[ca] Update agentic CLIs: Claude Code 2.1.140, Copilot 1.0.46, Codex 0.130.0, GitHub MCP 1.0.4, Playwright 1.60.0

[github-actions]

Summary

Five agentic CLI/MCP components have updates available. Versions have been bumped in pkg/constants/version_constants.go and make recompile has been run successfully against all 223 workflows.

Component	Previous	New	Status
Claude Code	2.1.133	2.1.140	Updated
Copilot CLI	1.0.43	1.0.46	Updated
Codex	0.129.0	0.130.0	Updated
GitHub MCP Server	v1.0.3	v1.0.4	Updated
Playwright Browser	v1.59.1	v1.60.0	Updated
MCP Gateway	v0.3.6	v0.3.6	No change
Playwright MCP	0.0.75	0.0.75	No change
Playwright CLI	0.1.13	0.1.13	No change

Critical Notes

• Playwright 1.60.0 ships breaking changes: long-deprecated APIs removed (Locator.ariaRef(), handle option on exposeBinding, logger on connect/connectOverCDP, videosPath/videoSize context options). Browser engines bumped to Chromium 148, Firefox 150, WebKit 26.4. Risk: Medium if any gh-aw workflows or fixtures rely on the removed APIs; no known usages in this repo.
• Copilot 1.0.46 auto-approves read-only gh CLI commands (list, view, status, diff). Reduces friction but slightly widens the autonomous action surface — verify expected behavior in any workflow that pins Copilot.
• All other changes are additive features and bug fixes — Risk: Low for the remaining four.

Update Claude Code

• Previous: 2.1.133 → New: 2.1.140 (7 patch versions)

Key Features (2.1.139)

• New unified agent view across all Claude Code sessions
• /goal command for cross-turn completion conditions
• /scroll-speed command for mouse wheel tuning
• claude plugin details subcommand showing component inventory and costs
• Hook args field supports direct command execution without shell wrapper
• MCP stdio servers now receive CLAUDE_PROJECT_DIR env var

Notable Fixes (2.1.140 and earlier)

• Agent subagent_type matching tolerates case and separator variations
• /goal command no longer hangs silently when hooks are disabled
• Settings hot-reload works correctly with symlinked configs
• Read tool validation handles offset parameters with whitespace padding
• MCP servers no longer disappear after /clear in IDE extensions (2.1.136)
• OAuth token overwrite race condition fixed (2.1.136)

View Full Changelog

2.1.140

• Improved Agent tool subagent_type matching to handle case and separator variations
• Updated agent color palette
• Fixed /goal command hanging silently when certain hooks are disabled
• Resolved settings hot-reload issues with symlinked configuration files
• Fixed background service connection failures in enterprise security environments
• Addressed remote managed settings retry logic for expired tokens
• Fixed /loop scheduling redundant wakeups for background task polling
• Resolved Windows event-loop stalling from synchronous executable checks
• Fixed Read tool validation when offset parameters use whitespace padding
• Terminal cursor behavior improved when focus is lost
• Plugin warnings now display when default component folders are silently ignored

2.1.139

• Introduced agent view feature showing all Claude Code sessions in a unified list
• Added /goal command for setting completion conditions across multiple turns
• Introduced /scroll-speed command
• Added claude plugin details subcommand displaying component inventory and costs
• Enhanced transcript navigation with keyboard shortcuts and prompt jumping
• Hook args field now supports direct command execution
• PostToolUse hooks gained continueOnBlock option
• MCP stdio servers now receive CLAUDE_PROJECT_DIR environment variable
• Compaction prompt improved to preserve sensitive user instructions
• /mcp Reconnect picks up configuration edits without restart

2.1.138 — Internal fixes only

2.1.137 — Fixed extension activation failure on Windows

2.1.136

• Added env var to re-enable session quality surveys via OpenTelemetry
• Introduced settings.autoMode.hard_deny for unconditional auto mode blocking
• Fixed MCP servers disappearing after /clear in IDE extensions
• Resolved OAuth token overwrite race condition
• Fixed MCP OAuth refresh token loss during concurrent server operations
• Addressed API error when extended thinking produced redacted blocks
• Fixed --resume session discovery with underscores in project paths
• Improved image handling with downscaling and oversized cleanup
• Enhanced permission prompts and dialog consistency

