Skip to content

chore(deps): update npm packages#396

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-packages
Jul 13, 2026
Merged

chore(deps): update npm packages#396
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-packages

Conversation

@renovate

@renovate renovate Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@angular/animations (source) 22.0.522.0.6 age adoption passing confidence
@angular/build 22.0.522.0.6 age adoption passing confidence
@angular/cdk 22.0.322.0.4 age adoption passing confidence
@angular/common (source) 22.0.522.0.6 age adoption passing confidence
@angular/compiler (source) 22.0.522.0.6 age adoption passing confidence
@angular/compiler-cli (source) 22.0.522.0.6 age adoption passing confidence
@angular/core (source) 22.0.522.0.6 age adoption passing confidence
@angular/forms (source) 22.0.522.0.6 age adoption passing confidence
@angular/material 22.0.322.0.4 age adoption passing confidence
@angular/platform-browser (source) 22.0.522.0.6 age adoption passing confidence
@angular/platform-browser-dynamic (source) 22.0.522.0.6 age adoption passing confidence
@angular/router (source) 22.0.522.0.6 age adoption passing confidence
@sanity/types (source) 6.3.06.4.0 age adoption passing confidence
posthog-js (source) 1.396.51.399.1 age adoption passing confidence
tsx (source) 4.22.54.23.0 age adoption passing confidence
vite (source) 8.1.38.1.4 age adoption passing confidence
vitest (source) 4.1.94.1.10 age adoption passing confidence

Release Notes

angular/angular (@​angular/animations)

v22.0.6

Compare Source

compiler
Commit Type Description
fd4ddcafed fix use regular optional chaining expression for safe function calls in TCBs
compiler-cli
Commit Type Description
534fe81a89 fix apply debugName transform to required signal queries
3b08201bfb fix detect uninvoked signals in bound expressions using ternary
forms/signals
Commit Type Description
171669f7b2 fix make extractValue reactive for compat AbstractControl values
migrations
Commit Type Description
0a6af1496b fix preserve transitive NgModule references when pruning
d4a926a762 fix remove stale model import in model-output migration
router
Commit Type Description
c238bd2ad7 fix handle outlet named proto in segment group maps
8e6d7f7190 fix use safe hasOwnProperty when parsing query params
angular/angular-cli (@​angular/build)

v22.0.6

Compare Source

angular/components (@​angular/cdk)

v22.0.4

Compare Source

aria
Commit Type Description
918090a07 fix listbox: allow navigation to specific index (#​33485)
material
Commit Type Description
c86b024e3 fix core: rework error state matcher to handle signal forms (#​33500)
sanity-io/sanity (@​sanity/types)

v6.4.0

Compare Source

Features
PostHog/posthog-js (posthog-js)

v1.399.1

Compare Source

v1.399.0

Compare Source

1.399.0

Minor Changes
  • #​4115 86bb3a5 Thanks @​DanielVisca! - add the posthog.metrics API (count, gauge, histogram) — alpha

    A statsd-style pre-aggregating metrics client for the PostHog Metrics product (alpha). Samples are folded into per-series aggregates in memory (counts sum, gauges keep the last value, histograms accumulate buckets) and flushed periodically as OTLP/JSON to /i/v1/metrics — one data point per series per flush window, no matter how many calls. No OpenTelemetry SDK setup required:

    posthog.metrics.count('orders_created', 1)
    posthog.metrics.gauge('active_connections', 42)
    posthog.metrics.histogram('api_latency', 187, { unit: 'ms' })

    Configure via metrics: { serviceName, environment, flushIntervalMs, maxSeriesPerFlush, beforeSend, ... }. (2026-07-08)

Patch Changes

v1.398.7

Compare Source

1.398.7

Patch Changes
  • #​4113 45f17ee Thanks @​TueHaulund! - fix session replay leaking a shadow-root observer when a same-origin iframe is removed

    Follow-up to the shadow-observer iframe-teardown fix: takeFullSnapshot's onSerialize registers every shadow root with the top-level document, so a root nested in a same-origin iframe was keyed to the wrong document and its observer/buffer were not disconnected when that iframe was removed (they lingered until the next full snapshot). addShadowRoot now derives the owning document from the host element, so per-document teardown matches iframe-nested roots too. (2026-07-08)

v1.398.6

Compare Source

1.398.6

Patch Changes

v1.398.5

Compare Source

1.398.5

Patch Changes
  • #​4103 be8242a Thanks @​rafaeelaudibert! - Publish the code-split ESM toolbar bundle when the build emits one. The release tooling now recursively includes dist/toolbar/ (with explicit JS content types for the strict-MIME ESM chunks) across the immutable, major-alias, and compatibility upload prefixes, and the workflow accepts the canonical toolbar.js/toolbar.css layout. This is a no-op against today's single-file build.
    (2026-07-08)

v1.398.4

Compare Source

v1.398.3

Compare Source

1.398.3

Patch Changes
  • #​4112 38bb185 Thanks @​TueHaulund! - fix session replay silently dropping shadow DOM mutations after an iframe teardown

