You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to /i/v1/metrics — one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:
#411345f17ee Thanks @TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removed
Follow-up to the shadow-observer iframe-teardown fix: takeFullSnapshot's onSerialize registers every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot). addShadowRoot now derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)
#4103be8242a Thanks @rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includes dist/toolbar/ (with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonical toolbar.js/toolbar.css layout. This is a no-op against today's single-file build.
(2026-07-08)
#411238bb185 Thanks @TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardown
The single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)
#406324aadd5 Thanks @posthog! - Fix a RangeError: Maximum call stack size exceeded that could originate from the shared patch() fetch/XHR wrapper. posthog-js wraps window.fetch in two independent places (tracing headers and session-recording network capture), so their restores routinely ran out of order. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated start/stop cycles grew the wrapper chain without bound until a real fetch walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Header-injection and network-capture behavior is unchanged.
(2026-07-07)
#4100e250a24 Thanks @marandaneto! - Stop adding the gzip compression query parameter to browser SDK requests.
(2026-07-07)
#4083f07e241 Thanks @posthog! - fix(replay): harden session-replay network capture so instrumentation that throws (e.g. new Request() rejecting a URL/method) degrades gracefully and never breaks or misattributes the host application's own xhr.open() / fetch() calls
(2026-07-07)
#4089cc340db Thanks @bs1180! - feat(web): add a posthog-js/customizations subpath entry point exposing the optional customizations (setAllPersonProfilePropertiesAsPersonPropertiesForFlags, the before-send sampling helpers, and the redux/kea loggers) as a proper ES module with bundled types, replacing the internal posthog-js/lib/src/customizations deep import. Also fixes the TypeScript definitions so setAllPersonProfilePropertiesAsPersonPropertiesForFlags accepts the instance passed to the loaded callback (the documented usage), and the loaded callback's instance type now includes config.
(2026-07-06)
#40622af0026 Thanks @posthog! - fix(web): prevent an infinite-recursion stack overflow in the logs console capture. The console wrapper's own capture path can emit internal debug lines through PostHog's logger, which wrote back to the wrapped console and re-entered capture until the stack blew (RangeError: Maximum call stack size exceeded). The wrapper now exposes the original console method via __rrweb_original__ (so the internal logger bypasses it) and guards against re-entrancy from any code that logs mid-capture.
(2026-07-06)
#405345d1b36 Thanks @posthog! - feat(web): add a graceful shutdown() to the browser client for parity with posthog-node, so isomorphic teardown code (e.g. the Nuxt module) that calls posthog.shutdown() on the client no longer throws TypeError: shutdown is not a function. It best-effort flushes the queued events and always resolves.
(2026-07-03)
#4054f0657eb Thanks @posthog! - fix(web): detect our own feature-flag request timeouts via a timedOut flag instead of the abort reason, so they are logged at warn (not error) on browsers that don't propagate controller.abort(reason) — keeping benign timeouts out of error tracking's console-error capture
(2026-07-03)
posthog-js: refresh the cached $surveys definitions after a short TTL (stale-while-revalidate) so server-side changes such as switching a survey from popover to API propagate to long-lived tabs without a page reload.
posthog-js: add posthog.surveys.markSurveyAsSeen(surveyId, { iteration }) so custom integrators that render surveys through their own backend can honour the "already seen" and wait-period checks.
posthog-react-native: guarantee the survey Modal notifies its parent on close even when iOS Modal.onDismiss fails to fire, so the transparent full-screen modal can no longer stay mounted intercepting touches and freezing the app. (2026-07-03)
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@angular/build@22.0.6. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
22.0.5→22.0.622.0.5→22.0.622.0.3→22.0.422.0.5→22.0.622.0.5→22.0.622.0.5→22.0.622.0.5→22.0.622.0.5→22.0.622.0.3→22.0.422.0.5→22.0.622.0.5→22.0.622.0.5→22.0.66.3.0→6.4.01.396.5→1.399.14.22.5→4.23.08.1.3→8.1.44.1.9→4.1.10Release Notes
angular/angular (@angular/animations)
v22.0.6Compare Source
compiler
compiler-cli
forms/signals
migrations
router
angular/angular-cli (@angular/build)
v22.0.6Compare Source
angular/components (@angular/cdk)
v22.0.4Compare Source
aria
material
sanity-io/sanity (@sanity/types)
v6.4.0Compare Source
Features
PostHog/posthog-js (posthog-js)
v1.399.1Compare Source
v1.399.0Compare Source
1.399.0
Minor Changes
#4115
86bb3a5Thanks @DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alphaA statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to
/i/v1/metrics— one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:Configure via
metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)Patch Changes