Impact Assessment

• Risk: Low
• No breaking changes detected
• All changes additive or bug fixes

Package Links

• NPM Package: https://www.npmjs.com/package/`@anthropic-ai/claude-code`
• Changelog: https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md

---

Update Copilot CLI

• Previous: 1.0.43 → New: 1.0.46 (3 versions)
• Timeline: 2026-05-08 through 2026-05-12

Key Features

• /autopilot slash command to toggle interactive/autopilot modes (1.0.45)
• /fork command to fork current session into independent session (1.0.45)
• Mid-input slash commands and multi-skill invocation in single messages (1.0.44)
• userPromptSubmitted hooks can bypass LLM and respond directly (1.0.44)
• Optional prerelease argument to copilot update and /update (1.0.44)
• Read-only gh CLI commands (list, view, status, diff) auto-approved without confirmation (1.0.46)

Notable Fixes

• Deprecation warnings now displayed when CLI version may lose premium model access (1.0.46)
• HTTP/2 session crash (ERR_HTTP2_INVALID_SESSION) mid-turn resolved (1.0.46)
• PowerShell 7+ falls back gracefully to Windows PowerShell when unavailable (1.0.45)
• OpenTelemetry output aligns with GenAI semantic conventions (1.0.45)
• Startup up to ~1.5s faster on terminals with limited OSC color support (1.0.45)
• agentStop hook fires correctly when agent stops via task_complete (1.0.45)
• Long lines in diff view wrap at terminal width instead of truncating (1.0.46)

View Full Changelog

1.0.46 (2026-05-12)

• Display warning when CLI version is deprecated and premium model access may be lost
• PowerShell starts correctly when pwsh installed as .NET global tool shim
• Long lines in diff view wrap at terminal width instead of being truncated
• Read-only gh CLI commands (list, view, status, diff, etc.) auto-approved without prompting
• Sessions no longer crash mid-turn with ERR_HTTP2_INVALID_SESSION errors

1.0.45 (2026-05-11)

• Add /autopilot slash command to toggle interactive/autopilot modes
• Fall back to Windows PowerShell when PowerShell 7+ (pwsh) not available
• OpenTelemetry output aligns with GenAI semantic conventions
• Sessions with extension permission prompts can be resumed without corruption error
• agentStop hook fires correctly when agent stops via task_complete
• CLI starts faster on terminals with limited OSC color query support
• Add /fork command

1.0.44 (2026-05-08)

• Path completion in /add-dir no longer flickers
• Slash commands can appear mid-input, multiple skills per message
• userPromptSubmitted hooks can bypass LLM
• Faster /user list and /user switch
• Optional prerelease argument to copilot update
• Shell aliases and rc file settings work in ! commands
• Quota display correct for Free users
• Permissions granted in autopilot preserved after /clear
• Effort level applies correctly when switching models
• Ctrl+C while permission prompt pending no longer hangs
• Invalid URL entries in settings.json skipped with warning instead of crash

Impact Assessment

• Risk: Low–Medium
• Behavior change: read-only gh commands auto-approved in 1.0.46 (slightly broader autonomy)
• No breaking flag changes detected
• Verify in next workflow run: MCP tool loading and /models with PAT auth (per version_constants.go pinning note)

Package Links

• NPM Package: https://www.npmjs.com/package/`@github/copilot`
• Repository: https://github.com/github/copilot-cli
• Release Notes: https://github.com/github/copilot-cli/releases
• 1.0.46: https://github.com/github/copilot-cli/releases/tag/v1.0.46
• 1.0.45: https://github.com/github/copilot-cli/releases/tag/v1.0.45
• 1.0.44: https://github.com/github/copilot-cli/releases/tag/v1.0.44

