Update dependency posthog-js to v1.393.6 #334

Open
renovate[bot] wants to merge 1 commit into main from renovate/posthog-js-1.x

Conversation

renovate Bot commented Jun 23, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
posthog-js (source) | 1.392.0 → 1.393.6 | age | confidence

Release Notes

PostHog/posthog-js (posthog-js)

v1.393.5

Patch Changes

v1.393.4

Patch Changes

v1.393.3

Patch Changes
  • #3945 f94deaf Thanks @ioannisj! - fix(surveys): guard handlePageUnload against version-skewed surveys instance missing the method
    (2026-06-24)

v1.393.2

Patch Changes
  • #3944 1c9a811 Thanks @ioannisj! - Stop logging a misleading "upgrade your PostHog server" warning for valid v2 flags responses that have no flags.
    (2026-06-24)

v1.393.1

Patch Changes
  • #3919 99bad9c Thanks @pauldambra! - Session replay network capture: add an opt-in streaming reader for request/response bodies that stops at the payload size limit instead of buffering the whole body and then discarding it — bounding memory and pre-request latency when a body is very large. It reads only a clone of the body, so it never consumes the stream the page itself reads, and always resolves (never rejects) into the page's fetch. Off by default; enabled for defaults: '2026-06-25' and settable directly via session_recording.streamNetworkBody.
    (2026-06-24)
  • Updated dependencies [99bad9c]:

v1.393.0

Minor Changes
  • #3921 c28b161 Thanks @marandaneto! - Add disable_capture_url_hashes to strip URL fragments from automatically captured URLs. It is disabled by default for backwards compatibility, and enabled automatically when config.defaults is '2026-06-25' or later. Enabling it (either explicitly or via the '2026-06-25' defaults) is a breaking behavior change for SPAs that rely on URL hashes for routing or analytics, because hash-based routes will be collapsed to the same URL without the fragment in fields such as $current_url, $initial_current_url, $session_entry_url, autocapture $elements[*].attr__href, $external_click_url, replay href URLs, heatmaps, web vitals $current_url, logs url.full, conversations current_url/request_url, or Next.js Pages Router $pageview $current_url.

    If you only want to capture some hashes, leave hash capture enabled and use before_send to remove or redact sensitive hash values before events are sent. (2026-06-23)

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
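
The 1.393.0 release note above suggests leaving hash capture enabled and using before_send to redact sensitive hash values. The following is an added example of such a hook, not code from this PR or from PostHog: the parameter names in SENSITIVE_HASH_PARAMS, the function names and the sample URLs are assumptions, and it covers only the event properties handled in the code, not the other surfaces the note lists.

```javascript
// Added example (not PostHog code). Plain functions: runs in Node without posthog-js.
// URL-bearing event properties named in the 1.393.0 release note.
const URL_PROPS = ['$current_url', '$initial_current_url', '$session_entry_url', '$external_click_url'];
// Assumption: fragment parameter names this application treats as secrets.
const SENSITIVE_HASH_PARAMS = new Set(['access_token', 'id_token', 'token', 'code']);

// Redact sensitive key=value pairs inside the URL fragment, keeping the route.
function redactHash(url) {
  if (typeof url !== 'string') return url;
  const at = url.indexOf('#');
  if (at === -1) return url;
  const fragment = url.slice(at + 1);
  const q = fragment.indexOf('?');
  let route = '';
  let params = '';
  if (q !== -1) {
    // Hash-router form: #/route?key=value
    route = fragment.slice(0, q + 1);
    params = fragment.slice(q + 1);
  } else if (fragment.includes('=')) {
    // Parameter-only form: #key=value&key2=value2
    params = fragment;
  } else {
    return url; // plain anchor or route, nothing to redact
  }
  const cleaned = params.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    if (eq === -1) return pair;
    const key = pair.slice(0, eq);
    return SENSITIVE_HASH_PARAMS.has(key.toLowerCase()) ? `${key}=[redacted]` : pair;
  }).join('&');
  return url.slice(0, at + 1) + route + cleaned;
}

// before_send-shaped hook: takes the event, returns a redacted copy.
function redactEventHashes(event) {
  if (!event || !event.properties) return event;
  const properties = { ...event.properties };
  for (const name of URL_PROPS) {
    if (name in properties) properties[name] = redactHash(properties[name]);
  }
  if (Array.isArray(properties.$elements)) {
    properties.$elements = properties.$elements.map((el) =>
      (el && typeof el === 'object' && 'attr__href' in el
        ? { ...el, attr__href: redactHash(el.attr__href) } : el));
  }
  return { ...event, properties };
}
// Wiring (placeholder key): posthog.init('<project-api-key>', { before_send: redactEventHashes })
```

Only the fragment is rewritten; a secret carried in the ordinary query string needs its own handling.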

renovate Bot enabled auto-merge (squash) June 23, 2026 02:44

socket-security Bot commented Jun 23, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | posthog-js@1.392.0 ⏵ 1.393.6 | 90 +7 | 100 | 72 -8 | 100 | 100

View full report

socket-security Bot commented Jun 23, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Telemetry collection: npm posthog-js

Note: The file package/dist/array.no-external.js is part of a web analytics/telemetry SDK that loads remote transforms and optional extensions, persists consent/state, and can apply server-provided transforms that mutate the DOM. If untrusted transforms are loaded, this can enable XSS-like DOM mutations and data exfiltration, with ongoing privacy, compliance, and supply-chain risks from external/script loading; mitigations include strict allowlists, server-side sanitization, integrity checks, CSP, and careful governance of debug/consent handling.

From: package.json → npm/posthog-js@1.393.6

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.393.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate Bot changed the title from "Update dependency posthog-js to v1.392.0" to "Update dependency posthog-js to v1.392.0 - autoclosed" Jun 23, 2026
renovate Bot closed this Jun 23, 2026
auto-merge was automatically disabled June 23, 2026 02:52

Pull request was closed

renovate Bot deleted the renovate/posthog-js-1.x branch June 23, 2026 02:52
renovate Bot changed the title from "Update dependency posthog-js to v1.392.0 - autoclosed" to "Update dependency posthog-js to v1.393.0" Jun 23, 2026
renovate Bot reopened this Jun 23, 2026
renovate Bot force-pushed the renovate/posthog-js-1.x branch 2 times, most recently from c6ab571 to d3a9f55 June 23, 2026 11:55
renovate Bot enabled auto-merge (squash) June 24, 2026 13:42
renovate Bot force-pushed the renovate/posthog-js-1.x branch from d3a9f55 to 6db392c June 24, 2026 13:42
renovate Bot changed the title from "Update dependency posthog-js to v1.393.0" to "Update dependency posthog-js to v1.393.3" Jun 24, 2026
renovate Bot force-pushed the renovate/posthog-js-1.x branch from 6db392c to f79cf27 June 24, 2026 17:53
renovate Bot changed the title from "Update dependency posthog-js to v1.393.3" to "Update dependency posthog-js to v1.393.4" Jun 24, 2026
renovate Bot force-pushed the renovate/posthog-js-1.x branch from f79cf27 to 14f20a0 June 25, 2026 14:52
renovate Bot changed the title from "Update dependency posthog-js to v1.393.4" to "Update dependency posthog-js to v1.393.5" Jun 25, 2026
renovate Bot force-pushed the renovate/posthog-js-1.x branch from 14f20a0 to 77d6278 June 26, 2026 12:52
renovate Bot changed the title from "Update dependency posthog-js to v1.393.5" to "Update dependency posthog-js to v1.393.6" Jun 26, 2026