chore(deps): bump @opentelemetry/core, @sentry/nextjs and posthog-js

[dependabot]

Bumps @opentelemetry/core to 2.8.0 and updates ancestor dependencies @opentelemetry/core, @sentry/nextjs and posthog-js. These dependencies need to be updated together.

Updates @opentelemetry/core from 2.7.1 to 2.8.0

Release notes

Sourced from @​opentelemetry/core's releases.

v2.8.0

2.8.0

🚀 Features

• feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
• feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
• feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

• fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

Changelog

Sourced from @​opentelemetry/core's changelog.

2.8.0

🚀 Features

• feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
• feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
• feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

• fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

Commits

• 13a035b chore: prepare next release (#6756)
• 4b13587 Merge commit from fork
• 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
• 555fca6 Update renovate.json to use matchManagers (#6141)
• b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
• da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
• 002267b chore: complete the move to the smaller SPDX license header (#6791)
• 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
• 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
• bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
• Additional commits viewable in compare view

Updates @sentry/nextjs from 10.51.0 to 10.58.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.58.0

Important Changes

• feat(hono): Add support for the Deno runtime (#21450)

  @sentry/hono now supports the Deno runtime via a new @sentry/hono/deno entry point. Install @sentry/deno as a peer dependency and initialize Sentry through the sentry() middleware:

  import { Hono } from 'hono';
  import { sentry } from '@sentry/hono/deno';
  const app = new Hono();
  app.use(
  sentry(app, {
  dsn: 'DSN', // or Deno.env.get('SENTRY_DSN')
  tracesSampleRate: 1.0,
  }),
  );
  Deno.serve(app.fetch);

• feat(core): Extract objects as structured logs in consoleLoggingIntegration (#21385)

  The consoleLoggingIntegration now extracts structured log attributes when the first argument is a plain object.

  // Object keys become log attributes
  console.log({ userId: 123, action: 'login' }, 'User logged in');
  // → attributes: { userId: 123, action: "login" }
  // Non-object first args use template + parameters (unchanged)
  console.log('Hello', 'world', 123);
  // → sentry.message.template: "Hello {} {}"

• feat(react-router): Stabilize the instrumentation API (#21470)

  React Router's instrumentation API is now stable — the @experimental markers have been removed from createSentryServerInstrumentation, createSentryClientInstrumentation, and the related helpers and types. The manual server wrappers wrapServerLoader and wrapServerAction are now deprecated in favor of it. Export instrumentations = [Sentry.createSentryServerInstrumentation()] from your entry.server.tsx to instrument all loaders and actions without wrapping them individually.

Other Changes

• feat(hono): Add HTTP connection info to server spans (#21408)
• feat(node-core): Attach log message and fields to pino error events (#21422)
• feat(react-router): Always build client instrumentation and deprecate useInstrumentationAPI (#21432)
• feat(react-router): Rename client navigation roots from the route pattern (#21463)
• fix(astro): Resolve middleware export types (#21414)

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.58.0

Important Changes

• feat(hono): Add support for the Deno runtime (#21450)

  @sentry/hono now supports the Deno runtime via a new @sentry/hono/deno entry point. Install @sentry/deno as a peer dependency and initialize Sentry through the sentry() middleware:

  import { Hono } from 'hono';
  import { sentry } from '@sentry/hono/deno';
  const app = new Hono();
  app.use(
  sentry(app, {
  dsn: 'DSN', // or Deno.env.get('SENTRY_DSN')
  tracesSampleRate: 1.0,
  }),
  );
  Deno.serve(app.fetch);

• feat(core): Extract objects as structured logs in consoleLoggingIntegration (#21385)

  The consoleLoggingIntegration now extracts structured log attributes when the first argument is a plain object.

