Skip to content

chore(deps): update dependency posthog-js to v1.404.1#129

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x-lockfile
Open

chore(deps): update dependency posthog-js to v1.404.1#129
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/posthog-js-1.x-lockfile

Conversation

@renovate

@renovate renovate Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
posthog-js (source) 1.398.21.404.1 age confidence

Release Notes

PostHog/posthog-js (posthog-js)

v1.404.1

Compare Source

1.404.1

Patch Changes
  • #​4191 66c1666 Thanks @​turnipdabeets! - Honour the project-level autocapture opt-out when the remote config request fails. Previously a failed config fetch (network error, timeout, blocked request) enabled autocapture on opted-out projects and persisted that state for later page loads. Autocapture now keeps the last successfully received server value, and stays off until the first successful config response.
    (2026-07-17)

v1.404.0

Compare Source

1.404.0

Minor Changes
  • #​4149 607bf54 Thanks @​pauldambra! - Add dead swipe detection to dead clicks autocapture. When dead clicks autocapture is enabled, touch swipe gestures that produce no observable screen change (no scroll, mutation, selection or visibility change) are now captured as $dead_swipe events, surfacing failed navigations on touch devices. Configurable via capture_dead_swipes (default true) and swipe_threshold_px (default 30) on the capture_dead_clicks config. Swipes over surfaces whose response cannot be observed (canvas, video and other media elements under the finger) are skipped, and captures are limited per page load via max_dead_swipes_per_page_load (default 10).
    (2026-07-16)
Patch Changes
  • #​4171 df17ddc Thanks @​posthog! - Catch synchronous throws from a monkey-patched window.fetch so they no longer escape as unhandled exceptions. A synchronous throw is now routed through the same handling as an async rejection, so the request queue retries instead of the error leaking into error tracking.
    (2026-07-16)
  • Updated dependencies [607bf54]:

v1.403.0

Compare Source

1.403.0

Minor Changes
  • #​4159 fad6d9a Thanks @​haacked! - add $feature_flag_has_experiment to $feature_flag_called events

    $feature_flag_called events now carry a $feature_flag_has_experiment boolean sourced from the server's has_experiment flag metadata (the /flags?v=2 response for remote evaluation, the /api/feature_flag/local_evaluation definitions for posthog-node local evaluation). The property is only sent when the server explicitly reports has_experiment; it is omitted entirely when the value is unknown (older servers, missing metadata, bootstrapped or locally injected flags). (2026-07-16)

Patch Changes

v1.402.3

Compare Source

1.402.3

Patch Changes
  • #​4157 4a2ecf5 Thanks @​posthog! - Session recording no longer emits an uncaught NotAllowedError ("Sharing constructed stylesheets in multiple documents is not allowed") when a page assigns a CSSStyleSheet constructed in a different document to adoptedStyleSheets. That assignment is the host page's own invalid operation, but the recorder's patched setter sat on the call stack, so the exception was attributed to rrweb and churned fingerprints in error tracking. The recorder now contains this specific rejection (matched by its standardized NotAllowedError name, so it works even when the setter throws from an iframe realm) and skips recording those sheets, while still re-throwing any other native-setter error so host-page behaviour is preserved.
    (2026-07-15)

  • #​4158 0dc389e Thanks @​posthog! - fix(replay): session recording no longer throws TypeError: Converting circular structure to JSON when replay event data contains a circular reference. The circular-reference guard now also detects cycles that pass through an array, and affected events are captured with [Circular] markers instead of surfacing an unhandled error and being dropped.
    (2026-07-15)

  • Updated dependencies [fc2cb2e]:

v1.402.2

Compare Source

1.402.2

Patch Changes
  • #​4151 81adbfd Thanks @​posthog! - Session recording no longer emits an uncaught TypeError: Illegal invocation when a programmatic input-value change happens on an object that is not a genuine native input element (for example a proxy on the element prototype chain). The recorder drops that one replay update instead of throwing.
    (2026-07-15)

v1.402.1

Compare Source

1.402.1

Patch Changes
  • #​4117 1eddff7 Thanks @​DanielVisca! - add the posthog.metrics API (count, gauge, histogram) to posthog-node — alpha

    Backend services can now record metrics through the same statsd-style pre-aggregating client the browser SDK ships, with no OpenTelemetry setup:

    const client = new PostHog('phc_...', { metrics: { serviceName: 'billing-worker' } })
    client.metrics.count('invoices.processed', 1, { attributes: { plan: 'pro' } })
    client.metrics.gauge('queue.depth', 42)
    client.metrics.histogram('job.duration', 187, { unit: 'ms' })

