You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Dump full inlining information for higher optimization tiers in walltime so we can show more functions on the profiler. To test it out, set CODSPEED_WALLTIME_PROFILER=samply env variable in the codspeed action.
New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:
constcontext=awaitbrowser.newContext();// Seed a passkey your backend provisioned for a test user.awaitcontext.credentials.create('example.com',{id: credentialId,
userHandle,
privateKey,
publicKey,});awaitcontext.credentials.install();constpage=awaitcontext.newPage();awaitpage.goto('https://example.com/login');// The page's navigator.credentials.get() is answered with the seeded passkey.
You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.
New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.
Test runner
The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
Supported expect.soft.poll(...).
New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
This is a routine automated dependency update PR from Renovate Bot, bumping a wide range of dependencies across the stack: GitHub Actions (setup-node v6.3.0, mise-action v3.6.3, zizmor-action v0.5.2, codeql-action v4.32.6), Node.js packages (pnpm 10.32.1, vitest/vite 4.1.0/8.0.0 stable releases from beta, oxfmt, oxlint, undici, electron, node-addon-slsa), Rust crates (tempfile 3.27.0), Python tools (ruff, semgrep, pyrefly, zizmor), and various aqua-managed CLI tools (uv, gh, gitleaks, shfmt, nextest). All GitHub Action references continue to be pinned by full commit SHA, which is good practice for this repository.
Most changes are straightforward version bumps with no behavioral impact on the codebase itself.
Several beta versions (vitest, vite) graduate to stable releases — a positive change.
The packageManager field in package.json was updated to pnpm@10.32.1 but the SHA512 integrity hash that was present in the old value was dropped, removing Corepack's ability to verify the pnpm binary on download.
Confidence Score: 4/5
This PR is safe to merge; the only notable finding is a non-critical omission of the Corepack integrity hash for pnpm.
All changes are automated dependency bumps. GitHub Actions remain SHA-pinned, Dockerfile images are digest-pinned, and lock files are fully regenerated. The one notable point is the missing SHA512 hash in the packageManager field, which is a best-practice/supply-chain hygiene issue rather than an active vulnerability. Everything else is routine.
package.json — missing SHA512 hash in the packageManager field.
Important Files Changed
Filename
Overview
package.json
Updated pnpm to 10.32.1 but dropped the SHA512 integrity hash from the packageManager field, removing Corepack's ability to verify the binary's integrity on download.
Dockerfile
Updated docker/dockerfile syntax to 1.22 and manylinux_2_28 base image to a new digest. Both references are pinned by SHA256. No issues found.
Cargo.lock
Updated tempfile from 3.26.0 to 3.27.0 which pulls in getrandom 0.3.4 instead of 0.4.2, and resolves different windows-sys versions for various crates. Standard lock file update.
mise.toml
Updated gitleaks, uv, gh CLI, nextest, and mvdan/sh (shfmt) to newer patch/minor versions. No issues found.
pyproject.toml
Updated pyrefly, ruff, semgrep, and zizmor to newer versions. No issues found.
pnpm-workspace.yaml
Updated catalog versions for @vitest/coverage-istanbul, electron, oxfmt, oxlint, undici, vite, and vitest from beta/older versions to stable releases. No issues found.
The previous packageManager value included a +sha512 integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.
You can restore supply-chain integrity by running:
corepack use pnpm@10.32.1
This will update package.json with the correct hash for 10.32.1, e.g.:
Consider asking Renovate to preserve the hash when bumping the packageManager field (the pinDigests option may help, or a custom packageRules entry targeting packageManager).
Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 202
Comment:
**Missing Corepack integrity hash for pnpm**
The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.
You can restore supply-chain integrity by running:
```bash
corepack use pnpm@10.32.1
```
This will update `package.json` with the correct hash for 10.32.1, e.g.:
Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).
How can I resolve this? If you propose a fix, please make it concise.
Prompt To Fix All With AI
This is a comment left during a code review.
Path: package.json
Line: 202
Comment:
**Missing Corepack integrity hash for pnpm**
The previous `packageManager` value included a `+sha512` integrity hash that Corepack uses to cryptographically verify the pnpm binary on download. The new value omits this hash entirely, so Corepack will skip integrity verification when bootstrapping pnpm from this field.
You can restore supply-chain integrity by running:
```bash
corepack use pnpm@10.32.1
```
This will update `package.json` with the correct hash for 10.32.1, e.g.:
```suggestion "packageManager": "pnpm@10.32.1+sha512.<hash-for-10.32.1>",```
Consider asking Renovate to preserve the hash when bumping the `packageManager` field (the [`pinDigests`](https://docs.renovatebot.com/configuration-options/#pindigests) option may help, or a custom `packageRules` entry targeting `packageManager`).
