fix(deps): update dependency posthog-js to v1.393.5

[ZxBot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
posthog-js (source)	1.379.0 → 1.393.5

---

Release Notes

PostHog/posthog-js (posthog-js)

v1.393.5

Compare Source

1.393.5

Patch Changes

• #​3960 619d318 Thanks @​marandaneto! - Improve console log capture performance for truncated large objects.
  (2026-06-25)

v1.393.4

Compare Source

1.393.4

Patch Changes

• #​3942 c9c8925 Thanks @​hpouillot! - Fix browser console log capture when session activity timestamps are missing and refresh session attributes for each log.
  (2026-06-24)
• Updated dependencies [c9c8925]:
  • @​posthog/core@​1.37.2

v1.393.3

Compare Source

1.393.3

Patch Changes

• #​3945 f94deaf Thanks @​ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method
  (2026-06-24)

v1.393.2

Compare Source

1.393.2

Patch Changes

• #​3944 1c9a811 Thanks @​ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags.
  (2026-06-24)

v1.393.1

Compare Source

1.393.1

Patch Changes

• #​3919 99bad9c Thanks @​pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody.
  (2026-06-24)
• Updated dependencies [99bad9c]:
  • @​posthog/types@​1.391.1

v1.393.0

Compare Source

1.393.0

Minor Changes

• #​3921 c28b161 Thanks @​marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview $current_url.

  If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)

Patch Changes

• Updated dependencies [c28b161]:
  • @​posthog/core@​1.36.0
  • @​posthog/types@​1.391.0

v1.392.0

Compare Source

1.392.0

Minor Changes

• #​3895 ce528ed Thanks @​turnipdabeets! - Console log auto-capture (logs: { captureConsoleLogs: true }) now flows through the same pipeline as posthog.captureLog(), posthog.logger.*, and PostHog's other SDKs, instead of OpenTelemetry. As a result:

  • the bundled OpenTelemetry dependencies are removed, shrinking the lazily-loaded logs chunk
  • auto-captured console logs now run through logs.beforeSend (the same hook as captureLog/logger.*), so you can redact or drop sensitive console output before it's sent. To treat console logs differently from manual logs, branch on the record's log.source attribute: auto-captured console logs set it to console.<method> (e.g. console.error), while manual captureLog/logger.* logs leave it unset
  • console logs now link to the person's profile: they carry the person id as posthogDistinctId, the attribute PostHog uses to associate logs with a person (docs). The old path used distinct_id, which isn't used for person linking by default, so console logs previously didn't appear on person profiles unless you'd configured a custom key.

  Console logs keep their posthog-browser-logs service.name, their console instrumentation scope, and their log.source: console.<level> attribute.

  As part of moving onto the shared pipeline, console records now use PostHog's standard log field names — the same ones programmatic web logs and other SDKs use, and the ones the Logs UI surfaces. For the fields below the values are unchanged — only the attribute names/locations differ:

  • distinct_id → posthogDistinctId (record attribute)
  • location.href → url.full (record attribute; same value — the page URL)
  • session.id (resource attribute) → sessionId (record attribute) — renamed and moved
  • host and window.id move from resource attributes to record attributes (names unchanged)
  • records also now carry the standard SDK context shared by other logs, including feature_flags

  For most projects this needs no action — these are already the canonical log fields. The only thing to update is a saved Logs query or dashboard built specifically on an old console attribute name, for example:

  • attributes.distinct_id → attributes.posthogDistinctId
  • attributes.location.href → attributes.url.full
  • resource.attributes.session.id → attributes.sessionId
  • resource.attributes.host / resource.attributes.window.id → attributes.host / attributes.window.id (2026-06-22)

Patch Changes

• Updated dependencies [ce528ed]:
  • @​posthog/core@​1.35.4

v1.391.9

Compare Source

1.391.9

Patch Changes

• #​3922 26aa9ba Thanks @​posthog! - Exception autocapture: posthog-js's own fetch timeout now aborts with an explicit, descriptive reason (PostHog request timed out after <n>ms) instead of a reason-less DOMException: AbortError: signal is aborted without reason. This keeps name === 'AbortError' so existing timeout handling (e.g. feature flag timeout detection) is unchanged, but makes our own timeouts identifiable and stops them being re-captured as noise by console-error exception autocapture.
  (2026-06-22)

v1.391.8

Compare Source

1.391.8

Patch Changes

• #​3908 1fce04f Thanks @​marandaneto! - Apply CSP stylesheet preparation hook to Product Tours styles.
  (2026-06-22)

