Update dependency posthog-js to v1.380.0#3547

Open
renovate[bot] wants to merge 1 commit into main from renovate/posthog-js-1.x-lockfile

@renovate renovate Bot commented May 4, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change | Age | Confidence
posthog-js (source) | 1.239.0 → 1.380.0 | age | confidence

Release Notes

PostHog/posthog-js (posthog-js)

v1.380.0

Compare Source

1.380.0

Minor Changes
  • #​3715 2387084 Thanks @​dustinbyrne! - Promote browser tracing header configuration to the public tracing_headers option while keeping addTracingHeaders and __add_tracing_headers as deprecated aliases.
    (2026-06-04)
Patch Changes

v1.379.3

Compare Source

1.379.3

Patch Changes
  • #​3741 32de5d2 Thanks @​clr182! - logs: the console-log integration now respects opt_out_capturing() — it checks is_capturing() before emitting, so log events stop on opt-out (and resume on opt-in).
    (2026-06-04)
  • Updated dependencies []:

v1.379.2

Compare Source

1.379.2

Patch Changes
  • #​3736 374962a Thanks @​arnohillen! - replay: re-apply scroll positions after fast-forward/seek. Scrolls applied mid-catch-up could clamp to 0 when the target wasn't scrollable yet (e.g. scroll-revealed sheets/modals whose content sits below the fold), leaving the content scrolled out of view on replay. The last scroll per node is now re-applied in the flush stage once layout has settled. posthog-js is bumped too so the rebuilt bundle containing the fix is published.
    (2026-06-03)
  • Updated dependencies []:

v1.379.1

Compare Source

1.379.1

Patch Changes
  • #​3570 4a27ced Thanks @​gruessi! - fix(record): release iframe documents and observers on iframe removal — same-origin iframes mounted and unmounted while session recording is active no longer leak their Document, every node serialized into the mirror, or one MutationObserver per mount. Closes eight retainer chains: load-listener disposers, named pagehide handlers, the recordCrossOriginIframes cleanup gate (now applied to same-origin too), captured Document / Window sets that survive iframe.src swap-to-about:blank before removal, and the global mutationBuffers[] / handlers[] arrays which previously accumulated forever. Validated end-to-end: a host page that mounts/unmounts 5 blob-URL iframes every 2s for 110s went from +118 MB / +390 leaked HTMLDocuments to ~0 MB / 0.
    (2026-06-03)

  • #​3717 1688b38 Thanks @​turnipdabeets! - Move the OpenTelemetry logs dependencies to devDependencies. They are only used to build the CDN-served logs extension chunk, which inlines them, so consumers no longer install the transitive protobufjs (whose eval("require") tripped unsafe-eval Content Security Policies).

    If you imported @opentelemetry/* directly while relying on it being hoisted from posthog-js, add it to your own dependencies. (2026-06-03)

  • Updated dependencies []:

v1.379.0

Compare Source

1.379.0

Minor Changes
Patch Changes

v1.378.1

Compare Source

1.378.1

Patch Changes

v1.378.0

Compare Source

1.378.0

Minor Changes
  • #​3688 8181354 Thanks @​pauldambra! - feat(persistence): add persistence_save_debounce_ms config option to coalesce rapid storage saves into a single write. Setting a positive value debounces writes to localStorage/cookie by that window; the in-memory props object still updates synchronously so within-tab reads see the latest values immediately, and pending writes flush on beforeunload and pagehide so no state is lost on tab close. Cross-tab storage events are reduced proportionally to the debounce window. Defaults to 0 (no debouncing) for backwards compatibility. On pages that capture many events per second, 250 is a reasonable starting point. The new 2026-05-30 config default opts into persistence_save_debounce_ms: 250 automatically.
    (2026-06-01)
Patch Changes

v1.377.0

Compare Source

1.377.0

Minor Changes
  • #​3708 3d4a76f Thanks @​pauldambra! - Detect Brave (desktop, Android, iOS), Vivaldi, Yandex, Naver Whale, DuckDuckGo, Pale Moon, and Waterfox so users on these browsers no longer get bucketed as Chrome or Firefox.

    detectBrowser / detectBrowserVersion now accept an optional third argument, BrowserDetectionHints, with a brave flag (set when navigator.brave exists). The browser SDK populates this automatically to catch desktop / Android Brave, which is Chromium-based and carries no UA marker. Brave on iOS is picked up purely from the Brave/ UA marker — WebKit doesn't ship navigator.brave. The original two-argument signature still works for non-DOM callers. (2026-06-01)

Patch Changes

v1.376.6

Compare Source

1.376.6

Patch Changes
  • #​3687 663e250 Thanks @​pauldambra! - fix(persistence): skip the storage write when the serialized props are unchanged. Callers spam save() after every property change, and many of those changes leave the serialized payload identical (e.g. resetting a value to its current value). Writing identical bytes to localStorage still fires a cross-tab storage event in every same-origin tab, where Chrome allocates the payload buffer in mojo IPC even though no listener reacts. Now save() compares the serialized payload against the last successful write and bails out when nothing changed.
    (2026-05-31)
  • Updated dependencies []:

v1.376.5

Compare Source

1.376.5

Patch Changes
  • #​3686 66cbc59 Thanks @​pauldambra! - fix(persistence): throttle session-activity timestamp writes to a 5s granularity. The in-memory value still moves at full resolution; only writes to localStorage/cookie are coalesced. Activity-timestamp-only updates within the granularity window are skipped, dropping localStorage write pressure and cross-tab storage event broadcasts on pages that capture many events per second. The pending in-memory value is flushed on destroy and beforeunload so a tab close inside the window does not leave the persisted value up to 5s stale for sibling tabs. The flush re-reads storage first and bails out if a sibling tab has rotated the session, so the flush cannot clobber the new session with the old id/start.
    (2026-05-31)
  • Updated dependencies [d9ad199]:

v1.376.4

Compare Source

1.376.4

Patch Changes
  • #​3685 f59f35a Thanks @​ioannisj! - fix(cookieless): enable request queue when opting out in on_reject mode. When using cookieless_mode: "on_reject", calling opt_out_capturing() correctly switched the SDK into cookieless capturing but never enabled the RequestQueue — so batched events were enqueued but never flushed over the network. At init time the queue was not started because consent was PENDING and is_capturing() returned false; opt_out_capturing() is the first moment capturing becomes active but was missing the _start_queue_if_opted_in() call that opt_in_capturing() already had.
    (2026-05-28)

  • #​3692 f01cd93 Thanks @​ksvat! - fix(replay): take a fresh full snapshot after session ID rotates via forcedIdleReset. Previously, when the session manager's idle enforcement timer rotated the session id, the recorder tore down rrweb and set _isIdle = 'unknown' before the new session id was observed. Neither restart path then fired (the _onSessionIdCallback guard only restarted when _isIdle === true, and _updateWindowAndSessionIds could not run with rrweb stopped), so the new session received only incremental mutations until a later snapshot — leaving the player stuck on "Buffering". The restart guard now also fires when rrweb isn't running.
    (2026-05-28)

  • #​3691 cc71f3f Thanks @​ksvat! - fix(replay): ship ph-no-capture absolute-position fix from #​3678 to posthog-js. The original changeset only bumped @posthog/rrweb and @posthog/rrweb-snapshot; because posthog-js depends on @posthog/rrweb via workspace:*, the cascade did not bump posthog-js, so the rebuilt bundle containing the fix was not published. This changeset re-publishes posthog-js with the fix.
    (2026-05-28)

  • #​3695 e1ff722 Thanks @​ksvat! - chore(replay): expose $sdk_debug_rrweb_attached and $sdk_debug_rrweb_start_attempted debug properties on captured events. Today the SDK already stamps several $sdk_debug_* properties (start reason, linked-flag trigger status, recording status) that report the SDK's intent to record — they all flip to "active" as soon as the state machine evaluates the configured triggers. None of them observe whether rrweb actually attached and is producing events. The new booleans close that gap: $sdk_debug_rrweb_start_attempted is set when _startRecorder() is first entered, and $sdk_debug_rrweb_attached reflects whether _stopRrweb is currently a non-falsy stop handle (i.e. rrwebRecord({...}) returned successfully and the recorder has not been torn down). No behavior change — this only adds two booleans to the existing sdkDebugProperties channel, used to diagnose cases where a session reports trigger_activated / recording_status: active but no $snapshot data is ever uploaded.
    (2026-05-28)

  • Updated dependencies [7b84b75]:

v1.376.3

Compare Source

1.376.3

Patch Changes

v1.376.2

Compare Source

1.376.2

Patch Changes
  • #3667 cafa9cc Thanks @pauldambra! - fix(replay): stop polling preload-as-style <link> elements forever. Session recorder treated <link rel="preload" as="style" href="*.css"> as if it were a stylesheet and waited for link.sheet to populate. Per spec preload links never instantiate a CSSStyleSheet, so the wait timed out, re-serialized the link, scheduled another wait, and leaked a load listener on every cycle — multiplying further on every real load event. Pages with Next.js-style CSS preloads accumulated thousands of active polling chains, saturating the main thread and freezing the tab on refocus.
    (2026-05-26)
  • Updated dependencies []:

v1.376.1

Compare Source

1.376.1
Patch Changes

v1.376.0

Compare Source

1.376.0

Minor Changes
  • #3655 6e8d349 Thanks @arnaudhillen! - Expose the in-repo @posthog/rrweb, @posthog/rrweb-types, and @posthog/rrweb-plugin-console-record packages as subpath entry points on posthog-js. Consumers can now import { Replayer } from 'posthog-js/rrweb', import type { eventWithTime } from 'posthog-js/rrweb-types', and import { LogLevel } from 'posthog-js/rrweb-plugin-console-record' instead of installing the underlying rrweb packages directly. The rrweb worker sourcemap (image-bitmap-data-url-worker-*.js.map) is also shipped from posthog-js/dist/ so downstream bundlers no longer need to reach into node_modules/@posthog/rrweb.
    (2026-05-22)
Patch Changes

v1.375.0

Compare Source

1.375.0

Minor Changes
  • #​3641 2e1d5f4 Thanks @​dustinbyrne! - Add flag_keys config to restrict browser feature flag remote evaluation to specific flag keys.
    (2026-05-21)
Patch Changes

v1.374.4

Compare Source

1.374.4

Patch Changes
  • #​3638 87e2145 Thanks @​marandaneto! - Apply tracing headers to matching XMLHttpRequest requests
    (2026-05-21)

  • #​3646 4f87827 Thanks @​marandaneto! - Avoid throwing or initializing PostHogProvider when no API key or client is provided
    (2026-05-21)

  • #​3645 280832b Thanks @​TueHaulund! - Capture <link rel="stylesheet"> URLs from link.sheet.href and try link.sheet directly for inlining, so recordings survive SPA history.pushState navigations between routes of different path depths (where link.href re-resolves against a new baseURI but link.sheet.href preserves the URL the browser actually fetched).

    Ships the fix landed in #​3635, which only bumped the internal @posthog/rrweb-snapshot package — that package is bundled into posthog-js at build time but is not published to npm on its own, so a posthog-js bump is needed to actually deliver the change. (2026-05-21)

  • Updated dependencies []:

v1.374.3

Compare Source

1.374.3

Patch Changes

v1.374.2

Compare Source

1.374.2

Patch Changes
  • #​3550 df91995 Thanks @​TueHaulund! - Preserve session-recording remote config across posthog.reset().

    posthog.reset() was clearing the entire persistence store, which wiped
    $session_recording_remote_config along with user state. On the next session
    rotation triggered by the reset, start('session_id_changed') would early-return
    because the remote config was missing — leaving rrweb torn down and the new
    session opening with no Meta + FullSnapshot until the next periodic 5-minute
    checkout.

    This affected any flow where an app calls posthog.reset() mid-session
    (e.g. on sign-out / sign-in) and was particularly visible on Flutter Web
    recordings that depend on a fresh FullSnapshot to anchor the CanvasKit DOM. (2026-05-18)

  • Updated dependencies []:

v1.374.1

Compare Source

1.374.1

Patch Changes

v1.374.0

Compare Source

1.374.0

Minor Changes
  • #​3620 594ea11 Thanks @​pauldambra! - Dead clicks: add a .ph-no-deadclick CSS class (and capture_dead_clicks.css_selector_ignorelist config option) to exclude specific elements from dead-click detection without affecting autocapture, session replay, or heatmaps. Mirrors the existing .ph-no-rageclick pattern.
    (2026-05-18)
Patch Changes
  • #​3621 3c0a09f Thanks @​pauldambra! - Dead clicks: a click on an <a> (or any element inside an <a>, including across shadow DOM) is no longer flagged as a dead click — the browser navigates / downloads / opens a new window and we can't observe that. Reuses autocapture's existing DOM walker for the ancestor walk. Direct clicks on <button>, <input>, <select>, <textarea>, <label>, and <form> (previously all skipped) are now eligible for dead-click detection: if their JS handler ran, the existing mutation / scroll / selection observers see the effect; if it didn't, dead-click correctly surfaces the bug. A broken <button> with no handler, or an <svg> icon inside one, will now flag — which is exactly the dead-click case we want to catch.
    (2026-05-18)
  • Updated dependencies [594ea11]:

v1.373.5

Compare Source

1.373.5

Patch Changes
  • #​3613 221973e Thanks @​lucasheriques! - Surveys: submit open text questions with Cmd/Ctrl+Enter. The textarea still inserts a newline on plain Enter (native behaviour), matching the convention used by Slack, GitHub, Discord, and ChatGPT for multi-line inputs. Single-line "Other:" inputs continue to submit on plain Enter as before.
    (2026-05-15)
  • Updated dependencies []:

v1.373.4

Compare Source

1.373.4

Patch Changes

v1.373.3

Compare Source

1.373.3

Patch Changes

v1.373.2

Compare Source

1.373.2

Patch Changes

v1.373.1

Compare Source

1.373.1

Patch Changes

v1.373.0

Compare Source

1.373.0

Minor Changes
Patch Changes

v1.372.10

Compare Source

1.372.10

Patch Changes
  • #​3544 d120042 Thanks @​ksvat! - fix: stop session recording before destroying sessionManager in opt_out_capturing() with cookieless_mode: "on_reject". Previously, queued/throttled rrweb events (e.g. mousemove) could fire after the sessionManager was set to undefined and throw [SessionRecording] must be started with a valid sessionManager. Also adds a defensive early-return in onRRwebEmit so any remaining late events bail out instead of throwing.
    (2026-05-07)

  • #​3542 94a5ba0 Thanks @​TueHaulund! - Preserve <style> textContent when the browser's CSSOM serialization would
    emit empty longhands from var() inside a shorthand. When a stylesheet has
    e.g. padding: var(--p); padding-bottom: var(--pb);, browsers store the
    shorthand's longhands with empty token lists per the CSS Custom Properties
    spec, and CSSStyleRule.cssText re-emits them as padding-top: ; padding-right: ; padding-left: ;. The previous behavior replaced the
    <style> text with that corrupted output, silently dropping layout rules
    on replay. We now detect the empty-longhand pattern and keep the original
    textContent in that case. Affects users of any CSS-in-JS framework that
    combines var() with shorthands (Chakra UI v3, Panda CSS, Emotion, etc.).
    Same class of bug as rrweb-io/rrweb#1667. (2026-05-07)

  • Updated dependencies []:

v1.372.9

Compare Source

1.372.9
Patch Changes
  • #​3537 026e09d Thanks @​TueHaulund! - Pull in the canvas-manager fix from @posthog/rrweb 0.0.61: skip canvas
    snapshots while the WebGL context is lost so transparent bitmaps don't
    poison the worker's fingerprint dedup map and silently kill canvas
    recording for the rest of the session. Also wraps getCanvas() in
    try/catch so DOM/shadow-root traversal errors can't cancel the rAF
    loop. See PR #​3527 for context. (2026-05-05)
  • Updated dependencies []:

v1.372.8

Compare Source

1.372.8
Patch Changes

v1.372.7

Compare Source

1.372.7
Patch Changes

v1.372.6

Compare Source

1.372.6
Patch Changes

v1.372.5

Compare Source

1.372.5

Patch Changes

v1.372.4

Compare Source

1.372.4

Patch Changes

v1.372.3

Compare Source

1.372.3
Patch Changes

v1.372.2

Compare Source

1.372.2
Patch Changes

v1.372.1

Compare Source

1.372.1

Patch Changes

v1.372.0

Compare Source

1.372.0

Minor Changes
Patch Changes

v1.371.4

Compare Source

1.371.4

Patch Changes

v1.371.3

Compare Source

1.371.3

Patch Changes

v1.371.2

Compare Source

1.371.2

Patch Changes
  • #​3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the
    upcoming React Native logs feature consumes the same builders. Browser gains
    two fixes as a side effect: NaN and ±Infinity attribute values no longer get
    silently dropped during JSON encoding, and the scope.version OTLP field is
    now populated with the SDK version (changes the server's instrumentation_scope
    column from "posthog-js@" to "posthog-js@"). (2026-04-23)
  • Updated dependencies [96f19b7]:

v1.371.1

Compare Source

1.371.1

Patch Changes
  • #​3425 2da17e8 Thanks @​marandaneto! - Classify SDK-owned persistence keys with an explicit event exposure policy so new internal persistence state must be intentionally marked as event-visible, hidden, or derived.
    (2026-04-23)
  • Updated dependencies []:

v1.371.0

Compare Source

1.371.0

Patch Changes
  • #​3432 1a8b727 Thanks @​richardsolomou! - refactor: rename __add_tracing_headers to addTracingHeaders. The __ prefix signalled an internal/experimental option, but the config is a public API (documented for linking LLM traces to session replays). __add_tracing_headers continues to work as a deprecated alias on the browser SDK.

    Also exposes patchFetchForTracingHeaders from @posthog/core so non-browser SDKs can reuse the implementation. (2026-04-23)

  • Updated dependencies [1a8b727]:

v1.370.1

Compare Source

1.370.1

Patch Changes

v1.370.0

Compare Source

1.370.0

Minor Changes
Patch Changes

v1.369.5

Compare Source

1.369.5

Patch Changes

v1.369.4

Compare Source

1.369.4

Patch Changes

v1.369.3

Compare Source

1.369.3

Patch Changes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone US/Eastern)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
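
A check a reviewer can run on the updated lockfile to confirm the 1.379.1 dependency change, as an added example (not part of this PR or of posthog-js): it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3, an assumption, since the page does not show the lockfile) and returns the chain by which `posthog-js` pulls in `protobufjs`, if any. The two sample lockfiles, their version strings, and the package names `@opentelemetry/example-logs` and `example-grpc-tool` are constructed.

```javascript
// Resolve `name` as required from the package installed at `fromPath`, using
// Node's lookup order: the package's own node_modules, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first search over runtime edges (dependencies + optionalDependencies).
// Returns the shortest chain of package names from startName to targetName,
// or null when targetName is not reachable from startName.
function findChain(lock, startName, targetName) {
  const packages = lock.packages || {};
  const start = resolveDep(packages, '', startName);
  if (!start) return null;
  const nameOf = (p) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
  const queue = [[start]];
  const seen = new Set([start]);
  while (queue.length > 0) {
    const chain = queue.shift();
    const here = chain[chain.length - 1];
    const entry = packages[here];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, here, dep);
      if (!resolved || seen.has(resolved)) continue;
      const next = chain.concat(resolved);
      if (dep === targetName) return next.map(nameOf);
      seen.add(resolved);
      queue.push(next);
    }
  }
  return null;
}

// Constructed "before" lockfile: a logs package is a runtime dependency of
// posthog-js and carries its own nested copy of protobufjs.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'posthog-js': '^1.0.0' } },
  'node_modules/posthog-js': { version: '1.379.0',
    dependencies: { '@opentelemetry/example-logs': '^0.0.0' } },
  'node_modules/@opentelemetry/example-logs': { version: '0.0.0',
    dependencies: { protobufjs: '^0.0.0' } },
  'node_modules/@opentelemetry/example-logs/node_modules/protobufjs': { version: '0.0.0' },
} };

// Constructed "after" lockfile: protobufjs is still installed, but only
// through an unrelated package, so posthog-js no longer reaches it.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'posthog-js': '^1.0.0', 'example-grpc-tool': '^0.0.0' } },
  'node_modules/posthog-js': { version: '1.380.0',
    dependencies: { '@posthog/core': '^0.0.0' } },
  'node_modules/@posthog/core': { version: '0.0.0' },
  'node_modules/example-grpc-tool': { version: '0.0.0',
    dependencies: { protobufjs: '^0.0.0' } },
  'node_modules/protobufjs': { version: '0.0.0' },
} };

console.log('before:', findChain(LOCK_BEFORE, 'posthog-js', 'protobufjs'));
console.log('after: ', findChain(LOCK_AFTER, 'posthog-js', 'protobufjs'));
```

A `null` result for `posthog-js` does not mean `protobufjs` is absent from the install; as the second sample shows, another package can still bring it in, which matters if the goal is a Content Security Policy without `unsafe-eval`.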

github-actions Bot commented May 4, 2026


OpenAPI Changes

## Changes for v0.yaml:
No changes detected

## Changes for v1.yaml:
No changes detected

## Changes for v2.yaml:
No changes detected

Unexpected changes? Ensure your branch is up-to-date with main (consider rebasing).

@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 10 times, most recently from 381de3e to ad5528e Compare May 7, 2026 18:47
@renovate renovate Bot changed the title Update dependency posthog-js to v1.372.6 Update dependency posthog-js to v1.372.8 May 7, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 5 times, most recently from 00c93ac to ae051f4 Compare May 10, 2026 23:07
@renovate renovate Bot changed the title Update dependency posthog-js to v1.372.8 Update dependency posthog-js to v1.372.10 May 10, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from ae051f4 to f998cce Compare May 19, 2026 14:39
@renovate renovate Bot changed the title Update dependency posthog-js to v1.372.10 Update dependency posthog-js to v1.373.5 May 19, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from f998cce to 545adf4 Compare May 21, 2026 15:58
@renovate renovate Bot changed the title Update dependency posthog-js to v1.373.5 Update dependency posthog-js to v1.374.0 May 21, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from 545adf4 to ebafd75 Compare May 21, 2026 18:57
@renovate renovate Bot changed the title Update dependency posthog-js to v1.374.0 Update dependency posthog-js to v1.374.1 May 21, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from ebafd75 to 488b3e9 Compare May 21, 2026 20:25
@renovate renovate Bot changed the title Update dependency posthog-js to v1.374.1 Update dependency posthog-js to v1.374.2 May 21, 2026
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch 2 times, most recently from 7b981c1 to c2d1146 Compare May 22, 2026 10:18
@renovate renovate Bot force-pushed the renovate/posthog-js-1.x-lockfile branch from c2d1146 to 8ea19aa Compare June 7, 2026 20:06
@renovate renovate Bot changed the title Update dependency posthog-js to v1.374.2 Update dependency posthog-js to v1.380.0 Jun 7, 2026