chore(deps): update playwright monorepo 1.58.1

[colinaaa]

Summary by CodeRabbit

• Chores
  • Updated Playwright testing framework from v1.57.0 to v1.58.1 across multiple packages.
  • Updated Model Context Protocol SDK from v1.20.0 to v1.25.2 in MCP server packages.
  • Updated undici HTTP client from v6.22.0 to v6.23.0.
  • Updated GitHub Actions workflow container image to Playwright v1.58.1.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Checklist

• Tests updated (or not required).
• Documentation updated (or not required).
• Changeset added, and when a BREAKING CHANGE occurs, it needs to be clearly marked (or not required).

[changeset-bot]

⚠️ No Changeset found

Latest commit: c115957

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (3)

• packages/web-platform/web-elements/tests/web-elements.spec.ts-snapshots/x-input/style-background-color/initial-webkit-linux.png is excluded by !**/*.png
• packages/web-platform/web-elements/tests/web-elements.spec.ts-snapshots/x-input/style-inherit-color/initial-webkit-linux.png is excluded by !**/*.png
• packages/web-platform/web-elements/tests/web-elements.spec.ts-snapshots/x-input/style-inherit-margin/initial-webkit-linux.png is excluded by !**/*.png

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

📝 Walkthrough

Walkthrough

This PR updates Playwright test dependencies from v1.57.0 to v1.58.1 across multiple web-platform packages, upgrades the Playwright container image in the GitHub Actions workflow, and bumps the MCP SDK and undici dependencies to newer versions.

Changes

Cohort / File(s)	Summary
Playwright Test Dependencies packages/web-platform/playwright-fixtures/package.json, packages/web-platform/web-core-wasm-e2e/package.json, packages/web-platform/web-elements/package.json, packages/web-platform/web-tests/package.json	@playwright/test updated from ^1.57.0 to ^1.58.1 across dev and peer dependencies.
MCP Server SDK Dependencies packages/mcp-servers/devtool-mcp-server/package.json, packages/mcp-servers/docs-mcp-server/package.json	@modelcontextprotocol/sdk updated from ^1.20.0 to ^1.25.2.
Additional Dependencies packages/mcp-servers/docs-mcp-server/package.json	undici updated from ^6.22.0 to ^6.23.0.
GitHub Actions Workflow .github/workflows/workflow-test.yml	Playwright container image bumped from mcr.microsoft.com/playwright:v1.57.0-noble to mcr.microsoft.com/playwright:v1.58.1-noble.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• chore: add playwright fixtures package with initial configuration and … #2050: Main PR updating Playwright test dependencies and Playwright package versions across web-platform packages
• chore: use docker container to run playwright test to boost ci #1329: Updates GitHub Actions workflow to run Playwright container jobs
• chore(renovate): group Playwright #1854: Adds Renovate automation for detecting and updating Playwright Docker image references in workflows

Suggested labels

platform:Web

Suggested reviewers

• PupilTong
• Sherry-hue

Poem

🐰 Hopping through versions with glee,
Playwright and SDKs dance merrily,
From one point five-seven, we leap to five-eight,
Dependencies fresh—oh, how we celebrate!
Modern tools keep our tests running great! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating Playwright dependencies across multiple packages to version 1.58.1, which is the primary focus of all file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/workflow-test.yml:
- Line 45: Replace the mutable tag reference under the image: key that uses
'mcr.microsoft.com/playwright:v1.58.1-noble' with an immutable digest-pinned
reference; obtain the digest by pulling the image (docker pull
mcr.microsoft.com/playwright:v1.58.1-noble) and inspecting the repo digest
(docker image inspect --format '{{index .RepoDigests 0}}'
mcr.microsoft.com/playwright:v1.58.1-noble), then update the expression that
sets image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' ||
null }} to use the returned digest string in place of the tag.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/workflow-test.yml

Repository: lynx-family/lynx-stack

Length of output: 101

---

🏁 Script executed:

cat -n .github/workflows/workflow-test.yml | sed -n '40,50p'

Repository: lynx-family/lynx-stack

Length of output: 484

---

🏁 Script executed:

# Search for all container image references to understand the pattern used
rg 'image:' .github/workflows/workflow-test.yml -A 1 -B 1

Repository: lynx-family/lynx-stack

Length of output: 181

---

🏁 Script executed:

# Check if there are any other container images in the repository to see what pattern is used
rg 'image:' .github/workflows/ -A 1 | head -30

