockfile so the workspace root importer resolves @playwright/test to 1.58.2, and the snapshot now binds it to playwright: 1.58.2 (removing the mixed 1.58.1/1.58.2 state). pnpm-lock.yamlL60-L68 pnpm-lock.yamlL2505-L2508 pnpm-lock.yamlL10089-L10091
  • Updated FORJAMIE.md per the repo’s living-map rule, including a new 2026-03-17 recent-change entry for this dependency-alignment fix and refreshed status metadata date. FORJAMIE.mdL19-L27 FORJAMIE.mdL114-L119
  • Committed as d898a38 and opened a follow-up PR via make_pr with a title/body describing this fix on top of the original Dependabot PR.

Testing

  • source scripts/codex-preflight.sh && preflight_repo
  • mise trust /workspace/Design-System/mise.toml && mise list | head -n 20
  • python - <<'PY' ... registry.npmjs.org ... (verified latest published versions for playwright and @playwright/test are both 1.58.2)
  • pnpm add -Dw @playwright/test@^1.58.2 --lockfile-only
  • cat package.json | jq . >/dev/null
  • rg -n "'@playwright/test'|@playwright/test@1.58.2|playwright: 1.58.2" pnpm-lock.yaml | head -n 20

View task →

Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Update FORJAMIE.md for this Playwright bump

Root AGENTS.md:23-39 makes FORJAMIE.md updates mandatory for any tooling/config change in the same change-set. This line bumps the repo’s Playwright toolchain, but FORJAMIE.md still reports Last updated: 2026-03-10 and has no corresponding Recent Changes entry (FORJAMIE.md:19, FORJAMIE.md:114-129), so the required project map is already stale as soon as this commit lands.

Useful? React with 👍 / 👎.

"sharp": "^0.34.5",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
Expand Down
21 changes: 3 additions & 18 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading