| Warn |
 |
Telemetry collection: npm posthog-js
Note: A client-side telemetry and session-replay library at package/dist/array.full.no-external.js instruments browser activity by wrapping fetch/XMLHttpRequest, capturing errors and console output, recording DOM interactions, and optionally collecting request/response bodies and headers. It serializes/compresses the data and transmits payloads to backend endpoints, with configurable data redaction, masking, consent controls, and potential UI surveys. The module may utilize cookies/localStorage and possibly a Web Worker or remote config/scripts; misconfiguration can lead to excessive data capture or data exfiltration and privacy/compliance risks.
From: package.json → npm/posthog-js@1.399.2
ℹ Read more on: This package | This alert | What is telemetry?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.399.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Telemetry collection: npm posthog-js
Note: A client-side analytics/session-recording SDK embedded in package/dist/module.full.js instruments browser activity (DOM and network), patches fetch/XHR and console behavior, may capture request/response bodies and DOM content, serializes and transmits collected data, and persists identifiers and telemetry queues. It can dynamically load remote configurations or external scripts via a runtime injector, creating significant privacy, governance, and supply-chain risks; it also includes a potentially dangerous HTML rendering sink (dangerouslySetInnerHTML) in the UI. Enforce strict configuration validation, CSP/SRI/allowlists for external scripts, sanitize content, and monitor body/header capture settings.
From: package.json → npm/posthog-js@1.399.2
ℹ Read more on: This package | This alert | What is telemetry?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.399.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Telemetry collection: npm posthog-js
Note: The file package/dist/array.no-external.js loads remote transforms and external scripts, enabling server-driven DOM mutations and potential data exfiltration, which creates elevated supply-chain and privacy risks. Treat as a high data-handling/privacy-risk component requiring governance: review extension trust boundaries, enforce strict integrity checks and allowlists, apply a robust Content Security Policy, and assess consent/PII handling; note potential UUID generation quality issues when crypto RNG is unavailable. Malware likelihood from this fragment alone appears low, but data-handling risks warrant careful evaluation.
From: package.json → npm/posthog-js@1.399.2
ℹ Read more on: This package | This alert | What is telemetry?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.399.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Telemetry collection: npm posthog-js
Note: The JavaScript SDK loads and executes remote scripts at runtime to support server-driven experiments and DOM transformations, creating supply-chain and code-execution risks with potential data exfiltration if upstream content is compromised. The primary attack surface is remote script loading and DOM-injection via innerHTML/style; compromise of remote configuration, asset URLs, extension registries, or script hooks could allow arbitrary code execution in the page context. Mitigations include strict origin allowlisting, CSP/SRI integrity protections, server-side integrity checks, and safe script hook configurations. Overall risk is medium-to-high depending on exposure.
From: package.json → npm/posthog-js@1.399.2
ℹ Read more on: This package | This alert | What is telemetry?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.399.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Potential security risk (AI signal): npm posthog-js is 70.0% likely risky
Notes: This module is primarily an A/B/feature-experiment client, but it includes a high-impact security primitive: it directly injects server-provided transform.html into the DOM via element.innerHTML and applies remote selectors and inline styles. If the experiment/transform data source can be influenced (e.g., compromised backend, insider mistake, or supply-chain control-plane issue), this can become a DOM XSS/injection vector. Additionally, it sends a token in the request URL query string, increasing token-leak risk. No overt malware or exfiltration logic is evident in this fragment; risk is centered on untrusted data-to-DOM execution through innerHTML and preview-triggered variant application.
Confidence: 0.70
Severity: 0.72
From: package.json → npm/posthog-js@1.399.2
ℹ Read more on: This package | This alert | What are AI-detected potential security risks?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.399.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|