chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/youtube (source)	^0.1.0 → ^0.1.2			peerDependencies	patch
@unhead/vue (source)	^2.0.3 → ^2.1.13			peerDependencies	minor
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/stale	v10.0.0 → v10.2.0			action	minor
posthog-js (source)	^1.0.0 → ^1.367.0			peerDependencies	minor

---

Release Notes

unjs/unhead (@​unhead/vue)

v2.1.13

Compare Source

   🐞 Bug Fixes

• schema-org: Normalize target to array before merging potentialAction  -  by @​harlan-zw and Claude Opus 4.6 (1M context) in #​709 (22ac9)

    View changes on GitHub

v2.1.12

Compare Source

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

Compare Source

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

Compare Source

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in #​671 (64e17)

    View changes on GitHub

v2.1.9

Compare Source

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes

• schema-org: Avoid crashing from 3+ duplicate nodes  -  by @​harlan-zw (4baf9)

    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes

• unhead:
  • deduplicate matching tags inside same render cycle  -  by @​harlan-zw in #​668 (5c0b2)

    View changes on GitHub

v2.1.6

Compare Source

   🐞 Bug Fixes

• react: Ssr regression  -  by @​harlan-zw (6adff)

    View changes on GitHub

v2.1.5

Compare Source

   🐞 Bug Fixes

• react: Dispose head entries on unmount in React 18 StrictMode  -  by @​harlan-zw in #​664 (50ffe)
• scripts: Prevent scope disposal from aborting unrelated trigger in useScript  -  by @​cernymatej in #​660 (e8f5b)
• unhead: Dedupe link rel without hreflang or type  -  by @​danielroe in #​658 (1487d)

    View changes on GitHub

v2.1.4

Compare Source

   🐞 Bug Fixes

• schema-org: Remove unimplemented SchemaOrgDebug  -  by @​onmax in #​649 (642dc)
• unhead: Dedupe <link rel="alternate"> by hreflang/type only, drop href from key  -  by @​harlan-zw in #​656 (86175)

    View changes on GitHub

v2.1.3

Compare Source

   🐞 Bug Fixes

• unhead:
  • Dedupe <link rel="alternate">  -  by @​danielroe and onmax in #​655 (fdabe)
• vue:
  • Support computed getter trigger  -  by @​harlan-zw in #​638 (fd63a)
  • Guard s._statusRef  -  by @​danielroe in #​642 (4ef03)

   🏎 Performance

• vue: Avoid duplicating error message in the bundle  -  by @​panstromek in #​652 (194e5)

    View changes on GitHub

v2.1.2

Compare Source

   🐞 Bug Fixes

• Broken cjs environment  -  by @​harlan-zw (ce989)

    View changes on GitHub

v2.1.1

Compare Source

No significant changes

    View changes on GitHub

v2.1.0

Compare Source

   🚀 Features

• schema-org: 12 new nodes  -  by @​harlan-zw in #​612 (1a9b8)

   🐞 Bug Fixes

• react:
  • Recursive function resolves broken  -  by @​harlan-zw (4e0c7)
• schema-org:
  • Correct month off-by-one  -  by @​harlan-zw in #​603 (a3e70)
  • Missing schema.org properties  -  by @​harlan-zw in #​614 (54e05)
• unhead:
  • Enforce boolean string meta contents  -  by @​kfreezen in #​594 (0b8e7)
  • Capo module scripts ordering  -  by @​Barbapapazes in #​600 (3c661)
  • Capo inline scripts ordering  -  by @​Barbapapazes in #​596 (7be75)
  • Normalize script type  -  by @​harlan-zw (e51b6)
  • Safer handling of input  -  by @​harlan-zw (b4b6c)

   🏎 Performance

• schema-org:
  • Remove ohash and defu dependencies  -  by @​harlan-zw in #​605 (0d508)
  • Rework graph resolution  -  by @​harlan-zw in #​616 (b79e4)

    View changes on GitHub

v2.0.19

Compare Source

   🐞 Bug Fixes

• vue: Tree shaking breaking some reactivity  -  by @​harlan-zw (7abb5)

    View changes on GitHub

v2.0.18

Compare Source

   🏎 Performance

• unhead: Avoid server side effects  -  by @​harlan-zw in #​585 (3fd09)

    View changes on GitHub

v2.0.17

Compare Source

No significant changes

    View changes on GitHub

v2.0.14

Compare Source

   🐞 Bug Fixes

• unhead: Multiword attributes in template  -  by @​NikSimonov in #​568 (f635b)

    View changes on GitHub

v2.0.13

Compare Source

   🐞 Bug Fixes

• unhead:
  • Canonical plugin modifying non-url properties  -  by @​paraboul (ee8fd)
  • Avoid normalizing template param input  -  by @​harlan-zw (1d205)
  • Safer removal of leading / trailing separators  -  by @​harlan-zw (d4501)

    View changes on GitHub

v2.0.12

Compare Source

   🐞 Bug Fixes

• react: Force invalidation on entry disposal  -  by @​harlan-zw in #​559 (4ee5e)

    View changes on GitHub

v2.0.11

Compare Source

   🐞 Bug Fixes

• Allow non-standard meta tags to be intentionally duped  -  by @​harlan-zw (9a899)

    View changes on GitHub

v2.0.10

Compare Source

   🐞 Bug Fixes

• Safer meta array deduping  -  by @​harlan-zw (32486)

    View changes on GitHub

v2.0.9

Compare Source

   🏎 Performance

• unhead: Normalize canonicalHost only once in canonical plugin  -  by @​negezor in #​550 (92713)

    View changes on GitHub

v2.0.8

Compare Source

No significant changes

    View changes on GitHub

v2.0.7

Compare Source

   🐞 Bug Fixes

• schema-org: unhead hoisting issue  -  by @​harlan-zw (bb0e4)

    View changes on GitHub

v2.0.6

Compare Source

   🐞 Bug Fixes

• ssr: Less aggressive encoding of non-title tags  -  by @​harlan-zw (f4d4f)

    View changes on GitHub

v2.0.5

Compare Source

   🐞 Bug Fixes

• vue: Use setTimeout as render's debounced delayer  -  by @​kricsleo in #​540 (8f7c5)

    View changes on GitHub

v2.0.4

Compare Source

   🐞 Bug Fixes

• InferSeoMetaPlugin: Template param replacement broken  -  by @​harlan-zw (4e1c8)

    View changes on GitHub

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/stale (actions/stale)

v10.2.0

Compare Source

v10.1.1

Compare Source

What's Changed

Bug Fix

• Add Missing Input Reading for only-issue-types by @​Bibo-Joshi in #​1298

Improvement

• Improves error handling when rate limiting is disabled on GHES. by @​chiranjib-swain in #​1300

Dependency Upgrades

• Upgrade eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot in #​1276
• Upgrade @​types/node from 20.10.3 to 24.2.0 and document breaking changes in v10 by @​dependabot in #​1280
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​1291
• Upgrade actions/checkout from 4 to 6 by @​dependabot in #​1306

New Contributors

• @​chiranjib-swain made their first contribution in #​1300

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

• Add only-issue-types option to filter issues by type by @​Bibo-Joshi in #​1255

New Contributors

• @​Bibo-Joshi made their first contribution in #​1255

Full Changelog: actions/stale@v10...v10.1.0

PostHog/posthog-js (posthog-js)

v1.367.0

Compare Source

1.367.0

Minor Changes

• #​3242 353be9a Thanks @​dustinbyrne! - feat: Add support for pre-loaded remote-config
  (2026-04-09)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.367.0

v1.366.2

Compare Source

1.366.2

Patch Changes

• #​3364 575e354 Thanks @​lucasheriques! - Add a hover state to numeric survey rating options so they provide clearer pointer feedback before selection.
  (2026-04-09)
• Updated dependencies []:
  • @​posthog/types@​1.366.2

v1.366.1

Compare Source

1.366.1

Patch Changes

• #​3360 802bf39 Thanks @​jabahamondes! - Re-evaluate consent persistent store when config changes to support cross-subdomain consent sharing
  (2026-04-09)
• Updated dependencies []:
  • @​posthog/types@​1.366.1

v1.366.0

Compare Source

1.366.0

Minor Changes

• #​3305 b599672 Thanks @​veryayskiy! - Add customer side identification
  (2026-04-09)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.366.0

v1.365.5

Compare Source

1.365.5

Patch Changes

• Updated dependencies [c735b08]:
  • @​posthog/core@​1.25.2
  • @​posthog/types@​1.365.5

