All notable changes to this actor are documented here.
The format is based on Keep a Changelog ,
and this project adheres to Semantic Versioning .
The scan report has its own schema version (meta.reportVersion, currently
1.0.0) — a breaking change to the report shape bumps that independently of
the actor version.
[Unreleased]
Known issues
npm audit reports 17 moderate-severity findings, all the same advisory
(GHSA-8988-4f7v-96qf ,
unbounded memory allocation in W3C Baggage propagation) in
@opentelemetry/core <2.8.0, pulled in transitively via lighthouse →
@sentry/node@9.47.1. No compatible fix exists upstream yet: Lighthouse's
latest release still pins @sentry/node@^9.28.1, and that line hasn't
picked up the @opentelemetry/core bump (only Sentry's v10 line has).
Not exploitable here — Lighthouse only calls Sentry.init() when
flags.enableErrorReporting is set, which runRenderAudit never passes, so
the vulnerable code path is imported but never initialized. Re-check with
npm audit after bumping lighthouse.
Added
Detection-level e2e coverage: live runs against the W3C WAI "Before and
After Demonstration" page (a stable, deliberately inaccessible public
fixture) assert that wcag-audit reports real WCAG violations and that
html-structure finds the fixture's known failures (missing <html lang>,
images without alt) — previously the e2e tier only validated output shape.
E2e tests for SARIF output (OUTPUT.sarif is valid SARIF 2.1.0 with a 1:1
rule/result mapping to report findings), KV-vs-dataset parity, the
failOnSeverity CI gate (run fails after persisting the report), and the
SSRF guard (scans of non-public targets are refused).
Changed
Per-engine e2e tests now assert the engine actually reached
status: 'completed' on the live platform, surfacing the engine's own error
detail on failure; a single retry absorbs transient live-platform flakiness.
The e2e suite runs its live actor runs concurrently (capped at 4 in flight),
cutting the post-deploy verify stage's wall time roughly in half.
[0.1.0] — 2026-07-03
Initial release.
Added
Six accessibility engines in a single run: wcag-audit (full WCAG 2.x
ruleset violations), render-audit (rendered-page accessibility score),
keyboard-nav (focus order and focus-trap testing) — browser-based via
bundled Chromium — plus three native, browserless engines: html-structure
(lang, alt text, form labels, heading hierarchy, title, duplicate ids, empty
interactive elements), media-captions, and viewport-a11y.
Normalized, deduplicated findings with severity, p0–p3 priority, WCAG
criterion/level, and an overall 0–100 score with an A–F grade.
Report written to the OUTPUT key-value record and pushed to the default
dataset; optional SARIF 2.1.0 output (outputFormat: sarif/both) for code
scanning.
CI gating via failOnGrade / failOnSeverity (non-zero exit after the
report is persisted).
Authenticated scanning via custom request headers / session cookie
(same-origin only) and optional proxy routing with graceful direct-connection
fallback.
SSRF guard: refuses to scan private or non-public targets.
Pay-per-event billing (scan-completed), charged only when at least one
engine completed.
Three-tier test suite (unit, local integration via apify run in Docker,
live e2e) and a GitLab CI pipeline: check → deploy → verify.