---

Update Codex

• Previous: 0.129.0 → New: 0.130.0
• Released: 2026-05-08

Key Features

• codex remote-control — new top-level command, simpler entrypoint for starting a headless, remotely controllable app-server (add top-level remote-control command openai/codex#21424)
• App-server clients can page large threads with unloaded/summary/full turn item views (feat(app-server, threadstore): Thread pagination APIs and ThreadStore contract openai/codex#21566)
• Bedrock auth can use AWS console-login credentials from aws login profiles (feat: enable AWS login credentials for Bedrock auth openai/codex#21623)
• Plugin details show bundled hooks, plus link metadata and discoverability controls (Show plugin hooks in plugin details openai/codex#21447, feat: Expose plugin share metadata in shareContext openai/codex#21495, feat: Update plugin share settings with discoverability openai/codex#21637)
• view_image resolves files through selected environment for multi-environment sessions (Route view_image through selected environments openai/codex#21143)

Notable Fixes

• Live app-server threads pick up config changes without restart (app-server: refresh live threads from latest config snapshot openai/codex#21187)
• Turn diffs stay accurate across apply-patch operations including partial failures (Make turn diff tracking operation backed openai/codex#21180, fix: preserve exact turn diffs after partial apply_patch failures openai/codex#21518)
• Thread summaries, renames, resume, and fork paths work through ThreadStore (Move thread name edits to ThreadStore openai/codex#21264, Route ThreadManager rollout path reads through thread store openai/codex#21265, [codex] Fix pathless thread summaries openai/codex#21266)
• Remote compaction emits response.processed for v2 streams, avoids service_tier on API-key compact requests (Send response.processed after remote compaction v2 openai/codex#21642, Omit service_tier from remote /responses/compact requests under API auth openai/codex#21676)
• Windows sandbox setup grants sandbox users access to desktop runtime binary cache (Grant sandbox users access to desktop runtime bin openai/codex#21564)
• Removed stale "research preview" wording from codex exec startup banner (Remove exec research preview banner wording openai/codex#21683)

View Full Changelog

Chores

• Added a faster Cargo profiling build profile and disabled empty doctest targets (Add a Cargo build profile for benchmarking openai/codex#21574, Disable empty Cargo test targets openai/codex#21584)
• Hardened dependency and CI hygiene with fully qualified GitHub Action pins, Dependabot cooldown, cargo-shear upgrade ([codex] Fully qualify hash-pins in GitHub Actions openai/codex#21436, Upgrade cargo-shear to 1.11.2 openai/codex#21547, [codex] Apply a Dependabot cooldown of 7 days openai/codex#21599)
• Simplified internal surfaces: removed unused device-key APIs, extra skills roots, remote thread-store implementation, string-keyed MCP tool maps (device-key: clean up unused crate openai/codex#21487, Remove skills list extra roots openai/codex#21485, [codex] Remove remote thread store implementation openai/codex#21596, [codex] Remove string-keyed MCP tool maps openai/codex#21454)
• Configurable OpenTelemetry trace metadata and richer review/feedback analytics (codex-otel: add configurable trace metadata openai/codex#21556, [codex-analytics] add tool review event schema openai/codex#18747, [codex-analytics] plumb protocol-native review timing openai/codex#21434, [codex] add account id to feedback uploads openai/codex#21498)

Documentation

• Fixed issue templates so CLI reports keep intended guidance, labels apply correctly, feature requests link to right contributing docs (Fix duplicate CLI issue template description openai/codex#21685, Fix issue template labels openai/codex#21686, Fix feature request Contributing link openai/codex#21688)
• Updated install and tooling docs to use cargo install --locked (Ensure all mentions of cargo-install are --locked openai/codex#21592)

Impact Assessment

• Risk: Low
• No breaking changes; new remote-control command is additive
• Internal refactors (ThreadStore, MCP tool maps) should be transparent

Package Links

• NPM Package: https://www.npmjs.com/package/`@openai/codex`
• Repository: https://github.com/openai/codex
• Release Notes: https://github.com/openai/codex/releases/tag/rust-v0.130.0
• Compare: openai/codex@rust-v0.129.0...rust-v0.130.0

