Skip to content

chore(deps): update dependency posthog-js to v1.402.3#164

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x-lockfile
Open

chore(deps): update dependency posthog-js to v1.402.3#164
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x-lockfile

Conversation

@renovate

@renovate renovate Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
posthog-js (source) 1.374.41.402.3 age confidence

Release Notes

PostHog/posthog-js (posthog-js)

v1.402.3

Compare Source

1.402.3

Patch Changes
  • #​4157 4a2ecf5 Thanks @​posthog! - Session recording no longer emits an uncaught NotAllowedError ("Sharing constructed stylesheets in multiple documents is not allowed") when a page assigns a CSSStyleSheet constructed in a different document to adoptedStyleSheets. That assignment is the host page's own invalid operation, but the recorder's patched setter sat on the call stack, so the exception was attributed to rrweb and churned fingerprints in error tracking. The recorder now contains this specific rejection (matched by its standardized NotAllowedError name, so it works even when the setter throws from an iframe realm) and skips recording those sheets, while still re-throwing any other native-setter error so host-page behaviour is preserved.
    (2026-07-15)

  • #​4158 0dc389e Thanks @​posthog! - fix(replay): session recording no longer throws TypeError: Converting circular structure to JSON when replay event data contains a circular reference. The circular-reference guard now also detects cycles that pass through an array, and affected events are captured with [Circular] markers instead of surfacing an unhandled error and being dropped.
    (2026-07-15)

  • Updated dependencies [fc2cb2e]:

v1.402.2

Compare Source

1.402.2

Patch Changes
  • #​4151 81adbfd Thanks @​posthog! - Session recording no longer emits an uncaught TypeError: Illegal invocation when a programmatic input-value change happens on an object that is not a genuine native input element (for example a proxy on the element prototype chain). The recorder drops that one replay update instead of throwing.
    (2026-07-15)

v1.402.1

Compare Source

1.402.1

Patch Changes
  • #​4117 1eddff7 Thanks @​DanielVisca! - add the posthog.metrics API (count, gauge, histogram) to posthog-node — alpha

    Backend services can now record metrics through the same statsd-style pre-aggregating client the browser SDK ships, with no OpenTelemetry setup:

    const client = new PostHog('phc_...', { metrics: { serviceName: 'billing-worker' } })
    client.metrics.count('invoices.processed', 1, { attributes: { plan: 'pro' } })
    client.metrics.gauge('queue.depth', 42)
    client.metrics.histogram('job.duration', 187, { unit: 'ms' })

    Samples aggregate in memory and flush as OTLP/JSON to /i/v1/metrics (one data point per series per window). Pending metrics are flushed on shutdown(). Core gains _sendMetricsBatch on PostHogCoreStateless (same outcome contract as _sendLogsBatch) and a shared resolveMetricsConfig, so any core-based SDK can host PostHogMetrics. (2026-07-15)

  • Updated dependencies [1eddff7]:

v1.402.0

Compare Source

1.402.0

Minor Changes
  • #​4143 0e8ad14 Thanks @​robbie-c! - Stamp the current hostname as $snapshot_host on every $snapshot event the session recorder sends. The value is derived from the page URL after it passes through the existing replay URL masking pipeline (maskCapturedNetworkRequestFn / deprecated maskNetworkRequestFn, hash stripping, personal-data query-param masking), so it cannot bypass a customer's masking config. When masking removes the URL or the masked result doesn't parse as a URL, the property is omitted entirely. This gives ingestion consumers a per-message host signal even for mid-session snapshot batches that contain no URL-bearing events.
    (2026-07-15)

v1.401.0

Compare Source

1.401.0

Minor Changes
  • #​4129 800af7c Thanks @​pauldambra! - feat: add session_recording.attributeFilter option that passes an attribute allowlist through to the native MutationObserver, so mutations to unlisted attributes (e.g. animation-driven inline style churn) never cost recording CPU (port of upstream rrweb #​1873)
    (2026-07-15)
Patch Changes

