playwright-firefox
A high-level API to automate Firefox
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Microsoft migrated Playwright publishing to GitHub Actions CI/CD; SLSA attestation confirms legitimate automated release pipeline. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): SLSA provenance + Microsoft authorship + strong publisher track record make account takeover implausible. | ai | |
| install-scripts | install-script:install | AI (install-scripts): playwright-firefox's install script downloads the Firefox browser binary — this is the documented, expected behavior for all Playwright browser packages published by Microsoft. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Sparse README and no keywords are cosmetic issues typical of browser-driver sub-packages; not a security concern for this well-established Microsoft package. | ai |
Versions (showing 13 of 13)
| Version | Deps | Published |
|---|---|---|
| 1.60.0 | 1 / 0 | |
| 1.59.1 | 1 / 0 | |
| 1.59.0 | 1 / 0 | |
| 1.58.2 | 1 / 0 | |
| 1.58.1 | 1 / 0 | |
| 1.58.0 | 1 / 0 | |
| 1.57.0 | 1 / 0 | |
| 1.56.1 | 1 / 0 | |
| 1.56.0 | 1 / 0 | |
| 1.54.1 | 1 / 0 | |
| 1.53.2 | 1 / 0 | |
| 1.53.1 | 1 / 0 | |
| 1.53.0 | 1 / 0 |
v1.60.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.1
2 findingsScript: node install.js
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.56.1
2 findingsThis version was published by a different npm account than previous versions on 2025-10-17. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.56.0
2 findingsThis version was published by a different npm account than previous versions on 2025-10-06. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.54.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.53.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.53.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.53.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.