
Resolve all actionable dependabot alerts (vite, turbo, happy-dom, vitest)#31

Merged
Vadman97 merged 7 commits into
refresh-from-upstreamfrom
dependabot-fixes
Jun 11, 2026

Conversation

@Vadman97

Contributor

What

Stacked on #29 (merge that first). Resolves 31 of 37 open dependabot alerts — everything except the 6 svelte advisories (see below). All flagged packages are dev-time tooling; nothing here changes published bundles.

| Dependency | From → To | Alerts resolved |
|---|---|---|
| vitest (10 manifests) | ^1.4.0 → ^3.2.6 | 7 critical (UI server arbitrary file read/execute) |
| happy-dom (root) | ^14 → ^20.8.9 | 2 critical (script-tag SSCE, VM escape RCE) + 1 high |
| vite (17 manifests) | ^6.0.1 → ^6.4.2 | 17 medium (path traversal) |
| turbo (root) | 2.8.7 → ^2.9.14 | 1 low + 1 medium |

Migration notes

  • vitest 1 → 3: configs were already compatible (forks pool, configDefaults.exclude, retry options). Two test fixes: toThrow('') now means "exactly empty message" (packer test asserts the real message), and the cross-origin-iframe packFn test needed a networkidle0 wait that the upgrade surfaced (it was racing iframe load — the same flake that produced two stable snapshot outcomes earlier). Local rrweb-suite failures under vitest 3 are a strict subset of the vitest 1 set — no regressions.
  • happy-dom 14 → 20: now enforces same-origin history URLs; one test switched to a relative replaceState path.
  • Snapshots regenerated on the CI browser via the snapshot-update/** workflow (one webgl image changed, all text snapshots stable).

Deferred: svelte (6 medium alerts, rrweb-player)

All six are SSR-only XSS advisories — rrweb-player doesn't do SSR (it's a client-side replayer bundled by vite). Fixing requires the svelte 4 → 5 major migration plus coordinated bumps of @sveltejs/vite-plugin-svelte, svelte-preprocess, and the svelte2tsx d.ts pipeline — a meaningful migration that shouldn't ride along with dependency bumps. Recommend a follow-up ticket; in the interim the alerts can be dismissed as "vulnerable code not in use" given no SSR.

🤖 Generated with Claude Code
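A reviewer-side check for a bump like the one in the table above: walk every package.json in the monorepo and confirm no manifest still declares a range below the resolved floors. This is an added example, not code from the PR or the rrweb repo; the floors are taken from the table, the `auditManifests` function and the three sample manifests are constructed here for illustration.

```javascript
// Added example (not from the PR): audit package.json manifests against the
// version floors the PR description lists, flagging any that still resolve
// to an older range or to a range the check cannot pin down.
const FLOORS = { vite: "6.4.2", vitest: "3.2.6", "happy-dom": "20.8.9", turbo: "2.9.14" };

// Parse "^6.0.1" / "~2.8.7" / ">=3.0.0" / "3.2.6" into [major, minor, patch].
// Returns null for ranges we cannot pin down (workspace:*, *, "||" unions).
function parseVersion(range) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(range);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version triple a is strictly older than b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// manifests: { "<path>": <parsed package.json object> }
// Returns one finding per manifest/dependency pair that is below its floor
// or whose range cannot be evaluated (those need a manual look).
function auditManifests(manifests, floors = FLOORS) {
  const findings = [];
  for (const [file, pkg] of Object.entries(manifests)) {
    for (const section of ["dependencies", "devDependencies"]) {
      for (const [name, range] of Object.entries(pkg[section] || {})) {
        if (!(name in floors)) continue;
        const v = parseVersion(range);
        if (v === null) findings.push({ file, name, range, reason: "unparseable range" });
        else if (isBelow(v, parseVersion(floors[name])))
          findings.push({ file, name, range, reason: `below floor ${floors[name]}` });
      }
    }
  }
  return findings;
}

// Constructed sample (not the repo's real manifests): a root and two package
// manifests, one of which still carries the pre-bump vite range.
const SAMPLE = {
  "package.json": { devDependencies: { "happy-dom": "^20.8.9", turbo: "^2.9.14" } },
  "packages/rrweb/package.json": { devDependencies: { vite: "^6.4.2", vitest: "^3.2.6" } },
  "packages/rrdom/package.json": { devDependencies: { vite: "^6.0.1", vitest: "workspace:*" } },
};

for (const f of auditManifests(SAMPLE)) {
  console.log(`${f.file}: ${f.name}@${f.range} (${f.reason})`);
}
```

Run against a real checkout by reading each package.json with `fs.readFileSync` and `JSON.parse` into the same `{ path: object }` shape; a clean bump produces no "below floor" findings.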

Vadman97 and others added 4 commits June 10, 2026 23:30
Resolves the vite path-traversal advisory (GHSA medium, 17 manifests)
and both turbo advisories (local code execution during Yarn Berry
detection, login callback CSRF).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolves two critical advisories (script-tag server-side code
execution, VM context escape RCE) and the high-severity fetch
credentials advisory. happy-dom >= 20 enforces same-origin history
URLs, so load-diagnostics.test.ts now uses a relative replaceState
path.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolves the critical Vitest UI server arbitrary file read/execute
advisory across 10 package manifests. Migration notes:
- packer: assert the actual error message — vitest 3 interprets
  toThrow('') as requiring an exactly-empty message.
- all/cross-origin-iframe-packer: wait for networkidle0 in setContent
  so the cross-origin iframe's recorded snapshot is deterministic
  (previously raced iframe load, yielding two stable outcomes).
- Local rrweb suite failure set under vitest 3 is a strict subset of
  the vitest 1 set (no migration regressions).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Vadman97 Vadman97 requested a review from a team June 11, 2026 13:39
Vadman97 and others added 3 commits June 11, 2026 13:56
With happy-dom 20 declared at the rrweb root workspace, yarn 4 inside
the observability-sdk workspace stops surfacing sibling workspaces'
bins (highlight.run lost its vite/vitest bins, breaking its typegen).
Declaring it in rrweb-snapshot/rrdom/browser-client — the packages
whose tests actually use it — avoids the resolution quirk and matches
the per-package declaration convention.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Vadman97

Contributor Author

observability-sdk integration validation

Validated both PR branches against a throwaway observability-sdk clone with the rrweb submodule pinned to this branch, running o11y's own commands (yarn install, yarn build:sdk, yarn test). Three integration breaks were caught this way and are fixed in these PRs:

  1. turbo nested-config keys (Refresh fork from upstream rrweb v2.0.1 + make CI build/lint/tests work standalone #29): globalDependencies/globalPassThroughEnv (and even task-level passThroughEnv) in rrweb/turbo.json make o11y's root turbo 2.8 hard-error (add extends key). The file must stay in the legacy tasks-only shape; standalone env passthrough now comes from --env-mode=loose on this repo's root scripts, which o11y never invokes.
  2. happy-dom placement (Resolve all actionable dependabot alerts (vite, turbo, happy-dom, vitest) #31): declaring happy-dom 20 at the rrweb monorepo root made yarn (inside the o11y workspace) stop surfacing highlight.run's own vite/vitest bins, breaking its typegen. Declared in the three packages that use it instead.
  3. vitest version skew: with rrweb on vitest 3, the same yarn quirk hides highlight.run's vite bin while it stays on vitest 1.

Required companion change in the o11y submodule-bump PR (validated end-to-end — build:sdk 18/18 green):

  • sdk/highlight-run: bump vitest to ^3.2.6 (its own dependabot wants this too); keep vite at ^5.4.21 (vite 6 trips a separate CJS-interop issue in its worker build — not needed for this integration).
  • sdk/highlight-run/src/client/otel/flush-on-unload.test.ts: change the four vi.fn<any, Promise<void>> to vitest-3 single-generic form (vi.fn<(...args: unknown[]) => Promise<void>>).
  • Regenerate yarn.lock (yarn install; ~270 line diff).

Notes: o11y's root yarn build fails identically with the current production pin (pre-existing — its CI only runs yarn test/build:sdk paths). The aws-lambda#build failure in my local run is just the SAM CLI missing on my machine.

@Vadman97 Vadman97 merged commit 2b838d9 into refresh-from-upstream Jun 11, 2026
13 checks passed
@Vadman97 Vadman97 deleted the dependabot-fixes branch June 11, 2026 16:06
Vadman97 added a commit to launchdarkly/observability-sdk that referenced this pull request Jun 11, 2026
## Summary

Bumps the `rrweb` submodule to current fork main, which includes:

- **Upstream refresh to rrweb v2.0.1** (launchdarkly/rrweb#29) — first
upstream sync in ~2 years, plus standalone CI (build/lint/tests) for the
fork
- **Dependabot updates** (launchdarkly/rrweb#31) — vite 6, vitest 3,
happy-dom 20, turbo 2.9
- **tsconfig lib fix** (launchdarkly/rrweb#34) — restores ES2017 lib so
`@highlight-run/rrweb` type-checks inside this workspace

Only the submodule pin and the regenerated `yarn.lock` change — no SDK
source changes needed (main already migrated to vite 6 / vitest 4, which
covers the previously-required companion changes).

## Validation (local, against this exact pin)

- `yarn install` + `yarn dedupe --check` clean
- `yarn build:sdk` 18/18 tasks green
- `yarn enforce-size` 9/9 (highlight.run within the 256 kB brotli limit)
- `yarn turbo run test --filter=highlight.run` — 437/437 tests pass

## Release

`feat:` commit → release-please cuts a **minor** for `highlight.run`;
the `node-workspace` plugin cascades linked bumps to
`@launchdarkly/observability` and `@launchdarkly/session-replay`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Large session-replay dependency refresh after a long upstream gap;
replay fidelity and bundle behavior depend on rrweb even though SDK code
is unchanged in this PR.
> 
> **Overview**
> Updates the vendored **launchdarkly/rrweb** workspace (submodule
refresh to upstream **v2.0.1**) and regenerates **`yarn.lock`** so
Highlight’s session-replay stack matches the fork’s current packages and
tooling.
> 
> The lockfile shifts rrweb workspaces toward **Vite 6**, **Vitest 3**,
**happy-dom 20**, **Playwright 1.60**, and **turbo 2.9**, and wires in
new fork packages such as **`@highlight-run/rrweb-browser-client`** and
the **network record/replay** plugins. **`sdk/highlight-run/README.md`**
now states that recording uses the LaunchDarkly rrweb fork synced to
v2.0.1.
> 
> No `highlight.run` SDK source changes in this diff—only
dependency/workspace metadata and documentation.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
16df13f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>