chore(deps): Bump the all-minor-patch group across 1 directory with 4 updates #1436

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/npm_and_yarn/js/all-minor-patch-76233411d4

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Bumps the all-minor-patch group with 4 updates in the /js directory: happy-dom, import-in-the-middle, posthog-js and baseline-browser-mapping.

Updates happy-dom from 20.10.5 to 20.10.6

Release notes

Sourced from happy-dom's releases.

v20.10.6

👷‍♂️ Patch fixes

Commits

Updates import-in-the-middle from 3.0.2 to 3.1.0

Release notes

Sourced from import-in-the-middle's releases.

import-in-the-middle: v3.1.0

3.1.0 (2026-06-17)

Features

  • add synchronous loader hooks via module.registerHooks (#253) (dd7e550)

Changelog

Sourced from import-in-the-middle's changelog.

3.1.0 (2026-06-17)

Features

  • add synchronous loader hooks via module.registerHooks (#253) (dd7e550)

Commits

Updates posthog-js from 1.387.0 to 1.390.2

Release notes

Sourced from posthog-js's releases.

posthog-js@1.390.2

1.390.2

Patch Changes

  • #3868 a5dd54a Thanks @​pauldambra! - fix(replay): scope the session-recording flushed-size tracker to the session

    $sdk_debug_replay_flushed_size was stored as a single device-global value in persistence and only reset on an in-page session rotation, so it leaked across page loads and tabs and over-counted on returning visitors. The tracker now keys the running total to the current session id, so a new session starts from zero and a fresh load reading an ongoing session sees the correct total.

    The internal persistence key backing this counter ($sess_rec_flush_size) was also unintentionally attached to every captured event as a super-property; it is now marked hidden so it no longer ships on events. The value remains available on session-replay debug events as $sdk_debug_replay_flushed_size. (2026-06-17)

posthog-js@1.390.1

1.390.1

Patch Changes

  • #3784 e25e629 Thanks @​lucasheriques! - Surveys: event-triggered surveys are now scoped to the page load the event fired in, and only persist across a page reload once they have actually been shown.

    Previously an event armed a survey by writing it to localStorage, where it stayed until shown. Because the activation survived reloads and the URL condition was only checked at display time, a survey armed by an exit-intent event (which fires as the user is leaving or reloading) could surface on a later page load with no event behind it. Activations now live in memory until the survey is shown, so an armed-but-unshown survey no longer reappears after a reload.

    Once a survey is shown it is promoted to persistence, so a non-repeatable survey survives a reload and re-displays until the user dismisses or answers it (instead of vanishing if they reload before interacting). Repeatable surveys (schedule: 'always' or "Show every time the event is captured") are still consumed when shown, so each captured trigger shows them once. Product tours follow the same model. Cross-page deferral (arm on one full page load, display on a later one) is no longer supported via event triggers; use audience targeting for that. (2026-06-17)

posthog-js@1.390.0

1.390.0

Minor Changes

  • #3869 81b79fb Thanks @​turnipdabeets! - Add a beforeSend option to the logs config, so you can inspect, redact, or drop log records before they're sent:

    posthog.init('<token>', {
        logs: {
            beforeSend: (log) => {
                // return null to drop the log, or return the (optionally modified) log to keep it
                if (log.body.includes('password')) {
                    return null
                }
                return log
            },
        },
    })

    beforeSend accepts a single function or an array of functions (applied left to right); returning null from any of them drops the record. It runs for logs sent via both posthog.captureLog() and posthog.logger.*. (2026-06-17)

Patch Changes

  • Updated dependencies [81b79fb]:
    • @​posthog/types@​1.390.0

... (truncated)

Commits
  • f079599 chore: update versions and lockfile [version bump]
  • a5dd54a fix(replay): scope flushed-size tracker to the session (#3868)
  • 5b1a212 refactor(react-native): read payload via getFeatureFlagResult in useFeatureFl...
  • 45eeaea chore: update versions and lockfile [version bump]
  • e25e629 fix(surveys): scope event-trigger activations to the session until shown (#3784)
  • f4bc980 chore: update versions and lockfile [version bump]
  • 81b79fb feat(logs): add beforeSend to the web logs config (#3869)
  • a652700 chore: update versions and lockfile [version bump]
  • 43b4137 fix(browser): limit statusCode 0 retries (#3875)
  • d6b1ea0 chore: update versions and lockfile [version bump]
  • Additional commits viewable in compare view

Updates baseline-browser-mapping from 2.10.37 to 2.10.38

Release notes

Sourced from baseline-browser-mapping's releases.

v2.9.3 - remove process.loadEnvFile()

What's Changed

Full Changelog: web-platform-dx/baseline-browser-mapping@v2.9.2...v2.9.3

Commits
  • 37f3dae Patch to 2.10.38 because browser or feature data changed
  • c5c2841 Browser or feature data changed
  • 14903f7 Updating static site
  • See full diff in compare view

dependabot Bot added the "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code) labels Jun 18, 2026

gcko commented Jun 18, 2026

@dependabot recreate

… updates

Bumps the all-minor-patch group with 4 updates in the /js directory: [happy-dom](https://github.com/capricorn86/happy-dom), [import-in-the-middle](https://github.com/nodejs/import-in-the-middle), [posthog-js](https://github.com/PostHog/posthog-js) and [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping).


Updates `happy-dom` from 20.10.5 to 20.10.6
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v20.10.5...v20.10.6)

Updates `import-in-the-middle` from 3.0.2 to 3.1.0
- [Release notes](https://github.com/nodejs/import-in-the-middle/releases)
- [Changelog](https://github.com/nodejs/import-in-the-middle/blob/main/CHANGELOG.md)
- [Commits](nodejs/import-in-the-middle@import-in-the-middle-v3.0.2...import-in-the-middle-v3.1.0)

Updates `posthog-js` from 1.387.0 to 1.390.2
- [Release notes](https://github.com/PostHog/posthog-js/releases)
- [Changelog](https://github.com/PostHog/posthog-js/blob/main/CHANGELOG.md)
- [Commits](https://github.com/PostHog/posthog-js/compare/posthog-js@1.387.0...posthog-js@1.390.2)

Updates `baseline-browser-mapping` from 2.10.37 to 2.10.38
- [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases)
- [Commits](web-platform-dx/baseline-browser-mapping@v2.10.37...v2.10.38)

---
updated-dependencies:
- dependency-name: baseline-browser-mapping
  dependency-version: 2.10.38
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-minor-patch
- dependency-name: happy-dom
  dependency-version: 20.10.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-minor-patch
- dependency-name: import-in-the-middle
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-minor-patch
- dependency-name: posthog-js
  dependency-version: 1.390.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot changed the title from "chore(deps): Bump the all-minor-patch group in /js with 4 updates" to "chore(deps): Bump the all-minor-patch group across 1 directory with 4 updates" Jun 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js/all-minor-patch-76233411d4 branch from 03075ed to 76ff354 Compare June 18, 2026 03:01
@gcko gcko self-requested a review June 18, 2026 03:07

gcko commented Jun 18, 2026

Code Review: PR #1436

SHA 03513d3d · Verdict NO-GO

Issues

  1. js/packages/ui/package.json:163 — Raises the published @datarecce/ui posthog-js floor ^1.372.1 → ^1.390.2; this is a consumer-facing dependency and the bump narrows the compatible range with nothing in @datarecce/ui requiring it.
    Evidence: posthog-js resolves to dependencies (not dev/peer) in the package; DEPENDENCIES.md:93 — "Only raise the floor when @datarecce/ui code actually requires a feature/fix from the newer version. Consumers must satisfy these ranges." The 1.387→1.390 changes are replay flush-size, survey-trigger, and beforeSend log fixes — none consumed by this package. No CVE in range, so the security exception (DEPENDENCIES.md / PR chore(deps): consolidate Dependabot updates + missed minor/patch bumps #1402) does not apply.
    Pass F.

    Fix: revert js/packages/ui/package.json posthog-js to ^1.372.1. Keep the root js/package.json bump (^1.387.0 → ^1.390.2) and the lockfile — those are monorepo-internal and do not affect consumers.

Notes

  • Root-only updates are clean: happy-dom ^20.10.6 stays within the pnpm-workspace.yaml happy-dom: ^20.9.0 override; import-in-the-middle 3.0.2→3.1.0 (additive sync loader hooks) and baseline-browser-mapping 2.10.37→2.10.38 are dev/build deps with no consumer impact. Transitive dompurify 3.4.8→3.4.10 via posthog-js.
  • Verification: pnpm install --frozen-lockfile consistent, tsc --noEmit clean, all 8 PR CI checks green.
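
The floor check described in the review above, as an added example (not code from this repository or from the reviewer): it compares a published package's `dependencies` and `peerDependencies` between the base and head manifests and reports every range whose minimum version went up. The manifests are constructed from the ranges quoted in the review; `floorOf` and `raisedFloors` are hypothetical names, and only plain, `^`, `~` and `>=` ranges are parsed.

```javascript
// Added example: flag raised version floors in a published package's manifest.
// Assumption: only plain x.y.z, ^x.y.z, ~x.y.z and >=x.y.z ranges are parsed.

// Lowest version a simple range admits, as [major, minor, patch], or null.
function floorOf(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Compare the consumer-facing sections of two manifests (base vs. PR head).
// devDependencies are skipped: consumers never have to satisfy them.
function raisedFloors(baseManifest, headManifest) {
  const findings = [];
  for (const section of ['dependencies', 'peerDependencies']) {
    const before = baseManifest[section] || {};
    const after = headManifest[section] || {};
    for (const [name, newRange] of Object.entries(after)) {
      if (!(name in before) || before[name] === newRange) continue;
      const oldFloor = floorOf(before[name]);
      const newFloor = floorOf(newRange);
      if (!oldFloor || !newFloor) {
        // Unparsed range: surface it for manual review instead of passing it.
        findings.push({ section, name, from: before[name], to: newRange, reason: 'unparsed' });
      } else if (compareVersions(newFloor, oldFloor) > 0) {
        findings.push({ section, name, from: before[name], to: newRange, reason: 'floor-raised' });
      }
    }
  }
  return findings;
}

// Constructed manifests using the ranges quoted in the review above.
const uiBase = { name: '@datarecce/ui', dependencies: { 'posthog-js': '^1.372.1' } };
const uiHead = { name: '@datarecce/ui', dependencies: { 'posthog-js': '^1.390.2' } };

console.log(raisedFloors(uiBase, uiHead));
```

A finding is a prompt for review rather than an automatic rejection: the policy quoted in the review allows a raise when the package needs the newer version or a CVE falls in the range.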

@gcko gcko left a comment

Claude Code Review: NO-GO — published @datarecce/ui posthog-js floor bumped against DEPENDENCIES.md policy. See review comment.

gcko commented Jun 18, 2026

Consolidating into PR #1442. Closing this PR in favor of the consolidated branch.

@gcko gcko closed this Jun 18, 2026

dependabot Bot commented on behalf of github Jun 18, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/js/all-minor-patch-76233411d4 branch June 18, 2026 03:38