Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@angular/build@22.0.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm posthog-js is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/posthog-js@1.393.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm web-vitals is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/web-vitals@5.3.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This PR contains the following updates:
22.0.2 → 22.0.3
22.0.3 → 22.0.4
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
22.0.2 → 22.0.3
1.61.0 → 1.61.1
6.1.0 → 6.2.0
10.5.0 → 10.5.2
1.390.2 → 1.393.5
8.0.16 → 8.1.0
Release Notes
angular/angular (@angular/animations)
v22.0.3
compiler
compiler-cli
core
http
service-worker
upgrade
angular/angular-cli (@angular/build)
v22.0.4: 22.0.4
@angular/build
microsoft/playwright (@playwright/test)
v1.61.1
sanity-io/sanity (@sanity/types)
v6.2.0
Features
_system to useDocumentVersions (#13094) (d4acef0)
Bug Fixes
postcss/autoprefixer (autoprefixer)
v10.5.2
-webkit-fill-available before -moz-available, so Firefox will use -webkit- version which is closer to stretch.
v10.5.1
grid-area span reset for overriding areas (by @puneetdixit200).
PostHog/posthog-js (posthog-js)
v1.393.5
1.393.5
Patch Changes
619d318 Thanks @marandaneto! - Improve console log capture performance for truncated large objects. (2026-06-25)
v1.393.4
1.393.4
Patch Changes
#3942 c9c8925 Thanks @hpouillot! - Fix browser console log capture when session activity timestamps are missing and refresh session attributes for each log. (2026-06-24)
c9c8925]:
v1.393.3
1.393.3
Patch Changes
f94deaf Thanks @ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method (2026-06-24)
v1.393.2
1.393.2
Patch Changes
#3944 1c9a811 Thanks @ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags. (2026-06-24)
v1.393.1
1.393.1
Patch Changes
#3919 99bad9c Thanks @pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody. (2026-06-24)
99bad9c]:
v1.393.0
1.393.0
Minor Changes
#3921 c28b161 Thanks @marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview$current_url.
If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)
Patch Changes
c28b161]:
v1.392.0
1.392.0
Minor Changes
#3895 ce528ed Thanks @turnipdabeets! - Console log auto-capture (logs: { captureConsoleLogs: true }) now flows through the same pipeline as posthog.captureLog(), posthog.logger.*, and PostHog's other SDKs, instead of OpenTelemetry. As a result:
the bundled OpenTelemetry dependencies are removed, shrinking the lazily-loaded logs chunk
auto-captured console logs now run through logs.beforeSend (the same hook as captureLog/logger.*), so you can redact or drop sensitive console output before it's sent. To treat console logs differently from manual logs, branch on the record's log.source attribute: auto-captured console logs set it to console.<method> (e.g. console.error), while manual captureLog/logger.* logs leave it unset
console logs now link to the person's profile: they carry the person id as posthogDistinctId, the attribute PostHog uses to associate logs with a person (docs). The old path used distinct_id, which isn't used for person linking by default, so console logs previously didn't appear on person profiles unless you'd configured a custom key.
Console logs keep their posthog-browser-logs service.name, their console instrumentation scope, and their log.source: console.<level> attribute.
As part of moving onto the shared pipeline, console records now use PostHog's standard log field names — the same ones programmatic web logs and other SDKs use, and the ones the Logs UI surfaces. For the fields below the values are unchanged — only the attribute names/locations differ:
distinct_id → posthogDistinctId (record attribute)
location.href → url.full (record attribute; same value — the page URL)
session.id (resource attribute) → sessionId (record attribute) — renamed and moved
host and window.id move from resource attributes to record attributes (names unchanged)
records also now carry the standard SDK context shared by other logs, including feature_flags
For most projects this needs no action — these are already the canonical log fields. The only thing to update is a saved Logs query or dashboard built specifically on an old console attribute name, for example:
attributes.distinct_id → attributes.posthogDistinctId
attributes.location.href → attributes.url.full
resource.attributes.session.id → attributes.sessionId
resource.attributes.host / resource.attributes.window.id → attributes.host / attributes.window.id
(2026-06-22)
Patch Changes
ce528ed]:
v1.391.9
1.391.9
Patch Changes
#3922 26aa9ba Thanks @posthog! - Exception autocapture: posthog-js's own fetch timeout now aborts with an explicit, descriptive reason (PostHog request timed out after <n>ms) instead of a reason-less DOMException: AbortError: signal is aborted without reason. This keeps name === 'AbortError' so existing timeout handling (e.g. feature flag timeout detection) is unchanged, but makes our own timeouts identifiable and stops them being re-captured as noise by console-error exception autocapture. (2026-06-22)
v1.391.8
1.391.8
Patch Changes
1fce04f Thanks @marandaneto! - Apply CSP stylesheet preparation hook to Product Tours styles. (2026-06-22)
v1.391.7
1.391.7
Patch Changes
#3914 dac4edb Thanks @pauldambra! - Session replay network capture: redact credential-bearing headers on both request and response (previously only request), and match credential-shaped custom header names by substring (e.g. x-gist-encoded-user-token) in addition to the exact deny list - avoiding accidental capture of tokens/cookies in recordings. (2026-06-22)
v1.391.6
1.391.6
Patch Changes
#3901 049eeb6 Thanks @marandaneto! - Stop adding the unused beacon query parameter to browser SDK sendBeacon requests. (2026-06-22)
#3900 3ee8667 Thanks @marandaneto! - Stop adding the unused ip query parameter to browser SDK requests. (2026-06-22)
v1.391.5
1.391.5
Patch Changes
#3915 beaccc3 Thanks @pauldambra! - Session replay: apply the existing base64 image size cap (maxBase64ImageLength) to SVG <image> elements with data: URIs on both href and xlink:href. Previously the cap only covered <img> elements, so large inline data URIs inside SVGs were recorded in full - this also covers them in mutations, replacing oversized ones with the striped placeholder. (2026-06-22)
v1.391.4
1.391.4
Patch Changes
#3913 ee9f2a8 Thanks @pauldambra! - Session replay network capture: expand the default payload host deny list to skip third-party analytics, RUM, and session-replay telemetry whose payloads have no replay value - Datadog, Segment, RudderStack, Amplitude, Mixpanel, Hotjar (both .com and .io), and FullStory. Also covers both Google Analytics beacon hosts (google-analytics.com, plus analytics.google.com which gtag uses when Google Signals is enabled) and widens New Relic to nr-data.net. (2026-06-22)
v1.391.3
1.391.3
Patch Changes
#3909 ab4a220 Thanks @marandaneto! - Avoid style-src-attr CSP violations when diffing rrweb style mutations. (2026-06-22)
#3912 78ac40c Thanks @pauldambra! - Session replay network capture: never record binary/asset response or request bodies (image, video, audio, font, octet-stream, pdf, zip, wasm) even when recordBody is enabled - they bloat recordings, duplicate what the replay already shows, and the body is no longer read. (2026-06-22)
v1.391.2
1.391.2
Patch Changes
6b21f77 Thanks @marandaneto! - Validate custom event UUID overrides and generate new UUIDs when invalid. (2026-06-19)
6b21f77]:
v1.391.1
1.391.1
Patch Changes
#3899 d090a7c Thanks @lucasheriques! - Surveys: re-check eligibility when a popover's display delay elapses, instead of only re-checking the URL.
A survey with a display delay could be queued while a visitor was still anonymous (the targeting flag passed for the anonymous profile), and then displayed after the delay even though identify() had reloaded feature flags and the survey's internal targeting flag was now false for the identified profile (e.g. a "show once per user" survey the person had already dismissed). The delayed display now re-runs the full display predicate (eligibility, URL/device/selector conditions, event/action trigger, and feature flags) before rendering, so a survey that became ineligible during the delay is no longer shown. Pending delayed surveys are also cancelled promptly when a later evaluation cycle finds them ineligible. (2026-06-19)
v1.391.0
1.391.0
Minor Changes
#3885 5392a55 Thanks @pauldambra! - feat(replay): capture canvas at reduced resolution
Adds session_recording.canvasCapture.resolutionScale - a (0, 1] fraction of the canvas display size to capture replay frames at. The captured bitmap is downscaled (pixel-area savings are quadratic) while the canvas's true display size is still recorded, so playback stretches the smaller frame back to the correct dimensions and aspect ratio - only sharpness drops, never layout. It defaults to 1 (full resolution, matching today's behaviour), and the latest defaults bundle (2026-05-30) opts new installs into 0.6.
The canvas's true display size travels with each frame through the encode worker (as required message fields), so the encoded reply is always drawn back to the correct dimensions — no per-canvas state is retained on the main thread, and downscaling can never mislabel a canvas's dimensions. At full resolution the captured pixels are unchanged (the quality resampling hint is only applied when actually downscaling); the emitted drawImage now always uses the explicit destination-size form, which is pixel-equivalent on replay.
Mechanically, @posthog/rrweb's canvas FPS-snapshot observer takes an optional canvasResolutionScale record option and downscales each captured frame accordingly. (2026-06-19)
Patch Changes
5392a55]:
vitejs/vite (vite)
v8.1.0
Features
server.fs.deny list with common files (#22707) (61ba8fd)
~ for Rolldown (#22693) (9928722)
Bug Fixes
Code Refactoring
rolldownOptions property for chunkImportMap (#22692) (8e8816c)
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
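
The header redaction change described in the posthog-js 1.391.7 note above, as an added sketch that is not posthog-js source code and not part of the PR. The deny list, the substring fragments, the function names and the sample exchange are all assumptions made for illustration; the code compares the old rule (request headers, exact names only) with the new one and returns the headers that become protected.

```javascript
// Added illustration; the two lists are assumed values, not the SDK's real lists.
const EXACT_DENY_LIST = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key',
]);
const CREDENTIAL_FRAGMENTS = ['token', 'secret', 'password', 'session', 'auth', 'api-key', 'apikey'];
const REDACTED = '[redacted]';

// Header names are case-insensitive, so normalise before matching.
function isCredentialHeader(name, matchSubstrings = true) {
  const normalised = String(name).trim().toLowerCase();
  if (EXACT_DENY_LIST.has(normalised)) return true;
  return matchSubstrings && CREDENTIAL_FRAGMENTS.some((f) => normalised.includes(f));
}

// Accept a plain object, an array of [name, value] pairs, or a Map/Headers-like object.
function toEntries(headers) {
  if (!headers) return [];
  if (Array.isArray(headers)) return headers;
  if (typeof headers.entries === 'function') return Array.from(headers.entries());
  return Object.entries(headers);
}

// Returns a new object; the captured input is never mutated.
function redactHeaders(headers, matchSubstrings = true) {
  const out = {};
  for (const [name, value] of toEntries(headers)) {
    out[name] = isCredentialHeader(name, matchSubstrings) ? REDACTED : value;
  }
  return out;
}

// New rule: both directions, exact deny list plus substring match.
function redactExchange(exchange) {
  return {
    ...exchange,
    requestHeaders: redactHeaders(exchange.requestHeaders),
    responseHeaders: redactHeaders(exchange.responseHeaders),
  };
}

// Old rule as the release note describes it: request only, exact names only.
function redactExchangeOldRule(exchange) {
  return {
    ...exchange,
    requestHeaders: redactHeaders(exchange.requestHeaders, false),
    responseHeaders: Object.fromEntries(toEntries(exchange.responseHeaders)),
  };
}

// Names that the old rule would have recorded in clear and the new rule redacts.
function newlyProtectedHeaders(exchange) {
  const before = redactExchangeOldRule(exchange);
  const after = redactExchange(exchange);
  const names = [];
  for (const side of ['requestHeaders', 'responseHeaders']) {
    for (const name of Object.keys(after[side])) {
      if (after[side][name] === REDACTED && before[side][name] !== REDACTED) names.push(name);
    }
  }
  return names;
}

// Constructed sample exchange (all values are placeholders).
const sampleExchange = {
  url: 'https://app.example.test/api/profile',
  requestHeaders: {
    'Content-Type': 'application/json',
    Authorization: 'Bearer constructed-value',
    'X-Gist-Encoded-User-Token': 'constructed-value',
  },
  responseHeaders: new Map([
    ['cache-control', 'no-store'],
    ['set-cookie', 'sid=constructed-value; HttpOnly'],
    ['x-refreshed-session-token', 'constructed-value'],
  ]),
};

console.log(newlyProtectedHeaders(sampleExchange));
```

Substring matching over-redacts by design: with these fragments a harmless name such as `X-Author` is also masked, which costs some replay detail but never leaks a credential.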