[Snyk] Upgrade posthog-js from 1.262.0 to 1.281.0

[sestinj]

Snyk has created this PR to upgrade posthog-js from 1.262.0 to 1.281.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 49 versions ahead of your current version.

• The recommended version was released 23 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-DAGRED3ES-13110069	636	Proof of Concept

Release notes

Package name: posthog-js

• 1.281.0 - 2025-10-27
• 1.280.1 - 2025-10-23
• 1.280.0 - 2025-10-23
• 1.279.3 - 2025-10-22
• 1.279.2 - 2025-10-22
• 1.279.1 - 2025-10-21
• 1.279.0 - 2025-10-21
• 1.278.0 - 2025-10-21
• 1.277.0 - 2025-10-20
• 1.276.0 - 2025-10-16
• 1.275.3 - 2025-10-14
• 1.275.2 - 2025-10-14
• 1.275.1 - 2025-10-10
• 1.275.0 - 2025-10-10
• 1.274.3 - 2025-10-10
• 1.274.2 - 2025-10-10
• 1.274.1 - 2025-10-09
• 1.274.0 - 2025-10-09
• 1.273.1 - 2025-10-08
• 1.273.0 - 2025-10-07
• 1.272.1 - 2025-10-07
• 1.272.0 - 2025-10-06
• 1.271.0 - 2025-10-06
• 1.270.1 - 2025-10-03
• 1.270.0 - 2025-10-03
• 1.269.1 - 2025-10-02
• 1.269.0 - 2025-10-02
• 1.268.9 - 2025-09-30
• 1.268.8 - 2025-09-29
• 1.268.7 - 2025-09-29
• 1.268.6 - 2025-09-26
• 1.268.5 - 2025-09-25
• 1.268.4 - 2025-09-24
• 1.268.3 - 2025-09-24
• 1.268.2 - 2025-09-24
• 1.268.1 - 2025-09-23
• 1.268.0 - 2025-09-22
• 1.267.0 - 2025-09-22
• 1.266.3 - 2025-09-20
• 1.266.2 - 2025-09-19
• 1.266.1 - 2025-09-19
• 1.266.0 - 2025-09-14
• 1.265.1 - 2025-09-13
• 1.265.0 - 2025-09-12
• 1.264.2 - 2025-09-11
• 1.264.1 - 2025-09-11
• 1.264.0 - 2025-09-11
• 1.263.0 - 2025-09-11
• 1.262.1 - 2025-09-11
• 1.262.0 - 2025-09-09

from posthog-js GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

---

Summary by cubic

Upgrade posthog-js to ^1.281.0 to keep the analytics SDK current and address a Snyk-reported vulnerability. No app code changes.

• Dependencies

  • Bumped posthog-js in gui/package.json from ^1.130.1 to ^1.281.0; lockfile resolves to 1.297.0 and updates @posthog/core to 1.5.3.
  • Includes security fixes, covering the prototype pollution advisory (SNYK-JS-DAGRED3ES-13110069).

• Migration

  • Reinstall deps to update the lockfile.
  • Smoke test analytics: initialization, event capture, identify calls, and feature flags.

^{Written for commit 9e85f41. Summary will update automatically on new commits.}

[github-actions]

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

• feat: add changelog generation support
• fix: resolve login redirect issue
• docs: update README with new instructions
• chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

• 📝 Automatic changelog generation
• 🚀 Automated semantic versioning
• 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

[github-actions]

✅ Review Complete

Code Review Summary

⚠️ Continue configuration error. Please verify that the assistant exists in Continue Hub.

---

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="gui/package.json">

<violation number="1" location="gui/package.json:55">
posthog-js was bumped to ^1.281.0 here, but gui/package-lock.json still locks ^1.130.1/1.262.0, so npm ci will fail and the vulnerable version keeps being installed. Regenerate the lockfile after upgrading so the new version is actually resolved.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

posthog-js was bumped to ^1.281.0 here, but gui/package-lock.json still locks ^1.130.1/1.262.0, so npm ci will fail and the vulnerable version keeps being installed. Regenerate the lockfile after upgrading so the new version is actually resolved.

Prompt for AI agents

Address the following comment on gui/package.json at line 55:

<comment>posthog-js was bumped to ^1.281.0 here, but gui/package-lock.json still locks ^1.130.1/1.262.0, so npm ci will fail and the vulnerable version keeps being installed. Regenerate the lockfile after upgrading so the new version is actually resolved.</comment>

<file context>
@@ -52,7 +52,7 @@
     &quot;minisearch&quot;: &quot;^7.0.2&quot;,
     &quot;mustache&quot;: &quot;^4.2.0&quot;,
-    &quot;posthog-js&quot;: &quot;^1.130.1&quot;,
+    &quot;posthog-js&quot;: &quot;^1.281.0&quot;,
     &quot;react&quot;: &quot;^18.2.0&quot;,
     &quot;react-dom&quot;: &quot;^18.2.0&quot;,
</file context>