Published: · 5 min read
Playwright MCP v0.0.72 renamed browser_run_code to browser_run_code_unsafe, making sandbox escape risk explicit. The new browser_network_request tool enables indexed request inspection. Teams using this MCP server in CI pipelines need to update tool references and security documentation now.
Playwright MCP v0.0.72 renamed browser_run_code to browser_run_code_unsafe, making sandbox escape risk explicit. The new browser_network_request tool enables indexed request inspection. Teams using this MCP server in CI pipelines need to update tool references and security documentation now.
Microsoft shipped playwright-mcp v0.0.72 on April 30, 2026 with two headline changes: a renamed tool that forces explicit acknowledgment of security boundaries, and a new indexed network request API.
The tool formerly known as browser_run_code is now browser_run_code_unsafe. The rename surfaces a capability that was always there—arbitrary code execution within the Playwright browser context—and makes the sandbox implications impossible to miss in code reviews, CI configs, and architecture docs.
Also new: browser_network_requests now returns a numbered list, and browser_network_request lets you fetch any single request by index, including headers and body. Both tools accept a filename option for direct file output.
I've seen what happens when security assumptions live in the gap between "works in dev" and "approved for prod." At CooperVision, where I've led test infrastructure through a 40% faster test execution migration from Selenium to Playwright, the gap between a tool's name and its actual risk profile costs real time.
When a tool is named browser_run_code, it's easy to approve it in a security review without asking what code actually runs. When it's named browser_run_code_unsafe, you can't pretend the sandbox boundary is theoretical. This rename is documentation embedded in the API contract.
For QA architects integrating MCP servers into CI pipelines, this matters in three places: security review templates, tool permission configs in your MCP client, and any internal docs that reference the old name.
The new indexed request API is straightforward. Here's a TypeScript example using the new browser_network_request with an index:
// Fetch the numbered list from browser_network_requests
const requestList = await client.callTool('browser_network_requests', {
url: 'https://api.example.com/orders'
});
// Returns: [{index: 0, method: 'GET', url: '...'}, {index: 1, ...}]
// Fetch full details for a specific request
const fullRequest = await client.callTool('browser_network_request', {
index: 0,
filename: 'request_0.json' // Optional: write directly to file
});
// Or fetch just headers for inspection
const headers = await client.callTool('browser_network_request', {
index: 0,
part: 'headers'
});For the renamed tool, update your tool references:
// Before (v0.0.71)
await client.callTool('browser_run_code', {
code: `await page.click('#submit')`
});
// After (v0.0.72)
await client.callTool('browser_run_code_unsafe', {
code: `await page.click('#submit')`
});
The functionality is identical. The name changed.
The rename doesn't change behavior—but it will break your existing integrations silently if you're using tool name matching in your MCP client config. If you hardcoded browser_run_code in a tool registry or a Claude Desktop config file, you'll get a "tool not found" error with no explanation that a rename is the cause.
The unhandled rejection fix (previously crashing the server on unhandled errors in browser_run_code_unsafe) means old error patterns in your logs may disappear. That's good, but if you had monitoring that expected crashes on certain error types, you'll need to update alert thresholds.
If you're running Playwright MCP in CI—using it to drive browser automation for end-to-end tests or visual regression checks—the rename forces a config audit. In practice, this is a one-line change in your tool mapping, but it should trigger a broader review of what other tools you're calling and whether their names still match upstream.
The new filename option for network tools solves a real CI artifact problem: network logs that used to need in-memory buffering and post-processing can now write directly to the filesystem, making them available for artifact upload without extra code.
At CooperVision, I've shipped changes that cut deployment times in half partly because artifact handling got smarter. Direct file output from MCP tools is that kind of small win that compounds across hundreds of test runs.
browser_run_code to browser_run_code_unsafefilename parameter is backward-compatible (optional, existing behavior unchanged)browser_network_requests behavior works as beforeThe browser_run_code_unsafe rename is the right call. It's an API contract change that forces honest conversations about what your automation tools can actually do. In enterprise environments where QA architects own security review sign-off, explicit naming prevents the kind of assumption drift that creates vulnerabilities.
The new indexed network request API is a solid ergonomic improvement—pinpoint access to individual requests without parsing full lists. Combined with the filename output option, it makes Playwright MCP a more capable tool for CI pipelines that need artifact generation.
This is a non-breaking change for functionality, but a breaking change for tool name references. Audit your configs, update your docs, and move on. The 40% faster test execution gains from the Selenium→Playwright migration taught me that staying current on toolchain changes pays off—it's rarely as painful as it feels in the moment.
Upgrade and update your tool names. Then look at what you can do with indexed request inspection that you couldn't before.
Anton Gulin is an AI QA Architect — the first person to claim this title on LinkedIn. He builds AI-powered test automation systems where AI agents and human engineers collaborate on quality. Former Apple SDET, current Lead Software Engineer in Test at CooperVision. Find him at anton.qa or on LinkedIn.
Get notified when I publish something new, and unsubscribe at any time.
·4 min read
Playwright MCP v0.0.73 fixes a critical gap where extension channels and executable paths couldn't be resolved from CI/CD environment variables. This release enables true containerized test pipelines—configure browser installations once in your Dockerfile, override per job via environment variables, no hardcoded paths required.
·5 min read
Playwright CLI v0.1.10 introduces a spec-driven testing skill that guides AI agents through plan/generate/heal workflows for maintaining test suites from written specifications. Network inspection now uses stable request indexing, and raw output is default for all data-fetching commands—eliminating preprocessing steps in CI pipelines.
·3 min read
AI agents made it worse. They still get stuck at login screens. This month, that changed. MCP (how AI talks to tools) is changing how we test. Two teams at Microsoft shipped a fix. They released two ways to share your browser with AI. Playwright core added browser.bind(). The CLI team added an MCP Bridge. Both land in the same month. This is not a test. It is the new way.
