Refresh fork from upstream rrweb v2.0.1 + make CI build/lint/tests work standalone#29
Merged
Conversation
…1696) * fix: CI hang forever in the yarn [4/4] Building fresh packages...
…iframe becomes cross-origin (#1695) * fix: rrweb recorder may throw error when stopping recording after an iframe becomes cross-origin * add change set * add failure message check * Update packages/rrweb/src/record/index.ts Co-authored-by: Eoghan Murray <eoghan@getthere.ie> * remove settimeout --------- Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Create SECURITY.md * Format fix * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com> * Update SECURITY.md mention the google group is private * Update SECURITY.md * Update SECURITY.md formatting --------- Co-authored-by: Yun Feng <yun.feng0817@gmail.com> Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com> Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Fix missing import after #1705; probably was there before I requested changes
* Prefer `includes` formulation for brevity and as it composes better (easier to understand) in longer boolean expressions with && * Noticed two different interpretations of `headMetaAuthorship` under slimDOMOptions; take the opportunity to cleanup and merge code
* Fix vitest hanging by using forks instead of threads pool Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Juice10 <4106+Juice10@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* build(rrvideo): upgrade playwright from 1.32.1 to 1.56.1 Update playwright dependency to latest version and refactor test execution options to use a shared configuration with increased timeout for stability.
* Fix wujie monkeypatches ownerDocument --------- Co-authored-by: wfk007 <wfk007@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* docs: add r/rrweb subreddit badge to README files Add Reddit community badge linking to https://www.reddit.com/r/rrweb to the main README.md, Chinese README.zh_CN.md, and the rrweb-snapshot package README.md to promote community engagement. https://claude.ai/code/session_01RUhZVWQGCVhsh5NAzv5C6X * Add empty changeset --------- Co-authored-by: Claude <noreply@anthropic.com>
…777) * Update webgl.ts --------- Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com> Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* fix: improve nested CSS rule handling and add related tests * fix: enhance null safety for nested CSS rules and add related tests * Improve nested CSS rule handling and replayer handling Updated the fix message to include replayer handling of missing rules. --------- Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* fix: ensure empty string replace/replaceSync clears stylesheets --------- Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…les (#1762) * chore: maintain CSS output file name in vite@6.0.1 Without this change, build would fail because the produced stylesheet assumes the `package.json['name']` i.e., `styles/rrweb.css`. To maintain the existing behavior, these changes are required. See https://vite.dev/guide/migration.html#customize-css-output-file-name-in-library-mode * build(rrvideo): upgrade playwright from 1.32.1 to 1.56.1 Update playwright dependency to latest version and refactor test execution options to use a shared configuration with increased timeout for stability. * debug(rrvideo): add comprehensive logging to video transformation process Add detailed console.log statements throughout the transformToVideo function to track execution flow and debug potential issues. Logging covers browser launch, context creation, page navigation, replay progress, and video file operations. * ci(rrvideo): install playwright browsers and improve test output visibility - Add Playwright Chromium installation step to CI workflow - Change test execution stdio from 'pipe' to 'inherit' for better debugging * fix(rrvideo): prevent autoplay and manually start playback after event listeners Set autoPlay to false in replayer configuration and manually call play() after all event listeners are attached. This ensures event handlers are properly registered before playback begins, preventing potential race conditions. Also refactor test execution options to separate stdio configuration from timeout settings for better control over test output visibility. * fix(rrvideo): add timeout and error handling to replay process Add comprehensive error handling to prevent hanging during video transformation: - Add 2-minute timeout for replay finish event - Add console and error listeners for better debugging - Improve promise chain with proper error catching - Clear timeout on successful completion or error This prevents the process from hanging indefinitely when the replay finish event never fires. * fix(rrvideo): add