Skip to content

build(deps): bump @opentelemetry/core and posthog-js#35

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-428b133397
Jun 17, 2026
Merged

build(deps): bump @opentelemetry/core and posthog-js#35
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-428b133397

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Removes @opentelemetry/core. It's no longer used after updating ancestor dependency posthog-js. These dependencies need to be updated together.

Removes @opentelemetry/core

Updates posthog-js from 1.369.0 to 1.387.0

Release notes

Sourced from posthog-js's releases.

posthog-js@1.387.0

1.387.0

Minor Changes

  • #3709 c6c163a Thanks @​posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call. (2026-06-16)

Patch Changes

  • #3756 b3ec845 Thanks @​archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401. (2026-06-16)

  • #3860 c9c7df1 Thanks @​marandaneto! - Add $unset to capture options and pass it through in browser capture payloads. (2026-06-16)

  • #3855 fadaa4f Thanks @​haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged. (2026-06-16)

  • #3830 0d837f5 Thanks @​dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present. (2026-06-16)

  • #3853 f95a0ec Thanks @​TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.

    Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)

  • Updated dependencies [b3ec845, c9c7df1, c6c163a]:

    • @​posthog/core@​1.33.0
    • @​posthog/types@​1.387.0

posthog-js@1.386.8

1.386.8

Patch Changes

  • #3838 3094f73 Thanks @​TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-side any(distinct_id) attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts. (2026-06-15)

posthog-js@1.386.7

1.386.7

Patch Changes

  • #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)

  • #3832 d3a9462 Thanks @​archievi! - Surveys: guard the remaining unprotected localStorage accesses (reset() and the lastSeenSurveyDate write) so a SecurityError in cross-origin iframes is swallowed instead of bubbling up to user monitoring. (2026-06-15)

  • Updated dependencies [29bf8e3]:

    • @​posthog/core@​1.32.4

... (truncated)

Commits
  • 4ff3bb3 chore: update versions and lockfile [version bump]
  • a0553b3 feat(node): add person property helpers (#3845)
  • c9c7df1 fix(browser): support unset capture option (#3860)
  • 0323540 chore: remove posthog.com types upgrade workflow (#3864)
  • f95a0ec feat(replay): capture native fullscreen transitions in session replay (#3853)
  • b3ec845 fix: drop events whose token property is removed by before_send (#3438) (#3756)
  • c6c163a feat: add unsetPersonProperties() to remove person properties (#3709)
  • fadaa4f fix(flags): drop ip query param from flags requests (#3855)
  • 0d837f5 fix: prevent autocapture extension script reloads (#3830)
  • 70d3dde chore: Generate versioned references only on release (#3858)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Removes [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js). It's no longer used after updating ancestor dependency [posthog-js](https://github.com/PostHog/posthog-js). These dependencies need to be updated together.


Removes `@opentelemetry/core`

Updates `posthog-js` from 1.369.0 to 1.387.0
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.369.0...posthog-js@1.387.0)

---
updated-dependencies:
- dependency-name: "@opentelemetry/core"
  dependency-version:
  dependency-type: indirect
- dependency-name: posthog-js
  dependency-version: 1.387.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
@github-actions github-actions Bot enabled auto-merge (squash) June 17, 2026 05:47
@github-actions github-actions Bot merged commit 59c3929 into main Jun 17, 2026
5 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-428b133397 branch June 17, 2026 05:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants