chore(deps-dev): bump the npm-minor-patch group across 1 directory with 4 updates

[dependabot]

Bumps the npm-minor-patch group with 3 updates in the / directory: @playwright/test, sharp and vite.

Updates @playwright/test from 1.60.0 to 1.61.1

Release notes

Sourced from @​playwright/test's releases.

v1.61.1

Bug Fixes

• #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
• #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
• #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
• #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
• #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

... (truncated)

Commits

• 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
• 4328122 chore: mark v1.61.1 (#41404)
• 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
• 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
• 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
• b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
• b5a3175 cherry-pick(#41319): fix(loader): support other node versions
• d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
• 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
• a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
• Additional commits viewable in compare view

Updates playwright from 1.60.0 to 1.61.1

Release notes

Sourced from playwright's releases.

v1.61.1

Bug Fixes

• #41365 [Bug]: Expect.Extend matcher with same name as default matcher in same expect instance overrides default matchers implementation to custom matcher
• #41351 [Bug]: Playwright UI mode: apiRequestContext._wrapApiCall reports unexpected number of bytes (same test passes in headed mode)
• #41360 [Bug]: Trace viewer: message times in websockets are downscaled by 1000
• #41311 [Bug]: [Regression]: Sync loader throws "context.conditions?.includes is not a function" on Node 22.15
• #41371 [Regression]: Sync ESM loader (registerHooks) fails to resolve extensionless .ts subpath imports across pnpm workspace symlinks

v1.61.0

🔑 WebAuthn passkeys

New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:

const context = await browser.newContext();
// Seed a passkey your backend provisioned for a test user.
await context.credentials.create('example.com', {
id: credentialId,
userHandle,
privateKey,
publicKey,
});
await context.credentials.install();
const page = await context.newPage();
await page.goto('https://example.com/login');
// The page's navigator.credentials.get() is answered with the seeded passkey.

You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.

🗃️ Web Storage

New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:

await page.localStorage.setItem('token', 'abc');
const token = await page.localStorage.getItem('token');
const items = await page.sessionStorage.items();

New APIs

Network

• apiResponse.securityDetails() and apiResponse.serverAddr() mirror the browser-side response.securityDetails() and response.serverAddr().

Browser and Screencast

... (truncated)

Commits

• 39e3553 cherry-pick(#41399): fix(test): load require-reached files as commonjs in syn...
• 4328122 chore: mark v1.61.1 (#41404)
• 2c29a94 fix(tracing): stop recording websocket frames outside of chunks (#41398)
• 4324b19 cherry-pick(#41367): fix(test): keep builtin expect matchers on base extend
• 041e7e3 cherry-pick(#41364): fix(har): WebSocket message timestamps should be in mi...
• b8a0fc3 cherry-pick(#41309, #43149): Revert "fix(firefox): treat `navigationCommitted...
• b5a3175 cherry-pick(#41319): fix(loader): support other node versions
• d4724a9 cherry-pick(#41290): feat(docker): add Ubuntu 26.04 (Resolute Raccoon) image
• 1cc5a90 cherry-pick(#41295): chore: PLAYWRIGHT_TRACING_NO_WEBSOCKET_FRAMES and PLAYWR...
• a6772bd cherry-pick(#41280): Revert "fix(trace-viewer): add keyboard navigation to `N...
• Additional commits viewable in compare view

Updates sharp from 0.35.1 to 0.35.2

Release notes

Sourced from sharp's releases.

v0.35.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

• Bound dilate and erode width to avoid mask-size overflow. #4548 @​metsw24-max

• Verify convolve kernel values are numbers. #4549 @​metsw24-max

v0.35.2-rc.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

... (truncated)

Commits

• c9622a3 Release v0.35.2
• cd4568f Upgrade to sharp-libvips v1.3.1
• 78390cf Tests: Add font file to prevent font discovery flakiness (#4550)
• 61210b4 Verify convolve kernel values are numbers (#4549)
• 1cb27dc Prerelease v0.35.2-rc.2
• c7606c3 Upgrade to sharp-libvips v1.3.1-rc.0
• 29d1e9e Prerelease v0.35.2-rc.1
• bbba0a1 Improve code bundler support with stub binaries
• ab52866 Bound dilate and erode width to avoid mask-size overflow (#4548)
• 0f594dd Prerelease v0.35.2-rc.0
• Additional commits viewable in compare view