error handling and restructure replayer initialization Wrap replayer initialization in try-catch block to handle potential errors gracefully. Restructure Player instantiation to use rrwebPlayer directly instead of rrwebPlayer.Player, and move width/height into props object for correct API usage. On error, log to console and trigger onReplayFinish callback to prevent hanging state. * build(umd): rename record and replay globals Update UMD build globals for recorder and replayer and refresh documentation accordingly. BREAKING CHANGE: UMD global names changed to rrwebRecord and rrwebReplay. * fix(rrvideo): adjust replay timeout to duration * docs: update rrweb-player CDN script path * Update vite.config.default.ts Co-authored-by: Eoghan Murray <eoghan@getthere.ie> --------- Co-authored-by: Rui <rui@conti.sh> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
…1787) * Update filesize badges (might need further evolution before 2.0.0) * Don't run full CI/CD when only .md docs have changed in the PR - move eslint checks into their own file so they can also ignore .md changes - prettier checks don't need the same perms as eslint, so we can demote pull_request_target -> pull_request * Add empty changeset * Implement the bundle size change originally originally added in #1784 - adding here also to show how the conflicts would resolve * Update .github/workflows/eslint-check.yml --------- Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* Don't allow video autoplay to automatically unfreeze page. If it's a 'real' playback, there should be a mount or a keyboard event which will serve to unfreeze the page. Also add other non-user events to the list (we really should have an `isUserEvent` function) * Apply formatting changes * Create a new `umd` folder alongside `dist` for output of UMD files with a plain `.js` instead of `.cjs` extension, as the latter won't be served with the correct mime type by jsdelivr - #1687 (just rename `.cjs` to `.js`) was rejected due to the the 'dual package hazard' [1], and produces a warning when run through publint.dev (which was the original motivation for changing to \.cjs) - jsdelivr won't be serving `.cjs` with the correct mime type: jsdelivr/jsdelivr#18584 [1] https://nodejs.org/en/learn/modules/publishing-a-package#the-dual-package-hazard * Update to point to alpha.19 as presumably that's when the umd folder will be available after the changes in this PR * Apply formatting changes * Don't try to create the same directory twice (was failing on packages/packer/umd) * Create thirty-shirts-grow.md * Revert something that shouldn't have gotten into the UMD branch folder * Apply formatting changes * Update vite.config.default.ts * Apply formatting changes * build: include umd builds in published packages Add umd directory to the files array in package.json for all packages to include UMD builds in npm publications. Also update .gitignore to exclude umd folders from version control. * Docs: point to correct file * Remove unused code * docs: update rrweb cdn urls to umd bundles Align README and guide examples with published UMD file locations for rrweb, @rrweb/record, and @rrweb/replay. Update versioned rrweb script examples from 2.0.0-alpha.19 to 2.0.0-alpha.21 in both English and Chinese guides. * build(all): include umd folder in package files --------- Co-authored-by: eoghanmurray <eoghanmurray@users.noreply.github.com> Co-authored-by: Justin Halsall <Juice10@users.noreply.github.com>
* docs: revamp installation docs for esm and umd Document recommended install paths across the main guides and package READMEs for rrweb, @rrweb/all, @rrweb/record, @rrweb/replay, and rrweb-player. Clarify three usage modes: bundler/npm, browser no-build with import maps and +esm, and legacy UMD fallback. * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply formatting changes * Apply suggestion from @eoghanmurray Co-authored-by: Eoghan Murray <eoghan@getthere.ie> * Apply formatting changes * docs(all): streamline README usage section Move the guide link next to the import example and remove the duplicated Usage section to keep docs concise and easier to scan. * docs(readme): update gzip size badges in zh-cn readme * docs(plugins): update readme imports to scoped esm packages Replace `rrweb` default imports and `rrweb.Replayer` usage with `@rrweb/record` `record` and `@rrweb/replay` `Replayer` in plugin usage examples. Also update canvas WebRTC plugin imports to scoped `@rrweb/*` package names to keep docs aligned with current package structure. * docs: update docs to prefer scoped esm packages replace `rrweb` default import examples with `@rrweb/record` and `@rrweb/replay` across recipes and guides in en/zh-CN. clarify package selection for new integrations, add `@rrweb/all` convenience guidance, and refresh CDN/style import snippets for ESM and legacy UMD compatibility. