chore(replay): bump @posthog/rrweb to 0.0.59 #55746

Merged
pauldambra merged 2 commits into master from 04-22-chore_replay_bump_posthog_rrweb_to_0.0.59
Apr 22, 2026

Conversation

@pauldambra
Member

@pauldambra pauldambra commented Apr 22, 2026

Problem

We are 33 versions behind on the PostHog fork of rrweb. Latest is 0.0.59 (published 2026-04-22); we were pinned to 0.0.26 (2025-10-10).

The gap includes a bunch of replay/player bug fixes we want in production (replay flicker, iframe/weakmap leaks, doctype + custom element hardening, SecurityError handling in iframe cleanup, nested CSS handling, adopted-stylesheet clears, etc.), plus recorder-side fixes (canvas dedup, OffscreenCanvas fallbacks, iframe observer leaks, postcss-removal from the bundle).

Changes

  • frontend/package.json, common/replay-shared/package.json, common/replay-headless/package.json: bump @posthog/rrweb, @posthog/rrweb-types, @posthog/rrweb-plugin-console-record from 0.0.26 → 0.0.59
  • pnpm-lock.yaml regenerated. Transitive @posthog/rrweb-snapshot, @posthog/rrweb-utils, @posthog/rrdom go from 0.0.4 → 0.0.59 to match.

PostHog/posthog-rrweb PRs rolled in

Replay player

Recorder

Chores / infra (non-code-affecting): #93, #96, #98, #103, #105, #106, #107, #109, #110, #111, #112, #114, #115, #117, #118, #119, #120, #144, #146, #149, #161, #165, #170

How did you test this code?

I am an agent, so this was tested in code only — no manual browser smoke test yet:

  • pnpm --filter=@posthog/frontend typescript:check — no new type errors in any rrweb-consuming file. (There are 77 pre-existing errors in products/workflows/frontend/*, all unrelated to this change.)
  • hogli test frontend/src/scenes/session-recordings/player — 251/251 tests pass. Some suites failed to load due to a pre-existing @posthog/hogvm module-resolution issue in unrelated files (saved-insights, max, PathCleanFilters); none of those failures are caused by the rrweb bump.

Reviewer smoke test recommended before merge: run ./bin/start, open a recent session replay, and play it end-to-end (scrub, pause, network tab, iframe-heavy recording, canvas recording if available). Confirm no console errors and no replay flicker.

Publish to changelog?

no

🤖 LLM context

Authored by PostHog Code (Claude Opus 4.7). Task ID 5b092d28-8278-4b17-8154-200c54457eb3. The full list of posthog-rrweb PRs above was pulled from gh pr list --repo PostHog/posthog-rrweb --state merged --search "merged:>=2025-10-10". TypeScript/types surfaces used by consumers (Replayer, ReplayPlugin, playerConfig, eventWithTime, EventType, IncrementalSource) did not need any consumer-side adaptation.


Created with PostHog Code

@github-actions
Contributor

Hey @pauldambra! 👋 This pull request seems to contain no description. Please add useful context, rationale, and/or any other information that will help make sense of this change now and in the distant Mars-based future.

Member Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@greptile-apps
Contributor

greptile-apps Bot commented Apr 22, 2026

Reviews (1): Last reviewed commit: "chore(replay): bump @posthog/rrweb to 0...." | Re-trigger Greptile

@github-actions
Contributor

github-actions Bot commented Apr 22, 2026

Size Change: +42.7 kB (+0.03%)

Total Size: 130 MB

Filename Size Change
frontend/dist/exporter 20.9 MB +10.7 kB (+0.05%)
frontend/dist/exporter.js 20.9 MB +10.7 kB (+0.05%)
frontend/dist/render-query 20.6 MB +10.7 kB (+0.05%)
frontend/dist/render-query.js 20.6 MB +10.7 kB (+0.05%)

compressed-size-action

regenerate rr-web-schema.json to include displayWidth/displayHeight
canvas mutation fields added in PostHog/posthog-rrweb#137