How can I resolve this? If you propose a fix, please make it concise.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore pypi/zizmor@1.26.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: pypi zizmor is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore pypi/zizmor@1.26.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.4.0→5.7.11.60.0→1.61.125.9.1→25.9.425.9.54.1.7→4.1.94.1.10v4.15.1→v4.18.1v4.18.5(+2)v4.1.0→v4.1.1v4.1.0→v4.1.1v5.0.5→v5.1.0v6.0.2→v6.0.31.0.102→1.0.1031.44.0→1.46.00.70.0→0.72.00.11.16→0.11.260.11.28(+1)1.19.1→1.20.12.92.0→2.96.01.46.3→1.48.01.11.1→1.12.01.12.1v6.0.1→v6.0.2v7.2.0→v7.3.01.24→1.25v4.2.0→v4.3.0v4.4.0v4.1.0→v4.2.042.2.0→42.5.242.6.1(+1)2.1.1→2.2.0v4.36.0→v4.36.3v4.37.00.19.7→0.19.90.20.24.53.2→v4.53.30.9.136→0.9.1380.9.140v2026.5.15→v2026.7.0v2026.7.5(+4)v4.0.1→v4.2.00.22.1→0.23.02.11.2→2.12.224.15.0→24.18.011.2.2→11.9.011.11.0(+1)0.51.0→0.57.00.58.01.66.0→1.72.01.73.011.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f→11.9.011.11.0(+1)==1.0.0→==1.1.13.14.5→3.14.665f13b3→c0cc0741.12.3→1.12.41.13.0==0.15.14→==0.15.200.15.21nightly-2026-05-24→nightly-2026-07-03nightly-2026-07-09(+5)nightly-2026-05-24→nightly-2026-07-02nightly-2026-07-09(+6)4.22.3→4.22.54.23.08.3.0→8.6.08.7.08.3.0→8.6.08.7.08.0.14→8.1.38.1.45.0.1→5.0.34.1.7→4.1.94.1.10==1.25.2→==1.26.1v0.5.6→v0.5.7Release Notes
CodSpeedHQ/codspeed-node (@codspeed/vitest-plugin)
v5.7.1Compare Source
What's Changed
Full Changelog: CodSpeedHQ/codspeed-node@v5.7.0...v5.7.1
v5.7.0Compare Source
Highlights
CODSPEED_WALLTIME_PROFILER=samplyenv variable in the codspeed action.What's Changed
Full Changelog: CodSpeedHQ/codspeed-node@v5.6.0...v5.7.0
v5.6.0Compare Source
What's Changed
Full Changelog: CodSpeedHQ/codspeed-node@v5.5.0...v5.6.0
v5.5.0Compare Source
Highlights
We are introducing
@codspeed/playwright, for walltime benchmarking and profiling of end to end browser applications through playwright.Here's an example usage, but head to the docs for more information
Note: this plugin is only compatible with the walltime instrument.
What's Changed
Full Changelog: CodSpeedHQ/codspeed-node@v5.4.0...v5.5.0
microsoft/playwright (@playwright/test)
v1.61.1Compare Source
v1.61.0Compare Source
🔑 WebAuthn passkeys
New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer
navigator.credentials.create()/navigator.credentials.get()ceremonies in the page — no real hardware key required, works in all browsers:You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.
🗃️ Web Storage
New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:
New APIs
Network
Browser and Screencast
artifactsDirin browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.cursorin screencast.showActions() controls the cursor decoration rendered for pointer actions.onFramecallback in screencast.start() now receives atimestampof when the frame was presented by the browser.Test runner
trace: new'on-all-retries','retain-on-first-failure'and'retain-on-failure-and-retries'values. See the video modes table for which runs are recorded and kept in each mode.expect.soft.poll(...).process.argvfrom the runner process, handy for reading custom arguments passed after the--separator.AggregateErroras a separate entry.-Gcommand line shorthand for--grep-invert.🛠️ Other improvements
Browser Versions
This version was also tested against the following stable channels:
vitest-dev/vitest (@vitest/coverage-istanbul)
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
v4.1.8Compare Source
🐞 Bug Fixes
cdpAPI whenallowWrite/allowExec: false[backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)View changes on GitHub
CodSpeedHQ/action (CodSpeedHQ/action)
v4.18.1Compare Source
Release Notes
🚀 Features
Install codspeed-runner 4.18.1
Install prebuilt binaries via shell script
Download codspeed-runner 4.18.1
Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md
v4.18.0Compare Source
Release Notes
🚀 Features
🐛 Bug Fixes
Install codspeed-runner 4.18.0
Install prebuilt binaries via shell script
Download codspeed-runner 4.18.0
Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md
v4.17.6Compare Source
Release Notes
🚀 Features
PerfEventto also support samply format by @GuillaumeLagrange🐛 Bug Fixes
💼 Other
🏗️ Refactor
📚 Documentation
⚙️ Internals
Install codspeed-runner 4.17.6
Install prebuilt binaries via shell script
Download codspeed-runner 4.17.6
Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md
Full Changelog: CodSpeedHQ/action@v4.17.5...v4.17.6
v4.17.5Compare Source
Release Notes
This release bundles all runner changes from
4.17.1through4.17.5.🚀 Features
modearg to target setup by @fargito in #397🐛 Bug Fixes
💼 Other
🏗️ Refactor
⚙️ Internals
Install codspeed-runner 4.17.5
Install prebuilt binaries via shell script
Download codspeed-runner 4.17.5
Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md
Full Changelog: CodSpeedHQ/action@v4.17.0...v4.17.5
v4.17.0Compare Source
Release Notes
🚀 Features
🐛 Bug Fixes
💼 Other
🏗️ Refactor
🧪 Testing
⚙️ Internals
Install codspeed-runner 4.17.0
Install prebuilt binaries via shell script
Download codspeed-runner 4.17.0
Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md
Full Changelog: CodSpeedHQ/action@v4.15.1...v4.17.0
actions/attest (actions/attest)
v4.1.1[Comp