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Fix a security hole in #1787 found by Arun Murugesan: "The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request." See preactjs/compressed-size-action#54 for why that action shouldn't be used with pull_request_target This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo) * The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation') * ci(bundle-size): extract bundle size scripts and simplify workflow - Add `.github/scripts/measure-bundle-sizes.js` and `render-bundle-size-comment.js` to replace inline node scripts embedded in workflow YAML, improving readability and reusability - Refactor `eslint-check.yml` to use the new script files and fix checkout steps to handle both PR and non-PR triggers correctly - Refactor `pr-checks-privileged.yml` to replace the large `github-script` block with `render-bundle-size-comment.js` and the `marocchino/sticky-pull-request-comment` action; remove the now-unnecessary `pr_number.txt` artifact by reading the PR number directly from the workflow_run event - Pin `ataylorme/eslint-annotate-action` to a specific commit SHA - Add `actions: read` permission where needed for artifact downloads * ci: add fork PR support and harden workflow - Look up PR number via API when workflow_run.pull_requests is empty (GitHub leaves it empty for fork PRs), falling back gracefully - Use head SHA instead of branch name for PR checkout to avoid TOCTOU - Fix formatSignedSize to produce +0 instead of -0 for zero values - Gate comment steps on successful PR number lookup Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Eoghan Murray <eoghan@getthere.ie> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Agent-Logs-Url: https://github.com/rrweb-io/rrweb/sessions/9d6a7c7c-2700-43e5-9792-92d4355b0e9f Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Yuyz0112 <13651389+Yuyz0112@users.noreply.github.com>
* Deprecate inline asset recording options
* ci: align eslint report scope * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add asset event types Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* docs: design sandboxed rebuild guard * docs: refine sandboxed rebuild decision * docs: plan sandboxed rebuild implementation * fix(snapshot): guard unprotected browser rebuilds * test(snapshot): cover guarded rebuild targets * fix(snapshot): require iframe sandbox API * test(snapshot): reject raw sandbox attribute * feat(snapshot): add sandboxed iframe rebuild helper * test(snapshot): keep sandbox iframe mock test-local * fix(snapshot): clean up sandboxed iframe on rebuild failure * fix(snapshot): remove failed iframe from detached roots * test(snapshot): derive sandbox mock tokens from attribute * fix(rrweb): mark unsafe canvas rebuilds explicitly * test(rrweb): wait for unsafe canvas rebuild * test(rrweb): assert unsafe canvas rebuilt content * docs: explain sandboxed rebuild requirements * docs: clarify rebuild sandbox warnings * docs: add Chinese rebuild sandbox warning * docs: clarify sandbox rebuild target * chore: add sandboxed rebuild changeset * fix(snapshot): trust helper-created rebuild documents * fix(rrweb): use trusted sandboxed iframe factory * test(snapshot): cover trusted sandbox token policy * docs(snapshot): document rebuild options * fix(rrweb): keep unsafe rebuild state with iframe * fix(snapshot): reject detached sandbox roots * docs(snapshot): document sandboxed iframe helpers * Rename unsafe rebuild flags * Update sandboxed rebuild changeset
* refactor(config): improve path resolution in minifyAndUMDPlugin Update the `minifyAndUMDPlugin` to use `resolve` instead of string replacement for determining UMD directory and file paths. This ensures more robust path handling across different operating systems (especially Windows). Additionally, update the filename regex to support both forward and backward slashes. * Apply formatting changes * Enhance Windows path handling in UMD builds Improve path resolution for UMD outputs on Windows and update filename regex to support both forward slashes. * Delete .changeset/windows-path-slasher.md Actually as per conversation with Justin, we don't need the changesets as it's a dev only change --------- Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
