playwright-core
A high-level API to automate web browsers
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/vite/traceViewer/index.BCnMPevh.js | AI (source-diff): Vite-bundled trace viewer entry; standard minified build output. | ai | |
| source-diff | net-exec-file:lib/vite/traceViewer/assets/defaultSettingsView-D31xz8zv.js | AI (source-diff): Bundled React app with fetch for modulepreload; not malicious network+exec. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/defaultSettingsView-D31xz8zv.js | AI (source-diff): Vite-bundled React UI; standard minified build output for this package. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/codeMirrorModule-Ds_H_9Yq.js | AI (source-diff): Vite-bundled CodeMirror; standard minified build output for this package. | ai | |
| source-diff | obfuscated-file:lib/vite/recorder/assets/codeMirrorModule-BHYmBp6h.js | AI (source-diff): Vite-bundled CodeMirror; standard minified build output for this package. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/uiMode.C2Efnu2P.js | AI (source-diff): Vite-bundled UI mode entry; standard minified build output. | ai | |
| source-diff | obfuscated-file:lib/vite/dashboard/assets/index-DpEq2p62.js | AI (source-diff): Vite-bundled React UI; standard minified build output for this package. | ai | |
| source-diff | obfuscated-file:lib/vite/recorder/assets/index-DA10QRaq.js | AI (source-diff): Vite-bundled React UI; standard minified build output for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the legitimate namespace-reservation stub for the canonical Playwright package, published 6+ years ago with 50.7M weekly downloads across 5458 versions. | ai | |
| provenance | no-provenance | AI (provenance): playwright-core is an established Microsoft package predating Sigstore provenance adoption on npm; absence of attestation is expected for this version. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Constructs a localhost URL (127.0.0.1) for an internal HTTP server — standard practice for Playwright's local browser automation server. | ai | |
| install-scripts | install-script:install | AI (install-scripts): playwright-core's install script downloads browser binaries — this is the package's documented and expected install flow, stable across all versions. | ai | |
| semgrep | semgrep:http-module-request | AI (semgrep): HTTP requests in browserFetcher.js are used to download browser binaries from CDN — core functionality of this browser automation package, not exfiltration. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/index.Dtstcb7U.js | AI (source-diff): Vite-bundled frontend asset for Playwright Trace Viewer UI. Hash-suffixed filenames are standard Vite content-hash output. Code is minified React/UI code, not malicious obfuscation. | ai | |
| bogus-package | bogus-package | AI (bogus-package): playwright-core is a large Microsoft framework; no keywords and no declared deps are structural choices, not spam indicators. README is at playwright.dev. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): PrintDeps.exe is a documented Playwright utility for inspecting Windows DLL dependencies during browser binary management. Legitimate and stable across versions. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decode in utilsBundleImpl is part of bundled dotenv/debug string parsing logic, not malicious payload handling. False positive for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning child processes is core to Playwright's browser automation functionality. Confirmed legitimate use in debug mode launcher. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/codeMirrorModule-DS0FLvoc.js | AI (source-diff): Vite-bundled frontend asset for Playwright's Trace Viewer UI. Minified CodeMirror editor code — expected for this package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in bundled zod library — standard JS metaprogramming, not evasion. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Environment enumeration in a bundled utility — standard config/logging behavior in this framework. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require used to load package.json from browser reference directories — benign metadata reading. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding used for WebSocket message handling between browser page and Playwright server — expected protocol behavior. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used in javascript.js for JS expression validation before evaluation — legitimate use in a browser automation tool. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env when spawning browser child processes is standard and expected for a browser automation framework. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Playwright-core must launch browser processes via child_process — this is core functionality, not malicious. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/uiMode.Vipi55dB.js | AI (source-diff): Vite-bundled UI mode asset for Playwright's Trace Viewer. Minification is expected for browser-targeted build output. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/index.C5466mMT.js | AI (source-diff): Vite-bundled Trace Viewer entry point. Minified output is expected for browser-targeted assets in this package. | ai | |
| source-diff | net-exec-file:lib/vite/traceViewer/assets/defaultSettingsView-GTWI-W_B.js | AI (source-diff): Network calls are Vite modulepreload polyfill (fetch) and React rendering — standard frontend bundle behavior, not dropper malware. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/defaultSettingsView-GTWI-W_B.js | AI (source-diff): Vite-bundled React frontend asset for Playwright's Trace Viewer UI. Minification is expected for browser-targeted build output. | ai |
Versions (showing 35 of 135)
| Version | Deps | Published |
|---|---|---|
| 1.19.0 | 16 / 0 | |
| 1.18.1 | 16 / 0 | |
| 1.18.0 | 16 / 0 | |
| 1.17.2 | 16 / 0 | |
| 1.17.1 | 16 / 0 | |
| 1.17.0 | 16 / 0 | |
| 1.16.3 | 16 / 0 | |
| 1.16.2 | 16 / 0 | |
| 1.16.1 | 16 / 0 | |
| 1.16.0 | 16 / 0 | |
| 1.13.0 | 14 / 0 | |
| 1.11.1 | 14 / 0 | |
| 1.5.0 | 11 / 0 | |
| 1.2.1 | 11 / 0 | |
| 1.0.2 | 10 / 26 | |
| 1.0.1 | 10 / 26 | |
| 1.0.0 | 10 / 26 | |
| 0.18.0 | 10 / 26 | |
| 0.17.0 | 10 / 26 | |
| 0.16.0 | 10 / 26 | |
| 0.15.0 | 10 / 25 | |
| 0.14.0 | 10 / 25 | |
| 0.13.0 | 10 / 25 | |
| 0.12.1 | 9 / 24 | |
| 0.12.0 | 9 / 24 | |
| 0.11.1 | 10 / 24 | |
| 0.11.0 | 10 / 24 | |
| 0.10.0 | 11 / 25 | |
| 0.9.24 | 11 / 25 | |
| 0.9.23 | 11 / 25 | |
| 0.9.22 | 11 / 25 | |
| 0.9.21 | 11 / 25 | |
| 0.9.19 | 10 / 24 | |
| 0.9.18 | 10 / 24 | |
| 0.0.0 | 0 / 0 |
v1.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.1
2 findingsScript: node install.js
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.23
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.22
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.21
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.19
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.18
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.