v1.391.7

Compare Source

1.391.7

Patch Changes

• #​3914 dac4edb Thanks @​pauldambra! - Session replay network capture: redact credential-bearing headers on both request and response (previously only request), and match credential-shaped custom header names by substring (e.g. x-gist-encoded-user-token) in addition to the exact deny list - avoiding accidental capture of tokens/cookies in recordings.
  (2026-06-22)

v1.391.6

Compare Source

1.391.6

Patch Changes

• #​3901 049eeb6 Thanks @​marandaneto! - Stop adding the unused beacon query parameter to browser SDK sendBeacon requests.
  (2026-06-22)

• #​3900 3ee8667 Thanks @​marandaneto! - Stop adding the unused ip query parameter to browser SDK requests.
  (2026-06-22)

v1.391.5

Compare Source

1.391.5

Patch Changes

• #​3915 beaccc3 Thanks @​pauldambra! - Session replay: apply the existing base64 image size cap (maxBase64ImageLength) to SVG <image> elements with data: URIs on both href and xlink:href. Previously the cap only covered <img> elements, so large inline data URIs inside SVGs were recorded in full - this also covers them in mutations, replacing oversized ones with the striped placeholder.
  (2026-06-22)

v1.391.4

Compare Source

1.391.4

Patch Changes

• #​3913 ee9f2a8 Thanks @​pauldambra! - Session replay network capture: expand the default payload host deny list to skip third-party analytics, RUM, and session-replay telemetry whose payloads have no replay value - Datadog, Segment, RudderStack, Amplitude, Mixpanel, Hotjar (both .com and .io), and FullStory. Also covers both Google Analytics beacon hosts (google-analytics.com, plus analytics.google.com which gtag uses when Google Signals is enabled) and widens New Relic to nr-data.net.
  (2026-06-22)

v1.391.3

Compare Source

1.391.3

Patch Changes

• #​3909 ab4a220 Thanks @​marandaneto! - Avoid style-src-attr CSP violations when diffing rrweb style mutations.
  (2026-06-22)

• #​3912 78ac40c Thanks @​pauldambra! - Session replay network capture: never record binary/asset response or request bodies (image, video, audio, font, octet-stream, pdf, zip, wasm) even when recordBody is enabled - they bloat recordings, duplicate what the replay already shows, and the body is no longer read.
  (2026-06-22)

v1.391.2

Compare Source

1.391.2

Patch Changes

• #​3903 6b21f77 Thanks @​marandaneto! - Validate custom event UUID overrides and generate new UUIDs when invalid.
  (2026-06-19)
• Updated dependencies [6b21f77]:
  • @​posthog/core@​1.35.3
  • @​posthog/types@​1.390.2

v1.391.1

Compare Source

1.391.1

Patch Changes

• #​3899 d090a7c Thanks @​lucasheriques! - Surveys: re-check eligibility when a popover's display delay elapses, instead of only re-checking the URL.

  A survey with a display delay could be queued while a visitor was still anonymous (the targeting flag passed for the anonymous profile), and then displayed after the delay even though identify() had reloaded feature flags and the survey's internal targeting flag was now false for the identified profile (e.g. a "show once per user" survey the person had already dismissed). The delayed display now re-runs the full display predicate (eligibility, URL/device/selector conditions, event/action trigger, and feature flags) before rendering, so a survey that became ineligible during the delay is no longer shown. Pending delayed surveys are also cancelled promptly when a later evaluation cycle finds them ineligible. (2026-06-19)

v1.391.0

Compare Source

1.391.0

Minor Changes

• #​3885 5392a55 Thanks @​pauldambra! - feat(replay): capture canvas at reduced resolution

  Adds session_recording.canvasCapture.resolutionScale - a (0, 1] fraction of the canvas display size to capture replay frames at. The captured bitmap is downscaled (pixel-area savings are quadratic) while the canvas's true display size is still recorded, so playback stretches the smaller frame back to the correct dimensions and aspect ratio - only sharpness drops, never layout. It defaults to 1 (full resolution, matching today's behaviour), and the latest defaults bundle (2026-05-30) opts new installs into 0.6.

  The canvas's true display size travels with each frame through the encode worker (as required message fields), so the encoded reply is always drawn back to the correct dimensions — no per-canvas state is retained on the main thread, and downscaling can never mislabel a canvas's dimensions. At full resolution the captured pixels are unchanged (the quality resampling hint is only applied when actually downscaling); the emitted drawImage now always uses the explicit destination-size form, which is pixel-equivalent on replay.

