browser_run_code_unsafe: The Naming Change That Forces Honest Architecture

TL;DR

Playwright MCP v0.0.72 renamed browser_run_code to browser_run_code_unsafe, making sandbox escape risk explicit. The new browser_network_request tool enables indexed request inspection. Teams using this MCP server in CI pipelines need to update tool references and security documentation now.

The Release

Microsoft shipped playwright-mcp v0.0.72 on April 30, 2026 with two headline changes: a renamed tool that forces explicit acknowledgment of security boundaries, and a new indexed network request API.

The tool formerly known as browser_run_code is now browser_run_code_unsafe. The rename surfaces a capability that was always there—arbitrary code execution within the Playwright browser context—and makes the sandbox implications impossible to miss in code reviews, CI configs, and architecture docs.

Also new: browser_network_requests now returns a numbered list, and browser_network_request lets you fetch any single request by index, including headers and body. Both tools accept a filename option for direct file output.

Why This Matters for Engineers, QA, and CI

I've seen what happens when security assumptions live in the gap between "works in dev" and "approved for prod." At CooperVision, where I've led test infrastructure through a 40% faster test execution migration from Selenium to Playwright, the gap between a tool's name and its actual risk profile costs real time.

When a tool is named browser_run_code, it's easy to approve it in a security review without asking what code actually runs. When it's named browser_run_code_unsafe, you can't pretend the sandbox boundary is theoretical. This rename is documentation embedded in the API contract.

For QA architects integrating MCP servers into CI pipelines, this matters in three places: security review templates, tool permission configs in your MCP client, and any internal docs that reference the old name.

How to Use It

The new indexed request API is straightforward. Here's a TypeScript example using the new browser_network_request with an index:

// Fetch the numbered list from browser_network_requests
const requestList = await client.callTool('browser_network_requests', {
  url: 'https://api.example.com/orders'
});
// Returns: [{index: 0, method: 'GET', url: '...'}, {index: 1, ...}]

// Fetch full details for a specific request
const fullRequest = await client.callTool('browser_network_request', {
  index: 0,
  filename: 'request_0.json'  // Optional: write directly to file
});

// Or fetch just headers for inspection
const headers = await client.callTool('browser_network_request', {
  index: 0,
  part: 'headers'
});

For the renamed tool, update your tool references:

// Before (v0.0.71)
await client.callTool('browser_run_code', {
  code: `await page.click('#submit')`
});

// After (v0.0.72)
await client.callTool('browser_run_code_unsafe', {
  code: `await page.click('#submit')`
});

The functionality is identical. The name changed.

The Gotcha Nobody Is Talking About

The rename doesn't change behavior—but it will break your existing integrations silently if you're using tool name matching in your MCP client config. If you hardcoded browser_run_code in a tool registry or a Claude Desktop config file, you'll get a "tool not found" error with no explanation that a rename is the cause.

The unhandled rejection fix (previously crashing the server on unhandled errors in browser_run_code_unsafe) means old error patterns in your logs may disappear. That's good, but if you had monitoring that expected crashes on certain error types, you'll need to update alert thresholds.

What This Changes in Your CI Pipeline

If you're running Playwright MCP in CI—using it to drive browser automation for end-to-end tests or visual regression checks—the rename forces a config audit. In practice, this is a one-line change in your tool mapping, but it should trigger a broader review of what other tools you're calling and whether their names still match upstream.

The new filename option for network tools solves a real CI artifact problem: network logs that used to need in-memory buffering and post-processing can now write directly to the filesystem, making them available for artifact upload without extra code.

At CooperVision, I've shipped changes that cut deployment times in half partly because artifact handling got smarter. Direct file output from MCP tools is that kind of small win that compounds across hundreds of test runs.

Migration Notes

• Update all tool name references from browser_run_code to browser_run_code_unsafe
• Review security documentation to reflect the explicit "unsafe" designation
• Check MCP client configs for hardcoded tool names
• The filename parameter is backward-compatible (optional, existing behavior unchanged)
• The indexed request API is additive; existing browser_network_requests behavior works as before

Verdict

The browser_run_code_unsafe rename is the right call. It's an API contract change that forces honest conversations about what your automation tools can actually do. In enterprise environments where QA architects own security review sign-off, explicit naming prevents the kind of assumption drift that creates vulnerabilities.

The new indexed network request API is a solid ergonomic improvement—pinpoint access to individual requests without parsing full lists. Combined with the filename output option, it makes Playwright MCP a more capable tool for CI pipelines that need artifact generation.

This is a non-breaking change for functionality, but a breaking change for tool name references. Audit your configs, update your docs, and move on. The 40% faster test execution gains from the Selenium→Playwright migration taught me that staying current on toolchain changes pays off—it's rarely as painful as it feels in the moment.

Upgrade and update your tool names. Then look at what you can do with indexed request inspection that you couldn't before.

Anton Gulin is an AI QA Architect — the first person to claim this title on LinkedIn. He builds AI-powered test automation systems where AI agents and human engineers collaborate on quality. Former Apple SDET, current Lead Software Engineer in Test at CooperVision. Find him at anton.qa or on LinkedIn.