* Update README with new rrweb cloud link and details * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Brings in 54 upstream commits since the fork point (fd9d274), including the Vite 6 migration, vitest forks-pool fix, slim-dom refactor, UMD output folder, network capture plugin, and @rrweb/browser-client. Conflict resolution principles: - Keep @highlight-run/* package names, 2.0.0-lambda.5 versions, and workspace:* internal deps (consumed by launchdarkly/observability-sdk as a git submodule / yarn workspace member). - Keep no yarn.lock (lockfile lives in observability-sdk workspace) and yarn 4.9.1 packageManager. - Keep de-nested turbo build scripts (fork #26) and dropped //#references:update root task (fork #24). - Adopt upstream's vite-based build (rollup.config.js deleted) and new snapshot-utils/rebuild-utils boundaries; fork privacy helpers (obfuscateText, shouldObfuscateTextByDefault, isElementSrcBlocked) re-exported through the snapshot-utils barrel. - Renamed new upstream packages to fork scheme: @highlight-run/ rrweb-browser-client, rrweb-rrweb-plugin-network-{record,replay}; added vite aliases for @rrweb/record, rrweb-player, console-replay, network-record. - Workflows: keep LD SHA-pinned release.yml/style-check.yml/eslint.yml; adopt upstream Tests workflow (pinned Chrome + WebKit job) adapted to yarn 4 + no lockfile; drop upstream's pr-checks-privileged.yml (workflow_run privileged pattern) and duplicate eslint-check.yml. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Add .yarnrc.yml (nodeLinker: node-modules, mutable installs) so standalone installs match the observability-sdk workspace layout instead of defaulting to PnP. - Make vite.config.default.ts aliases and tsconfig.base.json paths layout-aware: try the observability-sdk parent node_modules first, fall back to the repo's own node_modules (CI / standalone checkout). - Fix packer/all/record/replay/utils package.json dist filenames to match actual vite outputs (entry-derived for packer, package-name derived for the rest). - web-extension: read rrweb version from the workspace package instead of a (renamed) dependencies entry; alias rrweb/rrweb-player imports. - rrvideo: import @highlight-run/* names directly (node CLI, no bundler aliasing; @rrweb/types exports runtime values) and add the missing rrweb-types workspace dependency. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- rrweb-player: ship per-file declarations (rollupTypes: false) — api-extractor cannot follow the relative node_modules type imports baked into dependency d.ts files by the @highlight-run aliasing. - web-extension: restore internal package mappings clobbered by the package-level tsconfig paths override; add missing @types/react. - rrweb-player: annotate two implicitly-any event handler params. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Declare vitest in rrdom/rrweb (yarn 4 only exposes declared bins; yarn 1 hoisting masked this upstream), pin prettier-plugin-svelte to 3.2.4 (3.5.x requires prettier 3; repo pins prettier 2.8.4). - Adopt source-resolving vitest plugin in the shared vitest config so test imports of upstream package names (rrweb-snapshot, @rrweb/types, ...) resolve to the renamed workspace packages; keep the vite 6 forks-pool fix. - Extend (not replace) vitest default excludes in rrweb/rrweb-snapshot configs — overriding exclude dropped **/node_modules/** and collected stray dependency spec files under yarn 4's nested layout. - Fix test expectations for fork dist filenames (record, all) and rename @rrweb/types imports in rrvideo tests. - Skip upstream's record bundle tree-shaking/size guard tests (the fork intentionally inlines workspace deps into bundles) and the mask-text integration snapshot (fork obfuscation is randomized by design). - Normalize lit-html's random template markers in snapshot stringify helpers; regenerate the all-package snapshot accordingly. - Lint: per-package scripts use npx eslint (hoisted bin), root:true in .eslintrc, downgrade unsafe-* rules to warnings in packages/rrweb (cross-package types degrade through aliased d.ts), fix remaining errors in fork code (async rAF callbacks, casts, template literal). - gitignore the local standalone-marker yarn.lock. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- eslint.yml: corepack + Node lts + plain install (no lockfile in this repo by design), annotation gated on launchdarkly/rrweb instead of the upstream repo slug, timeout. - style-check.yml: drop the eslint jobs (eslint.yml owns linting), same install modernization for the prettier jobs. - Declare cross-env in packages whose scripts use it (yarn 4 strict bins). - prettier --write on merge-affected sources; ignore generated dist/build/svelte d.ts artifacts in .prettierignore. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- record(): accept both the upstream canvas sampling shape
(sampling.canvas: 'all' | number) and the fork's extended object
({ fps, fpsManual, resizeFactor, ... }). Previously the upstream
shape was silently ignored — no canvas observer was initialized at
all, which is why every canvas/webgl record test has been red.