  Mechanically, @posthog/rrweb's canvas FPS-snapshot observer takes an optional canvasResolutionScale record option and downscales each captured frame accordingly. (2026-06-19)

Patch Changes

• Updated dependencies [5392a55]:
  • @​posthog/types@​1.390.1

v1.390.2

Compare Source

1.390.2

Patch Changes

• #​3868 a5dd54a Thanks @​pauldambra! - fix(replay): scope the session-recording flushed-size tracker to the session

  $sdk_debug_replay_flushed_size was stored as a single device-global value in persistence and only reset on an in-page session rotation, so it leaked across page loads and tabs and over-counted on returning visitors. The tracker now keys the running total to the current session id, so a new session starts from zero and a fresh load reading an ongoing session sees the correct total.

  The internal persistence key backing this counter ($sess_rec_flush_size) was also unintentionally attached to every captured event as a super-property; it is now marked hidden so it no longer ships on events. The value remains available on session-replay debug events as $sdk_debug_replay_flushed_size. (2026-06-17)

v1.390.1

Compare Source

1.390.1

Patch Changes

• #​3784 e25e629 Thanks @​lucasheriques! - Surveys: event-triggered surveys are now scoped to the page load the event fired in, and only persist across a page reload once they have actually been shown.

  Previously an event armed a survey by writing it to localStorage, where it stayed until shown. Because the activation survived reloads and the URL condition was only checked at display time, a survey armed by an exit-intent event (which fires as the user is leaving or reloading) could surface on a later page load with no event behind it. Activations now live in memory until the survey is shown, so an armed-but-unshown survey no longer reappears after a reload.

  Once a survey is shown it is promoted to persistence, so a non-repeatable survey survives a reload and re-displays until the user dismisses or answers it (instead of vanishing if they reload before interacting). Repeatable surveys (schedule: 'always' or "Show every time the event is captured") are still consumed when shown, so each captured trigger shows them once. Product tours follow the same model. Cross-page deferral (arm on one full page load, display on a later one) is no longer supported via event triggers; use audience targeting for that. (2026-06-17)

v1.390.0

Compare Source

1.390.0

Minor Changes

• #​3869 81b79fb Thanks @​turnipdabeets! - Add a beforeSend option to the logs config, so you can inspect, redact, or drop log records before they're sent:

  posthog.init('<token>', {
      logs: {
          beforeSend: (log) => {
              // return null to drop the log, or return the (optionally modified) log to keep it
              if (log.body.includes('password')) {
                  return null
              }
              return log
          },
      },
  })

  beforeSend accepts a single function or an array of functions (applied left to right); returning null from any of them drops the record. It runs for logs sent via both posthog.captureLog() and posthog.logger.*. (2026-06-17)

Patch Changes

• Updated dependencies [81b79fb]:
  • @​posthog/types@​1.390.0

v1.389.1

Compare Source

1.389.1

Patch Changes

• #​3875 43b4137 Thanks @​marandaneto! - Limit retries for transport failures without an HTTP response.
  (2026-06-17)

v1.389.0

Compare Source

1.389.0

Minor Changes

• #​3865 b469830 Thanks @​turnipdabeets! - The browser's programmatic logs API (posthog.captureLog() / posthog.logger.*) now runs through the shared @posthog/core logs pipeline that React Native already uses — no change to the public API or existing behavior. Log delivery is more resilient as a result: oversized batches are split automatically, failed sends retry with exponential backoff, and delivery resumes when the browser comes back online.
  (2026-06-17)

Patch Changes

• Updated dependencies [b469830]:
  • @​posthog/core@​1.35.0
  • @​posthog/types@​1.389.0

v1.388.2

Compare Source

1.388.2

Patch Changes

• #​3870 5edfee1 Thanks @​turnipdabeets! - Fix updateFlags(flags, payloads, { merge: true }) baking an active feature flag override into the stored flags. The merge now seeds from the raw stored flags rather than the override-applied values, so clearing the override afterwards correctly restores the original flag.
  (2026-06-17)

v1.388.1

Compare Source

1.388.1

Patch Changes

• #​3851 5c453cd Thanks @​marandaneto! - Apply CSP nonce preparation hooks to style and script elements appended by site apps.
  (2026-06-17)

v1.388.0

Compare Source

1.388.0

Minor Changes

• #​3863 b6bc9be Thanks @​marandaneto! - Add autocapture-only CSS selector opt-outs for web interactions.
  (2026-06-17)

