test(deps): bump the npm group across 1 directory with 3 updates

[dependabot]

Bumps the npm group with 3 updates in the / directory: @playwright/test, @types/node and playwright-bdd.

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @types/node from 25.6.0 to 25.8.0

Commits

• See full diff in compare view

Updates playwright-bdd from 8.5.0 to 8.5.1

Release notes

Sourced from playwright-bdd's releases.

Release 8.5.1

• fix: support Playwright 1.60+.

Changelog

Sourced from playwright-bdd's changelog.

[8.5.1] - 2026-05-12

• fix: support Playwright 1.60+.

Commits

• d9e94c2 update cucumber packages and fix tests
• 9fc0aa8 update minor deps
• ff62aec changelog
• dc330bd fix for pw 1.60
• 6f01e7f fix: validate used step definitions with strict Cucumber-compatible arity checks
• b6aed9f update docs
• 4e4aa1b final fixes
• 52f0610 Expose doc string media types
• 5ce2288 fix gitattributes on win
• 0779d5a add tests for step hooks
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge ➔ ghcr.io/philips-software/amp-devcontainer-base:pr-1284

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	71.82 MB	71.82 MB	+338 B (+0%)	🔼
linux/arm64	70.13 MB	70.13 MB	+1.2 kB (+0%)	🔼

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	23		0	0	0.35s
✅ DOCKERFILE	hadolint	3		0	0	0.28s
✅ JSON	npm-package-json-lint	yes		no	no	0.55s
✅ JSON	prettier	21	4	0	0	1.01s
✅ JSON	v8r	21		0	0	11.09s
✅ MARKDOWN	markdownlint	12	0	0	0	1.12s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.34s
✅ REPOSITORY	checkov	yes		no	no	26.19s
✅ REPOSITORY	gitleaks	yes		no	no	1.39s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
⚠️ REPOSITORY	grype	yes		no	1	56.14s
✅ REPOSITORY	secretlint	yes		no	no	2.02s
✅ REPOSITORY	syft	yes		no	no	3.14s
❌ REPOSITORY	trivy	yes		1	1	12.79s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.35s
✅ REPOSITORY	trufflehog	yes		no	no	6.15s
⚠️ SPELL	lychee	83		3	0	12.18s
✅ YAML	prettier	31	0	0	0	1.19s
✅ YAML	v8r	31		0	0	12.39s
✅ YAML	yamllint	31		0	0	1.15s

Detailed Issues

❌ REPOSITORY / trivy - 1 error

warning: Package: idna
Installed Version: 3.11
Vulnerability CVE-2026-45409
Severity: MEDIUM
Fixed Version: 3.15
Link: [CVE-2026-45409](https://avd.aquasec.com/nvd/cve-2026-45409)
    ┌─ .devcontainer/cpp/requirements.txt:187:1
    │
187 │ idna==3.11 \
    │ ^
    │
    = Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
    = This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process.
      
      ### Impact
      A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.
      
      ### Patches
      Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).
      
      ### Workarounds
      Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

warning: 1 warnings emitted

⚠️ REPOSITORY / grype - 1 warning

warning: A medium vulnerability in python package: idna, version 3.11 was found at: /.devcontainer/cpp/requirements.txt

warning: 1 warnings emitted

⚠️ SPELL / lychee - 3 errors

[IGNORED] docker://pandoc/extra:3.9.0.0-ubuntu@sha256:72afa9c8d3300e5f10c9c4330e101725687f2179bffd912fb859c6d2ae85de62 | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.9.0.0-ubuntu@sha256:72afa9c8d3300e5f10c9c4330e101725687f2179bffd912fb859c6d2ae85de62)
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....121
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........3

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

Errors in README.md
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?

Errors in .github/workflows/pr-conventional-title.yml
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/salesforce@v9.4.0 (58 linters)
• oxsecurity/megalinter/flavors/javascript@v9.4.0 (61 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-1284

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	468.63 MB	468.63 MB	+421 B (+0%)	🔼
linux/arm64	419.81 MB	419.82 MB	+724 B (+0%)	🔼

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-1284

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	544.95 MB	544.95 MB	+1.31 kB (+0%)	🔼
linux/arm64	524.3 MB	524.3 MB	+1.64 kB (+0%)	🔼

[github-actions]

Test Results

 12 files   - 1   12 suites   - 1   16m 58s ⏱️ - 2m 42s
 32 tests  - 1   32 ✅  - 1  0 💤 ±0  0 ❌ ±0 
136 runs   - 1  136 ✅  - 1  0 💤 ±0  0 ❌ ±0 

Results for commit e78d3ed. ± Comparison against base commit 30a53b3.