
Update dependency posthog-js to v1.396.3 #334

Open

renovate[bot] wants to merge 1 commit into main from renovate/posthog-js-1.x

Conversation

@renovate renovate Bot commented Jun 23, 2026


This PR contains the following updates:

Package | Change | Age | Confidence
posthog-js (source) | 1.392.0 → 1.396.3 | age | confidence

Release Notes

PostHog/posthog-js (posthog-js)

v1.396.3

Compare Source

v1.396.2

Compare Source

1.396.2

Patch Changes
  • #4003 b6261e7 Thanks @marandaneto! - Include a Promise polyfill in the IE11 bundle and avoid Promise-dependent async compression paths when Promise support is unavailable.
    (2026-06-29)

v1.396.1

Compare Source

1.396.1

Patch Changes

v1.396.0

Compare Source

1.396.0

Minor Changes
  • #3987 74cc6bb Thanks @TueHaulund! - Add a get_current_url config option that overrides the URL used for client-side URL targeting — session replay URL triggers, the session replay URL blocklist, survey URL display conditions, product tour URL conditions, web experiment URL conditions, and autocapture URL allow/ignore lists. These match against window.location.href directly, which does not reflect a $current_url rewritten in before_send. Apps where the browser URL is not meaningful for targeting (e.g. Electron/desktop builds served from a generated host) can now return the logical URL to match against. Defaults to window.location.href when not set.
    (2026-06-29)
Patch Changes

v1.395.0

Compare Source

1.395.0

Minor Changes
  • #3977 6200888 Thanks @turnipdabeets! - Add getAllFeatureFlags(), which returns all currently loaded feature flags as structured FeatureFlagResults (key, enabled, variant, payload). It is a synchronous read of the cached flags and does not send a $feature_flag_called event.
    (2026-06-26)
Patch Changes

v1.394.0

Compare Source

1.394.0

Minor Changes
  • #3986 919abca Thanks @ioannisj! - Capture the $device_model super-property on Android Chromium via navigator.userAgentData.getHighEntropyValues(['model']). Resolved once during init and sent on subsequent events; opt out with disableDeviceModel: true.
    (2026-06-26)

v1.393.6

Compare Source

1.393.6

Patch Changes

v1.393.5

Compare Source

1.393.5

Patch Changes

v1.393.4

Compare Source

1.393.4

Patch Changes

v1.393.3

Compare Source

1.393.3

Patch Changes
  • #3945 f94deaf Thanks @ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method
    (2026-06-24)

v1.393.2

Compare Source

1.393.2

Patch Changes
  • #3944 1c9a811 Thanks @ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags.
    (2026-06-24)

v1.393.1

Compare Source

1.393.1

Patch Changes
  • #3919 99bad9c Thanks @pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody.
    (2026-06-24)
  • Updated dependencies [99bad9c]:

v1.393.0

Compare Source

1.393.0

Minor Changes
  • #3921 c28b161 Thanks @marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview $current_url.

    If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
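The 1.393.0 note above recommends using before_send to redact sensitive hash values rather than disabling hash capture outright. The following is an added example of such a hook, not posthog-js's own code; it assumes the hook receives an event object with a `properties` map and returns it, uses the URL property names listed in that changelog entry, and the list of sensitive fragment keys is constructed for illustration.

```javascript
// Added example (not posthog-js code): a before_send hook that redacts
// sensitive key=value pairs inside URL fragments while leaving hash-based
// routes such as "#/settings" intact, so SPA routing analytics keep working.
// Assumed hook shape: before_send(event) -> event, where event.properties
// is a plain object. Property names come from the 1.393.0 changelog entry.

// URL-valued event properties that may carry a fragment.
const URL_PROPERTIES = ['$current_url', '$initial_current_url', '$session_entry_url', '$external_click_url'];

// Fragment parameter names treated as sensitive (constructed list for this example;
// OAuth implicit-flow style tokens commonly land in the fragment).
const SENSITIVE_HASH_KEYS = ['access_token', 'id_token', 'token', 'code'];

// Redact sensitive parameters in the fragment of a URL. Handles both
// "#access_token=...&state=..." and route-style "#/callback?id_token=..." fragments.
function redactUrlHash(url, sensitiveKeys = SENSITIVE_HASH_KEYS) {
  if (typeof url !== 'string') return url;
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return url;
  const base = url.slice(0, hashIndex);
  const fragment = url.slice(hashIndex + 1);
  // Keep any route prefix up to and including '?'; parse only what follows it.
  const qIndex = fragment.indexOf('?');
  const routePart = qIndex === -1 ? '' : fragment.slice(0, qIndex + 1);
  const paramPart = qIndex === -1 ? fragment : fragment.slice(qIndex + 1);
  const redacted = paramPart
    .split('&')
    .map((pair) => {
      const eq = pair.indexOf('=');
      if (eq === -1) return pair; // not a key=value pair (e.g. a route like "/settings")
      const key = pair.slice(0, eq);
      return sensitiveKeys.includes(key.toLowerCase()) ? `${key}=[REDACTED]` : pair;
    })
    .join('&');
  return `${base}#${routePart}${redacted}`;
}

// The before_send hook itself: rewrite every URL-valued property in place and
// return the event so it is still sent.
function beforeSend(event) {
  if (!event || !event.properties) return event;
  for (const name of URL_PROPERTIES) {
    if (name in event.properties) {
      event.properties[name] = redactUrlHash(event.properties[name]);
    }
  }
  return event;
}
```

Autocapture element attributes such as $elements[*].attr__href are nested and would need the same treatment in a real deployment.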

@renovate renovate Bot enabled auto-merge (squash) June 23, 2026 02:44

socket-security Bot commented Jun 23, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | posthog-js@1.392.0 ⏵ 1.396.3 | 66 (-17) | 100 | 81 (+1) | 100 | 100

View full report


socket-security Bot commented Jun 23, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/module.full.js contains a browser telemetry/session-replay SDK that instruments DOM/events, intercepts fetch/XHR, and uploads data to remote endpoints. It supports a dynamic external script loader controlled by remote configuration, creating privacy, data-exfiltration, and supply-chain/external-code execution risk exposure. It should be treated as a sensitive third-party dependency requiring strict governance, CSP/allow-listing, careful configuration review, and verification of remote-config/external asset integrity to prevent misconfigurations or upstream compromise.

From: package.json → npm/posthog-js@1.396.3

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/module.no-external.js represents a client-side analytics/telemetry SDK that loads external scripts at runtime and transmits telemetry to remote endpoints. It can modify the DOM and assign server-provided HTML via innerHTML (and CSS via style) without apparent sanitization, creating a credible XSS risk if experiment data is untrusted. The runtime loader and external dependencies also expand supply-chain attack surface.

From: package.json → npm/posthog-js@1.396.3

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The PostHog JavaScript SDK loads remote configurations and conditionally injects external scripts via dynamically created script tags, enabling extensions and server-driven experiments. This creates a supply-chain/execution risk and potential data-collection/privacy concerns through telemetry, identifier persistence in cookies/localStorage, and possible DOM modifications. Mitigations include strict CSP/SRI, asset allowlisting, restricted external dependencies, and server-side sanitization for any HTML/CSS transforms.

From: package.json → npm/posthog-js@1.396.3

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The package/dist/lazy-recorder.js module implements a rrweb-style session recorder that captures DOM mutations and user interactions, applies masking/sampling, buffers events, and uploads recordings to a backend API endpoint. The primary risk is privacy and data-handling security, contingent on masking guarantees, endpoint integrity, secure routing, and proper consent/authorization; there are no evident signs of malware, but misconfiguration can lead to leakage of sensitive content.

From: package.json → npm/posthog-js@1.396.3

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot changed the title Update dependency posthog-js to v1.392.0 Update dependency posthog-js to v1.392.0 - autoclosed Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
auto-merge was automatically disabled June 23, 2026 02:52

Pull request was closed

@renovate renovate Bot deleted the renovate/posthog-js-1.x branch June 23, 2026 02:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.392.0 - autoclosed Update dependency posthog-js to v1.393.0 Jun 23, 2026
@renovate renovate Bot reopened this Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch 2 times, most recently from c6ab571 to d3a9f55 Compare June 23, 2026 11:55
@renovate renovate Bot enabled auto-merge (squash) June 24, 2026 13:42
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from d3a9f55 to 6db392c Compare June 24, 2026 13:42
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.0 Update dependency posthog-js to v1.393.3 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 6db392c to f79cf27 Compare June 24, 2026 17:53
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.3 Update dependency posthog-js to v1.393.4 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from f79cf27 to 14f20a0 Compare June 25, 2026 14:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.4 Update dependency posthog-js to v1.393.5 Jun 25, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 14f20a0 to 77d6278 Compare June 26, 2026 12:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.5 Update dependency posthog-js to v1.393.6 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 77d6278 to eec9845 Compare June 26, 2026 21:12
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.6 Update dependency posthog-js to v1.395.0 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from eec9845 to d629dc7 Compare June 29, 2026 10:58
@renovate renovate Bot changed the title Update dependency posthog-js to v1.395.0 Update dependency posthog-js to v1.396.1 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from d629dc7 to e64a0f1 Compare June 29, 2026 18:06
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.1 Update dependency posthog-js to v1.396.2 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from e64a0f1 to fbf3a09 Compare June 30, 2026 16:38
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.2 Update dependency posthog-js to v1.396.3 Jun 30, 2026