Skip to content

[MCP]: Exact alpha playwright pin in @playwright/mcp breaks lockfile-based supply-chain pinning in mixed codebases #41546

Description

@dbartholomae

(This is a packaging/dependency-resolution issue, not specific to any MCP client — it occurs at npm/pnpm install time, before the server is ever invoked.)

This is a follow-up to microsoft/playwright-mcp#917, which was closed with:

We don't yet have a story for interoperable Playwright and Playwright MCP… it'll always be the latest version. That makes your scenario of the exact match niche until we hear more requests of such integration.

Here's one more request, with a motivation that's distinct from the type-incompatibility angle in #917 / microsoft/playwright-mcp#1113 and the browser-build mismatch in microsoft/playwright-mcp#1091: supply-chain integrity.

Why "latest, always" conflicts with a security-pinned codebase

We pin every dependency — including MCP packages — through the lockfile and review version bumps, specifically to reduce supply-chain attack surface. We can't run MCP tools off a floating "latest"; the resolved versions have to be committed and audited. That's fundamentally at odds with @playwright/mcp requiring whatever alpha is newest.

The pin doesn't stay contained to the MCP

@playwright/mcp doesn't just depend on an alpha playwright/playwright-core — it pins an exact alpha (e.g. playwright@1.61.0-alpha-1781023400000), and that pin leaks into unrelated parts of the dependency tree via peer resolution:

  • @vitest/browser-playwright declares playwright: "*" as a (non-optional) peer.
  • pnpm satisfies that peer with the only standalone playwright in the tree — the exact alpha dragged in by @playwright/mcp.
  • That alpha pins Chromium build 1226, while the rest of our repo runs stable @playwright/test@1.60.0 (Chromium build 1223), which is what playwright install provisions.
  • Result: in a fresh CI environment our Storybook (vitest browser-mode) tests can't launch a browser, because the build the alpha wants was never installed.

So the alpha pin isn't limited to the agentic-loop/IDE use case it was justified by in #917 — through transitive peer resolution it forces an alpha Chromium onto a stable Playwright test suite living in the same lockfile.

What would help (any of)

  1. A @playwright/mcp release line that depends on a stable playwright/playwright-core (even if it lags the bleeding edge), so security-pinned consumers have a non-alpha option; or
  2. Widening the dependency to a range that lets a pnpm/npm overrides align playwright with the stable version already in the consumer's lockfile, without breaking the MCP; or
  3. A documented, supported override recipe for keeping a single, stable, lockfile-pinned playwright/playwright-core across @playwright/mcp + @playwright/test + @vitest/browser-playwright.

We currently work around it with pnpm.overrides forcing playwright/playwright-core to stable 1.60.0, but per #917 that's a fragile workaround rather than a supported path — and it's exactly the kind of unreviewed version-coercion our supply-chain policy is trying to avoid.

Version

@playwright/mcp 0.0.76 (pins playwright 1.61.0-alpha-1781023400000); repo otherwise on @playwright/test 1.60.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions