chore(rrweb): Replace fast-mhtml with inline MHTML parser#274
chore(rrweb): Replace fast-mhtml with inline MHTML parser#274
Conversation
Remove the fast-mhtml dependency which was only used in one test utility function for parsing MHTML snapshots. Replace with a minimal inline parser (~30 lines) that handles multipart MIME boundary splitting and quoted-printable decoding. fast-mhtml pulled in cheerio, express, undici, qs, and bluebird — a massive transitive tree for a simple test helper. This removes ~584 lines from yarn.lock. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| } | ||
| if (filename.includes('frame')) { | ||
| content = format(content, { parser: 'html' }); | ||
| } |
There was a problem hiding this comment.
Frame formatting condition is now dead code
Low Severity
The filename.includes('frame') check is now dead code. The old fast-mhtml library generated internal names starting with "frame" for frame parts, producing rewritten names like file-frame-4. The new parseMhtml only extracts Content-Location headers — frame parts either lack this header (yielding empty filenames → file-null-0) or have URL-based values (yielding file-http-N). Neither ever contains "frame", so format(content, { parser: 'html' }) is never called. The updated snapshots confirm this: previously pretty-printed HTML is now single-line.
Additional Locations (1)
| .replace(/=([0-9A-Fa-f]{2})/g, (_, hex) => | ||
| String.fromCharCode(parseInt(hex, 16)), | ||
| ); | ||
| } |
There was a problem hiding this comment.
Quoted-printable decoder mishandles multi-byte UTF-8 sequences
Low Severity
decodeQuotedPrintable uses String.fromCharCode(parseInt(hex, 16)) which treats each encoded byte as an independent character. For multi-byte UTF-8 sequences (e.g., =C3=A9 for "é"), this produces two incorrect Latin-1 characters instead of one correct Unicode character. Current tests use ASCII-only content so this doesn't surface, but any future test with non-ASCII text in MHTML snapshots would decode incorrectly.
Remove the
fast-mhtmldependency which was only used in one test utility function (packages/rrweb/test/utils.ts) for parsing MHTML snapshots in replayer E2E tests.Replace with a minimal inline parser (~30 lines) that handles multipart MIME boundary splitting and quoted-printable content decoding. All 47 replayer tests pass.
fast-mhtmlpulled incheerio,express,undici,qs,bluebird, andcookie— a massive transitive tree for a simple test helper. This removes ~584 lines fromyarn.lock.Dependabot alerts resolved
Fully resolved (vulnerable package completely removed from lockfile):
qsqsPartially resolved (some entries removed, but package still exists via other dependency chains):
undicipuppeteer(Phase 3)cookie@sveltejs/kit(Phase 5)closes https://linear.app/getsentry/issue/SDK-1097/replace-fast-mhtml-9-alerts