chore(deps): update dependency posthog-js to v1.404.1#129
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Deploying connect-minekube with
|
| Latest commit: |
fb304fe
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://9b1b680d.connect-minekube.pages.dev |
| Branch Preview URL: | https://renovate-posthog-js-1-x-lock.connect-minekube.pages.dev |
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 11, 2026 04:06
4a53b00 to
46fa2dd
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
2 times, most recently
from
July 13, 2026 20:04
918d9d9 to
53e5ef4
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 14, 2026 17:15
53e5ef4 to
1ead1f8
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 14, 2026 23:15
1ead1f8 to
466d23a
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
2 times, most recently
from
July 15, 2026 19:33
1c0c924 to
1f3cfb3
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 16, 2026 15:41
1f3cfb3 to
650870f
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 16, 2026 23:55
650870f to
79ca3b8
Compare
renovate
Bot
force-pushed
the
renovate/posthog-js-1.x-lockfile
branch
from
July 17, 2026 21:28
79ca3b8 to
fb304fe
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.398.2→1.404.1Release Notes
PostHog/posthog-js (posthog-js)
v1.404.1Compare Source
1.404.1
Patch Changes
66c1666Thanks @turnipdabeets! - Honour the project-level autocapture opt-out when the remote config request fails. Previously a failed config fetch (network error, timeout, blocked request) enabled autocapture on opted-out projects and persisted that state for later page loads. Autocapture now keeps the last successfully received server value, and stays off until the first successful config response.(2026-07-17)
v1.404.0Compare Source
1.404.0
Minor Changes
607bf54Thanks @pauldambra! - Add dead swipe detection to dead clicks autocapture. When dead clicks autocapture is enabled, touch swipe gestures that produce no observable screen change (no scroll, mutation, selection or visibility change) are now captured as$dead_swipeevents, surfacing failed navigations on touch devices. Configurable viacapture_dead_swipes(defaulttrue) andswipe_threshold_px(default30) on thecapture_dead_clicksconfig. Swipes over surfaces whose response cannot be observed (canvas, video and other media elements under the finger) are skipped, and captures are limited per page load viamax_dead_swipes_per_page_load(default10).(2026-07-16)
Patch Changes
df17ddcThanks @posthog! - Catch synchronous throws from a monkey-patchedwindow.fetchso they no longer escape as unhandled exceptions. A synchronous throw is now routed through the same handling as an async rejection, so the request queue retries instead of the error leaking into error tracking.(2026-07-16)
607bf54]:v1.403.0Compare Source
1.403.0
Minor Changes
#4159
fad6d9aThanks @haacked! - add$feature_flag_has_experimentto$feature_flag_calledevents$feature_flag_calledevents now carry a$feature_flag_has_experimentboolean sourced from the server'shas_experimentflag metadata (the/flags?v=2response for remote evaluation, the/api/feature_flag/local_evaluationdefinitions for posthog-node local evaluation). The property is only sent when the server explicitly reportshas_experiment; it is omitted entirely when the value is unknown (older servers, missing metadata, bootstrapped or locally injected flags). (2026-07-16)Patch Changes
fad6d9a]:v1.402.3Compare Source
1.402.3
Patch Changes
#4157
4a2ecf5Thanks @posthog! - Session recording no longer emits an uncaughtNotAllowedError("Sharing constructed stylesheets in multiple documents is not allowed") when a page assigns aCSSStyleSheetconstructed in a different document toadoptedStyleSheets. That assignment is the host page's own invalid operation, but the recorder's patched setter sat on the call stack, so the exception was attributed to rrweb and churned fingerprints in error tracking. The recorder now contains this specific rejection (matched by its standardizedNotAllowedErrorname, so it works even when the setter throws from an iframe realm) and skips recording those sheets, while still re-throwing any other native-setter error so host-page behaviour is preserved.(2026-07-15)
#4158