v1.400.1

Compare Source

1.400.1

Patch Changes
  • #​4090 6dd8827 Thanks @​lucasheriques! - chore: survey seen-key and repeat-activation helpers now live in @​posthog/core, shared by the web and React Native SDKs. Core's survey enums are now const-object literal unions (matching the web SDK's existing pattern), so the same values type-check across both SDKs. No behavior change. Type-level note: enum members no longer work as standalone type annotations (e.g. SurveyType.Popover as a type); use the exported union types instead. Runtime values are unchanged.
    (2026-07-14)
  • Updated dependencies [6dd8827]:

v1.400.0

Compare Source

1.400.0

Minor Changes
  • #​4101 dc2aa5b Thanks @​posthog! - Normalize the error tracking rate-limiter config to first-class options. The browser SDK now reads exceptionRateLimiterRefillRate / exceptionRateLimiterBucketSize on error_tracking, with the previous double-underscore __exceptionRateLimiterRefillRate / __exceptionRateLimiterBucketSize options deprecated but still honoured as a fallback. The option shape (ExceptionRateLimiterConfig) and default-resolution logic (resolveExceptionRateLimiterConfig) now live in @posthog/core and are shared between the browser and Node SDKs.
    (2026-07-14)
Patch Changes
  • #​4140 1eabd30 Thanks @​turnipdabeets! - Handle sendBeacon quota rejections instead of silently dropping events. A beacon rejected by the browser (over the page's shared ~64KiB in-flight keepalive quota) is now split in half and re-sent recursively so the batch delivers as far as the quota allows; a rejected payload that cannot be split falls back to a non-keepalive fetch and logs a warning. Previously the boolean return of sendBeacon was ignored and an over-quota unload batch was lost with no signal.
    (2026-07-14)
  • Updated dependencies [dc2aa5b]:

v1.399.5

Compare Source

1.399.5

Patch Changes
  • #​4134 ab10064 Thanks @​posthog! - Bound autocapture's DOM ancestor walks against abnormal host-page DOM trees. autocapturePropertiesForElement and shouldCaptureElement now stop climbing the parentNode chain after 1000 ancestors or if they revisit a node (only possible when a page patches parentNode, since native DOMs cannot contain cycles), instead of walking indefinitely. When shouldCaptureElement cannot finish checking ancestors for ph-no-capture/ph-sensitive, it fails closed and reports the element as not capturable. Behavior on normal DOM trees is unchanged.
    (2026-07-14)

  • #​4141 17d956c Thanks @​posthog! - Log network-level fetch failures from posthog-js's own request layer (ad blocker, dropped connection, CORS, page teardown) at warn instead of error. The browser rejects these with a generic TypeError (Failed to fetch, Firefox's NetworkError..., or Safari's Load failed); they are already caught and retried by the request queue, so they are expected noise rather than SDK errors — _fetch now gives them the same warn treatment as our own timeout aborts. Genuine, unexpected errors still log at error.
    (2026-07-14)

v1.399.4

Compare Source

1.399.4
Patch Changes
  • #​4139 7c339be Thanks @​turnipdabeets! - Encode uncompressed sendBeacon bodies as base64 form data so the beacon keeps a CORS-simple content type. Previously an uncompressed unload beacon was sent as application/json, which forces a CORS preflight — a preflight cannot complete while the page unloads, so on cross-origin hosts the browser silently dropped the POST and the final batch of events was lost. Compression is inactive whenever the remote config request fails (flaky network, blocked endpoint), when the config response omits supportedCompression, or with disable_compression: true.
    (2026-07-13)

v1.399.3

Compare Source

1.399.3

Patch Changes
  • #​4133 4ebb618 Thanks @​mikenicholls88! - Make jsonStringify circular-safe so event serialization never throws. Previously a captured property holding a circular value — most commonly a DOM node that retains a React fiber pointing back at the element — made JSON.stringify throw Converting circular structure to JSON; with capture_exceptions enabled that throw was recaptured as a new $exception, at times in a loop. On a throw we now fall back to safeJsonStringify from @posthog/core. The fast (non-circular) path is unchanged, and only true cycles become "[Circular]", so shared-but-acyclic references keep their real values.
    (2026-07-13)

v1.399.2

Compare Source

1.399.2

Patch Changes
  • #​4118 f630394 Thanks @​posthog! - Fix a RangeError: Maximum call stack size exceeded originating from the shared rrweb patch() helper. It patches shared globals such as Element.prototype.attachShadow (shadow-dom-manager) and the DOM/canvas observers, so multiple recorder instances or repeated start/stop cycles wrap the same global more than once. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated cycles grew the wrapper chain without bound until a real call walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable per-layer link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Recording behavior is unchanged. This applies the same fix as #​4063 (fetch/XHR) to the shared helper so every rrweb-record caller inherits the bounded-chain behavior.
    (2026-07-10)

v1.399.1

Compare Source

v1.399.0

Compare Source

1.399.0

Minor Changes
  • #​4115 86bb3a5 Thanks @​DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alpha

    A statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to /i/v1/metrics — one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:

    posthog.metrics.count('orders_created', 1)
    posthog.metrics.gauge('active_connections', 42)
    posthog.metrics.histogram('api_latency', 187, { unit: 'ms' })

    Configure via metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)

Patch Changes

v1.398.7

Compare Source

1.398.7

Patch Changes
  • #​4113 45f17ee Thanks @​TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removed

    Follow-up to the shadow-observer iframe-teardown fix: takeFullSnapshot's onSerialize registers every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot). addShadowRoot now derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)

v1.398.6

Compare Source

1.398.6

Patch Changes

v1.398.5

Compare Source

1.398.5

Patch Changes
  • #​4103 be8242a Thanks @​rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includes dist/toolbar/ (with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonical toolbar.js/toolbar.css layout. This is a no-op against today's single-file build.
    (2026-07-08)

v1.398.4

Compare Source

v1.398.3

Compare Source

1.398.3

Patch Changes
  • #​4112 38bb185 Thanks @​TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardown

    The single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)

v1.398.2

Compare Source

1.398.2

Patch Changes
  • #​4063 24aadd5 Thanks @​posthog! - Fix a RangeError: Maximum call stack size exceeded that could originate from the shared patch() fetch/XHR wrapper. posthog-js wraps window.fetch in two independent places (tracing headers and session-recording network capture), so their restores routinely ran out of order. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated start/stop cycles grew the wrapper chain without bound until a real fetch walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Header-injection and network-capture behavior is unchanged.
    (2026-07-07)

  • #​4100 e250a24 Thanks @​marandaneto! - Stop adding the gzip compression query parameter to browser SDK requests.
    (2026-07-07)

  • #​4083 f07e241 Thanks @​posthog! - fix(replay): harden session-replay network capture so instrumentation that throws (e.g. new Request() rejecting a URL/method) degrades gracefully and never breaks or misattributes the host application's own xhr.open() / fetch() calls
    (2026-07-07)

v1.398.1

Compare Source

1.398.1

Patch Changes

v1.398.0

Compare Source

v1.397.0

Compare Source

1.397.0

Minor Changes
  • #​4089 cc340db Thanks @​bs1180! - feat(web): add a posthog-js/customizations subpath entry point exposing the optional customizations (setAllPersonProfilePropertiesAsPersonPropertiesForFlags, the before-send sampling helpers, and the redux/kea loggers) as a proper ES module with bundled types, replacing the internal posthog-js/lib/src/customizations deep import. Also fixes the TypeScript definitions so setAllPersonProfilePropertiesAsPersonPropertiesForFlags accepts the instance passed to the loaded callback (the documented usage), and the loaded callback's instance type now includes config.
    (2026-07-06)

v1.396.9

Compare Source

v1.396.8

Compare Source

1.396.8

Patch Changes
  • #​4062 2af0026 Thanks @​posthog! - fix(web): prevent an infinite-recursion stack overflow in the logs console capture. The console wrapper's own capture path can emit internal debug lines through PostHog's logger, which wrote back to the wrapped console and re-entered capture until the stack blew (RangeError: Maximum call stack size exceeded). The wrapper now exposes the original console method via __rrweb_original__ (so the internal logger bypasses it) and guards against re-entrancy from any code that logs mid-capture.
    (2026-07-06)

v1.396.7

Compare Source

v1.396.6

Compare Source

1.396.6

Patch Changes
  • #​4053 45d1b36 Thanks @​posthog! - feat(web): add a graceful shutdown() to the browser client for parity with posthog-node, so isomorphic teardown code (e.g. the Nuxt module) that calls posthog.shutdown() on the client no longer throws TypeError: shutdown is not a function. It best-effort flushes the queued events and always resolves.
    (2026-07-03)

