← Home

playwright-core

npm Repository Homepage

A high-level API to automate web browsers

100
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

pavelfeldmanyurysdgozman-msplaywright-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:lib/vite/traceViewer/index.BCnMPevh.js AI (source-diff): Vite-bundled trace viewer entry; standard minified build output. ai
source-diff net-exec-file:lib/vite/traceViewer/assets/defaultSettingsView-D31xz8zv.js AI (source-diff): Bundled React app with fetch for modulepreload; not malicious network+exec. ai
source-diff obfuscated-file:lib/vite/traceViewer/assets/defaultSettingsView-D31xz8zv.js AI (source-diff): Vite-bundled React UI; standard minified build output for this package. ai
source-diff obfuscated-file:lib/vite/traceViewer/assets/codeMirrorModule-Ds_H_9Yq.js AI (source-diff): Vite-bundled CodeMirror; standard minified build output for this package. ai
source-diff obfuscated-file:lib/vite/recorder/assets/codeMirrorModule-BHYmBp6h.js AI (source-diff): Vite-bundled CodeMirror; standard minified build output for this package. ai
source-diff obfuscated-file:lib/vite/traceViewer/uiMode.C2Efnu2P.js AI (source-diff): Vite-bundled UI mode entry; standard minified build output. ai
source-diff obfuscated-file:lib/vite/dashboard/assets/index-DpEq2p62.js AI (source-diff): Vite-bundled React UI; standard minified build output for this package. ai
source-diff obfuscated-file:lib/vite/recorder/assets/index-DA10QRaq.js AI (source-diff): Vite-bundled React UI; standard minified build output for this package. ai
npm-metadata suspicious-initial-version AI (npm-metadata): 0.0.0 is the legitimate namespace-reservation stub for the canonical Playwright package, published 6+ years ago with 50.7M weekly downloads across 5458 versions. ai
provenance no-provenance AI (provenance): playwright-core is an established Microsoft package predating Sigstore provenance adoption on npm; absence of attestation is expected for this version. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Constructs a localhost URL (127.0.0.1) for an internal HTTP server — standard practice for Playwright's local browser automation server. ai
install-scripts install-script:install AI (install-scripts): playwright-core's install script downloads browser binaries — this is the package's documented and expected install flow, stable across all versions. ai
semgrep semgrep:http-module-request AI (semgrep): HTTP requests in browserFetcher.js are used to download browser binaries from CDN — core functionality of this browser automation package, not exfiltration. ai
source-diff obfuscated-file:lib/vite/traceViewer/index.Dtstcb7U.js AI (source-diff): Vite-bundled frontend asset for Playwright Trace Viewer UI. Hash-suffixed filenames are standard Vite content-hash output. Code is minified React/UI code, not malicious obfuscation. ai
bogus-package bogus-package AI (bogus-package): playwright-core is a large Microsoft framework; no keywords and no declared deps are structural choices, not spam indicators. README is at playwright.dev. ai
npm-metadata bundled-binaries AI (npm-metadata): PrintDeps.exe is a documented Playwright utility for inspecting Windows DLL dependencies during browser binary management. Legitimate and stable across versions. ai
semgrep semgrep:hex-decode AI (semgrep): Hex decode in utilsBundleImpl is part of bundled dotenv/debug string parsing logic, not malicious payload handling. False positive for this package. ai
semgrep semgrep:child-process-spawn AI (semgrep): Spawning child processes is core to Playwright's browser automation functionality. Confirmed legitimate use in debug mode launcher. ai
source-diff obfuscated-file:lib/vite/traceViewer/assets/codeMirrorModule-DS0FLvoc.js AI (source-diff): Vite-bundled frontend asset for Playwright's Trace Viewer UI. Minified CodeMirror editor code — expected for this package. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() in bundled zod library — standard JS metaprogramming, not evasion. ai
semgrep semgrep:env-bulk-read AI (semgrep): Environment enumeration in a bundled utility — standard config/logging behavior in this framework. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require used to load package.json from browser reference directories — benign metadata reading. ai
semgrep semgrep:base64-decode AI (semgrep): Base64 decoding used for WebSocket message handling between browser page and Playwright server — expected protocol behavior. ai
semgrep semgrep:new-function-constructor AI (semgrep): Used in javascript.js for JS expression validation before evaluation — legitimate use in a browser automation tool. ai
semgrep semgrep:env-spread AI (semgrep): Spreading process.env when spawning browser child processes is standard and expected for a browser automation framework. ai
semgrep semgrep:child-process-import AI (semgrep): Playwright-core must launch browser processes via child_process — this is core functionality, not malicious. ai
source-diff obfuscated-file:lib/vite/traceViewer/uiMode.Vipi55dB.js AI (source-diff): Vite-bundled UI mode asset for Playwright's Trace Viewer. Minification is expected for browser-targeted build output. ai
source-diff obfuscated-file:lib/vite/traceViewer/index.C5466mMT.js AI (source-diff): Vite-bundled Trace Viewer entry point. Minified output is expected for browser-targeted assets in this package. ai
source-diff net-exec-file:lib/vite/traceViewer/assets/defaultSettingsView-GTWI-W_B.js AI (source-diff): Network calls are Vite modulepreload polyfill (fetch) and React rendering — standard frontend bundle behavior, not dropper malware. ai
source-diff obfuscated-file:lib/vite/traceViewer/assets/defaultSettingsView-GTWI-W_B.js AI (source-diff): Vite-bundled React frontend asset for Playwright's Trace Viewer UI. Minification is expected for browser-targeted build output. ai

