chore(deps): update npm packages#292
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
renovate
Bot
force-pushed
the
renovate/npm-packages
branch
from
a81d29c to
966b07c
Compare
renovate
Bot
force-pushed
the
renovate/npm-packages
branch
from
966b07c to
af76dfd
Compare
This PR contains the following updates:
21.2.13→21.2.1421.2.11→21.2.1221.2.11→21.2.1221.2.13→21.2.1421.2.13→21.2.1421.2.13→21.2.1421.2.13→21.2.1421.2.13→21.2.1421.2.11→21.2.1221.2.13→21.2.1421.2.13→21.2.1421.2.13→21.2.145.25.1→5.26.08.5.14→8.5.151.373.4→1.375.01.99.0→1.100.04.22.0→4.22.38.0.13→8.0.144.1.6→4.1.7Release Notes
angular/angular (@angular/animations)
v21.2.14Compare Source
compiler
core
router
angular/angular-cli (@angular/build)
v21.2.12Compare Source
@angular/build
angular/components (@angular/cdk)
v21.2.12Compare Source
material
sanity-io/sanity (@sanity/types)
v5.26.0Compare Source
Reverts
postcss/postcss (postcss)
v8.5.15Compare Source
PostHog/posthog-js (posthog-js)
v1.375.0Compare Source
1.375.0
Minor Changes
2e1d5f4Thanks @dustinbyrne! - Addflag_keysconfig to restrict browser feature flag remote evaluation to specific flag keys.(2026-05-21)
Patch Changes
2e1d5f4]:v1.374.4Compare Source
1.374.4
Patch Changes
#3638
87e2145Thanks @marandaneto! - Apply tracing headers to matching XMLHttpRequest requests(2026-05-21)
#3646
4f87827Thanks @marandaneto! - Avoid throwing or initializing PostHogProvider when no API key or client is provided(2026-05-21)
#3645
280832bThanks @TueHaulund! - Capture<link rel="stylesheet">URLs fromlink.sheet.hrefand trylink.sheetdirectly for inlining, so recordings survive SPAhistory.pushStatenavigations between routes of different path depths (wherelink.hrefre-resolves against a new baseURI butlink.sheet.hrefpreserves the URL the browser actually fetched).Ships the fix landed in #3635, which only bumped the internal
@posthog/rrweb-snapshotpackage — that package is bundled intoposthog-jsat build time but is not published to npm on its own, so aposthog-jsbump is needed to actually deliver the change. (2026-05-21)Updated dependencies []:
v1.374.3Compare Source
1.374.3
Patch Changes
557b893Thanks @eli-r-ph! - Enable $web_vitals reporting when cookieless mode is enabled(2026-05-20)
557b893,a880dbc]:v1.374.2Compare Source
1.374.2
Patch Changes
#3550
df91995Thanks @TueHaulund! - Preserve session-recording remote config acrossposthog.reset().posthog.reset()was clearing the entire persistence store, which wiped$session_recording_remote_configalong with user state. On the next sessionrotation triggered by the reset,
start('session_id_changed')would early-returnbecause the remote config was missing — leaving rrweb torn down and the new
session opening with no Meta + FullSnapshot until the next periodic 5-minute
checkout.
This affected any flow where an app calls
posthog.reset()mid-session(e.g. on sign-out / sign-in) and was particularly visible on Flutter Web
recordings that depend on a fresh FullSnapshot to anchor the CanvasKit DOM. (2026-05-18)
Updated dependencies []:
v1.374.1Compare Source
1.374.1
Patch Changes
07a0f5fThanks @marandaneto! - Respect transport overrides passed to posthog.capture.(2026-05-18)
v1.374.0Compare Source
1.374.0
Minor Changes
594ea11Thanks @pauldambra! - Dead clicks: add a.ph-no-deadclickCSS class (andcapture_dead_clicks.css_selector_ignorelistconfig option) to exclude specific elements from dead-click detection without affecting autocapture, session replay, or heatmaps. Mirrors the existing.ph-no-rageclickpattern.(2026-05-18)
Patch Changes
3c0a09fThanks @pauldambra! - Dead clicks: a click on an<a>(or any element inside an<a>, including across shadow DOM) is no longer flagged as a dead click — the browser navigates / downloads / opens a new window and we can't observe that. Reuses autocapture's existing DOM walker for the ancestor walk. Direct clicks on<button>,<input>,<select>,<textarea>,<label>, and<form>(previously all skipped) are now eligible for dead-click detection: if their JS handler ran, the existing mutation / scroll / selection observers see the effect; if it didn't, dead-click correctly surfaces the bug. A broken<button>with no handler, or an<svg>icon inside one, will now flag — which is exactly the dead-click case we want to catch.(2026-05-18)
594ea11]:v1.373.5Compare Source
1.373.5
Patch Changes
221973eThanks @lucasheriques! - Surveys: submit open text questions with Cmd/Ctrl+Enter. The textarea still inserts a newline on plain Enter (native behaviour), matching the convention used by Slack, GitHub, Discord, and ChatGPT for multi-line inputs. Single-line "Other:" inputs continue to submit on plain Enter as before.(2026-05-15)
sass/dart-sass (sass)
v1.100.0Compare Source
Writing two compound selectors adjacent to one another without any whitespace
between them, such as
[class]a, is now deprecated. This was always an errorin CSS and Sass only supported it by mistake.
See the Sass website for
details.
privatenumber/tsx (tsx)
v4.22.3Compare Source
v4.22.2Compare Source
v4.22.1Compare Source
vitejs/vite (vite)
v8.0.14Compare Source
Features
Bug Fixes
Miscellaneous Chores
Code Refactoring
Tests
vitest-dev/vitest (vitest)
v4.1.7Compare Source
🐞 Bug Fixes
View changes on GitHub
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.