posthog-js
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in Proxy trap handlers for rrweb session recording — standard pattern, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@opentelemetry/api | AI (phantom-deps): Peer/transitive dep used by other @opentelemetry packages in the bundle. | ai | |
| source-diff | obfuscated-file:dist/rrweb.js | AI (source-diff): Minified dist bundle of rrweb session recording lib; standard for this package. | ai | |
| source-diff | obfuscated-file:dist/rrweb-plugin-console-record.js | AI (source-diff): Minified dist bundle of rrweb console-record plugin; standard for this package. | ai | |
| source-diff | obfuscated-file:dist/logs.js | AI (source-diff): Standard minified OpenTelemetry SDK logging code. Recognizable OTEL patterns, no malicious indicators. | ai | |
| provenance | publisher-changed | AI (provenance): posthog-js publishes via GitHub Actions CI/CD with SLSA provenance attestation. The move from personal account to automated CI is a security improvement, not a risk signal. | ai | |
| source-diff | obfuscated-file:dist/conversations.js | AI (source-diff): Standard minified Preact/JS build artifact for posthog-js dist/ folder. Code patterns are recognizable framework code, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/element-inference.js | AI (source-diff): Standard minified CSS selector utility code. Recognizable parsing patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:lib/src/extensions/surveys/icons.js | AI (source-diff): Minified SVG icon definitions using Preact JSX runtime. Clearly benign build output. | ai | |
| source-diff | obfuscated-file:dist/product-tours-preview.js | AI (source-diff): Standard minified Preact component code for product tours feature. Recognizable VDOM patterns, no malicious indicators. | ai | |
| source-diff | obfuscated-file:dist/product-tours.js | AI (source-diff): Standard minified Preact component code for product tours feature. Recognizable VDOM patterns, no malicious indicators. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): posthog-js publishes ~every 2 days (1135 versions over 2257 days). Dormancy is relative to last approved version in this pipeline, not actual package inactivity. | ai | |
| source-diff | encoded-string-file:dist/lazy-recorder.js | AI (source-diff): Minified session-recording bundle; long strings are embedded assets (CSS/SVG). Same pattern already accepted in sibling dist files. No malicious indicators. | ai | |
| source-diff | encoded-string-file:dist/module.full.no-external.js | AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files. | ai | |
| source-diff | encoded-string-file:dist/recorder-v2.js | AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files. | ai | |
| source-diff | encoded-string-file:dist/recorder.js | AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files. | ai | |
| source-diff | encoded-string-file:dist/module.full.js | AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files. | ai | |
| source-diff | encoded-string-file:dist/array.full.no-external.js | AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads. | ai | |
| source-diff | large-new-source-files | AI (source-diff): posthog-js regularly adds new bundle variants; 49 new files reflects new extension/slim module additions, not injected code. | ai | |
| source-diff | obfuscated-file:dist/default-extensions.js | AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware. | ai | |