    The single shared ShadowDomManager observes every shadow root on the page, but MutationBuffer.reset() disconnected it. That reset fires whenever any one buffer is torn down, so an iframe being removed or navigating away disconnected every shadow-root observer page-wide. Shadow DOM content (for example a widget mounted in an open shadow root) then stopped recording until the next periodic full snapshot re-registered it. Buffer teardown now releases only its own resources; global shadow observation is reset by takeFullSnapshot and on recording stop. (2026-07-08)

v1.398.2

Compare Source

1.398.2

Patch Changes
  • #​4063 24aadd5 Thanks @​posthog! - Fix a RangeError: Maximum call stack size exceeded that could originate from the shared patch() fetch/XHR wrapper. posthog-js wraps window.fetch in two independent places (tracing headers and session-recording network capture), so their restores routinely ran out of order. Previously an out-of-order restore silently no-op'd, leaving the wrapper in the call path; repeated start/stop cycles grew the wrapper chain without bound until a real fetch walked a chain deep enough to overflow the stack. Wrappers now delegate through a mutable link so any layer can be torn down even when newer wrappers sit on top of it, keeping the chain bounded. Header-injection and network-capture behavior is unchanged.
    (2026-07-07)

  • #​4100 e250a24 Thanks @​marandaneto! - Stop adding the gzip compression query parameter to browser SDK requests.
    (2026-07-07)

  • #​4083 f07e241 Thanks @​posthog! - fix(replay): harden session-replay network capture so instrumentation that throws (e.g. new Request() rejecting a URL/method) degrades gracefully and never breaks or misattributes the host application's own xhr.open() / fetch() calls
    (2026-07-07)

v1.398.1

Compare Source

1.398.1

Patch Changes

v1.398.0

Compare Source

v1.397.0

Compare Source

1.397.0

Minor Changes
  • #​4089 cc340db Thanks @​bs1180! - feat(web): add a posthog-js/customizations subpath entry point exposing the optional customizations (setAllPersonProfilePropertiesAsPersonPropertiesForFlags, the before-send sampling helpers, and the redux/kea loggers) as a proper ES module with bundled types, replacing the internal posthog-js/lib/src/customizations deep import. Also fixes the TypeScript definitions so setAllPersonProfilePropertiesAsPersonPropertiesForFlags accepts the instance passed to the loaded callback (the documented usage), and the loaded callback's instance type now includes config.
    (2026-07-06)

v1.396.9

Compare Source

v1.396.8

Compare Source

1.396.8

Patch Changes
  • #​4062 2af0026 Thanks @​posthog! - fix(web): prevent an infinite-recursion stack overflow in the logs console capture. The console wrapper's own capture path can emit internal debug lines through PostHog's logger, which wrote back to the wrapped console and re-entered capture until the stack blew (RangeError: Maximum call stack size exceeded). The wrapper now exposes the original console method via __rrweb_original__ (so the internal logger bypasses it) and guards against re-entrancy from any code that logs mid-capture.
    (2026-07-06)

v1.396.7

Compare Source

v1.396.6

Compare Source

1.396.6

Patch Changes
  • #​4053 45d1b36 Thanks @​posthog! - feat(web): add a graceful shutdown() to the browser client for parity with posthog-node, so isomorphic teardown code (e.g. the Nuxt module) that calls posthog.shutdown() on the client no longer throws TypeError: shutdown is not a function. It best-effort flushes the queued events and always resolves.
    (2026-07-03)

  • #​4054 f0657eb Thanks @​posthog! - fix(web): detect our own feature-flag request timeouts via a timedOut flag instead of the abort reason, so they are logged at warn (not error) on browsers that don't propagate controller.abort(reason) — keeping benign timeouts out of error tracking's console-error capture
    (2026-07-03)

  • #​4031 94a0530 Thanks @​posthog! - Improve survey display reliability:

    • posthog-js: refresh the cached $surveys definitions after a short TTL (stale-while-revalidate) so server-side changes such as switching a survey from popover to API propagate to long-lived tabs without a page reload.
    • posthog-js: add posthog.surveys.markSurveyAsSeen(surveyId, { iteration }) so custom integrators that render surveys through their own backend can honour the "already seen" and wait-period checks.
    • posthog-react-native: guarantee the survey Modal notifies its parent on close even when iOS Modal.onDismiss fails to fire, so the transparent full-screen modal can no longer stay mounted intercepting touches and freezing the app. (2026-07-03)
  • Updated dependencies [45d1b36]:

privatenumber/tsx (tsx)

v4.23.0

Compare Source

Bug Fixes
Features

This release is also available on:

vitejs/vite (vite)

v8.1.4

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring
Tests
Build System
vitest-dev/vitest (vitest)

v4.1.10

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • "before 10am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) July 12, 2026 19:10
@socket-security

socket-security Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @angular/build is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: napi/playground/package.jsonnpm/@angular/build@22.0.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@angular/build@22.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/npm-packages branch from 57af618 to 16f2fa8 Compare July 13, 2026 00:58
@renovate renovate Bot merged commit d51a33d into main Jul 13, 2026
10 checks passed
@renovate renovate Bot deleted the renovate/npm-packages branch July 13, 2026 02:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant