
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
@mergifyio/playwright
Advanced tools
A Playwright reporter that integrates seamlessly with Mergify, uploading OpenTelemetry traces of test executions to Mergify CI Insights and absorbing failures of tests quarantined via Mergify's CI Insights Quarantine feature.
More information at https://mergify.com
Install the package as a dev dependency alongside @playwright/test (>= 1.40.0):
npm install --save-dev @mergifyio/playwright
Wrap your playwright.config.ts with withMergify and import test /
expect from @mergifyio/playwright instead of @playwright/test:
// playwright.config.ts
import { defineConfig } from '@playwright/test';
import { withMergify } from '@mergifyio/playwright';
export default withMergify(defineConfig({
projects: [{ name: 'chromium', use: { /* ... */ } }],
}));
// tests/example.spec.ts
import { test, expect } from '@mergifyio/playwright';
test('flaky thing', async ({ page }) => {
// ...
});
Set MERGIFY_TOKEN in your CI environment. Without it, the integration stays
silent and tests run normally.
withMergify registers the reporter that uploads test-run traces to Mergify
CI Insights, plus a globalSetup that fetches the quarantine list and a
globalTeardown that cleans up. The test export is Playwright's base test
extended with an auto-fixture: when a test's name is on the quarantine list
AND it fails, the fixture sets testInfo.expectedStatus = 'failed' so
Playwright reports the outcome as passing. Quarantined tests that pass are
reported as passing unchanged (no "unexpected pass" penalty — matches
pytest's xfail(strict=False)).
At the end of the run, a summary is printed on stderr:
[@mergifyio/playwright] Quarantine report:
fetched: 3
caught: 1
- tests/auth.spec.ts > Login > submits form
unused: 2
- tests/api.spec.ts > retries once
- tests/data.spec.ts > builds payload
Gotcha: wrapping the config with withMergify but forgetting to change
the test import leaves the quarantine list fetched but never applied —
every entry shows up under "unused" (the caught count stays 0).
| Variable | Description | Default |
|---|---|---|
MERGIFY_TOKEN | Mergify API authentication token | (required) |
MERGIFY_API_URL | Mergify API endpoint | https://api.mergify.com |
PLAYWRIGHT_MERGIFY_ENABLE | Force-enable outside CI | false |
MERGIFY_CI_DEBUG | Print spans to console instead of uploading | false |
MERGIFY_TRACEPARENT | W3C distributed trace context | — |
MERGIFY_TEST_RUN_ID | Test run identifier (set by withMergify's globalSetup; read by workers) | — |
MERGIFY_STATE_FILE | Path to the per-run quarantine state file (set by globalSetup; read by workers) | — |
For detailed documentation, see the official guide.
Clone the repo and install dependencies:
pnpm install
Available scripts (from this package's directory or with pnpm --filter @mergifyio/playwright):
| Command | What it does |
|---|---|
pnpm test | Run the test suite once (vitest run) |
pnpm run build | Bundle the package with tsdown |
FAQs
Playwright reporter for Mergify CI Insights
The npm package @mergifyio/playwright receives a total of 1,789 weekly downloads. As such, @mergifyio/playwright popularity was classified as popular.
We found that @mergifyio/playwright demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.