v1.365.4

Compare Source

v1.365.3

Compare Source

1.365.3

Patch Changes

• #​3357 dbdddca Thanks @​pauldambra! - Bump @​posthog/rrweb packages to 0.0.56, which includes:
  • PostHog/posthog-rrweb#157: fix: clear mutation buffer on iframe pagehide to prevent recording corruption
  • PostHog/posthog-rrweb#158: fix: skip unchanged setAttribute calls to prevent replay flicker
  • PostHog/posthog-rrweb#159: fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation
  • PostHog/posthog-rrweb#163: fix: handle SecurityError in IframeManager destroy and removeIframeById
  • PostHog/posthog-rrweb#166: fix: remove postcss from @​posthog/rrweb-record bundle (420KB → 170KB) (2026-04-08)
• Updated dependencies []:
  • @​posthog/types@​1.365.3

v1.365.2

Compare Source

v1.365.1

Compare Source

1.365.1

Patch Changes

• Updated dependencies [57ee5b2]:
  • @​posthog/core@​1.25.1
  • @​posthog/types@​1.365.1

v1.365.0

Compare Source

1.365.0

Minor Changes

• #​3302 fc5589f Thanks @​dmarticus! - preserve $set_once semantics in local flag evaluation cache
  (2026-04-07)

Patch Changes

• Updated dependencies [fc5589f]:
  • @​posthog/core@​1.25.0
  • @​posthog/types@​1.365.0

v1.364.7

Compare Source

1.364.7

Patch Changes

• #​3319 b25b689 Thanks @​dustinbyrne! - fix: send $groupidentify for new groups even when no properties are provided
  (2026-04-03)
• Updated dependencies []:
  • @​posthog/types@​1.364.7

v1.364.6

Compare Source

1.364.6

Patch Changes

• #​3316 68cd4e5 Thanks @​dustinbyrne! - Fix slim bundle + extension bundles crash caused by inconsistent property mangling
  (2026-04-02)
• Updated dependencies [a01a3d5]:
  • @​posthog/core@​1.24.6
  • @​posthog/types@​1.364.6

v1.364.5

Compare Source

1.364.5

Patch Changes

• #​3309 197eeda Thanks @​marandaneto! - Extract CLI and sourcemap utilities from @​posthog/core into @​posthog/plugin-utils to remove cross-spawn from React Native dependencies
  (2026-04-01)

• #​3312 c5feb5c Thanks @​TueHaulund! - Bump @​posthog/rrweb-* to 0.0.52 — adds error recovery to the canvas FPS snapshot pipeline, preventing canvas recording from permanently stopping when createImageBitmap or the worker encounters an error
  (2026-04-01)

• #​3315 7b944fc Thanks @​TueHaulund! - Bump @​posthog/rrweb-* to 0.0.53 — fixes infinite recursion crash ("Maximum call stack size exceeded") when calling posthog.reset() or restarting the recorder on pages with shadow DOM elements (e.g. CometChat)
  (2026-04-01)

• Updated dependencies [197eeda]:

  • @​posthog/core@​1.24.5
  • @​posthog/types@​1.364.5

v1.364.4

Compare Source

1.364.4

Patch Changes

• #​3298 2365df5 Thanks @​TueHaulund! - fix: skip deep copy for snapshot/exception events to prevent stack overflow on deeply nested DOM trees
  (2026-03-31)
• Updated dependencies []:
  • @​posthog/types@​1.364.4

v1.364.3

Compare Source

1.364.3

Patch Changes

• #​3300 bab5f3a Thanks @​dustinbyrne! - Strip workspace:* references from lib/package.json after build
  (2026-03-31)
• Updated dependencies []:
  • @​posthog/types@​1.364.3

v1.364.2

Compare Source

1.364.2

Patch Changes

• #​3297 341caaf Thanks @​marandaneto! - fix: wrap sendBeacon body in Blob to ensure Content-Type header is set
  (2026-03-30)
• Updated dependencies [a863914]:
  • @​posthog/core@​1.24.4
  • @​posthog/types@​1.364.2

v1.364.1

Compare Source

1.364.1

Patch Changes

• Updated dependencies [4bdfdbc]:
  • @​posthog/core@​1.24.3
  • @​posthog/types@​1.364.1

v1.364.0

Compare Source

1.364.0

Minor Changes

• #​3285 00a5079 Thanks @​pauldambra! - Reject the strings "undefined" and "null" in posthog.identify(). All invalid distinct IDs now log a critical console error (always visible, not debug-only).
  (2026-03-27)

