Conversation

@dominic-clerk dominic-clerk commented Oct 29, 2025

Description

The actual Clerk packages are not affected by this vulnerability.

Playwright fetches executable files over insecure connections during its installation and opens up developer machines to MITM attacks.

GHSA-7mvr-c777-76hp

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Chores
    • Updated devDependency @playwright/test to ^1.56.1 in root and testing package manifests.
    • Added a placeholder changeset entry.
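As an added check (example code written for this page, not part of this PR or of the Clerk or Playwright projects), the script below shows the verification a reviewer would want after a dependency bump like this one: a range such as ^1.44.0 in package.json only sets a lower bound, so the question is whether the lockfile actually resolves @playwright/test to a release at or above the fixed version. The fixed version 1.56.1 and the pre-bump ranges ^1.44.0 and ^1.54.1 are taken from the PR; the manifest objects and the resolved versions fed to the audit are constructed sample input, and the function names are this example's own.

```javascript
// Added example, not code from the Clerk repository or from Playwright.
// Checks whether each manifest's @playwright/test range, and the version the
// lockfile resolves it to, is at or above the release that fixes
// CVE-2025-59288 (GHSA-7mvr-c777-76hp). 1.56.1 comes from the PR; every
// manifest and resolved version below is constructed for the demo.

const FIXED_VERSION = '1.56.1';

// Parse "1.56.1", "^1.44.0", "~1.54.1" or a pnpm-lock key like "1.56.1(...)"
// into [major, minor, patch]. For caret/tilde ranges only the lower bound is
// read: "^1.44.0" still admits 1.44.0, so the range proves nothing on its own.
function parseVersion(spec) {
  const m = /^[\^~>=]*\s*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isFixed(version) {
  return compareVersions(version, FIXED_VERSION) >= 0;
}

// manifests: { "<path>": { devDependencies: { "@playwright/test": "<range>" } } }
// resolved:  { "<path>": "<version the lockfile resolves @playwright/test to>" }
// Returns one finding per manifest whose declared range or resolved version is
// still below the fix, or whose resolution is missing (unconfirmed install).
function auditPlaywright(manifests, resolved) {
  const findings = [];
  for (const [path, manifest] of Object.entries(manifests)) {
    const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
    const range = deps['@playwright/test'];
    if (!range) continue;
    const locked = resolved[path];
    const reasons = [];
    if (!isFixed(range)) reasons.push(`declared range ${range} admits versions below ${FIXED_VERSION}`);
    if (locked && !isFixed(locked)) reasons.push(`lockfile resolves ${locked}, below ${FIXED_VERSION}`);
    if (!locked) reasons.push('no lockfile resolution found; installed version unconfirmed');
    if (reasons.length) findings.push({ path, range, locked: locked || null, reasons });
  }
  return findings;
}

// Constructed sample: the two manifests this PR touches, before the bump
// (ranges as quoted in the PR's title check) and after it. The resolved
// versions are invented for the demo, not read from the real lockfile.
const before = {
  manifests: {
    'package.json': { devDependencies: { '@playwright/test': '^1.44.0' } },
    'packages/testing/package.json': { devDependencies: { '@playwright/test': '^1.54.1' } },
  },
  resolved: { 'package.json': '1.54.1', 'packages/testing/package.json': '1.54.1' },
};
const after = {
  manifests: {
    'package.json': { devDependencies: { '@playwright/test': '^1.56.1' } },
    'packages/testing/package.json': { devDependencies: { '@playwright/test': '^1.56.1' } },
  },
  resolved: { 'package.json': '1.56.1', 'packages/testing/package.json': '1.56.1' },
};

for (const f of auditPlaywright(before.manifests, before.resolved)) {
  console.log(`VULNERABLE ${f.path}: ${f.reasons.join('; ')}`);
}
console.log(`after bump: ${auditPlaywright(after.manifests, after.resolved).length} findings`);
```

To run it against a real checkout, pass `JSON.parse` of each package.json as the manifests map and, as the resolved map, the version pnpm reports for @playwright/test (`pnpm why @playwright/test`, or the corresponding entry in pnpm-lock.yaml). A clean result means every manifest both declares and resolves a version at or above 1.56.1; a finding with "no lockfile resolution found" means the range was bumped but the install was never confirmed.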


changeset-bot bot commented Oct 29, 2025

🦋 Changeset detected

Latest commit: fc7e17c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



vercel bot commented Oct 29, 2025


  • Project: clerk-js-sandbox — Deployment: Ready — Preview: Ready — Comments: Preview Comment — Updated (UTC): Oct 29, 2025 8:33am


coderabbitai bot commented Oct 29, 2025

Walkthrough

Bumps the @playwright/test devDependency to ^1.56.1 in the repository root and packages/testing, and adds a new empty changeset file .changeset/easy-papers-drop.md.

Changes

  • Playwright Test Dependency Bump (package.json, packages/testing/package.json): Updated devDependency @playwright/test to ^1.56.1 in root and testing package manifests.
  • New Changeset (.changeset/easy-papers-drop.md): Added a new (placeholder/empty) changeset file.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

  • Check consistency of the version across manifests.
  • Confirm the changeset content is intentional (currently empty/placeholder).

Poem

🐰
Hops and keys, a tiny bump tonight,
Playwright steps forward, neat and light.
A change file dropped, small and true,
Tests await with skies of blue. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check ✅ Passed: The PR title "chore(repo): Update playwright to fix CVE-2025-59288" accurately reflects the primary changes in the changeset, which are updates to @playwright/test from versions ^1.44.0 to ^1.56.1 and ^1.54.1 to ^1.56.1 across two package.json files. The title is concise, specific, and clearly communicates that the PR is a dependency upgrade addressing a known security vulnerability. The conventional chore prefix and the CVE reference provide meaningful context that would help developers scanning history understand the intent of the change.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2025: Entity not found: Issue - Could not find referenced Issue.


@dominic-clerk dominic-clerk changed the title from "security(repo): Update playwright to fix CVE-2025-59288" to "chore(repo): Update playwright to fix CVE-2025-59288" Oct 29, 2025

pkg-pr-new bot commented Oct 29, 2025


Preview builds published for this PR:

  • @clerk/agent-toolkit: npm i https://pkg.pr.new/@clerk/agent-toolkit@7089
  • @clerk/astro: npm i https://pkg.pr.new/@clerk/astro@7089
  • @clerk/backend: npm i https://pkg.pr.new/@clerk/backend@7089
  • @clerk/chrome-extension: npm i https://pkg.pr.new/@clerk/chrome-extension@7089
  • @clerk/clerk-js: npm i https://pkg.pr.new/@clerk/clerk-js@7089
  • @clerk/dev-cli: npm i https://pkg.pr.new/@clerk/dev-cli@7089
  • @clerk/elements: npm i https://pkg.pr.new/@clerk/elements@7089
  • @clerk/clerk-expo: npm i https://pkg.pr.new/@clerk/clerk-expo@7089
  • @clerk/expo-passkeys: npm i https://pkg.pr.new/@clerk/expo-passkeys@7089
  • @clerk/express: npm i https://pkg.pr.new/@clerk/express@7089
  • @clerk/fastify: npm i https://pkg.pr.new/@clerk/fastify@7089
  • @clerk/localizations: npm i https://pkg.pr.new/@clerk/localizations@7089
  • @clerk/nextjs: npm i https://pkg.pr.new/@clerk/nextjs@7089
  • @clerk/nuxt: npm i https://pkg.pr.new/@clerk/nuxt@7089
  • @clerk/clerk-react: npm i https://pkg.pr.new/@clerk/clerk-react@7089
  • @clerk/react-router: npm i https://pkg.pr.new/@clerk/react-router@7089
  • @clerk/remix: npm i https://pkg.pr.new/@clerk/remix@7089
  • @clerk/shared: npm i https://pkg.pr.new/@clerk/shared@7089
  • @clerk/tanstack-react-start: npm i https://pkg.pr.new/@clerk/tanstack-react-start@7089
  • @clerk/testing: npm i https://pkg.pr.new/@clerk/testing@7089
  • @clerk/themes: npm i https://pkg.pr.new/@clerk/themes@7089
  • @clerk/types: npm i https://pkg.pr.new/@clerk/types@7089
  • @clerk/upgrade: npm i https://pkg.pr.new/@clerk/upgrade@7089
  • @clerk/vue: npm i https://pkg.pr.new/@clerk/vue@7089

commit: fc7e17c

Playwright fetches executable files over insecure connections during its
installation and opens up developer machines to MITM attacks.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 16a36a0 and fc7e17c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .changeset/easy-papers-drop.md (1 hunks)
  • package.json (1 hunks)
  • packages/testing/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • package.json
  • packages/testing/package.json
🧰 Additional context used
📓 Path-based instructions (1)
.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/easy-papers-drop.md
🪛 LanguageTool
.changeset/easy-papers-drop.md

[grammar] ~1-~1: There could be an error here.
Context: --- ---

(QB_NEW_DE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (nextjs, chrome, 14)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (expo-web, chrome)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (elements, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Publish with pkg-pr-new
  • GitHub Check: Unit Tests (22, **)
  • GitHub Check: Static analysis
  • GitHub Check: Unit Tests (18, --filter=@clerk/astro --filter=@clerk/backend --filter=@clerk/express --filter=@c...
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan

Comment on lines +1 to +2
---
---

⚠️ Potential issue | 🔴 Critical

Empty changeset is incomplete; add package entries and summary.

The changeset file contains only YAML delimiters with no package entries or summary. According to the Changesets convention (as referenced in the coding guidelines), each changeset must document the affected packages, change types, and a summary of the change.

For this PR updating Playwright, add the affected packages and change details. Based on the PR context (updating @playwright/test in both the root and packages/testing), your changeset should resemble:

 ---
+@clerk/testing: patch
+@playwright/test: patch
 ---
+
+Fix CVE-2025-59288 by updating @playwright/test dependency to ^1.56.1. Playwright was fetching executable files over insecure connections during installation, which could expose developer machines to MITM attacks.
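Review bot: the suggested frontmatter cannot be applied as written. `+@playwright/test: patch` names an external devDependency, and Changesets only accepts packages that live in this workspace (the published @clerk/* packages listed by pkg-pr-new above), so the CLI would fail on that entry; the scoped keys also need quoting (`'@clerk/testing': patch`), since a bare `@` cannot start a YAML plain scalar. Given the PR description states the Clerk packages themselves are not affected and the change is dev-only, the empty changeset that was merged is a reasonable choice; if a release note is wanted anyway, keep only the quoted `'@clerk/testing': patch` line together with the CVE summary.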

Adjust the package names and change types (patch/minor/major) as appropriate for your repository's structure.

🧰 Tools
🪛 LanguageTool

[grammar] ~1-~1: There could be an error here.
Context: --- ---

(QB_NEW_DE)

🤖 Prompt for AI Agents
In .changeset/easy-papers-drop.md around lines 1 to 2, the changeset is empty
(only YAML delimiters); add entries for the affected packages and a brief
summary. Update the file to list the packages changed (e.g., "@" or the specific
root package and "packages/testing") with their change types (patch/minor/major
as appropriate for the Playwright upgrade) and a one- or two-sentence summary
like "Update @playwright/test to X.Y.Z in root and packages/testing to bump
Playwright version"; adjust package names and chosen change types to match your
repo conventions.

@dominic-clerk dominic-clerk merged commit dbc973f into main Oct 29, 2025
43 checks passed
@dominic-clerk dominic-clerk deleted the dc-playwright-CVE-2025-59288 branch October 29, 2025 15:18