chore(security): upgrade Playwright to 1.55.1 and remove patched core override #158
Open
darcyYe wants to merge 1 commit into yemq-audit-fix-20260215 from
Conversation
Pull request overview
This PR addresses a high-severity security vulnerability in Playwright by upgrading from version 1.48.2 to 1.55.1 and removing a local patch that is no longer needed. The vulnerability (CVE-2025-59288 / GHSA-7mvr-c777-76hp) was discovered via pnpm audit and the fix is verified by the absence of high-level audit warnings after the upgrade.
Changes:
- Upgraded `playwright` from 1.48.2 to 1.55.1 to address CVE-2025-59288
- Removed the local patch for `playwright-core@1.48.2` which addressed insecure curl `-k` flags, now fixed upstream
- Updated all transitive dependency references in the lockfile to use the new Playwright version
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updated playwright version to 1.55.1 and removed patchedDependencies configuration |
| pnpm-lock.yaml | Updated all playwright and playwright-core references to 1.55.1, including transitive dependencies through rehype-mermaid and mermaid-isomorphic |
| patches/playwright-core@1.48.2.patch | Deleted the patch file that removed insecure -k flags from curl commands (now fixed upstream) |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Summary
This PR fixes a high-severity Playwright vulnerability by upgrading `playwright` to `1.55.1` and removing the old local patch for `playwright-core@1.48.2`.
Why this issue was not shown in GitHub Security tab
When we checked repository Dependabot alerts, only `axios` alert #69 was listed as open. The Playwright advisory (`GHSA-7mvr-c777-76hp`) exists in the GitHub Advisory Database, but it was not surfaced as an active Dependabot alert for this repo at that time. In practice, this can happen due to differences in alert surfacing between tools/data pipelines (Dependabot alert presentation vs `npm/pnpm audit` advisory resolution timing and matching).
How we found it
We ran:
It reported:
How we determined the fix
The audit output and advisory both specify >=1.55.1 as the patched version.
So we upgraded playwright from 1.48.2 to 1.55.1, regenerated the lockfile, and removed the now-unnecessary local playwright-core patch.
Verification
- `pnpm audit --audit-level high` -> No known vulnerabilities found
- `pnpm why playwright` -> resolves to 1.55.1
- `pnpm astro check` -> no errors
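A check in the spirit of the verification steps above, added here as an example and not part of this PR: it flags `pnpm.patchedDependencies` entries that no longer match any resolved version after a bump (a patch keyed to the old version stops applying, so the fix it carried must really be upstream) and pulls the high-severity rows out of `pnpm audit --json` output. The package.json contents, resolved versions and audit JSON are constructed, and the audit field names (`advisories`, `module_name`, `severity`, `patched_versions`, `github_advisory_id`) are assumed to follow the npm-audit-compatible format pnpm emits.

```javascript
// Constructed "before" package.json, modelled on the PR description.
const PKG_BEFORE = {
  dependencies: { playwright: "1.48.2" },
  pnpm: { patchedDependencies: { "playwright-core@1.48.2": "patches/playwright-core@1.48.2.patch" } },
};

// Constructed "after" package.json: version bumped, override removed.
const PKG_AFTER = { dependencies: { playwright: "1.55.1" }, pnpm: {} };

// Constructed resolved versions, as would be read from the packages: section
// of pnpm-lock.yaml. A package may resolve to several versions at once.
const RESOLVED_AFTER_BUMP = { playwright: ["1.55.1"], "playwright-core": ["1.55.1"] };

// Constructed excerpt of `pnpm audit --json` (npm-audit-compatible shape assumed).
const AUDIT_JSON = {
  advisories: {
    "example-1": {
      module_name: "playwright",
      severity: "high",
      vulnerable_versions: "<1.55.1",
      patched_versions: ">=1.55.1",
      github_advisory_id: "GHSA-7mvr-c777-76hp",
    },
  },
};

// Split "name@version"; the last "@" keeps scoped names like "@scope/pkg@1.0.0" intact.
function parsePatchKey(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Patch keys whose target version is no longer resolved anywhere in the lockfile.
function findStalePatches(pkg, resolved) {
  const patches = (pkg.pnpm && pkg.pnpm.patchedDependencies) || {};
  return Object.keys(patches).filter((key) => {
    const { name, version } = parsePatchKey(key);
    return !(resolved[name] || []).includes(version);
  });
}

// Advisories at or above minLevel, reduced to what you need to pick a fix version.
function highSeverityAdvisories(audit, minLevel = "high") {
  const rank = { low: 0, moderate: 1, high: 2, critical: 3 };
  return Object.values(audit.advisories || {})
    .filter((a) => (rank[a.severity] ?? -1) >= rank[minLevel])
    .map((a) => ({ module: a.module_name, patched: a.patched_versions, id: a.github_advisory_id }));
}

console.log(findStalePatches(PKG_BEFORE, RESOLVED_AFTER_BUMP)); // ["playwright-core@1.48.2"]
console.log(findStalePatches(PKG_AFTER, RESOLVED_AFTER_BUMP));  // []
console.log(highSeverityAdvisories(AUDIT_JSON));               // one row: playwright, >=1.55.1
```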