chore(deps): bump @opentelemetry/core and posthog-js

[dependabot]

Removes @opentelemetry/core. It's no longer used after updating ancestor dependency posthog-js. These dependencies need to be updated together.

Removes @opentelemetry/core

Updates posthog-js from 1.372.9 to 1.388.1

Release notes

Sourced from posthog-js's releases.

posthog-js@1.388.1

1.388.1

Patch Changes

• #3851 5c453cd Thanks @​marandaneto! - Apply CSP nonce preparation hooks to style and script elements appended by site apps. (2026-06-17)

posthog-js@1.388.0

1.388.0

Minor Changes

• #3863 b6bc9be Thanks @​marandaneto! - Add autocapture-only CSS selector opt-outs for web interactions. (2026-06-17)

Patch Changes

• Updated dependencies [b6bc9be]:
  • @​posthog/types@​1.388.0

posthog-js@1.387.0

1.387.0

Minor Changes

• #3709 c6c163a Thanks @​posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call. (2026-06-16)

Patch Changes

• #3756 b3ec845 Thanks @​archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401. (2026-06-16)

• #3860 c9c7df1 Thanks @​marandaneto! - Add $unset to capture options and pass it through in browser capture payloads. (2026-06-16)

• #3855 fadaa4f Thanks @​haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged. (2026-06-16)

• #3830 0d837f5 Thanks @​dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present. (2026-06-16)

• #3853 f95a0ec Thanks @​TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.

  Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)

• Updated dependencies [b3ec845, c9c7df1, c6c163a]:

  • @​posthog/core@​1.33.0
  • @​posthog/types@​1.387.0

... (truncated)

Commits

• 21d62a3 chore: update versions and lockfile [version bump]
• 5c453cd fix(browser): apply CSP nonce hooks to site apps (#3851)
• 78f3c5f chore: update versions and lockfile [version bump]
• b6bc9be feat: add autocapture css selector ignorelist (#3863)
• f495510 chore: update versions and lockfile [version bump]
• bd07ec4 feat(flags): add disableRemoteFeatureFlags option and runtime updateFlags (#3...
• 9334420 test(logs): golden tests pinning current console-capture wire output (#3866)
• f13226a chore: add AI contribution policy (#3852)
• 4ff3bb3 chore: update versions and lockfile [version bump]
• a0553b3 feat(node): add person property helpers (#3845)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

package-lock.json

Package	Version	License	Issue Type
@posthog/core	1.34.0	Null	Unknown License
@posthog/types	1.388.0	Null	Unknown License
posthog-js	1.388.1	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/protobufjs	7.5.6	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@opentelemetry/core	2.2.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/core	2.7.1	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@posthog/core	1.34.0	Unknown	Unknown
npm/@posthog/types	1.388.0	Unknown	Unknown
npm/posthog-js	1.388.1	Unknown	Unknown
npm/@opentelemetry/api	1.9.1	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/api-logs	0.208.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/exporter-logs-otlp-http	0.208.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/otlp-exporter-base	0.208.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/otlp-transformer	0.208.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/resources	2.2.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/resources	2.7.1	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-logs	0.208.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-metrics	2.2.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/sdk-trace-base	2.2.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@opentelemetry/semantic-conventions	1.40.0	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 38 existing vulnerabilities detected CI-Tests 🟢 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 40 contributing companies or organizations
npm/@posthog/core	1.28.3	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 6 Found 20/29 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Binary-Artifacts 🟢 7 binaries present in source code Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/@posthog/types	1.372.9	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 6 Found 20/29 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Binary-Artifacts 🟢 7 binaries present in source code Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/@protobufjs/aspromise	1.1.2	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/base64	1.1.2	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/codegen	2.0.5	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/eventemitter	1.1.0	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/fetch	1.1.0	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/float	1.0.2	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/inquire	1.1.1	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/path	1.1.2	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/pool	1.1.0	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@protobufjs/utf8	1.1.1	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 9 Found 21/23 approved changesets -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 9 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@types/node	25.6.0	🟢 6.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 25/28 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed
npm/long	5.3.2	🟢 4	Details Check Score Reason Code-Review 🟢 3 GitHub code reviews found for 11 commits out of the last 30 -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches
npm/posthog-js	1.372.9	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 6 Found 20/29 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Binary-Artifacts 🟢 7 binaries present in source code Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/undici-types	7.19.2	🟢 7.7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 6 Found 17/27 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 8 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found SAST 🟢 9 SAST tool detected but not run on all commits License 🟢 10 license file detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected CI-Tests 🟢 10 22 out of 22 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 75 contributing companies or organizations

Scanned Manifest Files

package-lock.json

• protobufjs@7.5.6
• @opentelemetry/core@2.2.0
• @opentelemetry/core@2.7.1
• @posthog/core@1.34.0
• @posthog/types@1.388.0
• @types/node@25.6.0
• posthog-js@1.388.1
• undici-types@7.19.2
• @opentelemetry/api@1.9.1
• @opentelemetry/api-logs@0.208.0
• @opentelemetry/exporter-logs-otlp-http@0.208.0
• @opentelemetry/otlp-exporter-base@0.208.0
• @opentelemetry/otlp-transformer@0.208.0
• @opentelemetry/resources@2.2.0
• @opentelemetry/resources@2.7.1
• @opentelemetry/sdk-logs@0.208.0
• @opentelemetry/sdk-metrics@2.2.0
• @opentelemetry/sdk-trace-base@2.2.0
• @opentelemetry/semantic-conventions@1.40.0
• @posthog/core@1.28.3
• @posthog/types@1.372.9
• @protobufjs/aspromise@1.1.2
• @protobufjs/base64@1.1.2
• @protobufjs/codegen@2.0.5
• @protobufjs/eventemitter@1.1.0
• @protobufjs/fetch@1.1.0
• @protobufjs/float@1.0.2
• @protobufjs/inquire@1.1.1
• @protobufjs/path@1.1.2
• @protobufjs/pool@1.1.0
• @protobufjs/utf8@1.1.1
• @types/node@25.6.0
• long@5.3.2
• posthog-js@1.372.9
• undici-types@7.19.2