Skip to content

Update dependency posthog-js to v1.399.2#334

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x
Open

Update dependency posthog-js to v1.399.2#334
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x

Update dependency posthog-js to v1.399.2

f6911e3
Select commit
Loading
Failed to load commit list.
Socket Security / Socket Security: Pull Request Alerts succeeded Jul 10, 2026 in 19s

Pull Request #334 Alerts: Complete with warnings

Report Status Message
PR #334 Alerts ⚠️ Found 5 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Details

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Telemetry collection: npm posthog-js

Note: A client-side telemetry and session-replay library at package/dist/array.full.no-external.js instruments browser activity by wrapping fetch/XMLHttpRequest, capturing errors and console output, recording DOM interactions, and optionally collecting request/response bodies and headers. It serializes/compresses the data and transmits payloads to backend endpoints, with configurable data redaction, masking, consent controls, and potential UI surveys. The module may utilize cookies/localStorage and possibly a Web Worker or remote config/scripts; misconfiguration can lead to excessive data capture or data exfiltration and privacy/compliance risks.

From: package.jsonnpm/posthog-js@1.399.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.399.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: A client-side analytics/session-recording SDK embedded in package/dist/module.full.js instruments browser activity (DOM and network), patches fetch/XHR and console behavior, may capture request/response bodies and DOM content, serializes and transmits collected data, and persists identifiers and telemetry queues. It can dynamically load remote configurations or external scripts via a runtime injector, creating significant privacy, governance, and supply-chain risks; it also includes a potentially dangerous HTML rendering sink (dangerouslySetInnerHTML) in the UI. Enforce strict configuration validation, CSP/SRI/allowlists for external scripts, sanitize content, and monitor body/header capture settings.

From: package.jsonnpm/posthog-js@1.399.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.399.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The file package/dist/array.no-external.js loads remote transforms and external scripts, enabling server-driven DOM mutations and potential data exfiltration, which creates elevated supply-chain and privacy risks. Treat as a high data-handling/privacy-risk component requiring governance: review extension trust boundaries, enforce strict integrity checks and allowlists, apply a robust Content Security Policy, and assess consent/PII handling; note potential UUID generation quality issues when crypto RNG is unavailable. Malware likelihood from this fragment alone appears low, but data-handling risks warrant careful evaluation.

From: package.jsonnpm/posthog-js@1.399.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.399.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Telemetry collection: npm posthog-js

Note: The JavaScript SDK loads and executes remote scripts at runtime to support server-driven experiments and DOM transformations, creating supply-chain and code-execution risks with potential data exfiltration if upstream content is compromised. The primary attack surface is remote script loading and DOM-injection via innerHTML/style; compromise of remote configuration, asset URLs, extension registries, or script hooks could allow arbitrary code execution in the page context. Mitigations include strict origin allowlisting, CSP/SRI integrity protections, server-side integrity checks, and safe script hook configurations. Overall risk is medium-to-high depending on exposure.

From: package.jsonnpm/posthog-js@1.399.2

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.399.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Potential security risk (AI signal): npm posthog-js is 70.0% likely risky

Notes: This module is primarily an A/B/feature-experiment client, but it includes a high-impact security primitive: it directly injects server-provided transform.html into the DOM via element.innerHTML and applies remote selectors and inline styles. If the experiment/transform data source can be influenced (e.g., compromised backend, insider mistake, or supply-chain control-plane issue), this can become a DOM XSS/injection vector. Additionally, it sends a token in the request URL query string, increasing token-leak risk. No overt malware or exfiltration logic is evident in this fragment; risk is centered on untrusted data-to-DOM execution through innerHTML and preview-triggered variant application.

Confidence: 0.70

Severity: 0.72

From: package.jsonnpm/posthog-js@1.399.2

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.399.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report