Patch Changes

• Updated dependencies [b6bc9be]:
  • @​posthog/types@​1.388.0

v1.387.0

Compare Source

1.387.0

Minor Changes

• #​3709 c6c163a Thanks @​posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call.
  (2026-06-16)

Patch Changes

• #​3756 b3ec845 Thanks @​archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401.
  (2026-06-16)

• #​3860 c9c7df1 Thanks @​marandaneto! - Add $unset to capture options and pass it through in browser capture payloads.
  (2026-06-16)

• #​3855 fadaa4f Thanks @​haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged.
  (2026-06-16)

• #​3830 0d837f5 Thanks @​dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present.
  (2026-06-16)

• #​3853 f95a0ec Thanks @​TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.

  Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)

• Updated dependencies [b3ec845, c9c7df1, c6c163a]:

  • @​posthog/core@​1.33.0
  • @​posthog/types@​1.387.0

v1.386.8

Compare Source

1.386.8

Patch Changes

• #​3838 3094f73 Thanks @​TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-side any(distinct_id) attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts.
  (2026-06-15)

v1.386.7

Compare Source

1.386.7

Patch Changes

• #​3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests.
  (2026-06-15)

• #​3832 d3a9462 Thanks @​archievi! - Surveys: guard the remaining unprotected localStorage accesses (reset() and the lastSeenSurveyDate write) so a SecurityError in cross-origin iframes is swallowed instead of bubbling up to user monitoring.
  (2026-06-15)

• Updated dependencies [29bf8e3]:

  • @​posthog/core@​1.32.4
  • @​posthog/types@​1.386.4

v1.386.6

Compare Source

1.386.6

Patch Changes

• #​3804 a27b163 Thanks @​pauldambra! - fix(product-tours): drop the cached tours blob when product tours is not enabled

  Tours fetched while product tours was enabled are cached under ph_product_tours in the main persistence blob. Once product tours is disabled (remote config or the disable_product_tours option) that cache was never cleaned up, so a potentially large stale blob kept riding on every persistence write — and on every cross-tab storage event those writes broadcast. onRemoteConfig now clears the cached tours whenever product tours resolves to disabled; they are re-fetched if it is ever re-enabled. (2026-06-11)

v1.386.5

Compare Source

1.386.5

Patch Changes

• #​3801 bd06ac7 Thanks @​ksvat! - fix(replay): prevent silent recorder teardown on session-id rotation. When the session id rotates during active rrweb capture, _updateWindowAndSessionIds calls stop() then synchronously start('session_id_changed'). If stop() took the _stopAfterCompressionQueueDrains path (which fires whenever the compression queue is non-empty — common during steady recording), its async cleanup would later resolve and call _teardown() against the freshly-started recorder, stopping rrweb, removing event listeners, and emptying the V2 trigger-group matchers. From that point on, the recorder's status getter kept reporting active/sampled (the _strategy reference was still set), but rrweb was no longer producing events, no listeners were registered, and no $snapshot data reached the server — the session looked recording-eligible from event metadata yet produced no replay. start() now invalidates the compression-queue state (generation bump plus reset of the stop-in-progress flag and queued-event count), so any pending cleanup from a prior stop() bails at its existing generation check and a later stop() of the new recorder is not mistaken for the old in-progress one. Affects long-running tabs that rotate session id mid-use (idle timeout, session-past-max-length, or posthog.reset()).
  (2026-06-11)

v1.386.4

Compare Source

1.386.4

Patch Changes

• #​3767 fdc07f3 Thanks @​arnohillen! - replay: jump scrolls instantly when seeking past pages that use scroll-behavior: smooth. During fast-forward the replayer applied scrolls with behavior: 'auto', which inherits the page's CSS scroll-behavior — so on sites that set scroll-behavior: smooth (e.g. Silk bottom sheets/modals) a seeked scroll animated from 0 instead of jumping, leaving scroll-revealed content (the open sheet) out of view and showing only the backdrop until the animation caught up. Sync scrolls now use behavior: 'instant', matching the method's stated intent that smooth scrolling be disabled while fast-forwarding. Full snapshot rebuilds apply their initial offset with behavior: 'instant' too, so the document-level scroll doesn't animate either.
  (2026-06-11)

v1.386.3

Compare Source

1.386.3

Patch Changes

• #​3760 5ddfd44 Thanks @​benben! - fix(conversations): re-attach the support widget after SPA navigations that replace document.body (e.g. Turbo Drive), so the widget no longer disappears until a full page reload
  (2026-06-11)