Patch Changes

• #​3286 8d34289 Thanks @​marandaneto! - Use async native CompressionStream for gzip compression to avoid blocking the main thread
  (2026-03-27)
• Updated dependencies [8d34289]:
  • @​posthog/core@​1.24.2
  • @​posthog/types@​1.364.0

v1.363.6

Compare Source

1.363.6

Patch Changes

• #​3279 32edaad Thanks @​pauldambra! - Bump @​posthog/rrweb packages to 0.0.51, which includes:
  • PostHog/posthog-rrweb#145: fix: handle cross-origin iframe errors during stop handler cleanup
  • PostHog/posthog-rrweb#148: fix: mask textarea innerText mutations
  • PostHog/posthog-rrweb#150: fix: guard WebGLRenderingContext access for iOS compatibility
  • PostHog/posthog-rrweb#151: refactor: extract slimDOMDefaults into shared function
  • PostHog/posthog-rrweb#152: fix: improve nested CSS rule handling
  • PostHog/posthog-rrweb#153: fix: allow clearing adopted stylesheets with empty strings
  • PostHog/posthog-rrweb#154: fix: prevent object reference mutation breaking remote CSS replay
  • PostHog/posthog-rrweb#156: fix: catch all SecurityError variants in stop handler cleanup (2026-03-26)
• Updated dependencies []:
  • @​posthog/types@​1.363.6

v1.363.5

Compare Source

1.363.5

Patch Changes

• #​3278 c59dc90 Thanks @​dustinbyrne! - Add tree-shakeable ESM extension-bundles entry point for slim builds
  (2026-03-25)

• #​3274 ba08262 Thanks @​pauldambra! - fix: document visibility change shoudln't capture dead click
  (2026-03-25)

• Updated dependencies [ba08262]:

  • @​posthog/types@​1.363.5

v1.363.4

Compare Source

1.363.4

Patch Changes

• #​3275 664a11b Thanks @​fasyy612! - bump rrweb dependency version
  (2026-03-24)
• Updated dependencies []:
  • @​posthog/types@​1.363.4

v1.363.3

Compare Source

1.363.3

Patch Changes

• #​3253 42fbd41 Thanks @​marandaneto! - Reduce browser SDK bundle size by ~6.6 KB (-3.7%) through code modernization, build config tuning, string deduplication, enum-to-const conversions, and property access shorthand getters.
  (2026-03-23)
• Updated dependencies []:
  • @​posthog/types@​1.363.3

v1.363.2

Compare Source

1.363.2

Patch Changes

• #​3267 e5ef520 Thanks @​ksvat! - bump rrweb dependency version
  (2026-03-23)

• #​3260 1435ec8 Thanks @​kyleswank! - Log warning instead of throwing error when session recording script is blocked by ad blockers
  (2026-03-23)

• Updated dependencies []:

  • @​posthog/types@​1.363.2

v1.363.1

Compare Source

1.363.1

Patch Changes

• Updated dependencies [314120a]:
  • @​posthog/core@​1.24.1
  • @​posthog/types@​1.363.1

v1.363.0

Compare Source

1.363.0

Minor Changes

• #​3247 7efa558 Thanks @​dmarticus! - prevent silent identity switch during bootstrap and auto-identify anonymous users
  (2026-03-20)

Patch Changes

• #​3245 1acd6fd Thanks @​dmarticus! - handle plain array and object forms in overrideFeatureFlags
  (2026-03-20)
• Updated dependencies [1acd6fd]:
  • @​posthog/types@​1.363.0

v1.362.0

Compare Source

1.362.0

Minor Changes

• #​3244 ff8a93e Thanks @​sampennington! - Fixed $set_once initial person properties (e.g. $initial_current_url) not being included with $identify calls when they had already been sent with a prior event. This ensures initial properties are reliably set when identifying users across subdomains, even if an anonymous event was captured first.
  (2026-03-18)

Patch Changes

• Updated dependencies [9cd2313]:
  • @​posthog/core@​1.24.0
  • @​posthog/types@​1.362.0

v1.361.1

Compare Source

1.361.1

Patch Changes

• #​3249 c265d62 Thanks @​marandaneto! - fix: preserve _overrideSDKInfo from terser mangling so wrapper SDKs can call it
  (2026-03-18)
• Updated dependencies []:
  • @​posthog/types@​1.361.1

v1.361.0

Compare Source

1.361.0

Minor Changes

• #​3201 552c018 Thanks @​frankh! - Add a serviceName config option to logs config
  (2026-03-18)