observability-sdk (object shape) is unaffected.
- Test harness: default privacySetting to 'none' in
generateRecordSnippet so the upstream-inherited integration suite is
deterministic (the fork's default privacy mode emits randomized
obfuscated text); tests can still opt in explicitly.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
lint:report's root glob covers packages without per-package lint scripts (rrvideo, web-extension, canvas-webrtc-replay); the aliased d.ts type degradation produces the same unsafe-* false positives there. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Restore upstream's cssom -> rrweb-cssom resolution in yarn 4 syntax (dropped in the merge); stock jsdom cssom silently no-ops nested CSS rule manipulation, breaking the rrdom virtual style rule tests. - Seed Math.random in test pages (like the existing Date.now mock): elements matched by maskTextClass escalate their subtree to strict privacy, which obfuscates via Math.random even with privacySetting: 'none'. - Default maskTextFn to a deterministic masker in the test harness (the fork defaults it to randomized obfuscateText). - privacySetting: 'none' in record.test.ts / cross-origin-iframes inline record calls. - 2d-mutation: hold direct spy references — the fork wraps ctx.drawImage (wrapCanvasContextDrawImage), replacing the property. - WebKit CI job: build rrweb-snapshot/rrweb via turbo so workspace dependency d.ts files exist for tsc. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…es; fix ignore.html fixture selector The data-rr-ignore attribute in the fixture was renamed during the class rename sweep, but it is a plain test selector that the test types into — restore it to match the test and upstream. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Screenshot timing around a paused replay intermittently differs by ~14% in CI (passed in the twin run of the same commit); retry flakes while keeping genuine failures failing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
Author
|
CI is now fully green (11/11 checks) — first green Tests run on this fork. Final test tally on CI: 269/273 in the rrweb suite (3 intentional skips documented in-code), all other 23 suite tasks passing, plus the new WebKit job. Two notable finds while getting here, beyond the merge itself:
Dependabot fixes coming next in a stacked PR. |
globalDependencies/globalPassThroughEnv are root-only keys; when this repo is consumed as a workspace member of launchdarkly/observability-sdk its turbo (run from the o11y root) reads rrweb/turbo.json as a nested workspace config and hard-errors on them. Use task-level passThroughEnv instead, which is valid in both contexts. Verified against an observability-sdk checkout with the submodule pointed at this branch. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… CLI
turbo 2.8 tolerates a nested workspace turbo.json without 'extends'
only while it contains plain task keys — adding passThroughEnv made
observability-sdk's root turbo hard-error ('add extends key'). Keep
rrweb/turbo.json in the legacy tasks-only shape and pass environment
through with --env-mode=loose on the standalone root scripts instead
(observability-sdk invokes its own root scripts, not these).