Versions (showing 100 of 414)

Hide prereleases
Version Deps Published
1.19.0 16 / 0
1.18.1 16 / 0
1.18.0 16 / 0
1.17.2 16 / 0
1.17.1 16 / 0
1.17.0 16 / 0
1.16.3 16 / 0
1.16.2 16 / 0
1.16.1 16 / 0
1.16.0 16 / 0
1.13.0 14 / 0
1.11.1 14 / 0
1.5.0 11 / 0
1.2.1 11 / 0
1.0.2 10 / 26
1.0.1 10 / 26
1.0.0 10 / 26
0.18.0 10 / 26
0.17.0 10 / 26
0.16.0 10 / 26
0.15.0 10 / 25
0.14.0 10 / 25
0.13.0 10 / 25
0.12.1 9 / 24
0.12.0 9 / 24
0.11.1 10 / 24
0.11.0 10 / 24
0.10.0 11 / 25
0.9.24 11 / 25
0.9.23 11 / 25
0.9.22 11 / 25
0.9.21 11 / 25
0.9.19 10 / 24
0.9.18 10 / 24
0.0.0 0 / 0
1.60.0-alpha-2026-04-22 0 / 0
1.60.0-alpha-2026-04-21 0 / 0
1.60.0-alpha-2026-04-20 0 / 0
1.60.0-alpha-2026-04-19 0 / 0
1.60.0-alpha-2026-04-18 0 / 0
1.60.0-alpha-2026-04-17 0 / 0
1.60.0-alpha-2026-04-16 0 / 0
1.60.0-alpha-2026-04-15 0 / 0
1.60.0-alpha-2026-04-14 0 / 0
1.60.0-alpha-2026-04-13 0 / 0
1.60.0-alpha-2026-04-11 0 / 0
1.60.0-alpha-2026-04-10 0 / 0
1.60.0-alpha-2026-04-09 0 / 0
1.60.0-alpha-2026-04-08 0 / 0
1.60.0-alpha-2026-04-07 0 / 0
1.60.0-alpha-2026-04-06 0 / 0
1.60.0-alpha-2026-04-05 0 / 0
1.60.0-alpha-2026-04-04 0 / 0
1.60.0-alpha-2026-04-03 0 / 0
1.60.0-alpha-2026-04-02 0 / 0
1.60.0-alpha-2026-04-01 0 / 0
1.60.0-alpha-2026-03-31 0 / 0
1.60.0-alpha-1776382637000 0 / 0
1.60.0-alpha-1776364014000 0 / 0
1.60.0-alpha-1776125391000 0 / 0
1.60.0-alpha-1776119671000 0 / 0
1.60.0-alpha-1775951570000 0 / 0
1.60.0-alpha-1775931579000 0 / 0
1.60.0-alpha-1775752697000 0 / 0
1.60.0-alpha-1775674864000 0 / 0
1.60.0-alpha-1775584683000 0 / 0
1.60.0-alpha-1775258971000 0 / 0
1.60.0-alpha-1775237291000 0 / 0
1.60.0-alpha-1775180302000 0 / 0
1.60.0-alpha-1775061447000 0 / 0
1.60.0-alpha-1775059755000 0 / 0
1.60.0-alpha-1774999321000 0 / 0
1.59.1-beta-1775762078000 0 / 0
1.59.1-beta-1775752988000 0 / 0
1.59.1-beta-1775097386000 0 / 0
1.59.1-beta-1775063275000 0 / 0
1.59.0-beta-1775061558000 0 / 0
1.59.0-beta-1775060947000 0 / 0
1.59.0-beta-1774999371000 0 / 0
1.59.0-beta-1774995564000 0 / 0
1.59.0-beta-1774990462000 0 / 0
1.59.0-beta-1774983340000 0 / 0
1.59.0-beta-1774974568000 0 / 0
1.59.0-beta-1774973666000 0 / 0
1.59.0-beta-1774969283000 0 / 0
1.59.0-beta-1774960396000 0 / 0
1.59.0-beta-1774957992000 0 / 0
1.59.0-beta-1774952471000 0 / 0
1.59.0-beta-1774918830000 0 / 0
1.59.0-beta-1774915887000 0 / 0
1.59.0-alpha-2026-03-30 0 / 0
1.59.0-alpha-2026-03-29 0 / 0
1.59.0-alpha-2026-03-28 0 / 0
1.59.0-alpha-2026-03-27 0 / 0
1.59.0-alpha-2026-03-26 0 / 0
1.59.0-alpha-2026-03-25 0 / 0
1.59.0-alpha-2026-03-24 0 / 0
1.59.0-alpha-2026-03-23 0 / 0
1.59.0-alpha-2026-03-22 0 / 0
1.59.0-alpha-2026-03-21 0 / 0
Showing 100 of 414 Next page →

v1.19.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.18.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.18.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.17.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.16.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.13.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.11.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.1

2 findings
HIGH Package has 'install' script install-scripts

Script: node install.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.18.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.15.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.14.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.13.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.11.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.24

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.23

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.22

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.21

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.19

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.9.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.