Updates vite from 8.0.16 to 8.1.0

Release notes

Sourced from vite's releases.

create-vite@8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0

Please refer to CHANGELOG.md for details.

v8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.1.0-beta.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.1.0 (2026-06-23)

Features

• extend server.fs.deny list with common files (#22707) (61ba8fd)
• update rolldown to 1.1.2 (#22695) (4f008a6)
• use ~ for Rolldown (#22693) (9928722)

Bug Fixes

• bundled-dev: errors should be kept when incremental build fails (#22617) (9a0dd48)
• cache falsy values in perEnvironmentState (#22715) (0e91e79)
• glob: respect caseSensitive option in hmr matcher (#22711) (65f525e)
• html: omit nonce on import map when cspNonce is unset (#22713) (8340bb5)
• optimizer: skip null-valued exports in expandGlobIds glob resolution (#22611) (8b9f5cd)
• resolved build options should be kept as a getter (#22691) (3527191)
• server: handle malformed URI in memory files middleware (#22714) (df9e0a5)
• use literal envPrefix queries for Vite Task (#22706) (da72733)
• warn on deprecated envFile (#22555) (ed7b283)

Code Refactoring

• client: inline dev-id value in CSS selector (#22736) (57f59bc)
• remove unused removeRawQuery util (#22724) (403cc60)
• use rolldownOptions property for chunkImportMap (#22692) (8e8816c)

8.1.0-beta.0 (2026-06-15)

Features

• import.meta.glob support caseSensitive option (#21707) (2ad6737)
• add warning to discourage Vite with yarn pnp (#21906) (3fbb55a)
• build: chunk importmap (#21580) (e180312)
• css: support lightningcss plugin dependency (#21748) (0b7aaed)
• deps: bump @​vitejs/devtools peer dependency version (#22542) (d2c2bc0)
• html: add html.additionalAssetSources option (#21412) (a41404b)
• integrate with Vite Task for zero-config build caching (#22453) (f8d75f7)
• rename server.hmr options to server.ws options (#21357) (9ce3036)
• server: support multiple hosts in __VITE_ADDITIONAL_SERVER_ALLOWED_HOSTS (#21501) (735f9a1)
• track dependencies when loading config with native (#22602) (a7e2da8)
• types: add more precise typing for known query types to match known as types (#21863) (cc39e55)
• update rolldown to 1.1.1 (#22593) (8a13d63)
• wasm: direct .wasm imports (WASM ESM Integration) (#21779) (c23d85b)

Bug Fixes

• apply correct fs restrictions for pnpm gvs (#22415) (092320b)
• css: support external CSS with lightningcss (#18389) (d64a1a5)
• deps: update all non-major dependencies (#22637) (44bb9d9)
• deps: update all non-major dependencies (#22681) (f4f0633)
• html: insert import map before modulepreload that is not self-close tag (#21409) (e399c89)
• optimizer: preserve sourcemaps for transformed optimized deps with follow-up transforms (#22428) (1298951)

... (truncated)

Commits

• 5909efd fix: allow multiple bindCLIShortcuts calls with shortcut merging (#21103)
• 39a0a15 chore(deps): update rolldown-related dependencies (#21095)
• 6a34ac3 fix(deps): update all non-major dependencies (#21096)
• 02ceaec chore(deps): update dependency @​rollup/plugin-commonjs to v29 (#21099)
• 572aaca release: v7.2.2
• 728c8ee fix: revert "refactor: use fs.cpSync (#21019)" (#21081)
• a532e68 release: v7.2.1
• 82d2d6c fix(worker): some worker asset was missing (#21074)
• f83264f refactor(build): rename indexOfMatchInSlice to findPreloadMarker (#21054)
• 8293de0 release: v7.2.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

✅ Playwright report published: https://fuermenschen.github.io/hfm/pr-158/
This link updates on each run for this PR. Older PRs/branches remain available under their own subfolder.