• #​3690 dbf2377 Thanks @​pauldambra! - fix(sessionid): keep the session id stable across tabs

  A session now rotates only when every tab has been idle past the timeout, rather than whenever a single background tab decides it is idle. On the active event path an idle tab re-reads the session id from storage before rotating: if a sibling tab kept the session alive it does not rotate, and if a sibling already rotated it adopts that id instead of minting a new one. This removes spurious cross-tab session fragmentation (inflated session counts, truncated session durations, split replays). When a sibling session is adopted, onSessionId handlers fire with changeReason.crossTabAdoption: true so session recording, pageview state, and session-scoped properties follow the new session. When persistence_save_debounce_ms > 0 (the 2026-05-30 default) the refresh reads only the session-id key so it cannot clobber a sibling's write.

  Note: projects with significant multi-tab usage will see fewer but longer sessions after upgrading — this is a correction of previously over-counted sessions, not a traffic change. (2026-06-11)

• #​3795 21441a8 Thanks @​pauldambra! - fix(persistence): stop per-request metadata rewriting the split-storage entries on every load

  $feature_flag_evaluated_at, $feature_flag_request_id, and $surveys_loaded_at change on every /flags (or /surveys) load even when the flag and survey content is unchanged. With split_storage enabled that made the multi-hundred-KB __flags / __surveys localStorage entries dirty on every SPA navigation, re-broadcasting the full payload to every open same-origin tab via cross-tab storage events — the exact pressure the split exists to remove. These keys are now marked volatile: a value-only change neither dirties the group nor alters its fingerprint, so the write is skipped and the freshest value rides along on the next real content write. Adding or deleting a volatile key still writes through (presence is fingerprinted, the moving value is not), and the in-memory value is always current — only the on-disk copy may lag until the next content change. (2026-06-11)

• Updated dependencies [dbf2377]:

  • @​posthog/types@​1.386.3
  • @​posthog/core@​1.32.3

v1.386.2

Compare Source

1.386.2

Patch Changes

• Updated dependencies [25822ac]:
  • @​posthog/core@​1.32.2
  • @​posthog/types@​1.386.2

v1.386.1

Compare Source

1.386.1

Patch Changes

• #​3780 93e0461 Thanks @​dustinbyrne! - Fix stale sampled-in session replay decisions after the configured replay sample rate changes.
  (2026-06-10)

• #​3788 6da86d0 Thanks @​TueHaulund! - fix(replay): never record or flush snapshots while the sampling decision is missing

  When the stored sampling decision was wiped while the recorder was running (e.g. by posthog.reset()), the undecided session reported an active status and could leak short junk recordings from sessions that then decided not to record. Sampling decisions are now persisted tagged with the session id they were made for ('!' + sessionId when sampled out), are re-made on every session id change regardless of config availability, and a buffer is never flushed without a decision when sampling is configured. Because the decision is a deterministic hash of the session id, re-deciding never flips the outcome for the same session. This also stops a stale false decision from a previous session being inherited by a new session, which chronically under-recorded returning visitors. (2026-06-10)

• Updated dependencies []:

  • @​posthog/types@​1.386.1
  • @​posthog/core@​1.32.1

v1.386.0

Compare Source

1.386.0

Minor Changes

• #​3634 612f97a Thanks @​lucasheriques! - feat(surveys): add opt-in appearance.allowGoBack for multi-question surveys, and make button labels translatable

  Renders a "Back" button on web surveys after the first question. Default is off — existing surveys are unchanged. Uses a visited-index history stack so back-navigation respects branching paths (response_based, specific_question), and abandoned-branch responses are pruned before submission so analytics aren't polluted. Returning to a question pre-fills the prior answer. appearance.backButtonText overrides the default label. The button uses the survey's text color so it stays readable on any background, and it also shows in survey previews.

