deps(pip)(deps-dev): bump playwright from 1.40.0 to 1.60.0

[dependabot]

Bumps playwright from 1.40.0 to 1.60.0.

Release notes

Sourced from playwright's releases.

v1.60.0

🐍 Python improvements

• New FormData class for building multipart/form-data request bodies — pass to api_request_context.post(form=…) etc.
• expect.soft(...) soft assertions collect multiple failures in a test instead of stopping at the first one. Requires up-to-date pytest integration to work.
• All timeout parameters now accept datetime.timedelta — applies wherever a timeout is taken, e.g. page.goto(), locator.click(), expect(...).to_be_visible().
• Async context manager support across more APIs — async with now works for objects returned from screencast.show_actions(), screencast.show_overlays(), etc.
• page.expect_request(...) and page.expect_response(...) now accept async predicates.
• Typed overloads for expect_event / wait_for_event so the event payload type is inferred per event name.

🌐 HAR recording on Tracing

tracing.start_har() / tracing.stop_har() expose HAR recording as a first-class tracing API, with the same content, mode and url_filter options as record_har:

context.tracing.start_har("trace.har")
page = context.new_page()
page.goto("https://playwright.dev")
context.tracing.stop_har()

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic DataTransfer in the page context — works cross-browser and is great for testing upload zones:

page.locator("#dropzone").drop(
    files={"name": "note.txt", "mime_type": "text/plain", "buffer": b"hello"},
)
page.locator("#dropzone").drop(
data={
"text/plain": "hello world",
"text/uri-list": "https://example.com",
},
)

🎯 Aria snapshots

• expect(page).to_match_aria_snapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator("body").
• New boxes option on locator.aria_snapshot() / page.aria_snapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

New APIs

Browser, Context and Page

• Event browser.on("context") — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browser_context.on("download"), browser_context.on("frameattached"), browser_context.on("framedetached"), browser_context.on("framenavigated"), browser_context.on("pageclose"), browser_context.on("pageload").

Locators and Assertions

... (truncated)

Commits

• 93f3201 chore: roll driver to 1.60.0 (#3079)
• 0ebdf2d feat(assertions): add expect.soft() for collecting multiple failures (#3065)
• 18810d8 feat: add FormData class for form and multipart requests (#3060)
• b846cee chore: roll to 1.60.0-beta-1778142790000 (#3069)
• 873c5c7 fix(setup): update auditwheel to 6.4.0 for InWheel tempdir fix (#3063)
• 9df9fac feat: accept datetime.timedelta for timeout parameters (#3059)
• 856ae37 devops: Update EsrpRelease (#3064)
• 161bd3d build(deps): bump flake8 from 7.2.0 to 7.3.0 (#2896)
• ac9bf29 build(deps): bump types-requests from 2.32.4.20250809 to 2.32.4.20260107 (#2975)
• deb2df8 build(deps): bump pytest-cov from 6.3.0 to 7.1.0 (#2976)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[RelativisticJet]

Holding per Phase-3.6-hold-period analysis (2026-05-23):

This is a major-version jump (1.40 → 1.60, 20 minor versions) of the Python playwright package, which is imported by 5 E2E test files (tests/e2e/conftest.py, page_objects.py, test_wl_save.py, tests/test_e2e_manual_browser.py, tests/test_e2e_realworld.py).

Playwright minor versions occasionally:

• Tighten selector engine semantics (could break flaky CSS selectors)
• Change default timeouts
• Rev bundled browser builds (affects pixel-diff visual regression baselines)

Merging without an E2E re-baseline could trigger a stream of visual-diff failures during the rc1 hold period. Hold until: (a) the rc1 4-week hold ends (2026-06-18ish), OR (b) someone runs the full E2E suite locally against 1.60 to establish a fresh baseline.

Tracked but deferred.

[dependabot]

Dependabot attempted to update this pull request, but because the branch dependabot/pip/playwright-1.60.0 is protected it was unable to do so.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[RelativisticJet]

Resolution: landed on main as 6fa38c3 (deps(pip-dev): bump playwright 1.40.0 → 1.60.0).

The bump itself was the easy part. The work required to make it safe:

1. 9123a6c — Removed unused pytest-playwright from requirements-dev.txt (closed sibling PR deps(pip)(deps-dev): update pytest-playwright requirement from >=0.4.0 to >=0.8.0 #12).
2. 25ff280 — Rewrote tests/e2e/page_objects.py + added tests/e2e/_shared.py with proven selectors. The previous page objects had a guessed DOM model (<select> for the rule picker, <button>:has-text("Save") for action buttons) that never matched the real app. 14 .locators( typos (plural — never a Page method) fixed too.
3. efd1e11 — Rewrote conftest.py (login selector was 'button:has-text("Sign in")' but Splunk uses <input type="submit"> — login silently failed for every test using the browser/admin_browser fixture) + rewrote the 5 workflow test files against real selectors + the standard mapped CSV (DR55_brute_force_users.csv) with backup/restore.
4. 6fa38c3 — Pin bump landed.
5. 24b7bde — Wired Python E2E into CI via .github/workflows/e2e-python.yml (nightly + push-to-main on dev-pin changes). Python E2E was never CI-gated before, which is how the pre-existing brokenness went undetected for so long.

Final baseline under playwright 1.60 + Chromium 148 headless:

• tests/e2e/ (excluding test_wl_save.py): 15 passed, 11 skipped (documented), 0 errors
• tests/e2e/test_wl_save.py: 11 passed / 2 known pre-existing state-leak flakes (NOT playwright 1.60 regressions — reproduced on 1.40 too; tracked in qa-findings.jsonl)

All 11 skips have explicit @pytest.mark.skip(reason=...) text with deferral rationale.