Skip to content

Agent-browser-shield

v2026.6.8.22 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 4d Secrets & Credentials
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ai-agents browser-extension browser-use security

Affected surfaces

auth rbac

Summary

AI summary

Updates Fix, Feat, and Chore across a mixed release.

Full changelog

What's Changed

  • Docs: sync config skill + rule counts to current behavior by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/175
  • Fix: scrub instead of detach for framework-rendered DOM by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/176
  • Fix: re-scrub meta content rewrites and noscript re-renders by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/180
  • Feat: hidden-fee-annotate rule for drip-pricing fees (#119) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/181
  • Docs: note accepted gap for enabled input value inside hidden wrapper by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/184
  • Feat: scrub value on input[type=hidden] in attribute-injection-sanitize by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/185
  • Fix: cover aria-roledescription/-placeholder/-valuetext/-keyshortcuts in attribute-injection-sanitize by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/186
  • Bump marocchino/sticky-pull-request-comment from 2 to 3 by @dependabot[bot] in https://github.com/pixiebrix/agent-browser-shield/pull/195
  • Bump astral-sh/setup-uv from 7 to 8.1.0 by @dependabot[bot] in https://github.com/pixiebrix/agent-browser-shield/pull/193
  • Bump actions/checkout from 6 to 6.0.2 by @dependabot[bot] in https://github.com/pixiebrix/agent-browser-shield/pull/189
  • Feat: form-prefill-annotate rule for preselected form controls (#121) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/187
  • Chore: switch Dependabot ecosystem from npm to bun by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/196
  • Chore: bump dev-deps (biome, eslint, typescript-eslint, astro) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/202
  • Chore(deps): Bump react-router-dom from 7.15.1 to 7.16.0 in /demo-site by @dependabot[bot] in https://github.com/pixiebrix/agent-browser-shield/pull/199
  • Fix: resolve modern CSS color syntaxes in hidden-text-strip by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/205
  • Fix: extend unicode-invisibles-strip to cover bypass code points by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/204
  • Feat: hidden-affiliate-sanitize rule for affiliate/UTM/referral metadata (#121) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/188
  • Fix: narrow hidden-text-strip landmark + aria-hidden allowlists by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/207
  • Fix: extend hidden-text-strip with six additional CSS hide paths by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/206
  • Fix: extend cross-origin-frame-redact to and by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/208
  • Fix: schema-trust Person annotation + broader disguised-ad coverage (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/209
  • Fix: detect PII / encoded payloads split across sibling text nodes (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/210
  • Fix: cover open declarative shadow DOM via setHTMLUnsafe (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/211
  • Fix: narrow hidden-text-strip display:none carve-out for live regions by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/212
  • Fix: scarcity/countdown synonym evasion (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/213
  • Fix: catch single-script IDN homograph links (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/215
  • Fix: defend cleared checkout checkboxes against programmatic re-checks (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/214
  • Fix: extend encoded-payload-redact with text-cipher encodings (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/216
  • Fix: main-world shadow-root probe for definitive closed-shadow detection (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/217
  • Refactor: extract chrome.scripting registry mock into shared helper by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/218
  • Docs: list remaining bypass gaps as known limitations (#203) by @twschiller in https://github.com/pixiebrix/agent-browser-shield/pull/219

Full Changelog: https://github.com/pixiebrix/agent-browser-shield/compare/v2026.6.5.21...v2026.6.8.22

Breaking Changes

  • Dependabot ecosystem switched from npm to bun
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Agent-browser-shield

Get notified when new releases ship.

Sign up free

About Agent-browser-shield

All releases →

Related context

Earlier breaking changes

  • v2026.6.2.13 Enforce lib/↔rules/ import boundary via no-restricted-paths

Beta — feedback welcome: [email protected]