86bb3a5]:v1.398.7Compare Source
1.398.7
Patch Changes
#4113
45f17eeThanks @TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removedFollow-up to the shadow-observer iframe-teardown fix:
takeFullSnapshot'sonSerializeregisters every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot).addShadowRootnow derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)v1.398.6Compare Source
1.398.6
Patch Changes
c75c0baThanks @hpouillot! - fix: avoid throwing when rrweb recorder cleanup cannot remove a listener(2026-07-08)
v1.398.5Compare Source
1.398.5
Patch Changes
be8242aThanks @rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includesdist/toolbar/(with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonicaltoolbar.js/toolbar.csslayout. This is a no-op against today's single-file build.(2026-07-08)
v1.398.4Compare Source
v1.398.3Compare Source
1.398.3
Patch Changes
#4112
38bb185Thanks @TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardownThe single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)
v1.398.2Compare Source
1.398.2
Patch Changes
#4063
24aadd5Thanks @posthog! - Fix aRangeError: Maximum call stack size exceededthat could originate from the sharedpatch()fetch/XHR wrapper. posthog-js wrapswindow.fetchin two independent places (tracing headers and session-recording network capture), so their restores routinely ran out of order. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated start/stop cycles grew the wrapper chain without bound until a realfetchwalked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Header-injection and network-capture behavior is unchanged.(2026-07-07)
#4100
e250a24Thanks @marandaneto! - Stop adding the gzip compression query parameter to browser SDK requests.(2026-07-07)
#4083
f07e241Thanks @posthog! - fix(replay): harden session-replay network capture so instrumentation that throws (e.g.new Request()rejecting a URL/method) degrades gracefully and never breaks or misattributes the host application's ownxhr.open()/fetch()calls(2026-07-07)
v1.398.1Compare Source
1.398.1
Patch Changes
5013ab6Thanks @marandaneto! - Stop sending the deprecatedverquery parameter to capture and session recording endpoints.(2026-07-07)
v1.398.0Compare Source
v1.397.0Compare Source
1.397.0
Minor Changes
cc340dbThanks @bs1180! - feat(web): add aposthog-js/customizationssubpath entry point exposing the optional customizations (setAllPersonProfilePropertiesAsPersonPropertiesForFlags, thebefore-sendsampling helpers, and the redux/kea loggers) as a proper ES module with bundled types, replacing the internalposthog-js/lib/src/customizationsdeep import. Also fixes the TypeScript definitions sosetAllPersonProfilePropertiesAsPersonPropertiesForFlagsaccepts the instance passed to theloadedcallback (the documented usage), and theloadedcallback's instance type now includesconfig.(2026-07-06)
v1.396.9Compare Source
v1.396.8Compare Source
1.396.8
Patch Changes
2af0026Thanks @posthog! - fix(web): prevent an infinite-recursion stack overflow in the logs console capture. The console wrapper's own capture path can emit internal debug lines through PostHog's logger, which wrote back to the wrapped console and re-entered capture until the stack blew (RangeError: Maximum call stack size exceeded). The wrapper now exposes the original console method via__rrweb_original__(so the internal logger bypasses it) and guards against re-entrancy from any code that logs mid-capture.(2026-07-06)
v1.396.7Compare Source
v1.396.6Compare Source
1.396.6
Patch Changes
#4053
45d1b36Thanks @posthog! - feat(web): add a gracefulshutdown()to the browser client for parity with posthog-node, so isomorphic teardown code (e.g. the Nuxt module) that callsposthog.shutdown()on the client no longer throwsTypeError: shutdown is not a function. It best-effort flushes the queued events and always resolves.(2026-07-03)
#4054
f0657ebThanks @posthog! - fix(web): detect our own feature-flag request timeouts via atimedOutflag instead of the abort reason, so they are logged atwarn(noterror) on browsers that don't propagatecontroller.abort(reason)— keeping benign timeouts out of error tracking's console-error capture(2026-07-03)
#4031
94a0530Thanks @posthog! - Improve survey display reliability:$surveysdefinitions after a short TTL (stale-while-revalidate) so server-side changes such as switching a survey from popover to API propagate to long-lived tabs without a page reload.posthog.surveys.markSurveyAsSeen(surveyId, { iteration })so custom integrators that render surveys through their own backend can honour the "already seen" and wait-period checks.Modalnotifies its parent on close even when iOSModal.onDismissfails to fire, so the transparent full-screen modal can no longer stay mounted intercepting touches and freezing the app. (2026-07-03)Updated dependencies [
45d1b36]:privatenumber/tsx (tsx)
v4.23.0Compare Source
Bug Fixes
Features
This release is also available on:
vitejs/vite (vite)
v8.1.4Compare Source
Features
Bug Fixes
import.meta.urlin preload function as-is (#22839) (f1f90ed)Documentation
@defaultforserver.cors(#22859) (70435b2)Miscellaneous Chores
Code Refactoring
Tests
Build System
onwarnwithonLog(#22741) (c581b55)vitest-dev/vitest (vitest)
v4.1.10Compare Source
🐞 Bug Fixes
View changes on GitHub
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.