chore(deps): bump @opentelemetry/core and posthog-js

[dependabot]

Removes @opentelemetry/core. It's no longer used after updating ancestor dependency posthog-js. These dependencies need to be updated together.

Removes @opentelemetry/core

Updates posthog-js from 1.363.3 to 1.388.1

Release notes

Sourced from posthog-js's releases.

posthog-js@1.388.1

1.388.1

Patch Changes

• #3851 5c453cd Thanks @​marandaneto! - Apply CSP nonce preparation hooks to style and script elements appended by site apps. (2026-06-17)

posthog-js@1.388.0

1.388.0

Minor Changes

• #3863 b6bc9be Thanks @​marandaneto! - Add autocapture-only CSS selector opt-outs for web interactions. (2026-06-17)

Patch Changes

• Updated dependencies [b6bc9be]:
  • @​posthog/types@​1.388.0

posthog-js@1.387.0

1.387.0

Minor Changes

• #3709 c6c163a Thanks @​posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call. (2026-06-16)

Patch Changes

• #3756 b3ec845 Thanks @​archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401. (2026-06-16)

• #3860 c9c7df1 Thanks @​marandaneto! - Add $unset to capture options and pass it through in browser capture payloads. (2026-06-16)

• #3855 fadaa4f Thanks @​haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged. (2026-06-16)

• #3830 0d837f5 Thanks @​dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present. (2026-06-16)

• #3853 f95a0ec Thanks @​TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.

  Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)

• Updated dependencies [b3ec845, c9c7df1, c6c163a]:

  • @​posthog/core@​1.33.0
  • @​posthog/types@​1.387.0

... (truncated)

Commits

• 21d62a3 chore: update versions and lockfile [version bump]
• 5c453cd fix(browser): apply CSP nonce hooks to site apps (#3851)
• 78f3c5f chore: update versions and lockfile [version bump]
• b6bc9be feat: add autocapture css selector ignorelist (#3863)
• f495510 chore: update versions and lockfile [version bump]
• bd07ec4 feat(flags): add disableRemoteFeatureFlags option and runtime updateFlags (#3...
• 9334420 test(logs): golden tests pinning current console-capture wire output (#3866)
• f13226a chore: add AI contribution policy (#3852)
• 4ff3bb3 chore: update versions and lockfile [version bump]
• a0553b3 feat(node): add person property helpers (#3845)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	posthog-js@​1.363.3 ⏵ 1.388.1			-27	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/posthog-js@1.388.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.388.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm posthog-js is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/posthog-js@1.388.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/posthog-js@1.388.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report