  Also adds submitButtonText and backButtonText to survey-level translations, so both the submit and back button labels can be localized via appearance translations (previously only the per-question button text was translatable). (2026-06-10)

Patch Changes

• Updated dependencies [612f97a]:
  • @​posthog/core@​1.32.0
  • @​posthog/types@​1.386.0

v1.385.0

Compare Source

1.385.0

Minor Changes

• #​3777 f601c49 Thanks @​dustinbyrne! - Promote external dependency script versioning to supported strict_script_versioning and asset_host config options.
  (2026-06-10)

Patch Changes

• #​3753 c11794d Thanks @​dustinbyrne! - Reload feature flags by default when resetting person properties for flags.
  (2026-06-10)

• #​3742 23b2af1 Thanks @​arnohillen! - record: capture resting scroll offset on scrollend when a reveal scroll clamps to 0 before its target is scrollable (e.g. Silk sheets). Deduped against scroll so normal gestures don't double event volume.
  (2026-06-10)

• Updated dependencies [c11794d, f601c49]:

  • @​posthog/types@​1.385.0
  • @​posthog/core@​1.31.4

v1.384.3

Compare Source

1.384.3

Patch Changes

• #​3791 2d21ada Thanks @​marandaneto! - Deprecate __preview_disable_beacon in favor of disable_beacon and mark __preview_disable_xhr_credentials as a no-op.
  (2026-06-10)
• Updated dependencies [2d21ada]:
  • @​posthog/types@​1.384.3
  • @​posthog/core@​1.31.3

v1.384.2

Compare Source

1.384.2

Patch Changes

• #​3789 d9462b3 Thanks @​marandaneto! - Deprecate __preview_eager_load_replay as a no-op now that session replay lazy loading is the default.
  (2026-06-10)
• Updated dependencies [d9462b3]:
  • @​posthog/types@​1.384.2
  • @​posthog/core@​1.31.2

v1.384.1

Compare Source

1.384.1

Patch Changes

• #​3787 0e22d77 Thanks @​TueHaulund! - replayer: stop corrupting recordings when events are added behind the playhead. addEvent() used to apply any event older than the playback baseline synchronously onto the current DOM — correct for live-mode catch-up, but wrong for on-demand playback where snapshot chunks can finish loading after the user has seeked ahead. Applying those past mutations onto a DOM at a different position made their removes fail mirror lookups, and applyMutation then deleted the failed entries from the event objects themselves, so every later seek rebuilt from corrupted data (DOM nodes accumulating, e.g. duplicated text) and exports serialized the stripped events. Past events are now only applied synchronously in live mode (otherwise they are just inserted for the next seek to pick up), and applyMutation filters removes into a local copy instead of mutating the event data.
  (2026-06-10)
• Updated dependencies []:
  • @​posthog/types@​1.384.1
  • @​posthog/core@​1.31.1

v1.384.0

Compare Source

1.384.0

Minor Changes

• #​3782 0c2acb9 Thanks @​pauldambra! - Detect the Google Search App (GSA) as its own $browser value (Google Search App) via the cross-platform GSA/ UA marker, instead of reporting the embedded webview as Mobile Safari (iOS) or Chrome (Android). Gated behind the new detect_google_search_app config option, which the 2026-05-30 config defaults opt into automatically — left off otherwise to keep existing browser attribution backwards-compatible.

  Note: $browser_version for Google Search App is not comparable across platforms — iOS yields a version like 284.0 (from GSA/284.0.564099828) while Android yields a version like 14.21 (from GSA/14.21.20.28.arm64), since Google maintains separate versioning schemes for the two apps. Avoid building cross-platform version dashboards on $browser_version for this browser. (2026-06-10)

Patch Changes

• Updated dependencies [0c2acb9]:
  • @​posthog/core@​1.31.0
  • @​posthog/types@​1.384.0

v1.383.3

Compare Source

1.383.3

Patch Changes

• #​3776 783ba46 Thanks @​marandaneto! - Deprecate the no-op __preview_flags_v2 browser SDK config option. The SDK already uses the /flags/?v=2 endpoint by default.
  (2026-06-09)
• Updated dependencies [783ba46]:
  • @​posthog/types@​1.383.3
  • @​posthog/core@​1.30.14

v1.383.2

Compare Source

1.383.2

Patch Changes

• #​3748 7820929 Thanks @​marandaneto! - Reduce duplicate internal code found by dry4ts.
  (2026-06-09)
• Updated dependencies []:
  • @​posthog/types@​1.383.2
  • @​posthog/core@​1.30.13

v1.383.1

Compare Source

1.383.1

Patch Changes

• [#​3770](ht

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Rome)

• Branch creation
  • "after 9am and before 6pm every weekday except after 12pm and before 2pm"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[sonarqube-zextras]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage (77.10% Estimated after merge)
• No data about duplications (0.00% Estimated after merge)

Project ID: carbonio-shell-ui

View in SonarQube