
Update dependency posthog-js to v1.396.6#334

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x

Conversation

@renovate

@renovate renovate Bot commented Jun 23, 2026


This PR contains the following updates:

Package | Change | Age | Confidence
posthog-js (source) | 1.392.0 → 1.396.6 | (badge) | (badge)

Release Notes

PostHog/posthog-js (posthog-js)

v1.396.6

Compare Source

1.396.6

Patch Changes
  • #​4053 45d1b36 Thanks @​posthog! - feat(web): add a graceful shutdown() to the browser client for parity with posthog-node, so isomorphic teardown code (e.g. the Nuxt module) that calls posthog.shutdown() on the client no longer throws TypeError: shutdown is not a function. It best-effort flushes the queued events and always resolves.
    (2026-07-03)

  • #​4054 f0657eb Thanks @​posthog! - fix(web): detect our own feature-flag request timeouts via a timedOut flag instead of the abort reason, so they are logged at warn (not error) on browsers that don't propagate controller.abort(reason) — keeping benign timeouts out of error tracking's console-error capture
    (2026-07-03)

  • #​4031 94a0530 Thanks @​posthog! - Improve survey display reliability:

    • posthog-js: refresh the cached $surveys definitions after a short TTL (stale-while-revalidate) so server-side changes such as switching a survey from popover to API propagate to long-lived tabs without a page reload.
    • posthog-js: add posthog.surveys.markSurveyAsSeen(surveyId, { iteration }) so custom integrators that render surveys through their own backend can honour the "already seen" and wait-period checks.
    • posthog-react-native: guarantee the survey Modal notifies its parent on close even when iOS Modal.onDismiss fails to fire, so the transparent full-screen modal can no longer stay mounted intercepting touches and freezing the app. (2026-07-03)
  • Updated dependencies [45d1b36]:

v1.396.5

Compare Source

1.396.5

Patch Changes
  • #​4050 d7cf13b Thanks @​turnipdabeets! - Prevent uncaught getComputedStyle crashes in heatmaps and autocapture when the event target is a cross-realm element (e.g. from an iframe or synthetic event)
    (2026-07-02)
  • Updated dependencies [5e7e132]:

v1.396.4

Compare Source

1.396.4

Patch Changes
  • #​4035 18e543b Thanks @​posthog! - fix(web): isolate onFeatureFlags callbacks so a throwing user handler no longer breaks the remaining callback chain or gets misattributed as an SDK error
    (2026-07-01)

  • #​4039 15bcb42 Thanks @​github-actions! - fix(replay): measure $snapshot_bytes as UTF-8 byte length instead of UTF-16 string length, so non-ASCII session replay payloads are counted accurately against the message size limit
    (2026-07-01)

v1.396.3

Compare Source

v1.396.2

Compare Source

1.396.2

Patch Changes
  • #​4003 b6261e7 Thanks @​marandaneto! - Include a Promise polyfill in the IE11 bundle and avoid Promise-dependent async compression paths when Promise support is unavailable.
    (2026-06-29)

v1.396.1

Compare Source

1.396.1

Patch Changes

v1.396.0

Compare Source

1.396.0

Minor Changes
  • #​3987 74cc6bb Thanks @​TueHaulund! - Add a get_current_url config option that overrides the URL used for client-side URL targeting — session replay URL triggers, the session replay URL blocklist, survey URL display conditions, product tour URL conditions, web experiment URL conditions, and autocapture URL allow/ignore lists. These match against window.location.href directly, which does not reflect a $current_url rewritten in before_send. Apps where the browser URL is not meaningful for targeting (e.g. Electron/desktop builds served from a generated host) can now return the logical URL to match against. Defaults to window.location.href when not set.
    (2026-06-29)
Patch Changes

v1.395.0

Compare Source

1.395.0

Minor Changes
  • #​3977 6200888 Thanks @​turnipdabeets! - Add getAllFeatureFlags(), which returns all currently loaded feature flags as structured FeatureFlagResults (key, enabled, variant, payload). It is a synchronous read of the cached flags and does not send a $feature_flag_called event.
    (2026-06-26)
Patch Changes

v1.394.0

Compare Source

1.394.0

Minor Changes
  • #​3986 919abca Thanks @​ioannisj! - Capture the $device_model super-property on Android Chromium via navigator.userAgentData.getHighEntropyValues(['model']). Resolved once during init and sent on subsequent events; opt out with disableDeviceModel: true.
    (2026-06-26)

v1.393.6

Compare Source

1.393.6

Patch Changes

v1.393.5

Compare Source

1.393.5

Patch Changes

v1.393.4

Compare Source

1.393.4

Patch Changes

v1.393.3

Compare Source

1.393.3

Patch Changes
  • #​3945 f94deaf Thanks @​ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method
    (2026-06-24)

v1.393.2

Compare Source

1.393.2

Patch Changes
  • #​3944 1c9a811 Thanks @​ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags.
    (2026-06-24)

v1.393.1

Compare Source

1.393.1

Patch Changes
  • #​3919 99bad9c Thanks @​pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody.
    (2026-06-24)
  • Updated dependencies [99bad9c]:

v1.393.0

Compare Source

1.393.0

Minor Changes
  • #​3921 c28b161 Thanks @​marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview $current_url.

    If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
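The v1.393.0 notes above suggest keeping hash capture on and using `before_send` to redact sensitive fragment values instead of collapsing every hash. The hook below is an added example, not posthog-js code; it assumes the `before_send` contract that the hook receives the event object with a `properties` map and returns it (or `null` to drop it), and the list of sensitive keys is a constructed sample. It covers the URL-bearing properties the changelog names and the `attr__href` of autocaptured elements.

```javascript
// Added example (not posthog-js code): a before_send hook that keeps URL
// fragments in general but redacts sensitive key=value pairs inside them,
// e.g. OAuth implicit-flow tokens returned in "#access_token=...".
// Assumed contract: before_send receives { event, properties } and returns it.

// Properties the v1.393.0 notes list as carrying the page URL
const URL_PROPERTIES = ['$current_url', '$initial_current_url', '$session_entry_url', '$external_click_url'];
// Constructed sample of fragment keys that must never reach analytics
const SENSITIVE_HASH_KEYS = ['access_token', 'id_token', 'refresh_token', 'code'];

function redactHash(url) {
  if (typeof url !== 'string') return url;
  const idx = url.indexOf('#');
  if (idx === -1) return url;
  const base = url.slice(0, idx);
  const fragment = url.slice(idx + 1);
  // Fragments such as "access_token=abc&state=xyz" parse like a query string
  const params = new URLSearchParams(fragment);
  let changed = false;
  for (const key of SENSITIVE_HASH_KEYS) {
    if (params.has(key)) {
      params.set(key, 'REDACTED');
      changed = true;
    }
  }
  // Route-style fragments ("#/orders/42") contain no sensitive key and are kept as-is
  return changed ? `${base}#${params.toString()}` : url;
}

function redactUrlHashes(event) {
  if (!event || !event.properties) return event;
  const props = event.properties;
  for (const name of URL_PROPERTIES) {
    if (name in props) props[name] = redactHash(props[name]);
  }
  // Autocapture records clicked element hrefs, which carry the same risk
  if (Array.isArray(props.$elements)) {
    for (const el of props.$elements) {
      if (el && 'attr__href' in el) el.attr__href = redactHash(el.attr__href);
    }
  }
  return event;
}

// Wiring (assumed posthog-js init signature):
// posthog.init('<PROJECT_TOKEN_PLACEHOLDER>', { before_send: redactUrlHashes })
```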

@renovate renovate Bot enabled auto-merge (squash) June 23, 2026 02:44
@socket-security

socket-security Bot commented Jun 23, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | posthog-js@1.392.0 ⏵ 1.396.6 | 75 (-8) | 100 | 81 (+1) | 100 (+1) | 100

View full report

@socket-security

socket-security Bot commented Jun 23, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Telemetry collection: npm posthog-js

Note: A dependency implements intrusive client-side instrumentation akin to session replay/telemetry that patches fetch/XHR, collects DOM contents, errors, and optionally request/response headers and bodies, and transmits telemetry to configured endpoints. It may render UI via dangerouslySetInnerHTML and persist data in localStorage, creating substantial privacy and data-exfiltration risks and potential XSS if upstream content is not properly sanitized. Requires strict configuration, masking/deny lists, and robust HTML sanitization.

From: package.json → npm/posthog-js@1.396.6

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.396.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Telemetry collection: npm posthog-js

Note: The file package/dist/module.full.js contains a browser analytics/session-replay SDK that instruments DOM/events and network activity, captures data, and transmits telemetry to remote endpoints. It includes a dynamic external script loader controlled by remote/configuration, creating privacy, data-exfiltration, and supply-chain/external-code execution risks. Risk prominence depends on deployment configuration and the possibility of remote-config/external-asset manipulation.

From: package.json → npm/posthog-js@1.396.6

ℹ Read more on: This package | This alert | What is telemetry?


Warn | High | Telemetry collection: npm posthog-js

Note: The package/dist/array.js module loads and executes external scripts based on remote configuration, enabling dynamic script execution, DOM mutations, and innerHTML/injection risks that impact supply-chain integrity and client privacy. Both alerts emphasize the need for strict consent, robust loading controls, asset integrity measures (CSP/SRI, origin allowlisting), thorough sanitization, and auditing of extension/dependency loading to mitigate the risk.

From: package.json → npm/posthog-js@1.396.6

ℹ Read more on: This package | This alert | What is telemetry?


View full report

@renovate renovate Bot changed the title Update dependency posthog-js to v1.392.0 Update dependency posthog-js to v1.392.0 - autoclosed Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
auto-merge was automatically disabled June 23, 2026 02:52

Pull request was closed

@renovate renovate Bot deleted the renovate/posthog-js-1.x branch June 23, 2026 02:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.392.0 - autoclosed Update dependency posthog-js to v1.393.0 Jun 23, 2026
@renovate renovate Bot reopened this Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch 2 times, most recently from c6ab571 to d3a9f55 Compare June 23, 2026 11:55
@renovate renovate Bot enabled auto-merge (squash) June 24, 2026 13:42
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from d3a9f55 to 6db392c Compare June 24, 2026 13:42
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.0 Update dependency posthog-js to v1.393.3 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 6db392c to f79cf27 Compare June 24, 2026 17:53
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.3 Update dependency posthog-js to v1.393.4 Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from f79cf27 to 14f20a0 Compare June 25, 2026 14:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.4 Update dependency posthog-js to v1.393.5 Jun 25, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 14f20a0 to 77d6278 Compare June 26, 2026 12:52
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.5 Update dependency posthog-js to v1.393.6 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from 77d6278 to eec9845 Compare June 26, 2026 21:12
@renovate renovate Bot changed the title Update dependency posthog-js to v1.393.6 Update dependency posthog-js to v1.395.0 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from eec9845 to d629dc7 Compare June 29, 2026 10:58
@renovate renovate Bot changed the title Update dependency posthog-js to v1.395.0 Update dependency posthog-js to v1.396.1 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from d629dc7 to e64a0f1 Compare June 29, 2026 18:06
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.1 Update dependency posthog-js to v1.396.2 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from e64a0f1 to fbf3a09 Compare June 30, 2026 16:38
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.2 Update dependency posthog-js to v1.396.3 Jun 30, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from fbf3a09 to 7bd9e0b Compare July 1, 2026 23:10
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.3 Update dependency posthog-js to v1.396.4 Jul 1, 2026
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.4 Update dependency posthog-js to v1.396.5 Jul 2, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch 2 times, most recently from 7bd9e0b to d244c4f Compare July 2, 2026 19:55
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x branch from d244c4f to deb6a51 Compare July 3, 2026 15:45
@renovate renovate Bot changed the title Update dependency posthog-js to v1.396.5 Update dependency posthog-js to v1.396.6 Jul 3, 2026