Repository: lynx-family/lynx-stack

Length of output: 238

---

🌐 Web query:

mcr.microsoft.com/playwright:v1.58.1-noble mutable tag digest pinning container security

💡 Result:

• Yes, mcr.microsoft.com/playwright:v1.58.1-noble is a tag, and tags are not inherently immutable. In container registries, a tag can be moved to point at a different manifest digest unless the registry/repository enforces immutability. Microsoft’s own Azure Container Registry docs state that tagged images are mutable by default (unless you explicitly lock/prevent writes). [1]

• For supply-chain/container security, prefer digest pinning (immutable reference), e.g. mcr.microsoft.com/playwright@sha256:<digest>, because a digest identifies the exact image content you reviewed/scanned. Microsoft’s container registry concepts doc explicitly describes pulling by manifest digest. [2]

• How to get and pin the digest (CLI):

  docker pull mcr.microsoft.com/playwright:v1.58.1-noble
  docker image inspect --format '{{index .RepoDigests 0}}' mcr.microsoft.com/playwright:v1.58.1-noble
  # then use the printed value in FROM / deployments, e.g.
  # FROM mcr.microsoft.com/playwright@sha256:...

  (Equivalent: docker buildx imagetools inspect mcr.microsoft.com/playwright:v1.58.1-noble to see per-arch digests.)

• Extra Playwright-specific security note: the Playwright Docker docs warn the image is intended for testing/dev and recommend additional hardening (e.g., non-root + seccomp) especially when visiting untrusted sites. [3]

Sources: [1] Microsoft Learn (ACR: tagged images mutable by default) (learn.microsoft.com), [2] Microsoft Learn (pull by digest) (learn.microsoft.com), [3] Playwright Docker docs (security notes & recommendations) (playwright.dev)

Citations:

• 1: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-image-lock?utm_source=openai
• 2: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-concepts?utm_source=openai
• 3: https://playwright.dev/docs/docker?utm_source=openai

---

Pin the Playwright container image by digest.

Line 45 uses a mutable tag reference. Tags can be re-pushed to point to different image content, creating a supply-chain risk. Replace with an immutable digest pin:

Example format

-      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' || null }}
+      image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright@sha256:<digest>' || null }}

To find the digest: docker pull mcr.microsoft.com/playwright:v1.58.1-noble && docker image inspect --format '{{index .RepoDigests 0}}' mcr.microsoft.com/playwright:v1.58.1-noble

🧰 Tools

🪛 GitHub Check: zizmor

[failure] 45-45:
unpinned image references

🤖 Prompt for AI Agents

In @.github/workflows/workflow-test.yml at line 45, Replace the mutable tag
reference under the image: key that uses
'mcr.microsoft.com/playwright:v1.58.1-noble' with an immutable digest-pinned
reference; obtain the digest by pulling the image (docker pull
mcr.microsoft.com/playwright:v1.58.1-noble) and inspecting the repo digest
(docker image inspect --format '{{index .RepoDigests 0}}'
mcr.microsoft.com/playwright:v1.58.1-noble), then update the expression that
sets image: ${{ inputs.is-web && 'mcr.microsoft.com/playwright:v1.58.1-noble' ||
null }} to use the returned digest string in place of the tag.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[codspeed-hq]

CodSpeed Performance Report

Merging this PR will not alter performance

_{Comparing colinaaa:colin/0201/playwright (c115957) with main (6ec0b1d)}

Summary

✅ 63 untouched benchmarks
⏩ 3 skipped benchmarks¹

Footnotes

1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[relativeci]

Web Explorer

#7518 Bundle Size — 383.67KiB (0%).

c115957(current) vs 6ec0b1d main#7517(baseline)

Bundle metrics   1 change

	Current #7518	Baseline #7517
Initial JS	154.83KiB	154.83KiB
Initial CSS	35.05KiB	35.05KiB
Cache Invalidation	0%	0%
Chunks	8	8
Assets	8	8
Modules	238(-0.42%)	239
Duplicate Modules	16	16
Duplicate Code	2.99%	2.99%
Packages	4	4
Duplicate Packages	0	0

Bundle size by type  no changes

	Current #7518	Baseline #7517
JS	252.78KiB	252.78KiB
Other	95.85KiB	95.85KiB
CSS	35.05KiB	35.05KiB

Bundle analysis report Branch colinaaa:colin/0201/playwright Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}