Skip to content

chore(deps): upgrade rrweb-snapshot to 2.0.1#10668

Merged
sheremet-va merged 3 commits into
vitest-dev:mainfrom
hi-ogawa:rrweb-snapshot-v2
Jun 26, 2026
Merged

chore(deps): upgrade rrweb-snapshot to 2.0.1#10668
sheremet-va merged 3 commits into
vitest-dev:mainfrom
hi-ogawa:rrweb-snapshot-v2

Conversation

@hi-ogawa

@hi-ogawa hi-ogawa commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Description

Extracting from renovate PR #9958 (that is currently failing with invalid patch). This PR updates rrweb from the long time alpha to stable v2.0.1.

They did some security hardening for rrweb-io/rrweb#1817, but we did already had sandbox ensured manually, so I went with UNSAFE_allowUnprotectedRebuild.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. If the feature is substantial or introduces breaking changes without a discussion, PR might be closed.
  • Ideally, include a test that fails without this PR but passes with it.
  • Please, don't make changes to pnpm-lock.yaml unless you introduce a new test example.
  • Please check Allow edits by maintainers to make review process faster. Note that this option is not available for repositories that are owned by Github organizations.

Tests

  • Run the tests with pnpm test:ci.

Documentation

  • If you introduce new functionality, document it. You can run documentation with pnpm run docs command.

Changesets

  • Changes in changelog are generated from PR name. Please, make sure that it explains your changes in an understandable manner. Please, prefix changeset messages with feat:, fix:, perf:, docs:, or chore:.

Bump from the last alpha (2.0.0-alpha.20) to stable 2.0.1 in the browser
and ui packages.

rrweb 2.0 guards `rebuild()` behind a sandboxed-iframe factory/WeakSet
contract (CVE-2025-45806) and throws for documents not created via its
helpers. The UI trace viewer already renders snapshots into its own
`sandbox="allow-same-origin"` iframe, so pass `UNSAFE_allowUnprotectedRebuild:
true` to keep our existing iframe lifecycle without weakening the sandbox.

Regenerate the local pseudo-class patch against 2.0.1 (now version-pinned).

Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
@netlify

netlify Bot commented Jun 26, 2026

Copy link
Copy Markdown

Deploy Preview for vitest-dev ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit f30c333
🔍 Latest deploy log https://app.netlify.com/projects/vitest-dev/deploys/6a3e40437c030d0007509a30
😎 Deploy Preview https://deploy-preview-10668--vitest-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@hi-ogawa hi-ogawa marked this pull request as ready for review June 26, 2026 09:02

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered upstreaming this patch? 👀

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No I haven't but good point. I think I can bring that up to the issue. Probably I need to consider their high level rrweb API use case too though worth the try.

Comment thread packages/ui/client/components/trace/TraceView.vue Outdated
@sheremet-va sheremet-va merged commit 44b27d8 into vitest-dev:main Jun 26, 2026
16 of 18 checks passed
@hi-ogawa hi-ogawa deleted the rrweb-snapshot-v2 branch July 1, 2026 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants