Go to file

Justin Halsall acba854f30 Fix security vulnerability in workflows (#1804 )

* Fix a security hole in #1787 found by Arun Murugesan:

"The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request."

See https://github.com/preactjs/compressed-size-action/issues/54 for why that action shouldn't be used with pull_request_target

This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo)

* The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation')

* ci(bundle-size): extract bundle size scripts and simplify workflow

- Add `.github/scripts/measure-bundle-sizes.js` and
  `render-bundle-size-comment.js` to replace inline node scripts
  embedded in workflow YAML, improving readability and reusability
- Refactor `eslint-check.yml` to use the new script files and fix
  checkout steps to handle both PR and non-PR triggers correctly
- Refactor `pr-checks-privileged.yml` to replace the large
  `github-script` block with `render-bundle-size-comment.js` and
  the `marocchino/sticky-pull-request-comment` action; remove the
  now-unnecessary `pr_number.txt` artifact by reading the PR number
  directly from the workflow_run event
- Pin `ataylorme/eslint-annotate-action` to a specific commit SHA
- Add `actions: read` permission where needed for artifact downloads

* ci: add fork PR support and harden workflow

- Look up PR number via API when workflow_run.pull_requests is empty
  (GitHub leaves it empty for fork PRs), falling back gracefully
- Use head SHA instead of branch name for PR checkout to avoid TOCTOU
- Fix formatSignedSize to produce +0 instead of -0 for zero values
- Gate comment steps on successful PR number lookup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-17 22:23:34 +01:00

.cache

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

.changeset

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

.github

Fix security vulnerability in workflows (#1804 )

2026-03-17 22:23:34 +01:00

.vscode

Reverse monkey patch built in methods to support LWC (#1509 )

2024-08-02 10:55:05 +02:00

.yarn/releases

Lock yarn to 1.23.0 (#922 )

2022-06-30 23:20:26 +08:00

docs

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

packages

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

scripts

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

.editorconfig

yarn format - prettier improvements & add .editorconfig (#1471 )

2024-05-13 11:53:08 +01:00

.eslintignore

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

.eslintrc.js

Eslint camelCase (#1625 )

2025-01-21 15:49:09 +00:00

.gitattributes

Lock yarn to 1.23.0 (#922 )

2022-06-30 23:20:26 +08:00

.gitignore

Umd folder (#1704 )

2026-02-13 15:03:23 +01:00

.markdownlint.yml

Chore: Add issue/pr template and general housekeeping tools and docs (#900 )

2022-05-22 09:59:42 +08:00

.npmignore

Add yarn support for installing unreleased rrweb as a dependency (#497 )

2021-02-19 11:57:01 +08:00

.prettierignore

Chore: Ignore generated files from .svelte-kit for prettier & make video tests more stable (#1500 )

2024-06-10 10:04:03 +02:00

.prettierrc

yarn format - prettier improvements & add .editorconfig (#1471 )

2024-05-13 11:53:08 +01:00

.puppeteerrc.cjs

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

.release-it.json

CI: add a prettier GitHub action to format code automatically (#988 )

2022-09-06 09:38:43 +08:00

.yarnrc.yml

Lock yarn to 1.23.0 (#922 )

2022-06-30 23:20:26 +08:00

CHANGELOG.md

close #489 add v1.0.0 changelog

2021-07-06 00:18:40 +08:00

CODE_OF_CONDUCT.md

CI: add a prettier GitHub action to format code automatically (#988 )

2022-09-06 09:38:43 +08:00

CONTRIBUTING.md

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

guide.md

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

guide.zh_CN.md

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

LICENSE

add company info

2019-01-26 20:16:02 +08:00

package.json

chore(ci): track bundle size (#1630 )

2025-02-06 11:17:43 +01:00

README.md

Umd folder (#1704 )

2026-02-13 15:03:23 +01:00

README.zh_CN.md

docs: revamp installation docs for esm and umd (#1788 )

2026-02-17 13:59:02 +01:00

SECURITY.md

Create SECURITY.md (#1719 )

2025-08-05 01:28:23 -07:00

tsconfig.base.json

Improve development tooling (#1516 )

2024-06-21 18:13:53 +01:00

tsconfig.eslint.json

Chore: Add issue/pr template and general housekeeping tools and docs (#900 )

2022-05-22 09:59:42 +08:00

tsconfig.json

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

turbo.json

Fix typo in turbo.json

2026-02-16 12:03:22 +01:00

vite.config.default.ts

Umd folder (#1704 )

2026-02-13 15:03:23 +01:00

vitest.config.ts

Fix Vitest hanging indefinitely with Vite 6 by using forks pool (#1760 )

2025-11-21 00:23:23 +01:00

vitest.workspace.ts

Chore: Migrate build to vite (#1033 )

2024-06-07 11:07:36 +02:00

yarn.lock

Migrates to vite@6 to drop base64 inlined worker source from all bundles (#1762 )

2026-02-06 15:11:36 +01:00

README.md

Try rrweb

rrweb

The rrweb documentary (in Chinese, with English subtitles)

中文文档

I have joined Github Sponsors and highly appreciate your sponsorship.

rrweb refers to 'record and replay the web', which is a tool for recording and replaying users' interactions on the web.

Guide

📚 Read the rrweb guide here. 📚

🍳 Recipes 🍳

📺 Presentation: Hacking the browser to digital twin your users 📺

Project Structure

rrweb is mainly composed of 3 parts:

rrweb-snapshot, including both snapshot and rebuilding features. The snapshot is used to convert the DOM and its state into a serializable data structure with a unique identifier; the rebuilding feature is to rebuild the snapshot into corresponding DOM.
rrweb, including two functions, record and replay. The record function is used to record all the mutations in the DOM; the replay is to replay the recorded mutations one by one according to the corresponding timestamp.
rrweb-player, is a player UI for rrweb, providing GUI-based functions like pause, fast-forward, drag and drop to play at any time.

Roadmap

storage engine: do deduplication on a large number of rrweb sessions
compact mutation data in common patterns
provide plugins via the new plugin API, including:
- XHR plugin
- fetch plugin
- GraphQL plugin
- ...

Internal Design

Contribute Guide

Since we want the record and replay sides to share a strongly typed data structure, rrweb is developed with typescript which provides stronger type support.

Typescript handbook

Fork this repository.
Run yarn install in the root to install required dependencies for all sub-packages (note: npm install is not recommended).
Run yarn build:all to build all packages and get a stable base, then yarn dev in the root to get auto-building for all the sub-packages whenever you modify anything.
Navigate to one of the sub-packages (in the packages folder) where you'd like to make a change.
Patch the code and run yarn test to run the tests, make sure they pass before you commit anything. Add test cases in order to avoid future regression.
If tests are failing, but the change in output is desirable, run yarn test:update and carefully commit the changes in test output.
Push the code and create a pull request.