Verified both ways: o11y root 'turbo run build --dry' parses the
config, and standalone turbo test receives PUPPETEER_* env again.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
ntiner1
approved these changes
Jun 11, 2026
…est) (#31) ## What Stacked on #29 (merge that first). Resolves **31 of 37** open dependabot alerts — everything except the 6 svelte advisories (see below). All flagged packages are dev-time tooling; nothing here changes published bundles. | Dependency | From → To | Alerts resolved | |---|---|---| | vitest (10 manifests) | ^1.4.0 → ^3.2.6 | 7 critical (UI server arbitrary file read/execute) | | happy-dom (root) | ^14 → ^20.8.9 | 2 critical (script-tag SSCE, VM escape RCE) + 1 high | | vite (17 manifests) | ^6.0.1 → ^6.4.2 | 17 medium (path traversal) | | turbo (root) | 2.8.7 → ^2.9.14 | 1 low + 1 medium | ### Migration notes - **vitest 1 → 3**: configs were already compatible (forks pool, `configDefaults.exclude`, retry options). Two test fixes: `toThrow('')` now means "exactly empty message" (packer test asserts the real message), and the cross-origin-iframe packFn test needed a `networkidle0` wait that the upgrade surfaced (it was racing iframe load — the same flake that produced two stable snapshot outcomes earlier). Local rrweb-suite failures under vitest 3 are a strict subset of the vitest 1 set — no regressions. - **happy-dom 14 → 20**: now enforces same-origin history URLs; one test switched to a relative `replaceState` path. - Snapshots regenerated on the CI browser via the `snapshot-update/**` workflow (one webgl image changed, all text snapshots stable). ### Deferred: svelte (6 medium alerts, rrweb-player) All six are **SSR-only XSS advisories** — rrweb-player doesn't do SSR (it's a client-side replayer bundled by vite). Fixing requires the svelte 4 → 5 major migration plus coordinated bumps of `@sveltejs/vite-plugin-svelte`, `svelte-preprocess`, and the svelte2tsx d.ts pipeline — a meaningful migration that shouldn't ride along with dependency bumps. Recommend a follow-up ticket; in the interim the alerts can be dismissed as "vulnerable code not in use" given no SSR. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com> Co-authored-by: Vadman97 <Vadman97@users.noreply.github.com>
Vadman97
added a commit
that referenced
this pull request
Jun 11, 2026
The upstream refresh (#29) took upstream's `"lib": ["es6", "dom"]` in `tsconfig.base.json`. That setting only compiles by accident in this repo standalone: vitest's type declarations pull in modern ES lib references, masking the source's uses of `Array.prototype.includes` (ES2016) and `Object.entries` (ES2017). Inside the observability-sdk workspace the type layout differs and `@highlight-run/rrweb`'s `tsc -noEmit` fails with TS2550 errors, breaking o11y's `build:sdk`. Restores the fork's previous `ES2017` lib, which matches the APIs the source actually uses. `lib` only affects type-checking — emitted output is governed by `target`/vite config, so no runtime change. Validated: standalone `tsc -noEmit` green for rrweb + rrweb-snapshot; observability-sdk `build:sdk` goes 9/11 failed → 18/18 green with this change. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Vadman97
added a commit
to launchdarkly/observability-sdk
that referenced
this pull request
Jun 11, 2026
## Summary Bumps the `rrweb` submodule to current fork main, which includes: - **Upstream refresh to rrweb v2.0.1** (launchdarkly/rrweb#29) — first upstream sync in ~2 years, plus standalone CI (build/lint/tests) for the fork - **Dependabot updates** (launchdarkly/rrweb#31) — vite 6, vitest 3, happy-dom 20, turbo 2.9 - **tsconfig lib fix** (launchdarkly/rrweb#34) — restores ES2017 lib so `@highlight-run/rrweb` type-checks inside this workspace Only the submodule pin and the regenerated `yarn.lock` change — no SDK source changes needed (main already migrated to vite 6 / vitest 4, which covers the previously-required companion changes). ## Validation (local, against this exact pin) - `yarn install` + `yarn dedupe --check` clean - `yarn build:sdk` 18/18 tasks green - `yarn enforce-size` 9/9 (highlight.run within the 256 kB brotli limit) - `yarn turbo run test --filter=highlight.run` — 437/437 tests pass ## Release `feat:` commit → release-please cuts a **minor** for `highlight.run`; the `node-workspace` plugin cascades linked bumps to `@launchdarkly/observability` and `@launchdarkly/session-replay`. 