Merged
Conversation
Copilot started reviewing on behalf of
Matus Tomlein (matus-tomlein)
March 27, 2026 12:39
View session
Matus Tomlein (matus-tomlein)
requested review from
Peter Perlepes (igneel64) and
Nick (stanch)
There was a problem hiding this comment.
Pull request overview
Adds a new browser tracker plugin package to perform a one-time client-side bot detection using FingerprintJS BotD and attach the result as a Snowplow context entity, and updates Rush/release metadata for the 4.7.0 release process.
Changes:
- Introduce
@snowplow/browser-plugin-bot-detection(implementation, types/schemata, build config, Jest tests, README/LICENSE). - Register the new plugin with Rush and approve the new dependency (
@fingerprintjs/botd), updating the pnpm lock and repo state. - Switch the Rush version policy
nextBumpfrompatchtominorfor the release.
Reviewed changes
Copilot reviewed 15 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| rush.json | Adds the new plugin project to the Rush workspace. |
| plugins/browser-plugin-bot-detection/tsconfig.json | Inherits repo TypeScript configuration for the new plugin. |
| plugins/browser-plugin-bot-detection/test/bot-detection.test.ts | Adds Jest tests covering success, pending, and failure paths. |
| plugins/browser-plugin-bot-detection/src/types.ts | Defines the exported context data shape and bot kind union. |
| plugins/browser-plugin-bot-detection/src/schemata.ts | Adds the Iglu schema constant for the context entity. |
| plugins/browser-plugin-bot-detection/src/index.ts | Implements the plugin lifecycle + context attachment behavior. |
| plugins/browser-plugin-bot-detection/rollup.config.js | Adds Rollup build outputs (UMD, minified UMD, ES module). |
| plugins/browser-plugin-bot-detection/package.json | Declares package metadata, dependencies, scripts, and entrypoints. |
| plugins/browser-plugin-bot-detection/jest.config.js | Configures plugin-level Jest settings for TS + jsdom. |
| plugins/browser-plugin-bot-detection/README.md | Documents installation and usage of the new plugin. |
| plugins/browser-plugin-bot-detection/LICENSE | Adds the package license file. |
| common/config/rush/version-policies.json | Updates the version policy to a minor bump for the release. |
| common/config/rush/repo-state.json | Updates Rush repo state hash after lockfile changes. |
| common/config/rush/pnpm-lock.yaml | Adds the new plugin importer + locks @fingerprintjs/botd@2.0.0. |
| common/config/rush/browser-approved-packages.json | Approves @fingerprintjs/botd and the new internal plugin package for browser usage. |
| common/changes/@snowplow/browser-plugin-bot-detection/bot-detection-plugin_2026-03-17-17-11.json | Adds the Rush change entry describing the new plugin. |
Files not reviewed (1)
- common/config/rush/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
* Add browser-plugin-bot-detection wrapping FingerprintJS BotD Introduces a new browser tracker plugin that detects bots client-side using @fingerprintjs/botd and attaches the result as a client_side_bot_detection context entity to all tracked events. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Matus Tomlein (matus-tomlein)
force-pushed
the
release/4.7.0
branch
from
08beaf9 to
7ed64ad
Compare
Fixes #1464 The `sha1` npm package references `Buffer.isBuffer()` internally. Bundlers like webpack/Next.js see this and inject a **~28 KB Buffer polyfill** into every client page — even though the `Buffer` code path is never reached (we only hash short strings) On top of that, `sha1` only ships CommonJS, forcing CJS interop on every bundler that consumes the ESM dist - Remove `sha1` and `@types/sha1` dependencies - Add a ~90-line inline SHA-1 (FIPS 180-4) that only handles UTF-8 strings — which is all the tracker needs - Tests cover RFC 3174 vectors plus the actual domain-hash values to ensure identical output - **-28 KB raw / ~7 KB gzipped** from every page for Next.js / webpack 5 users - Eliminates the last CJS dependency in `browser-tracker-core` - No API or behavioral changes
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
Contributor
Author
|
Have added another feature into the release, Peter Perlepes (@igneel64) can you please take a look when you get a chance so we can get this out? |
Peter Perlepes (igneel64)
approved these changes
Apr 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduces a new @snowplow/browser-plugin-bot-detection plugin that integrates FingerprintJS BotD for client-side bot detection. When added to a tracker, it runs a single detection on page load and automatically attaches the result as a client_side_bot_detection context entity to every tracked event, indicating whether the visitor is a bot and, if so, which kind (e.g. headless_chrome, selenium). This complements server-side bot detection by capturing the browser environment signals that are only observable client-side.
The new release also reduces browser bundle size by eliminating a Buffer polyfill dependency (around 28 KB).
Enhancements
sha1npm package with inline implementation in browser-tracker-core, removing ~28 KB Buffer polyfill from browser bundles (snowplowssha1dependency pulls 28 KB Buffer polyfill into browser bundles #1464) thanks to Jan Nicklas (@jantimon)