    Samples aggregate in memory and flush as OTLP/JSON to /i/v1/metrics (one data point per series per window). Pending metrics are flushed on shutdown(). Core gains _sendMetricsBatch on PostHogCoreStateless (same outcome contract as _sendLogsBatch) and a shared resolveMetricsConfig, so any core-based SDK can host PostHogMetrics. (2026-07-15)

  • Updated dependencies [1eddff7]:

v1.402.0

Compare Source

1.402.0

Minor Changes
  • #​4143 0e8ad14 Thanks @​robbie-c! - Stamp the current hostname as $snapshot_host on every $snapshot event the session recorder sends. The value is derived from the page URL after it passes through the existing replay URL masking pipeline (maskCapturedNetworkRequestFn / deprecated maskNetworkRequestFn, hash stripping, personal-data query-param masking), so it cannot bypass a customer's masking config. When masking removes the URL or the masked result doesn't parse as a URL, the property is omitted entirely. This gives ingestion consumers a per-message host signal even for mid-session snapshot batches that contain no URL-bearing events.
    (2026-07-15)

v1.401.0

Compare Source

1.401.0

Minor Changes
  • #​4129 800af7c Thanks @​pauldambra! - feat: add session_recording.attributeFilter option that passes an attribute allowlist through to the native MutationObserver, so mutations to unlisted attributes (e.g. animation-driven inline style churn) never cost recording CPU (port of upstream rrweb #​1873)
    (2026-07-15)
Patch Changes

v1.400.1

Compare Source

1.400.1

Patch Changes
  • #​4090 6dd8827 Thanks @​lucasheriques! - chore: survey seen-key and repeat-activation helpers now live in @​posthog/core, shared by the web and React Native SDKs. Core's survey enums are now const-object literal unions (matching the web SDK's existing pattern), so the same values type-check across both SDKs. No behavior change. Type-level note: enum members no longer work as standalone type annotations (e.g. SurveyType.Popover as a type); use the exported union types instead. Runtime values are unchanged.
    (2026-07-14)
  • Updated dependencies [6dd8827]:

v1.400.0

Compare Source

1.400.0

Minor Changes
  • #​4101 dc2aa5b Thanks @​posthog! - Normalize the error tracking rate-limiter config to first-class options. The browser SDK now reads exceptionRateLimiterRefillRate / exceptionRateLimiterBucketSize on error_tracking, with the previous double-underscore __exceptionRateLimiterRefillRate / __exceptionRateLimiterBucketSize options deprecated but still honoured as a fallback. The option shape (ExceptionRateLimiterConfig) and default-resolution logic (resolveExceptionRateLimiterConfig) now live in @posthog/core and are shared between the browser and Node SDKs.
    (2026-07-14)
Patch Changes
  • #​4140 1eabd30 Thanks @​turnipdabeets! - Handle sendBeacon quota rejections instead of silently dropping events. A beacon rejected by the browser (over the page's shared ~64KiB in-flight keepalive quota) is now split in half and re-sent recursively so the batch delivers as far as the quota allows; a rejected payload that cannot be split falls back to a non-keepalive fetch and logs a warning. Previously the boolean return of sendBeacon was ignored and an over-quota unload batch was lost with no signal.
    (2026-07-14)
  • Updated dependencies [dc2aa5b]:

v1.399.5

Compare Source

1.399.5

Patch Changes
  • #​4134 ab10064 Thanks @​posthog! - Bound autocapture's DOM ancestor walks against abnormal host-page DOM trees. autocapturePropertiesForElement and shouldCaptureElement now stop climbing the parentNode chain after 1000 ancestors or if they revisit a node (only possible when a page patches parentNode, since native DOMs cannot contain cycles), instead of walking indefinitely. When shouldCaptureElement cannot finish checking ancestors for ph-no-capture/ph-sensitive, it fails closed and reports the element as not capturable. Behavior on normal DOM trees is unchanged.
    (2026-07-14)

  • #​4141 17d956c Thanks @​posthog! - Log network-level fetch failures from posthog-js's own request layer (ad blocker, dropped connection, CORS, page teardown) at warn instead of error. The browser rejects these with a generic TypeError (Failed to fetch, Firefox's NetworkError..., or Safari's Load failed); they are already caught and retried by the request queue, so they are expected noise rather than SDK errors — _fetch now gives them the same warn treatment as our own timeout aborts. Genuine, unexpected errors still log at error.
    (2026-07-14)

v1.399.4

Compare Source

1.399.4

Patch Changes
  • #​4139 7c339be Thanks @​turnipdabeets! - Encode uncompressed sendBeacon bodies as base64 form data so the beacon keeps a CORS-simple content type. Previously an uncompressed unload beacon was sent as application/json, which forces a CORS preflight — a preflight cannot complete while the page unloads, so on cross-origin hosts the browser silently dropped the POST and the final batch of events was lost. Compression is inactive whenever the remote config request fails (flaky network, blocked endpoint), when the config response omits supportedCompression, or with disable_compression: true.
    (2026-07-13)