---

Update GitHub MCP Server

• Previous: v1.0.3 → New: v1.0.4
• Released: 2026-05-11

Key Changes

• Add Xcode installation guide for Codex and Claude Agent (Add Xcode installation guide for Codex and Claude Agent github-mcp-server#2431)
• Improve dependabot error message (Improve dependabot error message github-mcp-server#2375)
• defer _meta.ui strip to per-request RegisterTools — mcp-apps fix (fix(mcp-apps): defer _meta.ui strip to per-request RegisterTools github-mcp-server#2446)
• Add ifc label for get_me tool (Add ifc label for get_me tool github-mcp-server#2432)
• Prevent inputs param from being stripped from actions_run_trigger tool schema (Prevent inputs param from being stripped from actions_run_trigger tool schema github-mcp-server#2417)
• Handle lightweight tags in get_tag (Handle lightweight tags in get_tag github-mcp-server#2400)

Impact Assessment

• Risk: Low
• All changes are bug fixes or additive enhancements
• actions_run_trigger schema fix improves correctness — workflows using this tool should benefit
• get_tag now handles lightweight tags correctly

Package Links

• Repository: https://github.com/github/github-mcp-server
• Release Notes: https://github.com/github/github-mcp-server/releases/tag/v1.0.4
• Full Changelog: github/github-mcp-server@v1.0.3...v1.0.4

---

Update Playwright Browser

• Previous: v1.59.1 → New: v1.60.0
• Released: 2026-05-11

Breaking Changes

• Locator.ariaRef() removed — use standard locator.ariaSnapshot() pipeline instead
• handle option on BrowserContext.exposeBinding and Page.exposeBinding removed
• logger option on BrowserType.connect and BrowserType.connectOverCDP removed — use tracing instead
• Context options videosPath / videoSize removed — use recordVideo instead

Key Features

• HAR recording on Tracing: tracing.startHar() / tracing.stopHar() as first-class API
• Drop API: new locator.drop() simulates external drag-and-drop of files or clipboard-like data
• Aria snapshots: expect(page).toMatchAriaSnapshot() now works on Page; new boxes option appends bounding boxes for AI consumption
• test.abort(): new method to abort the currently running test from a fixture, hook, or route handler
• New browser.on('context') event
• BrowserContext now mirrors lifecycle events from pages (download, frameattached, framedetached, framenavigated, pageclose, pageload)
• New description option in getByRole() for matching accessible description
• New pseudo option in expect(locator).toHaveCSS() reads computed styles from ::before / ::after
• New webSocketRoute.protocols() returns WebSocket subprotocols
• New noDefaults option in connectOverCDP() disables Playwright's default overrides
• New webError.location() mirrors consoleMessage.location()
• HTML reporter accepts .zip files directly via npx playwright show-report
• Trace Viewer adds pretty-print toggle for JSON / form request and response bodies

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

Impact Assessment

• Risk: Medium
• Breaking changes affect only deprecated APIs that have been deprecated for some time
• Browser version bumps may surface site/test regressions in dependent workflows
• Affects: Playwright-based workflows in gh-aw that use the browser Docker image (mcr.microsoft.com/playwright:v1.60.0)
• Migration: search workflow definitions and templates for ariaRef, exposeBinding ... handle, connectOverCDP ... logger, videosPath, videoSize

Package Links

• Repository: https://github.com/microsoft/playwright
• Release Notes: https://github.com/microsoft/playwright/releases/tag/v1.60.0
• Docker Image: mcr.microsoft.com/playwright:v1.60.0

---

Recommendations

• Priority: Merge after running smoke tests for Claude, Copilot, and Codex engines
• Testing strategy:
  • Run smoke-claude.lock.yml, smoke-copilot.lock.yml, smoke-codex.lock.yml to validate the new CLI versions
  • For Playwright, run any browser-automation workflows against the new image
  • Confirm Copilot MCP tools.mcp loading still works and /models does not silently fail on PATs (per pinning note in version_constants.go)
• Rollout: Single PR bundling all five updates is appropriate — they are independent components and risk is bounded to their respective engines

Files Changed

• pkg/constants/version_constants.go — 5 version constants updated
• 223 *.lock.yml files regenerated via make recompile

References

• §25782546471

Generated by CLI Version Checker · ● 8.5M · ◷

• expires on May 15, 2026, 6:37 AM UTC