Generated-By: PostHog Code
Task-Id: 5b092d28-8278-4b17-8154-200c54457eb3
@pauldambra pauldambra force-pushed the 04-22-chore_replay_bump_posthog_rrweb_to_0.0.59 branch from bbf30b7 to 3136ea6 Compare April 22, 2026 14:08
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
High CVE: npm minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

CVE: GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions (HIGH)

Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.4

Patched version: 9.0.7

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/minimatch@9.0.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

CVE: GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (HIGH)

Affected versions: >= 10.0.0 < 10.2.1; >= 9.0.0 < 9.0.6; >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.4.7; >= 6.0.0 < 6.2.1; >= 5.0.0 < 5.1.7; >= 4.0.0 < 4.2.4; < 3.1.3

Patched version: 9.0.6

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/minimatch@9.0.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH)

Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3

Patched version: 9.0.7

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/minimatch@9.0.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH)

Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3

Patched version: 9.0.7

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/eslint@8.57.1 → npm/minimatch@9.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

CVE: GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions (HIGH)

Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.4

Patched version: 9.0.7

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/eslint@8.57.1 → npm/minimatch@9.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

CVE: GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (HIGH)

Affected versions: >= 10.0.0 < 10.2.1; >= 9.0.0 < 9.0.6; >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.4.7; >= 6.0.0 < 6.2.1; >= 5.0.0 < 5.1.7; >= 4.0.0 < 4.2.4; < 3.1.3

Patched version: 9.0.6

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/eslint@8.57.1 → npm/minimatch@9.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

CVE: GHSA-h25m-26qc-wcjf Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components (HIGH)

Affected versions: >= 13.0.0 < 15.0.8; >= 15.1.1-canary.0 < 15.1.12; >= 15.2.0-canary.0 < 15.2.9; >= 15.3.0-canary.0 < 15.3.9; >= 15.4.0-canary.0 < 15.4.11; >= 15.5.1-canary.0 < 15.5.10; >= 15.6.0-canary.0 < 15.6.0-canary.61; >= 16.0.0-beta.0 < 16.0.11; >= 16.1.0-canary.0 < 16.1.5

Patched version: 15.0.8

From: tools/hedgebox-dummy/package.json → npm/next@14.2.35

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@14.2.35. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Next.js has a Denial of Service with Server Components

CVE: GHSA-q4gf-8mx6-v5v3 Next.js has a Denial of Service with Server Components (HIGH)

Affected versions: >= 13.0.0 < 15.5.15; >= 16.0.0-beta.0 < 16.2.3

Patched version: 15.5.15

From: tools/hedgebox-dummy/package.json → npm/next@14.2.35

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@14.2.35. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Picomatch has a ReDoS vulnerability via extglob quantifiers

CVE: GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers (HIGH)

Affected versions: >= 4.0.0 < 4.0.4; >= 3.0.0 < 3.0.2; < 2.3.2

Patched version: 2.3.2

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/tailwindcss@3.4.18 → npm/picomatch@2.3.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/picomatch@2.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Picomatch has a ReDoS vulnerability via extglob quantifiers

CVE: GHSA-c2c7-rcm5-vvqj Picomatch has a ReDoS vulnerability via extglob quantifiers (HIGH)

Affected versions: >= 4.0.0 < 4.0.4; >= 3.0.0 < 3.0.2; < 2.3.2

Patched version: 4.0.4

From: tools/hedgebox-dummy/pnpm-lock.yaml → npm/eslint-config-next@14.2.35 → npm/picomatch@4.0.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/picomatch@4.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@pauldambra pauldambra merged commit 31bc750 into master Apr 22, 2026
174 checks passed
@pauldambra pauldambra deleted the 04-22-chore_replay_bump_posthog_rrweb_to_0.0.59 branch April 22, 2026 14:40
@deployment-status-posthog

deployment-status-posthog Bot commented Apr 22, 2026

Deploy status

Environment Status Deployed At Workflow
dev ✅ Deployed 2026-04-22 15:15 UTC Run
prod-us ✅ Deployed 2026-04-22 15:32 UTC Run
prod-eu ✅ Deployed 2026-04-22 16:42 UTC Run