v1.399.3

Compare Source

1.399.3

Patch Changes
  • #​4133 4ebb618 Thanks @​mikenicholls88! - Make jsonStringify circular-safe so event serialization never throws. Previously a captured property holding a circular value — most commonly a DOM node that retains a React fiber pointing back at the element — made JSON.stringify throw Converting circular structure to JSON; with capture_exceptions enabled that throw was recaptured as a new $exception, at times in a loop. On a throw we now fall back to safeJsonStringify from @posthog/core. The fast (non-circular) path is unchanged, and only true cycles become "[Circular]", so shared-but-acyclic references keep their real values.
    (2026-07-13)

v1.399.2

Compare Source

1.399.2

Patch Changes
  • #​4118 f630394 Thanks @​posthog! - Fix a RangeError: Maximum call stack size exceeded originating from the shared rrweb patch() helper. It patches shared globals such as Element.prototype.attachShadow (shadow-dom-manager) and the DOM/canvas observers, so multiple recorder instances or repeated start/stop cycles wrap the same global more than once. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated cycles grew the wrapper chain without bound until a real call walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable per-layer link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Recording behavior is unchanged. This applies the same fix as #​4063 (fetch/XHR) to the shared helper so every rrweb-record caller inherits the bounded-chain behavior.
    (2026-07-10)

v1.399.1

Compare Source

v1.399.0

Compare Source

1.399.0

Minor Changes
  • #​4115 86bb3a5 Thanks @​DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alpha

    A statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to /i/v1/metrics — one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:

    posthog.metrics.count('orders_created', 1)
    posthog.metrics.gauge('active_connections', 42)
    posthog.metrics.histogram('api_latency', 187, { unit: 'ms' })

    Configure via metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)

Patch Changes

v1.398.7

Compare Source

1.398.7

Patch Changes
  • #​4113 45f17ee Thanks @​TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removed

    Follow-up to the shadow-observer iframe-teardown fix: takeFullSnapshot's onSerialize registers every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot). addShadowRoot now derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)

v1.398.6

Compare Source

1.398.6

Patch Changes

v1.398.5

Compare Source

1.398.5

Patch Changes
  • #​4103 be8242a Thanks @​rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includes dist/toolbar/ (with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonical toolbar.js/toolbar.css layout. This is a no-op against today's single-file build.
    (2026-07-08)

v1.398.4

Compare Source

v1.398.3

Compare Source

1.398.3

Patch Changes
  • #​4112 38bb185 Thanks @​TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardown

    The single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying connect-minekube with  Cloudflare Pages  Cloudflare Pages

Latest commit: fb304fe
Status: ✅  Deploy successful!
Preview URL: https://9b1b680d.connect-minekube.pages.dev
Branch Preview URL: https://renovate-posthog-js-1-x-lock.connect-minekube.pages.dev

View logs

@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 4a53b00 to 46fa2dd Compare July 11, 2026 04:06
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.399.1 chore(deps): update dependency posthog-js to v1.399.2 Jul 11, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from 918d9d9 to 53e5ef4 Compare July 13, 2026 20:04
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.399.2 chore(deps): update dependency posthog-js to v1.399.4 Jul 13, 2026
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.399.4 chore(deps): update dependency posthog-js to v1.399.5 Jul 14, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 53e5ef4 to 1ead1f8 Compare July 14, 2026 17:15
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.399.5 chore(deps): update dependency posthog-js to v1.400.0 Jul 14, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 1ead1f8 to 466d23a Compare July 14, 2026 23:15
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.400.0 chore(deps): update dependency posthog-js to v1.400.1 Jul 14, 2026
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.400.1 chore(deps): update dependency posthog-js to v1.402.0 Jul 15, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from 1c0c924 to 1f3cfb3 Compare July 15, 2026 19:33
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.402.0 chore(deps): update dependency posthog-js to v1.402.2 Jul 15, 2026
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.402.2 chore(deps): update dependency posthog-js to v1.402.3 Jul 15, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 1f3cfb3 to 650870f Compare July 16, 2026 15:41
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.402.3 chore(deps): update dependency posthog-js to v1.404.0 Jul 16, 2026
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 650870f to 79ca3b8 Compare July 16, 2026 23:55
@renovate
renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 79ca3b8 to fb304fe Compare July 17, 2026 21:28
@renovate renovate Bot changed the title chore(deps): update dependency posthog-js to v1.404.0 chore(deps): update dependency posthog-js to v1.404.1 Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants