Refresh fork from upstream rrweb v2.0.1 + make CI build/lint/tests work standalone #29

Merged: Vadman97 merged 71 commits into main from refresh-from-upstream on Jun 11, 2026

@Vadman97

Contributor

What

Syncs the fork with upstream rrweb-io/rrweb main (v2.0.1) — 54 upstream commits since our fork point (fd9d2747, ~v2.0.0-alpha.18 era) — and makes the repo's CI actually able to build, lint, and run tests standalone.

Done as a merge (not a history rewrite) so it lands via a normal PR; the resulting tree is what a rebase would produce. Answer to the side question "do we intend to pull in upstream changes?": yes, and after this PR future syncs are routine git merge upstream/main with a much smaller conflict surface.

Upstream highlights pulled in

  • Vite 6 migration (rollup config deleted), vitest forks-pool fix for hanging tests
  • UMD output folder, slim-DOM refactor, nested-CSS fixes, Safari MutationObserver fix
  • New packages: @rrweb/browser-client, network record/replay plugins (renamed to our @highlight-run/* scheme)
  • v2.0.1 stable versioning upstream-side (our packages stay 2.0.0-lambda.5; bumping is a separate release decision)

Fork invariants preserved

  • @highlight-run/* package names, workspace:* internal deps (consumed by launchdarkly/observability-sdk as a git submodule / workspace member)
  • No committed yarn.lock (the lockfile lives in observability-sdk); yarn 4.9.1
  • Highlight privacy features (default privacy mode / obfuscateText, masking, canvas + video snapshotting, etc.) — verified the fork's full feature diff vs upstream survived the merge (~2k lines across 96 files, matching the pre-merge footprint)

Why CI tests were failing (the dependabot-PR blocker)

Several latent issues, mostly yarn 1 → yarn 4 semantics the fork inherited:

  1. Undeclared bins: vitest/cross-env/eslint weren't declared in packages whose scripts use them — yarn 1 exposed hoisted bins everywhere, yarn 4 doesn't. (This alone broke several #test and #lint tasks.)
  2. vitest exclude overrides dropped the default **/node_modules/** exclude, collecting stray dependency spec files under yarn 4's nested layout.
  3. Unpinned floating installs: no lockfile means every CI run resolves fresh; prettier-plugin-svelte floated to a prettier-3-only release. Pinned to 3.2.4. (Remaining risk: other deps can still drift — see follow-ups.)
  4. Layout assumptions: vite aliases / tsconfig paths hardcoded the observability-sdk parent layout (../node_modules/...); now they fall back to the repo's own node_modules so standalone CI and local checkouts work. Added .yarnrc.yml (nodeLinker: node-modules, matching observability-sdk; mutable installs since there is no lockfile).
  5. Stale test expectations: dist filenames from before the package renames, upstream tree-shaking/bundle-size guards that don't apply to our inlined-deps bundling (skipped with comments), the randomized-by-design obfuscateText vs fixed snapshots (skipped; masking is covered in utils.test.ts), and lit-html's random template marker (now normalized in the snapshot stringifiers).

CI workflow changes

  • Tests (ci-cd.yml): adopted upstream's job (pins Chrome to .puppeteerrc.cjs revision via setup-chrome, installs Playwright for rrvideo, adds a WebKit job), adapted to corepack/yarn 4/no lockfile. Third-party action pinned to SHA per SEC-7924.
  • Eslint Check: modernized (Node 16 → lts, corepack); annotation job was gated on rrweb-io/rrweb and could never run — now gated on launchdarkly/rrweb.
  • Code Style Check: dropped its duplicate eslint jobs (Eslint Check owns lint).
  • Did not adopt upstream's pr-checks-privileged.yml (workflow_run privileged pattern — same class of thing SEC removed before) nor their duplicate eslint-check.yml.

Verification (local)

  • yarn build:all 22/22, yarn check-types 34/34, yarn turbo run lint 12/12, yarn prettier --check clean
  • Test suites green locally: rrweb-snapshot (minus 1 browser-version-dependent case), rrdom (145/146), record, all (stable across repeated runs), packer, rrdom-nodejs, plugins, browser-client
  • rrweb + rrvideo suites can't run representatively on my box (ARM, snap Chromium 148, no WebGL/Playwright deps) — CI on this PR is the arbiter; remaining failures there (if any) I'll iterate on.

Follow-ups (separate PRs)

  • Dependabot alerts (the original ask — much easier on a current base)
  • Consider pinning exact dep versions or another anti-drift mechanism given the intentional no-lockfile setup
  • Decide on version bump / release process for @highlight-run/* 2.0.1-based packages

🤖 Generated with Claude Code
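
The SHA-pinning and privileged-trigger decisions in the description above can be checked mechanically. The following is an added example, not part of this PR or of rrweb: a heuristic scanner for workflow files, where the `example-org/*` action names, the 40-hex SHA, the rule names and both sample workflows are constructed for illustration.

```javascript
// Added example: heuristic audit of GitHub Actions workflow text (no YAML parser,
// so every hit is a prompt for human review, not a verdict).
const FULL_SHA = /^[0-9a-f]{40}$/;
const PRIVILEGED_TRIGGERS = ['pull_request_target', 'workflow_run'];
// A checkout `ref:` that resolves to code chosen by the PR author.
const PR_HEAD_CHECKOUT =
  /^\s*ref:.*github\.event\.(pull_request\.head|workflow_run\.head_)/;

// Every `uses:` reference with its 1-based line number.
function findUses(yamlText) {
  const out = [];
  yamlText.split('\n').forEach((text, i) => {
    const m = /^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)/.exec(text);
    if (m) out.push({ line: i + 1, ref: m[1] });
  });
  return out;
}

// Privileged trigger names found inside the top-level `on:` block.
function findPrivilegedTriggers(yamlText) {
  const out = [];
  let inOn = false;
  yamlText.split('\n').forEach((text, i) => {
    if (/^\s*#/.test(text)) return; // skip comment lines
    let scanned = null;
    if (/^['"]?on['"]?\s*:/.test(text)) {
      inOn = true;
      scanned = text.slice(text.indexOf(':') + 1); // inline form: on: [a, b]
    } else if (inOn && /^\S/.test(text)) {
      inOn = false; // next top-level key ends the block
    } else if (inOn) {
      scanned = text;
    }
    if (scanned === null) return;
    for (const name of PRIVILEGED_TRIGGERS) {
      if (new RegExp(`\\b${name}\\b`).test(scanned)) out.push({ line: i + 1, name });
    }
  });
  return out;
}

function auditWorkflow(file, yamlText) {
  const findings = [];
  for (const { line, ref } of findUses(yamlText)) {
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue; // local/image
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    const owner = ref.split('/')[0];
    // Assumption: actions/* and github/* are treated as first-party and exempt.
    if (owner === 'actions' || owner === 'github') continue;
    if (!FULL_SHA.test(version)) {
      findings.push({ file, line, rule: 'third-party-action-not-sha-pinned', detail: ref });
    }
  }
  const triggers = findPrivilegedTriggers(yamlText);
  if (triggers.length > 0) {
    const detail = triggers.map((t) => t.name).join(',');
    const headIdx = yamlText.split('\n').findIndex((t) => PR_HEAD_CHECKOUT.test(t));
    findings.push(
      headIdx >= 0
        ? { file, line: headIdx + 1, rule: 'privileged-trigger-checks-out-pr-head', detail }
        : { file, line: triggers[0].line, rule: 'privileged-trigger', detail }
    );
  }
  return findings;
}

// Constructed sample: privileged trigger, PR-head checkout, tag-pinned action.
const SAMPLE_RISKY = `name: size-report
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: example-org/size-action@v2
`;

// Constructed sample: unprivileged trigger, third-party action pinned to a SHA.
const SAMPLE_PINNED = `name: tests
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-browser@0123456789abcdef0123456789abcdef01234567 # constructed SHA
`;

console.log(JSON.stringify(auditWorkflow('size-report.yml', SAMPLE_RISKY), null, 2));
console.log(JSON.stringify(auditWorkflow('tests.yml', SAMPLE_PINNED), null, 2));
```

The scanner reports line numbers so findings can be attached to a review; a workflow that legitimately needs a privileged trigger still shows up and has to be justified by hand.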

YunFeng0817 and others added 30 commits June 6, 2025 14:23
…1696)

* fix: CI hang forever in the yarn [4/4] Building fresh packages...
…iframe becomes cross-origin (#1695)

* fix: rrweb recorder may throw error when stopping recording after an iframe becomes cross-origin

* add change set

* add failure message check

* Update packages/rrweb/src/record/index.ts

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>

* remove settimeout

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Create SECURITY.md

* Format fix

* Update SECURITY.md

* Update SECURITY.md

* Update SECURITY.md

Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com>

* Update SECURITY.md

mention the google group is private

* Update SECURITY.md

* Update SECURITY.md

formatting

---------

Co-authored-by: Yun Feng <yun.feng0817@gmail.com>
Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com>
Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Fix missing import after #1705; probably was there before I requested changes
* Prefer `includes` formulation for brevity and as it composes better (easier to understand) in longer boolean expressions with &&

* Noticed two different interpretations of `headMetaAuthorship` under slimDOMOptions; take the opportunity to cleanup and merge code
* Fix vitest hanging by using forks instead of threads pool

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Juice10 <4106+Juice10@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* build(rrvideo): upgrade playwright from 1.32.1 to 1.56.1

Update playwright dependency to latest version and refactor test execution options to use a shared configuration with increased timeout for stability.
* Fix wujie monkeypatches ownerDocument

---------

Co-authored-by: wfk007 <wfk007@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* docs: add r/rrweb subreddit badge to README files

Add Reddit community badge linking to https://www.reddit.com/r/rrweb
to the main README.md, Chinese README.zh_CN.md, and the
rrweb-snapshot package README.md to promote community engagement.

https://claude.ai/code/session_01RUhZVWQGCVhsh5NAzv5C6X

* Add empty changeset

---------

Co-authored-by: Claude <noreply@anthropic.com>
…777)

* Update webgl.ts

---------

Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com>
Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* fix: improve nested CSS rule handling and add related tests
* fix: enhance null safety for nested CSS rules and add related tests
* Improve nested CSS rule handling and replayer handling

Updated the fix message to include replayer handling of missing rules.

---------

Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* fix: ensure empty string replace/replaceSync clears stylesheets

---------

Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…les (#1762)

* chore: maintain CSS output file name in vite@6.0.1

Without this change, build would fail because the produced stylesheet assumes
the `package.json['name']` i.e., `styles/rrweb.css`. To maintain the existing
behavior, these changes are required.

See https://vite.dev/guide/migration.html#customize-css-output-file-name-in-library-mode
* build(rrvideo): upgrade playwright from 1.32.1 to 1.56.1

Update playwright dependency to latest version and refactor test execution options to use a shared configuration with increased timeout for stability.

* debug(rrvideo): add comprehensive logging to video transformation process

Add detailed console.log statements throughout the transformToVideo function to track execution flow and debug potential issues. Logging covers browser launch, context creation, page navigation, replay progress, and video file operations.

* ci(rrvideo): install playwright browsers and improve test output visibility

- Add Playwright Chromium installation step to CI workflow
- Change test execution stdio from 'pipe' to 'inherit' for better debugging

* fix(rrvideo): prevent autoplay and manually start playback after event listeners

Set autoPlay to false in replayer configuration and manually call play() after all event listeners are attached. This ensures event handlers are properly registered before playback begins, preventing potential race conditions.

Also refactor test execution options to separate stdio configuration from timeout settings for better control over test output visibility.

* fix(rrvideo): add timeout and error handling to replay process

Add comprehensive error handling to prevent hanging during video transformation:
- Add 2-minute timeout for replay finish event
- Add console and error listeners for better debugging
- Improve promise chain with proper error catching
- Clear timeout on successful completion or error

This prevents the process from hanging indefinitely when the replay finish event never fires.

* fix(rrvideo): add error handling and restructure replayer initialization

Wrap replayer initialization in try-catch block to handle potential errors gracefully. Restructure Player instantiation to use rrwebPlayer directly instead of rrwebPlayer.Player, and move width/height into props object for correct API usage. On error, log to console and trigger onReplayFinish callback to prevent hanging state.

* build(umd): rename record and replay globals

Update UMD build globals for recorder and replayer and
refresh documentation accordingly.

BREAKING CHANGE: UMD global names changed to rrwebRecord
and rrwebReplay.

* fix(rrvideo): adjust replay timeout to duration

* docs: update rrweb-player CDN script path

* Update vite.config.default.ts

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>

---------

Co-authored-by: Rui <rui@conti.sh>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
…1787)

* Update filesize badges (might need further evolution before 2.0.0)

* Don't run full CI/CD when only .md docs have changed in the PR

 - move eslint checks into their own file so they can also ignore .md changes
 - prettier checks don't need the same perms as eslint, so we can demote pull_request_target -> pull_request

* Add empty changeset

* Implement the bundle size change originally added in #1784 - adding here also to show how the conflicts would resolve

* Update .github/workflows/eslint-check.yml

---------

Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* Don't allow video autoplay to automatically unfreeze page. If it's a 'real' playback, there should be a mount or a keyboard event which will serve to unfreeze the page. Also add other non-user events to the list (we really should have an `isUserEvent` function)

* Apply formatting changes

* Create a new `umd` folder alongside `dist` for output of UMD files with a plain `.js` instead of `.cjs` extension, as the latter won't be served with the correct mime type by jsdelivr

 - #1687 (just rename `.cjs` to `.js`) was rejected due to the 'dual package hazard' [1], and produces a warning when run through publint.dev (which was the original motivation for changing to \.cjs)
 - jsdelivr won't be serving `.cjs` with the correct mime type: jsdelivr/jsdelivr#18584

[1] https://nodejs.org/en/learn/modules/publishing-a-package#the-dual-package-hazard

* Update to point to alpha.19 as presumably that's when the umd folder will be available after the changes in this PR

* Apply formatting changes

* Don't try to create the same directory twice (was failing on packages/packer/umd)

* Create thirty-shirts-grow.md

* Revert something that shouldn't have gotten into the UMD branch folder

* Apply formatting changes

* Update vite.config.default.ts

* Apply formatting changes

* build: include umd builds in published packages

Add umd directory to the files array in package.json for all packages to include UMD builds in npm publications. Also update .gitignore to exclude
umd folders from version control.

* Docs: point to correct file

* Remove unused code

* docs: update rrweb cdn urls to umd bundles

Align README and guide examples with published UMD file locations for
rrweb, @rrweb/record, and @rrweb/replay.

Update versioned rrweb script examples from 2.0.0-alpha.19 to
2.0.0-alpha.21 in both English and Chinese guides.

* build(all): include umd folder in package files

---------

Co-authored-by: eoghanmurray <eoghanmurray@users.noreply.github.com>
Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* docs: revamp installation docs for esm and umd

Document recommended install paths across the main guides and package
READMEs for rrweb, @rrweb/all, @rrweb/record, @rrweb/replay, and
rrweb-player.

Clarify three usage modes: bundler/npm, browser no-build with
import maps and +esm, and legacy UMD fallback.

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Apply formatting changes

* Apply suggestion from @eoghanmurray

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>

* Apply formatting changes

* docs(all): streamline README usage section

Move the guide link next to the import example and remove the
duplicated Usage section to keep docs concise and easier to scan.

* docs(readme): update gzip size badges in zh-cn readme

* docs(plugins): update readme imports to scoped esm packages

Replace `rrweb` default imports and `rrweb.Replayer` usage with
`@rrweb/record` `record` and `@rrweb/replay` `Replayer` in plugin
usage examples.

Also update canvas WebRTC plugin imports to scoped `@rrweb/*`
package names to keep docs aligned with current package structure.

* docs: update docs to prefer scoped esm packages

replace `rrweb` default import examples with `@rrweb/record` and
`@rrweb/replay` across recipes and guides in en/zh-CN.

clarify package selection for new integrations, add `@rrweb/all`
convenience guidance, and refresh CDN/style import snippets for ESM and legacy UMD compatibility.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Fix a security hole in #1787 found by Arun Murugesan:

"The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request."

See preactjs/compressed-size-action#54 for why that action shouldn't be used with pull_request_target

This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact and has the permissions to write the message back to the original PR (which is in a third party repo)

* The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation')

* ci(bundle-size): extract bundle size scripts and simplify workflow

- Add `.github/scripts/measure-bundle-sizes.js` and
  `render-bundle-size-comment.js` to replace inline node scripts
  embedded in workflow YAML, improving readability and reusability
- Refactor `eslint-check.yml` to use the new script files and fix
  checkout steps to handle both PR and non-PR triggers correctly
- Refactor `pr-checks-privileged.yml` to replace the large
  `github-script` block with `render-bundle-size-comment.js` and
  the `marocchino/sticky-pull-request-comment` action; remove the
  now-unnecessary `pr_number.txt` artifact by reading the PR number
  directly from the workflow_run event
- Pin `ataylorme/eslint-annotate-action` to a specific commit SHA
- Add `actions: read` permission where needed for artifact downloads

* ci: add fork PR support and harden workflow

- Look up PR number via API when workflow_run.pull_requests is empty
  (GitHub leaves it empty for fork PRs), falling back gracefully
- Use head SHA instead of branch name for PR checkout to avoid TOCTOU
- Fix formatSignedSize to produce +0 instead of -0 for zero values
- Gate comment steps on successful PR number lookup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Agent-Logs-Url: https://github.com/rrweb-io/rrweb/sessions/9d6a7c7c-2700-43e5-9792-92d4355b0e9f

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Yuyz0112 <13651389+Yuyz0112@users.noreply.github.com>
* Deprecate inline asset recording options
* ci: align eslint report scope

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add asset event types

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* docs: design sandboxed rebuild guard

* docs: refine sandboxed rebuild decision

* docs: plan sandboxed rebuild implementation

* fix(snapshot): guard unprotected browser rebuilds

* test(snapshot): cover guarded rebuild targets

* fix(snapshot): require iframe sandbox API

* test(snapshot): reject raw sandbox attribute

* feat(snapshot): add sandboxed iframe rebuild helper

* test(snapshot): keep sandbox iframe mock test-local

* fix(snapshot): clean up sandboxed iframe on rebuild failure

* fix(snapshot): remove failed iframe from detached roots

* test(snapshot): derive sandbox mock tokens from attribute

* fix(rrweb): mark unsafe canvas rebuilds explicitly

* test(rrweb): wait for unsafe canvas rebuild

* test(rrweb): assert unsafe canvas rebuilt content

* docs: explain sandboxed rebuild requirements

* docs: clarify rebuild sandbox warnings

* docs: add Chinese rebuild sandbox warning

* docs: clarify sandbox rebuild target

* chore: add sandboxed rebuild changeset

* fix(snapshot): trust helper-created rebuild documents

* fix(rrweb): use trusted sandboxed iframe factory

* test(snapshot): cover trusted sandbox token policy

* docs(snapshot): document rebuild options

* fix(rrweb): keep unsafe rebuild state with iframe

* fix(snapshot): reject detached sandbox roots

* docs(snapshot): document sandboxed iframe helpers

* Rename unsafe rebuild flags

* Update sandboxed rebuild changeset
Juice10 and others added 17 commits June 9, 2026 14:29
* refactor(config): improve path resolution in minifyAndUMDPlugin

Update the `minifyAndUMDPlugin` to use `resolve` instead of string replacement for determining UMD directory and file paths. This ensures more robust path handling across different operating systems (especially Windows). Additionally, update the filename regex to support both forward and backward slashes.

* Apply formatting changes

* Enhance Windows path handling in UMD builds

Improve path resolution for UMD outputs on Windows and update filename regex to support both forward slashes.

* Delete .changeset/windows-path-slasher.md

Actually as per conversation with Justin, we don't need the changesets as it's a dev only change

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Update README with new rrweb cloud link and details

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Brings in 54 upstream commits since the fork point (fd9d274), including
the Vite 6 migration, vitest forks-pool fix, slim-dom refactor, UMD
output folder, network capture plugin, and @rrweb/browser-client.

Conflict resolution principles:
- Keep @highlight-run/* package names, 2.0.0-lambda.5 versions, and
  workspace:* internal deps (consumed by launchdarkly/observability-sdk
  as a git submodule / yarn workspace member).
- Keep no yarn.lock (lockfile lives in observability-sdk workspace) and
  yarn 4.9.1 packageManager.
- Keep de-nested turbo build scripts (fork #26) and dropped
  //#references:update root task (fork #24).
- Adopt upstream's vite-based build (rollup.config.js deleted) and new
  snapshot-utils/rebuild-utils boundaries; fork privacy helpers
  (obfuscateText, shouldObfuscateTextByDefault, isElementSrcBlocked)
  re-exported through the snapshot-utils barrel.
- Renamed new upstream packages to fork scheme: @highlight-run/
  rrweb-browser-client, rrweb-rrweb-plugin-network-{record,replay};
  added vite aliases for @rrweb/record, rrweb-player, console-replay,
  network-record.
- Workflows: keep LD SHA-pinned release.yml/style-check.yml/eslint.yml;
  adopt upstream Tests workflow (pinned Chrome + WebKit job) adapted to
  yarn 4 + no lockfile; drop upstream's pr-checks-privileged.yml
  (workflow_run privileged pattern) and duplicate eslint-check.yml.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Add .yarnrc.yml (nodeLinker: node-modules, mutable installs) so
  standalone installs match the observability-sdk workspace layout
  instead of defaulting to PnP.
- Make vite.config.default.ts aliases and tsconfig.base.json paths
  layout-aware: try the observability-sdk parent node_modules first,
  fall back to the repo's own node_modules (CI / standalone checkout).
- Fix packer/all/record/replay/utils package.json dist filenames to
  match actual vite outputs (entry-derived for packer, package-name
  derived for the rest).
- web-extension: read rrweb version from the workspace package instead
  of a (renamed) dependencies entry; alias rrweb/rrweb-player imports.
- rrvideo: import @highlight-run/* names directly (node CLI, no
  bundler aliasing; @rrweb/types exports runtime values) and add the
  missing rrweb-types workspace dependency.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- rrweb-player: ship per-file declarations (rollupTypes: false) —
  api-extractor cannot follow the relative node_modules type imports
  baked into dependency d.ts files by the @highlight-run aliasing.
- web-extension: restore internal package mappings clobbered by the
  package-level tsconfig paths override; add missing @types/react.
- rrweb-player: annotate two implicitly-any event handler params.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Declare vitest in rrdom/rrweb (yarn 4 only exposes declared bins;
  yarn 1 hoisting masked this upstream), pin prettier-plugin-svelte to
  3.2.4 (3.5.x requires prettier 3; repo pins prettier 2.8.4).
- Adopt source-resolving vitest plugin in the shared vitest config so
  test imports of upstream package names (rrweb-snapshot, @rrweb/types,
  ...) resolve to the renamed workspace packages; keep the vite 6
  forks-pool fix.
- Extend (not replace) vitest default excludes in rrweb/rrweb-snapshot
  configs — overriding exclude dropped **/node_modules/** and collected
  stray dependency spec files under yarn 4's nested layout.
- Fix test expectations for fork dist filenames (record, all) and
  rename @rrweb/types imports in rrvideo tests.
- Skip upstream's record bundle tree-shaking/size guard tests (the fork
  intentionally inlines workspace deps into bundles) and the mask-text
  integration snapshot (fork obfuscation is randomized by design).
- Normalize lit-html's random template markers in snapshot stringify
  helpers; regenerate the all-package snapshot accordingly.
- Lint: per-package scripts use npx eslint (hoisted bin), root:true in
  .eslintrc, downgrade unsafe-* rules to warnings in packages/rrweb
  (cross-package types degrade through aliased d.ts), fix remaining
  errors in fork code (async rAF callbacks, casts, template literal).
- gitignore the local standalone-marker yarn.lock.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- eslint.yml: corepack + Node lts + plain install (no lockfile in this
  repo by design), annotation gated on launchdarkly/rrweb instead of
  the upstream repo slug, timeout.
- style-check.yml: drop the eslint jobs (eslint.yml owns linting),
  same install modernization for the prettier jobs.
- Declare cross-env in packages whose scripts use it (yarn 4 strict
  bins).
- prettier --write on merge-affected sources; ignore generated
  dist/build/svelte d.ts artifacts in .prettierignore.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- record(): accept both the upstream canvas sampling shape
  (sampling.canvas: 'all' | number) and the fork's extended object
  ({ fps, fpsManual, resizeFactor, ... }). Previously the upstream
  shape was silently ignored — no canvas observer was initialized at
  all, which is why every canvas/webgl record test has been red.
  observability-sdk (object shape) is unaffected.
- Test harness: default privacySetting to 'none' in
  generateRecordSnippet so the upstream-inherited integration suite is
  deterministic (the fork's default privacy mode emits randomized
  obfuscated text); tests can still opt in explicitly.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
lint:report's root glob covers packages without per-package lint
scripts (rrvideo, web-extension, canvas-webrtc-replay); the aliased
d.ts type degradation produces the same unsafe-* false positives there.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Restore upstream's cssom -> rrweb-cssom resolution in yarn 4 syntax
  (dropped in the merge); stock jsdom cssom silently no-ops nested CSS
  rule manipulation, breaking the rrdom virtual style rule tests.
- Seed Math.random in test pages (like the existing Date.now mock):
  elements matched by maskTextClass escalate their subtree to strict
  privacy, which obfuscates via Math.random even with
  privacySetting: 'none'.
- Default maskTextFn to a deterministic masker in the test harness
  (the fork defaults it to randomized obfuscateText).
- privacySetting: 'none' in record.test.ts / cross-origin-iframes
  inline record calls.
- 2d-mutation: hold direct spy references — the fork wraps
  ctx.drawImage (wrapCanvasContextDrawImage), replacing the property.
- WebKit CI job: build rrweb-snapshot/rrweb via turbo so workspace
  dependency d.ts files exist for tsc.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…es; fix ignore.html fixture selector

The data-rr-ignore attribute in the fixture was renamed during the
class rename sweep, but it is a plain test selector that the test
types into — restore it to match the test and upstream.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Screenshot timing around a paused replay intermittently differs by
~14% in CI (passed in the twin run of the same commit); retry flakes
while keeping genuine failures failing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Vadman97

Contributor Author

CI is now fully green (11/11 checks) — first green Tests run on this fork. Final test tally on CI: 269/273 in the rrweb suite (3 intentional skips documented in-code), all other 23 suite tasks passing, plus the new WebKit job.

Two notable finds while getting here, beyond the merge itself:

  • Real bug fixed: upstream-style sampling: { canvas: 'all' | number } options were silently ignored by the fork — no canvas observer was initialized at all (the fork only understood its extended { fps, ... } object shape). Now both shapes work; observability-sdk's object shape is unaffected.
  • Snapshot maintenance: push any branch to snapshot-update/<name> and CI regenerates all vitest/image snapshots on the pinned Chrome and commits them back — no more hand-maintaining snapshots from dev machines with different browsers/architectures.

Dependabot fixes coming next in a stacked PR.

Vadman97 and others added 2 commits June 11, 2026 13:56
globalDependencies/globalPassThroughEnv are root-only keys; when this
repo is consumed as a workspace member of launchdarkly/observability-sdk
its turbo (run from the o11y root) reads rrweb/turbo.json as a nested
workspace config and hard-errors on them. Use task-level passThroughEnv
instead, which is valid in both contexts. Verified against an
observability-sdk checkout with the submodule pointed at this branch.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… CLI

turbo 2.8 tolerates a nested workspace turbo.json without 'extends'
only while it contains plain task keys — adding passThroughEnv made
observability-sdk's root turbo hard-error ('add extends key'). Keep
rrweb/turbo.json in the legacy tasks-only shape and pass environment
through with --env-mode=loose on the standalone root scripts instead
(observability-sdk invokes its own root scripts, not these).

Verified both ways: o11y root 'turbo run build --dry' parses the
config, and standalone turbo test receives PUPPETEER_* env again.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…est) (#31)

## What

Stacked on #29 (merge that first). Resolves **31 of 37** open dependabot
alerts — everything except the 6 svelte advisories (see below). All
flagged packages are dev-time tooling; nothing here changes published
bundles.

| Dependency | From → To | Alerts resolved |
|---|---|---|
| vitest (10 manifests) | ^1.4.0 → ^3.2.6 | 7 critical (UI server
arbitrary file read/execute) |
| happy-dom (root) | ^14 → ^20.8.9 | 2 critical (script-tag SSCE, VM
escape RCE) + 1 high |
| vite (17 manifests) | ^6.0.1 → ^6.4.2 | 17 medium (path traversal) |
| turbo (root) | 2.8.7 → ^2.9.14 | 1 low + 1 medium |

### Migration notes
- **vitest 1 → 3**: configs were already compatible (forks pool,
`configDefaults.exclude`, retry options). Two test fixes: `toThrow('')`
now means "exactly empty message" (packer test asserts the real
message), and the cross-origin-iframe packFn test needed a
`networkidle0` wait that the upgrade surfaced (it was racing iframe load
— the same flake that produced two stable snapshot outcomes earlier).
Local rrweb-suite failures under vitest 3 are a strict subset of the
vitest 1 set — no regressions.
- **happy-dom 14 → 20**: now enforces same-origin history URLs; one test
switched to a relative `replaceState` path.
- Snapshots regenerated on the CI browser via the `snapshot-update/**`
workflow (one webgl image changed, all text snapshots stable).

### Deferred: svelte (6 medium alerts, rrweb-player)
All six are **SSR-only XSS advisories** — rrweb-player doesn't do SSR
(it's a client-side replayer bundled by vite). Fixing requires the
svelte 4 → 5 major migration plus coordinated bumps of
`@sveltejs/vite-plugin-svelte`, `svelte-preprocess`, and the svelte2tsx
d.ts pipeline — a meaningful migration that shouldn't ride along with
dependency bumps. Recommend a follow-up ticket; in the interim the
alerts can be dismissed as "vulnerable code not in use" given no SSR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Vadman97 <Vadman97@users.noreply.github.com>
@Vadman97 Vadman97 merged commit b0cd492 into main Jun 11, 2026
11 checks passed
@Vadman97 Vadman97 deleted the refresh-from-upstream branch June 11, 2026 16:07
Vadman97 added a commit that referenced this pull request Jun 11, 2026
The upstream refresh (#29) took upstream's `"lib": ["es6", "dom"]` in
`tsconfig.base.json`. That setting only compiles by accident in this
repo standalone: vitest's type declarations pull in modern ES lib
references, masking the source's uses of `Array.prototype.includes`
(ES2016) and `Object.entries` (ES2017). Inside the observability-sdk
workspace the type layout differs and `@highlight-run/rrweb`'s `tsc
-noEmit` fails with TS2550 errors, breaking o11y's `build:sdk`.

Restores the fork's previous `ES2017` lib, which matches the APIs the
source actually uses. `lib` only affects type-checking — emitted output
is governed by `target`/vite config, so no runtime change.

Validated: standalone `tsc -noEmit` green for rrweb + rrweb-snapshot;
observability-sdk `build:sdk` goes 9/11 failed → 18/18 green with this
change.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Vadman97 added a commit to launchdarkly/observability-sdk that referenced this pull request Jun 11, 2026
## Summary

Bumps the `rrweb` submodule to current fork main, which includes:

- **Upstream refresh to rrweb v2.0.1** (launchdarkly/rrweb#29) — first
upstream sync in ~2 years, plus standalone CI (build/lint/tests) for the
fork
- **Dependabot updates** (launchdarkly/rrweb#31) — vite 6, vitest 3,
happy-dom 20, turbo 2.9
- **tsconfig lib fix** (launchdarkly/rrweb#34) — restores ES2017 lib so
`@highlight-run/rrweb` type-checks inside this workspace

Only the submodule pin and the regenerated `yarn.lock` change — no SDK
source changes needed (main already migrated to vite 6 / vitest 4, which
covers the previously-required companion changes).

## Validation (local, against this exact pin)

- `yarn install` + `yarn dedupe --check` clean
- `yarn build:sdk` 18/18 tasks green
- `yarn enforce-size` 9/9 (highlight.run within the 256 kB brotli limit)
- `yarn turbo run test --filter=highlight.run` — 437/437 tests pass

## Release

`feat:` commit → release-please cuts a **minor** for `highlight.run`;
the `node-workspace` plugin cascades linked bumps to
`@launchdarkly/observability` and `@launchdarkly/session-replay`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Large session-replay dependency refresh after a long upstream gap;
replay fidelity and bundle behavior depend on rrweb even though SDK code
is unchanged in this PR.
> 
> **Overview**
> Updates the vendored **launchdarkly/rrweb** workspace (submodule
refresh to upstream **v2.0.1**) and regenerates **`yarn.lock`** so
Highlight’s session-replay stack matches the fork’s current packages and
tooling.
> 
> The lockfile shifts rrweb workspaces toward **Vite 6**, **Vitest 3**,
**happy-dom 20**, **Playwright 1.60**, and **turbo 2.9**, and wires in
new fork packages such as **`@highlight-run/rrweb-browser-client`** and
the **network record/replay** plugins. **`sdk/highlight-run/README.md`**
now states that recording uses the LaunchDarkly rrweb fork synced to
v2.0.1.
> 
> No `highlight.run` SDK source changes in this diff—only
dependency/workspace metadata and documentation.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
16df13f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>