0dc389eThanks @posthog! - fix(replay): session recording no longer throwsTypeError: Converting circular structure to JSONwhen replay event data contains a circular reference. The circular-reference guard now also detects cycles that pass through an array, and affected events are captured with[Circular]markers instead of surfacing an unhandled error and being dropped.(2026-07-15)
Updated dependencies [
fc2cb2e]:v1.402.2Compare Source
1.402.2
Patch Changes
81adbfdThanks @posthog! - Session recording no longer emits an uncaughtTypeError: Illegal invocationwhen a programmatic input-value change happens on an object that is not a genuine native input element (for example a proxy on the element prototype chain). The recorder drops that one replay update instead of throwing.(2026-07-15)
v1.402.1Compare Source
1.402.1
Patch Changes
#4117
1eddff7Thanks @DanielVisca! - add the posthog.metrics API (count, gauge, histogram) to posthog-node — alphaBackend services can now record metrics through the same statsd-style pre-aggregating client the browser SDK ships, with no OpenTelemetry setup:
Samples aggregate in memory and flush as OTLP/JSON to
/i/v1/metrics(one data point per series per window). Pending metrics are flushed onshutdown(). Core gains_sendMetricsBatchonPostHogCoreStateless(same outcome contract as_sendLogsBatch) and a sharedresolveMetricsConfig, so any core-based SDK can hostPostHogMetrics. (2026-07-15)Updated dependencies [
1eddff7]:v1.402.0Compare Source
1.402.0
Minor Changes
0e8ad14Thanks @robbie-c! - Stamp the current hostname as$snapshot_hoston every$snapshotevent the session recorder sends. The value is derived from the page URL after it passes through the existing replay URL masking pipeline (maskCapturedNetworkRequestFn/ deprecatedmaskNetworkRequestFn, hash stripping, personal-data query-param masking), so it cannot bypass a customer's masking config. When masking removes the URL or the masked result doesn't parse as a URL, the property is omitted entirely. This gives ingestion consumers a per-message host signal even for mid-session snapshot batches that contain no URL-bearing events.(2026-07-15)
v1.401.0Compare Source
1.401.0
Minor Changes
800af7cThanks @pauldambra! - feat: addsession_recording.attributeFilteroption that passes an attribute allowlist through to the native MutationObserver, so mutations to unlisted attributes (e.g. animation-driven inlinestylechurn) never cost recording CPU (port of upstream rrweb #1873)(2026-07-15)
Patch Changes
800af7c]:v1.400.1Compare Source
1.400.1
Patch Changes
6dd8827Thanks @lucasheriques! - chore: survey seen-key and repeat-activation helpers now live in @posthog/core, shared by the web and React Native SDKs. Core's survey enums are now const-object literal unions (matching the web SDK's existing pattern), so the same values type-check across both SDKs. No behavior change. Type-level note: enum members no longer work as standalone type annotations (e.g.SurveyType.Popoveras a type); use the exported union types instead. Runtime values are unchanged.(2026-07-14)
6dd8827]:v1.400.0Compare Source
1.400.0
Minor Changes
dc2aa5bThanks @posthog! - Normalize the error tracking rate-limiter config to first-class options. The browser SDK now readsexceptionRateLimiterRefillRate/exceptionRateLimiterBucketSizeonerror_tracking, with the previous double-underscore__exceptionRateLimiterRefillRate/__exceptionRateLimiterBucketSizeoptions deprecated but still honoured as a fallback. The option shape (ExceptionRateLimiterConfig) and default-resolution logic (resolveExceptionRateLimiterConfig) now live in@posthog/coreand are shared between the browser and Node SDKs.(2026-07-14)
Patch Changes
1eabd30Thanks @turnipdabeets! - HandlesendBeaconquota rejections instead of silently dropping events. A beacon rejected by the browser (over the page's shared ~64KiB in-flight keepalive quota) is now split in half and re-sent recursively so the batch delivers as far as the quota allows; a rejected payload that cannot be split falls back to a non-keepalive fetch and logs a warning. Previously the boolean return ofsendBeaconwas ignored and an over-quota unload batch was lost with no signal.(2026-07-14)
dc2aa5b]:v1.399.5Compare Source
1.399.5
Patch Changes
#4134
