Praman 1.3.4: Playwright 1.61, Web Storage Fixture, Native Timestamps, and Security Hardening
Praman 1.3.4 is now available on npm. This release brings Playwright 1.61 support with 5 new feature flags, a typed Web Storage fixture for localStorage/sessionStorage operations, native screencast frame timestamps, security fixes resolving 5 vulnerabilities, and CI hardening with floor+ceiling Playwright validation.
What changed since v1.3.3
Ten commits landed between v1.3.3 and v1.3.4, covering Playwright 1.61 compatibility, a new Web Storage fixture, screencast precision improvements, security vulnerability resolution, and CI pipeline enhancements.
Playwright 1.61 — 5 New Feature Flags
Praman now detects and gates Playwright 1.61 APIs via 5 new feature flags in the internal PlaywrightFeatures interface:
| Feature flag | API gated | What it enables |
|---|---|---|
hasWebAuthnCredentials | browserContext.credentials | WebAuthn credential management for passkey testing |
hasWebStorageAPI | page.localStorage / sessionStorage | Typed access to browser storage without evaluate() |
hasSoftPoll | expect.soft.poll() | Soft assertion polling for non-blocking checks |
hasScreencastTimestamp | Native onFrame timestamps | Microsecond-precise frame timing from the browser |
hasVideoRetainModes | on-all-retries, retain-on-* | Granular video recording retention strategies |
All flags are auto-detected at runtime. On Playwright < 1.61, all return false with zero behavior change. The peer dependency range remains ">=1.57.0 <2.0.0" — Playwright 1.61 already falls within range, so no package.json changes are needed.
Web Storage Fixture
The headline feature of this release: a typed fixture for seeding and inspecting browser storage without page.evaluate():
import { test } from 'playwright-praman';
test('configure app via localStorage', async ({ webStorage }) => {
// Bulk seed before navigation
await webStorage.localStorage.seed({
theme: 'dark',
language: 'en',
featureFlags: JSON.stringify({ newUI: true }),
});
// Individual operations
await webStorage.sessionStorage.setItem('sessionToken', 'abc123');
const token = await webStorage.sessionStorage.getItem('sessionToken');
// Inspection
const allLocal = await webStorage.localStorage.items(); // Record<string, string>
const count = await webStorage.localStorage.size(); // number
// Cleanup
await webStorage.localStorage.clear();
});
API Surface
Both webStorage.localStorage and webStorage.sessionStorage expose the same WebStorageHelper interface:
| Method | Signature | Description |
|---|---|---|
setItem | (key: string, value: string) => Promise<void> | Set a single key-value pair |
getItem | (key: string) => Promise<string | null> | Get value by key |
removeItem | (key: string) => Promise<void> | Remove a single key |
items | () => Promise<Record<string, string>> | Get all entries as a record |
seed | (entries: Record<string, string>) => Promise<void> | Bulk-set multiple pairs |
clear | () => Promise<void> | Clear all entries |
size | () => Promise<number> | Count of stored entries |
Feature Gate
The fixture is gated behind hasWebStorageAPI. On Playwright < 1.61, it throws a PramanError with code ERR_COMPAT_FEATURE_UNAVAILABLE and actionable suggestions:
PramanError: Web Storage fixture requires Playwright 1.61+
Suggestions:
- Upgrade Playwright: npm install @playwright/test@latest
- Use page.evaluate() as a fallback for older versions
When to Use
Use the Web Storage fixture instead of page.evaluate() when you need to:
- Seed configuration before navigating to an SAP Fiori app (theme, language, feature flags)
- Inject tokens for apps that read auth state from localStorage
- Verify storage side effects after user interactions (form drafts, preferences)
- Clear storage between test steps for isolation
The typed API catches key/value type errors at compile time and the fixture integrates with Praman's test lifecycle (placed after auth, before navigation in the fixture chain).
Native Screencast Frame Timestamps
The screencast fixture now uses native browser-provided frame timestamps on Playwright 1.61+. Previously, all frame timestamps were synthetic (Date.now() - startTime). The native timestamps come directly from the browser's rendering pipeline with microsecond alignment.
Impact: More precise timing for frame-level analysis, video synchronization, and performance measurement. The ScreencastFrame.timestamp type and semantics are unchanged (milliseconds since recording start) — this is a transparent precision improvement.
Backward compatible: Falls back to synthetic timestamps on Playwright < 1.61.
Security Hardening
This release resolves 5 security vulnerabilities:
| Package | Severity | Issue | Fix |
|---|---|---|---|
vite | High | Windows server.fs.deny bypass | Upgraded 8.0.6 → 8.1.3 |
esbuild | High | Arbitrary file read on Windows | npm override → 0.28.1 |
undici | High | 7 advisories (TLS, WebSocket, SOCKS) | Upgraded 7.24.7 → 7.28.0 |
linkify-it | High | Quadratic complexity DoS | Upgraded 5.0.0 → 5.0.2 |
tar | Moderate | File smuggling via PAX headers | Upgraded 7.5.15 → 7.5.16 |
The remaining 8 alerts are all in @ui5/mcp-server's transitive @sigstore/core dependency chain — no fix is available until SAP publishes an updated package.
CI Pipeline: Floor + Ceiling Validation
The CI workflow now validates Playwright compatibility at both boundaries:
playwright-floor (1.57.0) → build + full test suite pass
playwright-ceiling (latest) → build + full test suite + verify 1.61 flags active
This ensures every commit maintains backward compatibility with the minimum supported Playwright version while also verifying that new feature flags activate correctly on the latest release.
Additional CI improvements:
actions/checkoutupgraded v5 → v7 (security hardening forpull_request_target)github/codeql-actionupgraded to 4.36.2
New Error Category: Compat
A new error category for feature-availability errors:
throw new PramanError({
code: ErrorCode.ERR_COMPAT_FEATURE_UNAVAILABLE,
message: 'Web Storage fixture requires Playwright 1.61+',
attempted: 'Access page.localStorage / page.sessionStorage API',
retryable: false,
suggestions: [
'Upgrade Playwright: npm install @playwright/test@latest',
'Use page.evaluate() as a fallback for older versions',
],
});
This brings the total to 78 error codes across 18 categories. Every Praman error includes structured metadata: code, attempted, retryable, and suggestions[] — making errors actionable for both humans and AI agents.
Dependency Updates
| Category | Packages |
|---|---|
| Playwright | @playwright/test 1.60.0 → 1.61.1 |
| AI/LLM | @anthropic-ai/sdk 0.100.1 → 0.110.0 |
| CLI | commander 14.0.3 → 15.0.0 |
| Testing | vitest + @vitest/coverage-v8 → 4.1.9 |
| Telemetry | @opentelemetry/* suite upgraded |
| SAP tooling | @ui5/mcp-server 0.2.12 → 0.2.14 |
| Build | esbuild 0.28.0 → 0.28.1 (override for tsup nested dep) |
| Linting | @commitlint/cli 21.0.2 → 21.2.0 |
35 dev dependencies upgraded in total.
Upgrade Guide
No configuration changes required. All new features are either:
- Auto-detected (feature flags activate when PW 1.61+ is detected)
- Opt-in (Web Storage fixture only activates when
webStorageis destructured in a test)
If you're on Playwright < 1.61, everything continues to work unchanged. To access the Web Storage fixture, upgrade Playwright:
npm install @playwright/test@latest
What's Next
- WebAuthn credentials fixture — passkey/FIDO2 testing for SAP systems with biometric auth
expect.soft.poll()wrapper — non-blocking assertions that retry without failing the test- Playwright 1.62 tracking — compat layer ready for the next release cycle