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **High Risk** > Large session-replay dependency refresh after a long upstream gap; replay fidelity and bundle behavior depend on rrweb even though SDK code is unchanged in this PR. > > **Overview** > Updates the vendored **launchdarkly/rrweb** workspace (submodule refresh to upstream **v2.0.1**) and regenerates **`yarn.lock`** so Highlight’s session-replay stack matches the fork’s current packages and tooling. > > The lockfile shifts rrweb workspaces toward **Vite 6**, **Vitest 3**, **happy-dom 20**, **Playwright 1.60**, and **turbo 2.9**, and wires in new fork packages such as **`@highlight-run/rrweb-browser-client`** and the **network record/replay** plugins. **`sdk/highlight-run/README.md`** now states that recording uses the LaunchDarkly rrweb fork synced to v2.0.1. > > No `highlight.run` SDK source changes in this diff—only dependency/workspace metadata and documentation. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 16df13f. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Syncs the fork with upstream rrweb-io/rrweb
main(v2.0.1) — 54 upstream commits since our fork point (fd9d2747, ~v2.0.0-alpha.18 era) — and makes the repo's CI actually able to build, lint, and run tests standalone.Done as a merge (not a history rewrite) so it lands via a normal PR; the resulting tree is what a rebase would produce. Answer to the side question "do we intend to pull in upstream changes?": yes, and after this PR future syncs are routine
git merge upstream/mainwith a much smaller conflict surface.Upstream highlights pulled in
@rrweb/browser-client, network record/replay plugins (renamed to our@highlight-run/*scheme)2.0.0-lambda.5; bumping is a separate release decision)Fork invariants preserved
@highlight-run/*package names,workspace:*internal deps (consumed bylaunchdarkly/observability-sdkas a git submodule / workspace member)yarn.lock(the lockfile lives in observability-sdk); yarn 4.9.1obfuscateText, masking, canvas + video snapshotting, etc.) — verified the fork's full feature diff vs upstream survived the merge (~2k lines across 96 files, matching the pre-merge footprint)Why CI tests were failing (the dependabot-PR blocker)
Several latent issues, mostly yarn 1 → yarn 4 semantics the fork inherited:
vitest/cross-env/eslintweren't declared in packages whose scripts use them — yarn 1 exposed hoisted bins everywhere, yarn 4 doesn't. (This alone broke several#testand#linttasks.)excludeoverrides dropped the default**/node_modules/**exclude, collecting stray dependency spec files under yarn 4's nested layout.prettier-plugin-sveltefloated to a prettier-3-only release. Pinned to 3.2.4. (Remaining risk: other deps can still drift — see follow-ups.)../node_modules/...); now they fall back to the repo's ownnode_modulesso standalone CI and local checkouts work. Added.yarnrc.yml(nodeLinker: node-modules, matching observability-sdk; mutable installs since there is no lockfile).obfuscateTextvs fixed snapshots (skipped; masking is covered inutils.test.ts), and lit-html's random template marker (now normalized in the snapshot stringifiers).CI workflow changes
ci-cd.yml): adopted upstream's job (pins Chrome to.puppeteerrc.cjsrevision viasetup-chrome, installs Playwright for rrvideo, adds a WebKit job), adapted to corepack/yarn 4/no lockfile. Third-party action pinned to SHA per SEC-7924.rrweb-io/rrweband could never run — now gated onlaunchdarkly/rrweb.pr-checks-privileged.yml(workflow_runprivileged pattern — same class of thing SEC removed before) nor their duplicateeslint-check.yml.Verification (local)
yarn build:all22/22,yarn check-types34/34,yarn turbo run lint12/12,yarn prettier --checkcleanFollow-ups (separate PRs)
@highlight-run/*2.0.1-based packages🤖 Generated with Claude Code