deps: update playwright to fix CI #833
Arcjet Review — 🟡 Medium Risk
Decision: Reviewers Assigned
Rationale: This PR updates Playwright dev dependencies and changes analytics consent behavior for PostHog. The dependency change fires the dependency escalation trigger, and the versions were changed from exact pins to caret ranges without a corresponding lockfile update in the diff. The PostHog change appears intended to improve consent handling by defaulting capture off and opting in only after HubSpot analytics consent, but it should be manually verified against the HubSpot callback contract and PostHog initialization behavior. No specific reviewers are configured.
Summary of Changes
Updates @playwright/test and playwright from 1.58.2 to ^1.60.0, and gates PostHog capture behind the HubSpot privacy consent listener by defaulting PostHog capture to opt-out until analytics consent is present.
Escalation Triggers
- Dependency Changes: package.json modifies devDependency versions for @playwright/test and playwright.
Security Flags
- [LOW] Supply Chain (package.json:80): Playwright dependencies were changed from exact versions to caret ranges, which can allow future unreviewed minor/patch updates if the lockfile is regenerated or absent. Playwright packages also include install/browser tooling, so reproducible pinning is preferable.
Review Focus Areas
- Should @playwright/test and playwright remain pinned to exact versions instead of using caret ranges?
  Exact pins reduce supply-chain and CI reproducibility risk, especially for tooling that may download or manage browser binaries.
- Was the project lockfile intentionally omitted from this diff, and does CI install Playwright 1.60.0 consistently?
  Dependency updates should normally include lockfile changes so reviewers can inspect the resolved package graph and CI uses the reviewed versions.
- Does the HubSpot privacy consent listener always call back with a consent object containing categories.analytics, including first page load, consent revocation, and users with prior cross-subdomain consent?
  If the callback contract differs, analytics capture may remain disabled unexpectedly or the callback may throw, breaking consent synchronization.
- Has it been verified that posthog.init with opt_out_capturing_by_default: true sends no events or identifiers before the HubSpot analytics consent callback opts in?
  The privacy guarantee depends on PostHog not capturing page views, autocapture, or identifying data before consent is granted.
Notes
Automated review did not identify hardcoded secrets or injection risks in the shown diff. Manual review should focus on dependency reproducibility and privacy/consent behavior.
Path filtering: 1 file excluded by ignore paths. 2 of 3 files included in review.
Review: 0be0a05f | Model: openai/gpt-5.5 | Powered by Arcjet Review
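The pinning and lockfile questions raised in the review above can be turned into a CI check. This is an added example, not part of the PR or the project's code: the function names are hypothetical, the manifests are constructed samples, and it assumes an npm `package-lock.json` in the v2/v3 layout (a pnpm lockfile would need its own reader).

```javascript
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const NAMES = ["@playwright/test", "playwright"];
const parse = (v) => v.split("-")[0].split(".").map(Number);

// Minimal caret check for major >= 1 (enough for ^1.60.0): same major, not older than base.
// 0.x ranges have narrower semantics and are conservatively rejected here.
function satisfiesCaret(version, base) {
  const [a, b, c] = parse(version);
  const [x, y, z] = parse(base);
  if (x === 0 || a !== x) return false;
  return b > y || (b === y && c >= z);
}

// Hypothetical helper. Findings: "range" (spec is not an exact pin), "unlocked" (no
// lockfile entry), "lock-mismatch" (lockfile resolves to a version the spec disallows).
function auditPins(pkgJson, lockJson, names = NAMES) {
  const pkg = JSON.parse(pkgJson);
  const lock = lockJson ? JSON.parse(lockJson) : null;
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const findings = [];
  for (const name of names) {
    const spec = deps[name];
    if (spec === undefined) continue;
    const exact = EXACT.test(spec);
    if (!exact) findings.push({ name, issue: "range", detail: spec });
    // Assumption: package-lock.json v2/v3 layout, packages["node_modules/<name>"].version
    const resolved = lock?.packages?.[`node_modules/${name}`]?.version;
    if (!resolved) { findings.push({ name, issue: "unlocked", detail: spec }); continue; }
    const ok = exact
      ? resolved === spec
      : spec.startsWith("^") && satisfiesCaret(resolved, spec.slice(1));
    if (!ok) findings.push({ name, issue: "lock-mismatch", detail: `${spec} vs ${resolved}` });
  }
  return findings;
}

// Constructed sample: the specs from this PR, with a lockfile left partly stale.
const samplePkg = JSON.stringify({
  devDependencies: { "@playwright/test": "^1.60.0", playwright: "^1.60.0" },
});
const staleLock = JSON.stringify({ packages: {
  "node_modules/@playwright/test": { version: "1.58.2" },
  "node_modules/playwright": { version: "1.60.0" },
} });
console.log(auditPins(samplePkg, staleLock));
```

A non-empty result can fail the job, which covers both the caret-range flag and the case where the lockfile was not regenerated with the bump.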
1b6d8e2 to 4d9aa6b
Arcjet Review — 🟢 Low Risk
Decision: Approved
Rationale: Scope has narrowed since the previous review — the PostHog analytics consent change is no longer part of this diff, leaving only a Playwright dev dependency bump from 1.58.2 to ^1.60.0 to fix CI. Playwright is a dev-only test dependency, the change is well-scoped, and the repo presumably has a lockfile that pins the exact resolved version. The remaining concern (caret vs. exact pin) is minor and stylistic; downgrading severity and approving with an inline note.
Summary of Changes
Bumps @playwright/test and playwright dev dependencies from 1.58.2 to ^1.60.0 to fix CI. Dev-only dependency update.
Escalation Triggers
- Dependency Changes: package.json modified to bump Playwright versions
Notes
Previous review's PostHog/analytics consent concern is no longer present in the diff — scope is now limited to the Playwright bump. Assumes pnpm-lock/package-lock is updated in the PR (not shown via path filtering).
Path filtering: 1 file excluded by ignore paths. 1 of 2 files included in review.
Review: 8117c892 | Model: anthropic/claude-opus-4-7 | Powered by Arcjet Review
qw-in left a comment
Thanks! I would expect you'll need to regenerate some of the screenshots either locally or via the action to get it passing
2db4428 to 5a69049
Regenerated by .github/workflows/playwright-update.yml. Run: https://github.com/arcjet/arcjet-docs/actions/runs/27436061739