  • #​4054 f0657eb Thanks @​posthog! - fix(web): detect our own feature-flag request timeouts via a timedOut flag instead of the abort reason, so they are logged at warn (not error) on browsers that don't propagate controller.abort(reason) — keeping benign timeouts out of error tracking's console-error capture
    (2026-07-03)

  • #​4031 94a0530 Thanks @​posthog! - Improve survey display reliability:

    • posthog-js: refresh the cached $surveys definitions after a short TTL (stale-while-revalidate) so server-side changes such as switching a survey from popover to API propagate to long-lived tabs without a page reload.
    • posthog-js: add posthog.surveys.markSurveyAsSeen(surveyId, { iteration }) so custom integrators that render surveys through their own backend can honour the "already seen" and wait-period checks.
    • posthog-react-native: guarantee the survey Modal notifies its parent on close even when iOS Modal.onDismiss fails to fire, so the transparent full-screen modal can no longer stay mounted intercepting touches and freezing the app. (2026-07-03)
  • Updated dependencies [45d1b36]:

v1.396.5

Compare Source

1.396.5

Patch Changes
  • #​4050 d7cf13b Thanks @​turnipdabeets! - Prevent uncaught getComputedStyle crashes in heatmaps and autocapture when the event target is a cross-realm element (e.g. from an iframe or synthetic event)
    (2026-07-02)
  • Updated dependencies [5e7e132]:

v1.396.4

Compare Source

1.396.4
Patch Changes
  • #​4035 18e543b Thanks @​posthog! - fix(web): isolate onFeatureFlags callbacks so a throwing user handler no longer breaks the remaining callback chain or gets misattributed as an SDK error
    (2026-07-01)

  • #​4039 15bcb42 Thanks @​github-actions! - fix(replay): measure $snapshot_bytes as UTF-8 byte length instead of UTF-16 string length, so non-ASCII session replay payloads are counted accurately against the message size limit
    (2026-07-01)

v1.396.3

Compare Source

1.396.3
Patch Changes
  • #​4020 e0ad8ef Thanks @​posthog! - Fix TypeError: ....at is not a function thrown by the bundled web-vitals dependency on browsers that predate Array.prototype.at() (Chrome <92, iOS Safari <15.4). The web-vitals entrypoints now install a tiny Array.prototype.at polyfill before web-vitals runs, so web vitals capture works again on older browsers instead of crashing with an unhandled error.
    (2026-06-30)

v1.396.2

Compare Source

1.396.2
Patch Changes
  • #​4003 b6261e7 Thanks @​marandaneto! - Include a Promise polyfill in the IE11 bundle and avoid Promise-dependent async compression paths when Promise support is unavailable.
    (2026-06-29)

v1.396.1

Compare Source

1.396.1
Patch Changes

v1.396.0

Compare Source

1.396.0
Minor Changes
  • #​3987 74cc6bb Thanks @​TueHaulund! - Add a get_current_url config option that overrides the URL used for client-side URL targeting — session replay URL triggers, the session replay URL blocklist, survey URL display conditions, product tour URL conditions, web experiment URL conditions, and autocapture URL allow/ignore lists. These match against window.location.href directly, which does not reflect a $current_url rewritten in before_send. Apps where the browser URL is not meaningful for targeting (e.g. Electron/desktop builds served from a generated host) can now return the logical URL to match against. Defaults to window.location.href when not set.
    (2026-06-29)
Patch Changes

v1.395.0

Compare Source

1.395.0

Minor Changes
  • #​3977 6200888 Thanks @​turnipdabeets! - Add getAllFeatureFlags(), which returns all currently loaded feature flags as structured FeatureFlagResults (key, enabled, variant, payload). It is a synchronous read of the cached flags and does not send a $feature_flag_called event.
    (2026-06-26)
Patch Changes