  // Object keys become log attributes
  console.log({ userId: 123, action: 'login' }, 'User logged in');
  // → attributes: { userId: 123, action: "login" }
  // Non-object first args use template + parameters (unchanged)
  console.log('Hello', 'world', 123);
  // → sentry.message.template: "Hello {} {}"

• feat(react-router): Stabilize the instrumentation API (#21470)

  React Router's instrumentation API is now stable — the @experimental markers have been removed from createSentryServerInstrumentation, createSentryClientInstrumentation, and the related helpers and types. The manual server wrappers wrapServerLoader and wrapServerAction are now deprecated in favor of it. Export instrumentations = [Sentry.createSentryServerInstrumentation()] from your entry.server.tsx to instrument all loaders and actions without wrapping them individually.

Other Changes

• feat(hono): Add HTTP connection info to server spans (#21408)
• feat(node-core): Attach log message and fields to pino error events (#21422)
• feat(react-router): Always build client instrumentation and deprecate useInstrumentationAPI (#21432)
• feat(react-router): Rename client navigation roots from the route pattern (#21463)

... (truncated)

Commits

• 29a6f45 release: 10.58.0
• 7fa42c9 Merge pull request #21530 from getsentry/prepare-release/10.58.0
• 0486221 meta(changelog): Update changelog for 10.58.0
• 66b04b6 chore(deps): Bump nx to 22.7.5 (#21527)
• d8dcc45 ref(node): Migrate vendored generic-pool instrumentation to Sentry APIs (#21523)
• b35c4de test(node): Replace lru-memoizer fake unit test with integration coverage (#2...
• 0d3f1b1 fix(nextjs): Mark redirect server actions as ok instead of internal_error...
• 1bf2bad ref(node): Streamline dataloader instrumentation (#21475)
• 0a6e864 test: Skip nuxt-5 E2E test (#21524)
• 73024d4 test(astro): Add Astro 7 e2e app (#21471)
• Additional commits viewable in compare view

Updates posthog-js from 1.331.1 to 1.388.1

Release notes

Sourced from posthog-js's releases.

posthog-js@1.388.1

1.388.1

Patch Changes

• #3851 5c453cd Thanks @​marandaneto! - Apply CSP nonce preparation hooks to style and script elements appended by site apps. (2026-06-17)

posthog-js@1.388.0

1.388.0

Minor Changes

• #3863 b6bc9be Thanks @​marandaneto! - Add autocapture-only CSS selector opt-outs for web interactions. (2026-06-17)

Patch Changes

• Updated dependencies [b6bc9be]:
  • @​posthog/types@​1.388.0

posthog-js@1.387.0

1.387.0

Minor Changes

• #3709 c6c163a Thanks @​posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call. (2026-06-16)

Patch Changes

• #3756 b3ec845 Thanks @​archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401. (2026-06-16)

• #3860 c9c7df1 Thanks @​marandaneto! - Add $unset to capture options and pass it through in browser capture payloads. (2026-06-16)

• #3855 fadaa4f Thanks @​haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged. (2026-06-16)

• #3830 0d837f5 Thanks @​dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present. (2026-06-16)

• #3853 f95a0ec Thanks @​TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.

  Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)

• Updated dependencies [b3ec845, c9c7df1, c6c163a]:

  • @​posthog/core@​1.33.0
  • @​posthog/types@​1.387.0

... (truncated)

Commits

• 21d62a3 chore: update versions and lockfile [version bump]
• 5c453cd fix(browser): apply CSP nonce hooks to site apps (#3851)
• 78f3c5f chore: update versions and lockfile [version bump]
• b6bc9be feat: add autocapture css selector ignorelist (#3863)
• f495510 chore: update versions and lockfile [version bump]
• bd07ec4 feat(flags): add disableRemoteFeatureFlags option and runtime updateFlags (#3...
• 9334420 test(logs): golden tests pinning current console-capture wire output (#3866)
• f13226a chore: add AI contribution policy (#3852)
• 4ff3bb3 chore: update versions and lockfile [version bump]
• a0553b3 feat(node): add person property helpers (#3845)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.