ab10064Thanks @posthog! - Bound autocapture's DOM ancestor walks against abnormal host-page DOM trees.autocapturePropertiesForElementandshouldCaptureElementnow stop climbing theparentNodechain after 1000 ancestors or if they revisit a node (only possible when a page patchesparentNode, since native DOMs cannot contain cycles), instead of walking indefinitely. WhenshouldCaptureElementcannot finish checking ancestors forph-no-capture/ph-sensitive, it fails closed and reports the element as not capturable. Behavior on normal DOM trees is unchanged.(2026-07-14)
#4141
17d956cThanks @posthog! - Log network-level fetch failures from posthog-js's own request layer (ad blocker, dropped connection, CORS, page teardown) atwarninstead oferror. The browser rejects these with a genericTypeError(Failed to fetch, Firefox'sNetworkError..., or Safari'sLoad failed); they are already caught and retried by the request queue, so they are expected noise rather than SDK errors —_fetchnow gives them the samewarntreatment as our own timeout aborts. Genuine, unexpected errors still log aterror.(2026-07-14)
v1.399.4Compare Source
1.399.4
Patch Changes
7c339beThanks @turnipdabeets! - Encode uncompressedsendBeaconbodies as base64 form data so the beacon keeps a CORS-simple content type. Previously an uncompressed unload beacon was sent asapplication/json, which forces a CORS preflight — a preflight cannot complete while the page unloads, so on cross-origin hosts the browser silently dropped the POST and the final batch of events was lost. Compression is inactive whenever the remote config request fails (flaky network, blocked endpoint), when the config response omitssupportedCompression, or withdisable_compression: true.(2026-07-13)
v1.399.3Compare Source
1.399.3
Patch Changes
4ebb618Thanks @mikenicholls88! - MakejsonStringifycircular-safe so event serialization never throws. Previously a captured property holding a circular value — most commonly a DOM node that retains a React fiber pointing back at the element — madeJSON.stringifythrowConverting circular structure to JSON; withcapture_exceptionsenabled that throw was recaptured as a new$exception, at times in a loop. On a throw we now fall back tosafeJsonStringifyfrom@posthog/core. The fast (non-circular) path is unchanged, and only true cycles become"[Circular]", so shared-but-acyclic references keep their real values.(2026-07-13)
v1.399.2Compare Source
1.399.2
Patch Changes
f630394Thanks @posthog! - Fix aRangeError: Maximum call stack size exceededoriginating from the shared rrwebpatch()helper. It patches shared globals such asElement.prototype.attachShadow(shadow-dom-manager) and the DOM/canvas observers, so multiple recorder instances or repeated start/stop cycles wrap the same global more than once. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated cycles grew the wrapper chain without bound until a real call walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable per-layer link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Recording behavior is unchanged. This applies the same fix as #4063 (fetch/XHR) to the shared helper so every rrweb-record caller inherits the bounded-chain behavior.(2026-07-10)
v1.399.1Compare Source
v1.399.0Compare Source
1.399.0
Minor Changes
#4115
86bb3a5Thanks @DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alphaA statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to
/i/v1/metrics— one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:Configure via
metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)Patch Changes
86bb3a5]:v1.398.7Compare Source
1.398.7
Patch Changes
#4113
45f17eeThanks @TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removedFollow-up to the shadow-observer iframe-teardown fix:
takeFullSnapshot'sonSerializeregisters every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot).addShadowRootnow derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)v1.398.6Compare Source
1.398.6
Patch Changes
c75c0baThanks @hpouillot! - fix: avoid throwing when rrweb recorder cleanup cannot remove a listener(2026-07-08)
v1.398.5Compare Source
1.398.5
Patch Changes
be8242aThanks @rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includesdist/toolbar/(with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonicaltoolbar.js/toolbar.csslayout. This is a no-op against today's single-file build.(2026-07-08)
v1.398.4Compare Source
v1.398.3Compare Source
1.398.3
Patch Changes
#4112
38bb185Thanks @TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardownThe single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.