v1.394.0

Compare Source

1.394.0

Minor Changes
  • #​3986 919abca Thanks @​ioannisj! - Capture the $device_model super-property on Android Chromium via navigator.userAgentData.getHighEntropyValues(['model']). Resolved once during init and sent on subsequent events; opt out with disableDeviceModel: true.
    (2026-06-26)

v1.393.6

Compare Source

1.393.6

Patch Changes

v1.393.5

Compare Source

1.393.5

Patch Changes

v1.393.4

Compare Source

1.393.4

Patch Changes

v1.393.3

Compare Source

1.393.3

Patch Changes
  • #​3945 f94deaf Thanks @​ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method
    (2026-06-24)

v1.393.2

Compare Source

1.393.2

Patch Changes
  • #​3944 1c9a811 Thanks @​ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags.
    (2026-06-24)

v1.393.1

Compare Source

1.393.1

Patch Changes
  • #​3919 99bad9c Thanks @​pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody.
    (2026-06-24)
  • Updated dependencies [99bad9c]:

v1.393.0

Compare Source

1.393.0

Minor Changes
  • #​3921 c28b161 Thanks @​marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview $current_url.

    If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)

Patch Changes

v1.392.0

Compare Source

1.392.0

Minor Changes
  • #​3895 ce528ed Thanks @​turnipdabeets! - Console log auto-capture (logs: { captureConsoleLogs: true }) now flows through the same pipeline as posthog.captureLog(), posthog.logger.*, and PostHog's other SDKs, instead of OpenTelemetry. As a result:

    • the bundled OpenTelemetry dependencies are removed, shrinking the lazily-loaded logs chunk
    • auto-captured console logs now run through logs.beforeSend (the same hook as captureLog/logger.*), so you can redact or drop sensitive console output before it's sent. To treat console logs differently from manual logs, branch on the record's log.source attribute: auto-captured console logs set it to console.<method> (e.g. console.error), while manual captureLog/logger.* logs leave it unset
    • console logs now link to the person's profile: they carry the person id as posthogDistinctId, the attribute PostHog uses to associate logs with a person (docs). The old path used distinct_id, which isn't used for person linking by default, so console logs previously didn't appear on person profiles unless you'd configured a custom key.

    Console logs keep their posthog-browser-logs service.name, their console instrumentation scope, and their log.source: console.<level> attribute.

    As part of moving onto the shared pipeline, console records now use PostHog's standard log field names — the same ones programmatic web logs and other SDKs use, and the ones the Logs UI surfaces. For the fields below the values are unchanged — only the attribute names/locations differ:

    • distinct_idposthogDistinctId (record attribute)
    • location.hrefurl.full (record attribute; same value — the page URL)
    • session.id (resource attribute) → sessionId (record attribute) — renamed and moved
    • host and window.id move from resource attributes to record attributes (names unchanged)
    • records also now carry the standard SDK context shared by other logs, including feature_flags

    For most projects this needs no action — these are already the canonical log fields. The only thing to update is a saved Logs query or dashboard built specifically on an old console attribute name, for example:

    • attributes.distinct_idattributes.posthogDistinctId
    • attributes.location.hrefattributes.url.full
    • resource.attributes.session.idattributes.sessionId
    • resource.attributes.host / resource.attributes.window.idattributes.host / attributes.window.id (2026-06-22)
Patch Changes

v1.391.9

Compare Source

1.391.9

Patch Changes
  • #​3922 26aa9ba Thanks @​posthog! - Exception autocapture: posthog-js's own fetch timeout now aborts with an explicit, descriptive reason (PostHog request timed out after <n>ms) instead of a reason-less DOMException: AbortError: signal is aborted without reason. This keeps name === 'AbortError' so existing timeout handling (e.g. feature flag timeout detection) is unchanged, but makes our own timeouts identifiable and stops them being re-captured as noise by console-error exception autocapture.
    (2026-06-22)