| source-diff | encoded-string-file:dist/all-external-dependencies.js | AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads. | ai | |
| source-diff | obfuscated-file:dist/module.slim.no-external.js | AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/module.slim.js | AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/extension-bundles.js | AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware. | ai | |
| source-diff | encoded-string-file:dist/array.full.js | AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads. | ai | |
Versions (showing 100 of 324)
| Version | Deps | Published |
|---|---|---|
| 1.268.7 | 5 / 66 | |
| 1.268.6 | 5 / 66 | |
| 1.268.5 | 5 / 66 | |
| 1.268.4 | 5 / 66 | |
| 1.268.3 | 5 / 66 | |
| 1.268.2 | 5 / 66 | |
| 1.268.1 | 5 / 66 | |
| 1.268.0 | 5 / 66 | |
| 1.267.0 | 5 / 66 | |
| 1.266.3 | 5 / 66 | |
| 1.266.2 | 5 / 66 | |
| 1.266.1 | 5 / 66 | |
| 1.266.0 | 5 / 66 | |
| 1.265.1 | 5 / 66 | |
| 1.265.0 | 5 / 66 | |
| 1.264.2 | 5 / 66 | |
| 1.264.1 | 5 / 66 | |
| 1.264.0 | 5 / 66 | |
| 1.263.0 | 5 / 66 | |
| 1.262.1 | 5 / 66 | |
| 1.262.0 | 5 / 66 | |
| 1.261.8 | 5 / 66 | |
| 1.261.7 | 5 / 66 | |
| 1.261.6 | 5 / 66 | |
| 1.261.5 | 5 / 66 | |
| 1.261.4 | 5 / 66 | |
| 1.261.3 | 5 / 66 | |
| 1.261.2 | 5 / 66 | |
| 1.261.1 | 5 / 66 | |
| 1.261.0 | 5 / 69 | |
| 1.260.3 | 5 / 69 | |
| 1.260.2 | 4 / 69 | |
| 1.260.1 | 4 / 69 | |
| 1.260.0 | 4 / 69 | |
| 1.259.0 | 4 / 70 | |
| 1.258.6 | 4 / 70 | |
| 1.258.5 | 4 / 70 | |
| 1.258.4 | 4 / 70 | |
| 1.258.3 | 4 / 70 | |
| 1.258.2 | 4 / 70 | |
| 1.258.1 | 4 / 70 | |
| 1.258.0 | 4 / 70 | |
| 1.257.2 | 4 / 69 | |
| 1.257.1 | 4 / 69 | |
| 1.257.0 | 4 / 67 | |
| 1.256.2 | 4 / 67 | |
| 1.256.1 | 4 / 64 | |
| 1.256.0 | 4 / 64 | |
| 1.255.3 | 4 / 64 | |
| 1.255.2 | 4 / 64 | |
| 1.255.1 | 4 / 64 | |
| 1.255.0 | 4 / 64 | |
| 1.254.0 | 4 / 64 | |
| 1.253.4 | 4 / 64 | |
| 1.253.3 | 4 / 64 | |
| 1.253.2 | 4 / 64 | |
| 1.253.1 | 4 / 64 | |
| 1.252.1 | 4 / 77 | |
| 1.252.0 | 4 / 77 | |
| 1.251.1 | 4 / 77 | |
| 1.251.0 | 4 / 77 | |
| 1.250.2 | 4 / 77 | |
| 1.250.1 | 4 / 77 | |
| 1.250.0 | 4 / 77 | |
| 1.249.5 | 4 / 77 | |
| 1.249.4 | 4 / 77 | |
| 1.249.3 | 4 / 77 | |
| 1.249.2 | 4 / 77 | |
| 1.249.1 | 4 / 77 | |
| 1.249.0 | 4 / 77 | |
| 1.248.1 | 4 / 77 | |
| 1.248.0 | 4 / 77 | |
| 1.247.0 | 4 / 77 | |
| 1.246.0 | 4 / 77 | |
| 1.245.2 | 4 / 77 | |
| 1.245.1 | 4 / 77 | |
| 1.245.0 | 4 / 77 | |
| 1.244.0 | 4 / 77 | |
| 1.243.1 | 4 / 77 | |
| 1.242.3 | 4 / 77 | |
| 1.242.2 | 4 / 77 | |
| 1.242.1 | 4 / 77 | |
| 1.242.0 | 4 / 77 | |
| 1.241.1 | 4 / 77 | |
| 1.241.0 | 4 / 77 | |
| 1.240.6 | 4 / 77 | |
| 1.240.5 | 4 / 77 | |
| 1.240.4 | 4 / 71 | |
| 1.240.3 | 4 / 71 | |
| 1.240.2 | 4 / 71 | |
| 1.240.1 | 4 / 71 | |
| 1.240.0 | 4 / 71 | |
| 1.239.1 | 4 / 71 | |
| 1.239.0 | 4 / 71 | |
| 1.238.0 | 4 / 71 | |
| 1.237.1 | 4 / 71 | |
| 1.237.0 | 4 / 71 | |
| 1.236.8 | 4 / 71 | |
| 1.236.7 | 4 / 71 | |
| 1.236.6 | 4 / 71 | |
v1.268.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.262.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.261.8
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.261.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.261.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.258.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.253.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.252.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.249.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.244.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.240.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.