• #​3240 e4a58d0 Thanks @​marandaneto! - Add internal _overrideSDKInfo method to allow wrapper SDKs to override $lib and $lib_version event properties
  (2026-03-18)

• #​3241 fe1fd7b Thanks @​dustinbyrne! - feat: add advanced_feature_flags_dedup_per_session config option to scope $feature_flag_called deduplication to the current session
  (2026-03-18)

Patch Changes

• #​3239 bf4f078 Thanks @​jonathanlab! - fix: debug mode not persisting across page navigations
  (2026-03-18)

• #​3228 8773fdf Thanks @​TueHaulund! - fix: restart session recorder when session rotates externally while idle, preventing "Recording not found" for sessions where analytics events triggered session rotation
  (2026-03-18)

• Updated dependencies [552c018, fe1fd7b]:

  • @​posthog/types@​1.361.0

v1.360.2

Compare Source

1.360.2

Patch Changes

• #​3236 bc30c2d Thanks @​dustinbyrne! - fix: Calling reset() now automatically reloads feature flags
  (2026-03-13)
• Updated dependencies [bc30c2d, bc30c2d]:
  • @​posthog/core@​1.23.4
  • @​posthog/types@​1.360.2

v1.360.1

Compare Source

1.360.1

Patch Changes

• Updated dependencies [4009c15]:
  • @​posthog/core@​1.23.3
  • @​posthog/types@​1.360.1

v1.360.0

Compare Source

1.360.0

Patch Changes

• #​3213 db089fd Thanks @​TueHaulund! - fix(replay): treat legacy configs without cache_timestamp as fresh

  Configs persisted by older SDK versions never include a cache_timestamp.
  Defaulting to 0 treats them as always stale, causing the persisted config
  to be cleared before start() runs — so recording never starts for
  customers on older core SDK versions paired with the latest CDN recorder. (2026-03-09)

• #​3207 c5a37cb Thanks @​dustinbyrne! - fix: PostHogFeatureFlags uses a TreeShakeable type
  (2026-03-09)

• Updated dependencies [c5a37cb]:

  • @​posthog/types@​1.360.0

v1.359.1

Compare Source

1.359.1

Patch Changes

• #​3204 2b0cd52 Thanks @​marandaneto! - chore: upgrade dompurify to 3.3.2
  (2026-03-06)
• Updated dependencies []:
  • @​posthog/types@​1.359.1

v1.359.0

Compare Source

1.359.0

Minor Changes

• #​3166 9180726 Thanks @​dustinbyrne! - feat: Tree-shake feature flags
  (2026-03-05)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.359.0

v1.358.1

Compare Source

1.358.1

Patch Changes

• #​3191 9f41d26 Thanks @​TueHaulund! - fix(replay): fall back to persisted config when remote config fetch fails

  When the remote config fetch failed (network error, ad blocker, CDN outage), the SDK received an empty {} response with no sessionRecording key. The onRemoteConfig handler returned early without ever setting _receivedFlags = true, leaving the recording permanently stuck in pending_config status for the entire page session.

  This removes the _receivedFlags gate entirely. The 1-hour TTL on persisted config (added in #​3051, increased from 5 minutes) and the stale-config retry in _onScriptLoaded (added in #​3093) already prevent recording from starting with outdated config. The additional gate was redundant and created a deadlock when the config fetch failed.

  Now when the config fetch fails, startIfEnabledOrStop() is called and falls back to persisted config from a previous page load. If no persisted config exists (first-ever visit), recording is correctly disabled rather than silently stuck. (2026-03-04)

• #​3198 9d0df0e Thanks @​TueHaulund! - Red

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
scripts-docs	Error		Apr 10, 2026 2:22am
scripts-playground	Error		Apr 10, 2026 2:22am

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: cef369f

[vercel]

Suggested change

	"@nuxt/ui": "4.2.1",
	"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

View Details

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

• "@nuxt/content": "^3.8.2"
• "@nuxt/fonts": "^0.12.1"
• "@nuxthq/studio": "^2.2.1"
• All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

[vercel]

Suggested change

	"posthog-js": "^1.321.2"
	"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

View Details

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

• Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
• The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
• Peer dependencies should be permissive to maximize compatibility
• Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.