(This is a packaging/dependency-resolution issue, not specific to any MCP client — it occurs at npm/pnpm install time, before the server is ever invoked.)
This is a follow-up to microsoft/playwright-mcp#917, which was closed with:
We don't yet have a story for interoperable Playwright and Playwright MCP… it'll always be the latest version. That makes your scenario of the exact match niche until we hear more requests of such integration.
Here's one more request, with a motivation that's distinct from the type-incompatibility angle in #917 / microsoft/playwright-mcp#1113 and the browser-build mismatch in microsoft/playwright-mcp#1091: supply-chain integrity.
Why "latest, always" conflicts with a security-pinned codebase
We pin every dependency — including MCP packages — through the lockfile and review version bumps, specifically to reduce supply-chain attack surface. We can't run MCP tools off a floating "latest"; the resolved versions have to be committed and audited. That's fundamentally at odds with @playwright/mcp requiring whatever alpha is newest.
The pin doesn't stay contained to the MCP
@playwright/mcp doesn't just depend on an alpha playwright/playwright-core — it pins an exact alpha (e.g. playwright@1.61.0-alpha-1781023400000), and that pin leaks into unrelated parts of the dependency tree via peer resolution:
@vitest/browser-playwright declares playwright: "*" as a (non-optional) peer.
- pnpm satisfies that peer with the only standalone
playwright in the tree — the exact alpha dragged in by @playwright/mcp.
- That alpha pins Chromium build 1226, while the rest of our repo runs stable
@playwright/test@1.60.0 (Chromium build 1223), which is what playwright install provisions.
- Result: in a fresh CI environment our Storybook (vitest browser-mode) tests can't launch a browser, because the build the alpha wants was never installed.
So the alpha pin isn't limited to the agentic-loop/IDE use case it was justified by in #917 — through transitive peer resolution it forces an alpha Chromium onto a stable Playwright test suite living in the same lockfile.
What would help (any of)
- A
@playwright/mcp release line that depends on a stable playwright/playwright-core (even if it lags the bleeding edge), so security-pinned consumers have a non-alpha option; or
- Widening the dependency to a range that lets a
pnpm/npm overrides align playwright with the stable version already in the consumer's lockfile, without breaking the MCP; or
- A documented, supported override recipe for keeping a single, stable, lockfile-pinned
playwright/playwright-core across @playwright/mcp + @playwright/test + @vitest/browser-playwright.
We currently work around it with pnpm.overrides forcing playwright/playwright-core to stable 1.60.0, but per #917 that's a fragile workaround rather than a supported path — and it's exactly the kind of unreviewed version-coercion our supply-chain policy is trying to avoid.
Version
@playwright/mcp 0.0.76 (pins playwright 1.61.0-alpha-1781023400000); repo otherwise on @playwright/test 1.60.0
(This is a packaging/dependency-resolution issue, not specific to any MCP client — it occurs at
npm/pnpm installtime, before the server is ever invoked.)This is a follow-up to microsoft/playwright-mcp#917, which was closed with:
Here's one more request, with a motivation that's distinct from the type-incompatibility angle in #917 / microsoft/playwright-mcp#1113 and the browser-build mismatch in microsoft/playwright-mcp#1091: supply-chain integrity.
Why "latest, always" conflicts with a security-pinned codebase
We pin every dependency — including MCP packages — through the lockfile and review version bumps, specifically to reduce supply-chain attack surface. We can't run MCP tools off a floating "latest"; the resolved versions have to be committed and audited. That's fundamentally at odds with
@playwright/mcprequiring whatever alpha is newest.The pin doesn't stay contained to the MCP
@playwright/mcpdoesn't just depend on an alphaplaywright/playwright-core— it pins an exact alpha (e.g.playwright@1.61.0-alpha-1781023400000), and that pin leaks into unrelated parts of the dependency tree via peer resolution:@vitest/browser-playwrightdeclaresplaywright: "*"as a (non-optional) peer.playwrightin the tree — the exact alpha dragged in by@playwright/mcp.@playwright/test@1.60.0(Chromium build 1223), which is whatplaywright installprovisions.So the alpha pin isn't limited to the agentic-loop/IDE use case it was justified by in #917 — through transitive peer resolution it forces an alpha Chromium onto a stable Playwright test suite living in the same lockfile.
What would help (any of)
@playwright/mcprelease line that depends on a stableplaywright/playwright-core(even if it lags the bleeding edge), so security-pinned consumers have a non-alpha option; orpnpm/npmoverridesalignplaywrightwith the stable version already in the consumer's lockfile, without breaking the MCP; orplaywright/playwright-coreacross@playwright/mcp+@playwright/test+@vitest/browser-playwright.We currently work around it with
pnpm.overridesforcingplaywright/playwright-coreto stable1.60.0, but per #917 that's a fragile workaround rather than a supported path — and it's exactly the kind of unreviewed version-coercion our supply-chain policy is trying to avoid.Version
@playwright/mcp0.0.76 (pinsplaywright1.61.0-alpha-1781023400000); repo otherwise on@playwright/test1.60.0