v1.391.8

Compare Source

1.391.8

Patch Changes

v1.391.7

Compare Source

1.391.7

Patch Changes
  • #​3914 dac4edb Thanks @​pauldambra! - Session replay network capture: redact credential-bearing headers on both request and response (previously only request), and match credential-shaped custom header names by substring (e.g. x-gist-encoded-user-token) in addition to the exact deny list - avoiding accidental capture of tokens/cookies in recordings.
    (2026-06-22)

v1.391.6

Compare Source

1.391.6

Patch Changes

v1.391.5

Compare Source

1.391.5

Patch Changes
  • #​3915 beaccc3 Thanks @​pauldambra! - Session replay: apply the existing base64 image size cap (maxBase64ImageLength) to SVG <image> elements with data: URIs on both href and xlink:href. Previously the cap only covered <img> elements, so large inline data URIs inside SVGs were recorded in full - this also covers them in mutations, replacing oversized ones with the striped placeholder.
    (2026-06-22)

v1.391.4

Compare Source

1.391.4

Patch Changes
  • #​3913 ee9f2a8 Thanks @​pauldambra! - Session replay network capture: expand the default payload host deny list to skip third-party analytics, RUM, and session-replay telemetry whose payloads have no replay value - Datadog, Segment, RudderStack, Amplitude, Mixpanel, Hotjar (both .com and .io), and FullStory. Also covers both Google Analytics beacon hosts (google-analytics.com, plus analytics.google.com which gtag uses when Google Signals is enabled) and widens New Relic to nr-data.net.
    (2026-06-22)

v1.391.3

Compare Source

1.391.3

Patch Changes
  • #​3909 ab4a220 Thanks @​marandaneto! - Avoid style-src-attr CSP violations when diffing rrweb style mutations.
    (2026-06-22)

  • #​3912 78ac40c Thanks @​pauldambra! - Session replay network capture: never record binary/asset response or request bodies (image, video, audio, font, octet-stream, pdf, zip, wasm) even when recordBody is enabled - they bloat recordings, duplicate what the replay already shows, and the body is no longer read.
    (2026-06-22)

v1.391.2

Compare Source

1.391.2

Patch Changes

v1.391.1

Compare Source

1.391.1

Patch Changes
  • #​3899 d090a7c Thanks @​lucasheriques! - Surveys: re-check eligibility when a popover's display delay elapses, instead of only re-checking the URL.

    A survey with a display delay could be queued while a visitor was still anonymous (the targeting flag passed for the anonymous profile), and then displayed after the delay even though identify() had reloaded feature flags and the survey's internal targeting flag was now false for the identified profile (e.g. a "show once per user" survey the person had already dismissed). The delayed display now re-runs the full display predicate (eligibility, URL/device/selector conditions, event/action trigger, and feature flags) before rendering, so a survey that became ineligible during the delay is no longer shown. Pending delayed surveys are also cancelled promptly when a later evaluation cycle finds them ineligible. (2026-06-19)

v1.391.0

Compare Source

1.391.0

Minor Changes
  • #​3885 5392a55 Thanks @​pauldambra! - feat(replay): capture canvas at reduced resolution

    Adds session_recording.canvasCapture.resolutionScale - a (0, 1] fraction of the canvas display size to capture replay frames at. The captured bitmap is downscaled (pixel-area savings are quadratic) while the canvas's true display size is still recorded, so playback stretches the smaller frame back to the correct dimensions and aspect ratio - only sharpness drops, never layout. It defaults to 1 (full resolution, matching today's behaviour), and the latest defaults bundle (2026-05-30) opts new installs into 0.6.

    The canvas's true display size travels with each frame through the encode worker (as required message fields), so the encoded reply is always drawn back to the correct dimensions — no pe

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • Between 08:00 AM and 05:59 PM, Monday through Friday (* 8-17 * * 1-5)
  • Automerge
    • Between 08:00 AM and 05:59 PM, Monday through Friday (* 8-17 * * 1-5)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the Renovate label May 22, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 22, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
launchpad 35a2f95 Commit Preview URL

