chore(deps-dev): bump @playwright/test from 1.60.0 to 1.61.0 in the dev-minor-and-patch group across 1 directory#64
Merged
linusdevx merged 1 commit intoJun 23, 2026
Conversation
dependabot
Bot
added
the
dependencies
Contributor
Deploying xsltdebugx with
|
| Latest commit: |
3fe2020
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://a908f8a4.xsltdebugx.pages.dev |
| Branch Preview URL: | https://dependabot-npm-and-yarn-dev.xsltdebugx.pages.dev |
Bumps the dev-minor-and-patch group with 1 update in the / directory: [@playwright/test](https://github.com/microsoft/playwright). Updates `@playwright/test` from 1.60.0 to 1.61.0 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.60.0...v1.61.0) --- updated-dependencies: - dependency-name: "@playwright/test" dependency-version: 1.61.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/dev-minor-and-patch-98d9b91858
branch
from
9288b19 to
3fe2020
Compare
linusdevx
deleted the
dependabot/npm_and_yarn/dev-minor-and-patch-98d9b91858
branch
linusdevx
added a commit
that referenced
this pull request
Jun 23, 2026
* chore(dependabot): target dev, ignore major bumps After enabling Dependabot, it immediately opened 8 PRs against main — including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that need human review and would have skipped the normal dev → main flow. - target-branch: dev — PRs go through dev like any other change - ignore semver-major — automated PRs are patch/minor only; majors are reviewed by a human when needed - Security advisories still open PRs regardless of these ignore rules * fix(editor): handle --!> when stripping XML comment markers The toggle-comment command stripped --> but not --!>, the rare-but-legal HTML comment-end-bang form. Browsers (and the HTML spec) treat both as valid comment terminators; toggling-off a buffer that used the bang form would leave a stray --!> on the line. Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line. The alert was technically a false positive — the regex output is fed into Monaco's text buffer, never rendered as HTML — but the underlying incompleteness was real, so it's worth fixing rather than dismissing. * chore(ci): harden workflows for OpenSSF Scorecard (#67) - Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check) - Add top-level 'permissions: contents: read' to codeql.yml and e2e-tests.yml (Token-Permissions check); scorecard.yml already had 'permissions: read-all' - Bump action versions while pinning: - actions/checkout v4 -> v4.2.2 - actions/setup-node v4 -> v4.4.0 - actions/upload-artifact v4 -> v4.4.3 - github/codeql-action v3 -> v3.36.2 - ossf/scorecard-action v2.4.0 -> v2.4.3 CodeQL's per-job 'permissions:' block is preserved — it widens the top-level default to grant security-events:write for SARIF upload. * chore(deps): bump the actions-minor-and-patch group with 2 updates (#69) Bumps the actions-minor-and-patch group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/checkout` from 4.2.2 to 4.3.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...34e1148) Updates `actions/upload-artifact` from 4.4.3 to 4.6.2 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b4b15b8...ea165f8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 4.3.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-and-patch - dependency-name: actions/upload-artifact dependency-version: 4.6.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @playwright/test (#64) Bumps the dev-minor-and-patch group with 1 update in the / directory: [@playwright/test](https://github.com/microsoft/playwright). Updates `@playwright/test` from 1.60.0 to 1.61.0 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.60.0...v1.61.0) --- updated-dependencies: - dependency-name: "@playwright/test" dependency-version: 1.61.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: dev-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(security): add SRI integrity to CDN-loaded scripts (#70) Adds sha384 integrity hashes and crossorigin=anonymous to the three CDN-hosted dependencies in index.html: - pako@2.1.0 (compression for share URLs) - lucide@1.14.0 (icon library) - monaco-editor@0.44.0 loader Mitigates the supply-chain risk of a tampered CDN response — the browser refuses to execute any script whose content doesn't match the hash. Resolves the only real CodeQL alert (js/functionality-from-untrusted-source) on index.html:51-53. Maintenance note: each version bump now requires regenerating the hash: curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the dev-minor-and-patch group with 1 update in the / directory: @playwright/test.
Updates
@playwright/testfrom 1.60.0 to 1.61.0Release notes
Sourced from @playwright/test's releases.
... (truncated)
Commits
1cc5a90cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...a6772bdcherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...8133dcfcherry-pick(#41283): docs: add Ubuntu 26.04 and Node.js 26.x to system requir...812432echore: mark v1.61.0 (#41277)ac05145fix(fetch): report serverAddr and securityDetails for reused sockets (#41267)056efc9fix(trace-viewer): add keyboard navigation toNetworkFilterscomponent (#41...41f7b9achore: fixes uncovered by the .NET 1.61 roll (#41266)ba50778fix(mcp): assign caps as array for legacy --vision flag (#41253)b8ee5aedocs: release notes for v1.61 (#41261)49c1f69fix(trace viewer): load trace from a local file (#41263)