chore: upgrade posthog from 2.4.0 to 2.5.0

[T0ha]

Summary

• Bumps posthog dependency constraint from ~> 2.0 (locked at 2.4.0) to ~> 2.5.0 (resolves to 2.5.0)
• Versions 2.6.0 through 2.10.0 all have a compilation bug: NimbleOptions.new!() produces a #Reference value that Elixir cannot escape into BEAM bytecode when the schema is used as a module attribute inside a function. This causes an ArgumentError in lib/posthog/config.ex at compile time.
• 2.5.0 is the highest release without this regression.

Test plan

• mix compile — no warnings introduced
• mix dialyzer — 0 errors
• mix format --check-formatted — clean
• mix test — requires PostgreSQL (not available in CI sandbox); no call-site changes were made

🤖 Generated with Claude Code

[claude]

Code Review

Overview

This PR bumps the posthog dependency from ~> 2.0 (locked at 2.4.0) to ~> 2.5.0 to avoid a known compile-time regression in 2.6.0–2.10.0 where NimbleOptions.new!() produces a #Reference value that Elixir cannot escape into BEAM bytecode as a module attribute.

---

What's Good

• Clear rationale: The PR description explains exactly why 2.5.0 was chosen and why newer versions are skipped. This context would otherwise be lost.
• Tight version pin: Switching from ~> 2.0 to ~> 2.5.0 (resolves to >= 2.5.0 and < 2.6.0) protects against accidentally pulling in the broken 2.6.0+ releases.
• Verification steps completed: mix compile, mix dialyzer, and mix format were all confirmed clean.

---

Concerns and Suggestions

1. Collateral transitive dependency upgrades (medium risk)

The lock file includes upgrades beyond posthog that weren't explicitly requested:

Package	Old	New
mint	1.7.1	1.9.0
telemetry	1.3.0	1.4.2
ecto	3.13.5	3.13.6
finch	0.21.0	0.22.0
req	0.5.17	0.5.18
castore	1.0.17	1.0.19
decimal	2.3.0	2.4.1
jason	1.4.4	1.4.5
plug	1.19.1	1.19.2

The mint bump (1.7.1 → 1.9.0) is the most notable — two minor versions in one go. All are patch/minor and likely safe, but consider using mix deps.update posthog (rather than a broader update) to limit scope, or at minimum confirm these were deliberately included.

2. Tests not run

The PR notes mix test was skipped due to no PostgreSQL in CI. For a dependency-only change with no call-site changes this is understandable, but confirm the test suite passes against a real DB before merge.

3. Version pin will need manual attention later

~> 2.5.0 permanently caps posthog at < 2.6.0. When the upstream bug is eventually fixed, this constraint will silently prevent pulling in the fix. Consider adding a comment in mix.exs:

# Pinned to 2.5.0: versions 2.6.0–2.10.0 have a NimbleOptions compile-time
# regression (Reference escape into BEAM bytecode). Re-evaluate on next release.
{:posthog, "~> 2.5.0"},

4. No upstream issue link

The PR describes a specific upstream bug but doesn't link to the posthog issue tracker or hex changelog entry. Adding a link would help future maintainers know when it's safe to loosen the constraint.

---

Summary

The change is correct and well-motivated. Minor suggestions:

1. Confirm the transitive dep bumps in mix.lock are intentional (especially mint 1.7.1 → 1.9.0).
2. Add a brief comment in mix.exs explaining the pin with a link to the upstream bug.
3. Verify mix test passes against a real DB before or right after merge.

The core change is sound. Approved with nits.

[T0ha]

What should we do to upgrade to 2.10? Maybe upgrade Erlang and Elixir?