build(deps): bump posthog-js from 1.387.0 to 1.390.2

[dependabot]

Bumps posthog-js from 1.387.0 to 1.390.2.

Release notes

Sourced from posthog-js's releases.

[email protected]

1.390.2

Patch Changes

• #3868 a5dd54a Thanks @​pauldambra! - fix(replay): scope the session-recording flushed-size tracker to the session

  $sdk_debug_replay_flushed_size was stored as a single device-global value in persistence and only reset on an in-page session rotation, so it leaked across page loads and tabs and over-counted on returning visitors. The tracker now keys the running total to the current session id, so a new session starts from zero and a fresh load reading an ongoing session sees the correct total.

  The internal persistence key backing this counter ($sess_rec_flush_size) was also unintentionally attached to every captured event as a super-property; it is now marked hidden so it no longer ships on events. The value remains available on session-replay debug events as $sdk_debug_replay_flushed_size. (2026-06-17)

[email protected]

1.390.1

Patch Changes

• #3784 e25e629 Thanks @​lucasheriques! - Surveys: event-triggered surveys are now scoped to the page load the event fired in, and only persist across a page reload once they have actually been shown.

  Previously an event armed a survey by writing it to localStorage, where it stayed until shown. Because the activation survived reloads and the URL condition was only checked at display time, a survey armed by an exit-intent event (which fires as the user is leaving or reloading) could surface on a later page load with no event behind it. Activations now live in memory until the survey is shown, so an armed-but-unshown survey no longer reappears after a reload.

  Once a survey is shown it is promoted to persistence, so a non-repeatable survey survives a reload and re-displays until the user dismisses or answers it (instead of vanishing if they reload before interacting). Repeatable surveys (schedule: 'always' or "Show every time the event is captured") are still consumed when shown, so each captured trigger shows them once. Product tours follow the same model. Cross-page deferral (arm on one full page load, display on a later one) is no longer supported via event triggers; use audience targeting for that. (2026-06-17)

[email protected]

1.390.0

Minor Changes

• #3869 81b79fb Thanks @​turnipdabeets! - Add a beforeSend option to the logs config, so you can inspect, redact, or drop log records before they're sent:

  posthog.init('<token>', {
      logs: {
          beforeSend: (log) => {
              // return null to drop the log, or return the (optionally modified) log to keep it
              if (log.body.includes('password')) {
                  return null
              }
              return log
          },
      },
  })

  beforeSend accepts a single function or an array of functions (applied left to right); returning null from any of them drops the record. It runs for logs sent via both posthog.captureLog() and posthog.logger.*. (2026-06-17)

Patch Changes

• Updated dependencies [81b79fb]:
  • @​posthog/types@​1.390.0

... (truncated)

Commits

• f079599 chore: update versions and lockfile [version bump]
• a5dd54a fix(replay): scope flushed-size tracker to the session (#3868)
• 5b1a212 refactor(react-native): read payload via getFeatureFlagResult in useFeatureFl...
• 45eeaea chore: update versions and lockfile [version bump]
• e25e629 fix(surveys): scope event-trigger activations to the session until shown (#3784)
• f4bc980 chore: update versions and lockfile [version bump]
• 81b79fb feat(logs): add beforeSend to the web logs config (#3869)
• a652700 chore: update versions and lockfile [version bump]
• 43b4137 fix(browser): limit statusCode 0 retries (#3875)
• d6b1ea0 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)