Bump @playwright/test from 1.37.1 to 1.56.1

[dependabot]

Bumps @playwright/test from 1.37.1 to 1.56.1.

Release notes

Sourced from @​playwright/test's releases.

v1.56.1

Highlights

#37871 chore: allow local-network-access permission in chromium #37891 fix(agents): remove workspaceFolder ref from vscode mcp #37759 chore: rename agents to test agents #37757 chore(mcp): fallback to cwd when resolving test config

Browser Versions

• Chromium 141.0.7390.37
• Mozilla Firefox 142.0.1
• WebKit 26.0

v1.56.0

Playwright Agents

Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test:

• 🎭 planner explores the app and produces a Markdown test plan
• 🎭 generator transforms the Markdown plan into the Playwright Test files
• 🎭 healer executes the test suite and automatically repairs failing tests

Run npx playwright init-agents with your client of choice to generate the latest agent definitions:

# Generate agent files for each agentic loop
# Visual Studio Code
npx playwright init-agents --loop=vscode
# Claude Code
npx playwright init-agents --loop=claude
# opencode
npx playwright init-agents --loop=opencode

[!NOTE] VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality!

Learn more about Playwright Agents

New APIs

• New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page
• New method page.requests() for retrieving the most recent network requests from the page
• Added --test-list and --test-list-invert to allow manual specification of specific tests from a file

UI Mode and HTML Reporter

• Added option to 'html' reporter to disable the "Copy prompt" button
• Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list
• Added option to UI Mode mirroring the --update-snapshots options
• Added option to UI Mode to run only a single worker at a time

... (truncated)

Commits

• 54c7115 chore: revert "minimal vscode version notice" (#37892)
• 7d45eb3 chore: mark v1.56.1 (#37784)
• e6ef697 cherry-pick(#37871): chore: allow local-network-access permission in chromium
• 932542c cherry-pick(#37891): fix(agents): remove workspaceFolder ref from vscode mcp
• 0662dd2 cherry-pick(#37759): chore: rename agents to test agents
• 919549e cherry-pick(#37758): docs: mention VS Code insiders in the agents docs
• e593c64 cherry-pick(#37757): chore(mcp): fallback to cwd when resolving test config
• a8a6e10 cherry-pick(#37755): chore(mcp): minimal vscode version notice
• f36b2ee cherry-pick(#37731): docs: add agents video to agents page (#37733)
• b6af258 cherry-pick(#37727): devops: fix NPM release step (#37728)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​playwright/test since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​playwright/​test@​1.37.1 ⏵ 1.56.1	+5		+24	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		playwright@1.56.1 has a License Policy Violation. License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) License: CC-BY-4.0 (package/ThirdPartyNotices.txt) From: package-lock.json → npm/@playwright/test@1.56.1 → npm/playwright@1.56.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.56.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		playwright-core@1.56.1 is a AI-detected potential code anomaly. Notes: The code appears to be a legitimate component of a Playwright-like automation framework, focusing on page bindings, event-driven dispatch, and frame/viewport/evaluation orchestration. There is no immediate malware indication, but the binding/dispatch mechanism introduces a moderate security risk contingent on the trustworthiness of bindings and payloads. Primary recommendations: enforce strict binding registration controls, validate all payloads, sandbox binding executions, and minimize/log-filter any sensitive data in logs. Overall risk is moderate with targeted improvements needed around payload trust boundaries. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@playwright/test@1.56.1 → npm/playwright-core@1.56.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright-core@1.56.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		playwright@1.56.1 is a AI-detected potential code anomaly. Notes: The fragment implements a legitimate Playwright MCP bridge with two-way WebSocket signaling and an external browser extension bridge. No explicit malware detected. Main security considerations are token handling and logging exposure, as well as safe spawning of external processes. Mitigations include restricting token exposure, sanitizing logs, and validating external process provenance and sandboxing. Overall, moderate risk due to sensitive data in URLs/logs and external process control, but no active malicious behavior identified. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@playwright/test@1.56.1 → npm/playwright@1.56.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.56.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		playwright@1.56.1 is a AI-detected potential code anomaly. Notes: The analyzed code implements a standard factory pattern to create a Playwright-based extension context using a CDP relay. There is no clear evidence of malicious activity, data exfiltration, hardcoded secrets, or backdoors within this fragment. The primary security considerations relate to the proper securing of the local HTTP/CDP relay and ensuring abort handling does not leak sensitive data via logs. Overall, this appears to be legitimate infrastructure for automated browser extension contexts rather than malware. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@playwright/test@1.56.1 → npm/playwright@1.56.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.56.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report