Branch Preview URL
Jul 16 2026, 12:39 AM

@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 42478cb to f251cc4 Compare May 22, 2026 19:56
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.375.0 chore(deps): update dependency posthog-js to v1.376.0 May 22, 2026
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.0 chore(deps): update dependency posthog-js to v1.376.2 May 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from 6b7755f to 1cab717 Compare May 27, 2026 18:17
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.2 chore(deps): update dependency posthog-js to v1.376.3 May 27, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 1cab717 to 213b568 Compare May 28, 2026 13:58
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.3 chore(deps): update dependency posthog-js to v1.376.4 May 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 213b568 to 97e061a Compare May 29, 2026 02:45
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.4 chore(deps): update dependency posthog-js to v1.376.5 May 31, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from f27c7c2 to 2e586c6 Compare June 1, 2026 03:30
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.5 chore(deps): update dependency posthog-js to v1.376.6 Jun 1, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 2e586c6 to 4476dd5 Compare June 13, 2026 18:31
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.376.6 chore(deps): update dependency posthog-js to v1.386.6 Jun 13, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 4476dd5 to 19f1f85 Compare June 15, 2026 13:01
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.386.6 chore(deps): update dependency posthog-js to v1.386.8 Jun 15, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 19f1f85 to b460fd9 Compare June 16, 2026 18:40
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.386.8 chore(deps): update dependency posthog-js to v1.387.0 Jun 16, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from b460fd9 to 82ab376 Compare June 17, 2026 18:04
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.387.0 chore(deps): update dependency posthog-js to v1.390.0 Jun 17, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 82ab376 to a73ee33 Compare June 18, 2026 01:12
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.390.0 chore(deps): update dependency posthog-js to v1.390.2 Jun 18, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from 04a5f21 to 40be235 Compare June 19, 2026 12:45
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.390.2 chore(deps): update dependency posthog-js to v1.391.0 Jun 19, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 40be235 to 682b1f4 Compare June 19, 2026 18:54
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.391.0 chore(deps): update dependency posthog-js to v1.391.2 Jun 19, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from bb5f626 to f01f36b Compare June 25, 2026 14:14
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.393.4 chore(deps): update dependency posthog-js to v1.393.5 Jun 25, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from f01f36b to 9e00d46 Compare June 26, 2026 14:03
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.393.5 chore(deps): update dependency posthog-js to v1.393.6 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 9e00d46 to f0db7c0 Compare June 26, 2026 21:14
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.393.6 chore(deps): update dependency posthog-js to v1.395.0 Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from f0db7c0 to 6cfb125 Compare June 29, 2026 10:55
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.395.0 chore(deps): update dependency posthog-js to v1.396.1 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 6cfb125 to 2079aca Compare June 29, 2026 18:12
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.1 chore(deps): update dependency posthog-js to v1.396.2 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 2079aca to b50b37b Compare June 30, 2026 19:00
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.2 chore(deps): update dependency posthog-js to v1.396.3 Jun 30, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from b50b37b to c6a5826 Compare July 1, 2026 22:51
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.3 chore(deps): update dependency posthog-js to v1.396.4 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from c6a5826 to 72c9f12 Compare July 2, 2026 17:52
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.4 chore(deps): update dependency posthog-js to v1.396.5 Jul 2, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 72c9f12 to a7dfd85 Compare July 3, 2026 14:34
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.5 chore(deps): update dependency posthog-js to v1.396.6 Jul 3, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from a7dfd85 to 9dc2b9e Compare July 6, 2026 09:10
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.6 chore(deps): update dependency posthog-js to v1.396.7 Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 9dc2b9e to 21b5bb3 Compare July 6, 2026 18:13
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.7 chore(deps): update dependency posthog-js to v1.396.9 Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 21b5bb3 to 71ad502 Compare July 6, 2026 22:02
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.396.9 chore(deps): update dependency posthog-js to v1.398.0 Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 71ad502 to 7ef27b3 Compare July 7, 2026 16:53
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.398.0 chore(deps): update dependency posthog-js to v1.398.1 Jul 7, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 7ef27b3 to 89b0130 Compare July 7, 2026 22:45
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.398.1 chore(deps): update dependency posthog-js to v1.398.2 Jul 7, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 89b0130 to 469f1d3 Compare July 8, 2026 11:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants