Resolve all actionable dependabot alerts (vite, turbo, happy-dom, vitest)#31
Merged
Resolves the vite path-traversal advisory (GHSA medium, 17 manifests) and both turbo advisories (local code execution during Yarn Berry detection, login callback CSRF). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolves two critical advisories (script-tag server-side code execution, VM context escape RCE) and the high-severity fetch credentials advisory. happy-dom >= 20 enforces same-origin history URLs, so load-diagnostics.test.ts now uses a relative replaceState path. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolves the critical Vitest UI server arbitrary file read/execute
advisory across 10 package manifests. Migration notes:
- packer: assert the actual error message — vitest 3 interprets
toThrow('') as requiring an exactly-empty message.
- all/cross-origin-iframe-packer: wait for networkidle0 in setContent
so the cross-origin iframe's recorded snapshot is deterministic
(previously raced iframe load, yielding two stable outcomes).
- Local rrweb suite failure set under vitest 3 is a strict subset of
the vitest 1 set (no migration regressions).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
With happy-dom 20 declared at the rrweb root workspace, yarn 4 inside the observability-sdk workspace stops surfacing sibling workspaces' bins (highlight.run lost its vite/vitest bins, breaking its typegen). Declaring it in rrweb-snapshot/rrdom/browser-client — the packages whose tests actually use it — avoids the resolution quirk and matches the per-package declaration convention. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
observability-sdk integration validation
Validated both PR branches against a throwaway
Required companion change in the o11y submodule-bump PR (validated end-to-end —
Notes: o11y's root |
ntiner1 approved these changes (Jun 11, 2026)
Vadman97 added a commit to launchdarkly/observability-sdk that referenced this pull request (Jun 11, 2026):
## Summary

Bumps the `rrweb` submodule to current fork main, which includes:

- **Upstream refresh to rrweb v2.0.1** (launchdarkly/rrweb#29) — first upstream sync in ~2 years, plus standalone CI (build/lint/tests) for the fork
- **Dependabot updates** (launchdarkly/rrweb#31) — vite 6, vitest 3, happy-dom 20, turbo 2.9
- **tsconfig lib fix** (launchdarkly/rrweb#34) — restores ES2017 lib so `@highlight-run/rrweb` type-checks inside this workspace

Only the submodule pin and the regenerated `yarn.lock` change — no SDK source changes needed (main already migrated to vite 6 / vitest 4, which covers the previously-required companion changes).

## Validation (local, against this exact pin)

- `yarn install` + `yarn dedupe --check` clean
- `yarn build:sdk` 18/18 tasks green
- `yarn enforce-size` 9/9 (highlight.run within the 256 kB brotli limit)
- `yarn turbo run test --filter=highlight.run` — 437/437 tests pass

## Release

`feat:` commit → release-please cuts a **minor** for `highlight.run`; the `node-workspace` plugin cascades linked bumps to `@launchdarkly/observability` and `@launchdarkly/session-replay`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

> [!NOTE]
> **High Risk**
> Large session-replay dependency refresh after a long upstream gap; replay fidelity and bundle behavior depend on rrweb even though SDK code is unchanged in this PR.
>
> **Overview**
> Updates the vendored **launchdarkly/rrweb** workspace (submodule refresh to upstream **v2.0.1**) and regenerates **`yarn.lock`** so Highlight's session-replay stack matches the fork's current packages and tooling.
>
> The lockfile shifts rrweb workspaces toward **Vite 6**, **Vitest 3**, **happy-dom 20**, **Playwright 1.60**, and **turbo 2.9**, and wires in new fork packages such as **`@highlight-run/rrweb-browser-client`** and the **network record/replay** plugins. **`sdk/highlight-run/README.md`** now states that recording uses the LaunchDarkly rrweb fork synced to v2.0.1.
>
> No `highlight.run` SDK source changes in this diff—only dependency/workspace metadata and documentation.
>
> Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 16df13f.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
What
Stacked on #29 (merge that first). Resolves 31 of 37 open dependabot alerts — everything except the 6 svelte advisories (see below). All flagged packages are dev-time tooling; nothing here changes published bundles.
Migration notes
(`configDefaults.exclude`, retry options). Two test fixes: `toThrow('')` now means "exactly empty message" (the packer test asserts the real message), and the cross-origin-iframe packFn test needed a `networkidle0` wait that the upgrade surfaced (it was racing iframe load — the same flake that produced two stable snapshot outcomes earlier). Local rrweb-suite failures under vitest 3 are a strict subset of the vitest 1 set — no regressions.
`replaceState` path.
`snapshot-update/**` workflow (one webgl image changed, all text snapshots stable).
Deferred: svelte (6 medium alerts, rrweb-player)
All six are SSR-only XSS advisories — rrweb-player doesn't do SSR (it's a client-side replayer bundled by vite). Fixing requires the svelte 4 → 5 major migration plus coordinated bumps of `@sveltejs/vite-plugin-svelte`, `svelte-preprocess`, and the svelte2tsx d.ts pipeline — a meaningful migration that shouldn't ride along with dependency bumps. Recommend a follow-up ticket; in the interim the alerts can be dismissed as "vulnerable code not in use" given no SSR.

🤖 Generated with Claude Code
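The same-origin rule behind the `replaceState` migration note, as an added example that is not part of this PR, of rrweb, or of happy-dom's own code: browsers (and happy-dom 20) resolve the history URL against the current document and reject it with a SecurityError when the resulting origin differs, which is why a relative path is the portable fix. The document URL, host names and helper names (`checkHistoryUrl`, `auditSamples`) are constructed for the example.

```javascript
// Added example: models the same-origin check applied to
// history.replaceState / history.pushState URL arguments.
// Helper names and sample URLs are constructed, not from rrweb or happy-dom.

function resolveHistoryUrl(documentHref, url) {
  // Relative paths resolve against the document URL, so they can never
  // leave the document's origin; absolute URLs keep their own origin.
  return new URL(url, documentHref);
}

function checkHistoryUrl(documentHref, url) {
  const doc = new URL(documentHref);
  const target = resolveHistoryUrl(documentHref, url);
  // Origin comparison covers scheme, host and (non-default) port together.
  if (target.origin !== doc.origin) {
    return {
      ok: false,
      href: target.href,
      reason: `SecurityError: ${target.origin} is not same-origin with ${doc.origin}`,
    };
  }
  return { ok: true, href: target.href, reason: null };
}

// Constructed sample: a test page and the two kinds of replaceState
// argument the migration note contrasts (relative vs. absolute URL).
const DOCUMENT = 'https://app.example.test/replay?session=1';
const SAMPLES = [
  '/load-diagnostics?case=1',                    // relative path: allowed
  'https://app.example.test:443/other',          // same origin, default port: allowed
  'https://other.example.test/load-diagnostics', // different host: rejected
  'http://app.example.test/load-diagnostics',    // different scheme: rejected
];

function auditSamples(documentHref = DOCUMENT, samples = SAMPLES) {
  return samples.map((url) => ({ url, ...checkHistoryUrl(documentHref, url) }));
}

for (const r of auditSamples()) {
  console.log(r.ok ? 'allow ' : 'reject', r.url, r.reason ?? '');
}
```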