chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@types/google.maps (source)	^3.58.1 → ^3.64.1			peerDependencies	minor
@types/youtube (source)	^0.1.0 → ^0.2.0			peerDependencies	minor
@unhead/vue (source)	^2.0.3 → ^2.1.15			peerDependencies	minor
Hebilicious/reproduire	v0.0.9-mp → v0.0.9			action	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/stale	v10.0.0 → v10.2.0			action	minor
eslint-plugin-harlanzw	^0.14.3 → ^0.15.0			pnpm.catalog.default	minor
posthog-js (source)	^1.0.0 → ^1.373.4			peerDependencies	minor
rollup (source)	^4.60.3 → ^4.60.4			pnpm.catalog.default	patch
unimport	^6.2.0 → ^6.3.0			pnpm.catalog.default	minor

---

Release Notes

unjs/unhead (@​unhead/vue)

v2.1.15

Compare Source

No significant changes

    View changes on GitHub

v2.1.13

Compare Source

   🐞 Bug Fixes

• schema-org: Normalize target to array before merging potentialAction  -  by @​harlan-zw and Claude Opus 4.6 (1M context) in #​709 (22ac9)

    View changes on GitHub

v2.1.12

Compare Source

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

Compare Source

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

Compare Source

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in #​671 (64e17)

    View changes on GitHub

v2.1.9

Compare Source

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes

• schema-org: Avoid crashing from 3+ duplicate nodes  -  by @​harlan-zw (4baf9)

    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes

• unhead:
  • deduplicate matching tags inside same render cycle  -  by @​harlan-zw in #​668 (5c0b2)

    View changes on GitHub

v2.1.6

Compare Source

   🐞 Bug Fixes

• react: Ssr regression  -  by @​harlan-zw (6adff)

    View changes on GitHub

v2.1.5

Compare Source

   🐞 Bug Fixes

• react: Dispose head entries on unmount in React 18 StrictMode  -  by @​harlan-zw in #​664 (50ffe)
• scripts: Prevent scope disposal from aborting unrelated trigger in useScript  -  by @​cernymatej in #​660 (e8f5b)
• unhead: Dedupe link rel without hreflang or type  -  by @​danielroe in #​658 (1487d)

    View changes on GitHub

v2.1.4

Compare Source

   🐞 Bug Fixes

• schema-org: Remove unimplemented SchemaOrgDebug  -  by @​onmax in #​649 (642dc)
• unhead: Dedupe <link rel="alternate"> by hreflang/type only, drop href from key  -  by @​harlan-zw in #​656 (86175)

    View changes on GitHub

v2.1.3

Compare Source

   🐞 Bug Fixes

• unhead:
  • Dedupe <link rel="alternate">  -  by @​danielroe and onmax in #​655 (fdabe)
• vue:
  • Support computed getter trigger  -  by @​harlan-zw in #​638 (fd63a)
  • Guard s._statusRef  -  by @​danielroe in #​642 (4ef03)

   🏎 Performance

• vue: Avoid duplicating error message in the bundle  -  by @​panstromek in #​652 (194e5)

    View changes on GitHub

v2.1.2

Compare Source

   🐞 Bug Fixes

• Broken cjs environment  -  by @​harlan-zw (ce989)

    View changes on GitHub

v2.1.1

Compare Source

No significant changes

    View changes on GitHub

v2.1.0

Compare Source

   🚀 Features

• schema-org: 12 new nodes  -  by @​harlan-zw in #​612 (1a9b8)

   🐞 Bug Fixes

• react:
  • Recursive function resolves broken  -  by @​harlan-zw (4e0c7)
• schema-org:
  • Correct month off-by-one  -  by @​harlan-zw in #​603 (a3e70)
  • Missing schema.org properties  -  by @​harlan-zw in #​614 (54e05)
• unhead:
  • Enforce boolean string meta contents  -  by @​kfreezen in #​594 (0b8e7)
  • Capo module scripts ordering  -  by @​Barbapapazes in #​600 (3c661)
  • Capo inline scripts ordering  -  by @​Barbapapazes in #​596 (7be75)
  • Normalize script type  -  by @​harlan-zw (e51b6)
  • Safer handling of input  -  by @​harlan-zw (b4b6c)

   🏎 Performance

• schema-org:
  • Remove ohash and defu dependencies  -  by @​harlan-zw in #​605 (0d508)
  • Rework graph resolution  -  by @​harlan-zw in #​616 (b79e4)

    View changes on GitHub

v2.0.19

Compare Source

   🐞 Bug Fixes

• vue: Tree shaking breaking some reactivity  -  by @​harlan-zw (7abb5)

    View changes on GitHub

v2.0.18

Compare Source

   🏎 Performance

• unhead: Avoid server side effects  -  by @​harlan-zw in #​585 (3fd09)

    View changes on GitHub

v2.0.17

Compare Source

No significant changes

    View changes on GitHub

v2.0.14

Compare Source

   🐞 Bug Fixes

• unhead: Multiword attributes in template  -  by @​NikSimonov in #​568 (f635b)

    View changes on GitHub

v2.0.13

Compare Source

   🐞 Bug Fixes

• unhead:
  • Canonical plugin modifying non-url properties  -  by @​paraboul (ee8fd)
  • Avoid normalizing template param input  -  by @​harlan-zw (1d205)
  • Safer removal of leading / trailing separators  -  by @​harlan-zw (d4501)

    View changes on GitHub

v2.0.12

Compare Source

   🐞 Bug Fixes

• react: Force invalidation on entry disposal  -  by @​harlan-zw in #​559 (4ee5e)

    View changes on GitHub

v2.0.11

Compare Source

   🐞 Bug Fixes

• Allow non-standard meta tags to be intentionally duped  -  by @​harlan-zw (9a899)

    View changes on GitHub

v2.0.10

Compare Source

   🐞 Bug Fixes

• Safer meta array deduping  -  by @​harlan-zw (32486)

    View changes on GitHub

v2.0.9

Compare Source

   🏎 Performance

• unhead: Normalize canonicalHost only once in canonical plugin  -  by @​negezor in #​550 (92713)

    View changes on GitHub

v2.0.8

Compare Source

No significant changes

    View changes on GitHub

v2.0.7

Compare Source

   🐞 Bug Fixes

• schema-org: unhead hoisting issue  -  by @​harlan-zw (bb0e4)

    View changes on GitHub

v2.0.6

Compare Source

   🐞 Bug Fixes

• ssr: Less aggressive encoding of non-title tags  -  by @​harlan-zw (f4d4f)

    View changes on GitHub

v2.0.5

Compare Source

   🐞 Bug Fixes

• vue: Use setTimeout as render's debounced delayer  -  by @​kricsleo in #​540 (8f7c5)

    View changes on GitHub

v2.0.4

Compare Source

   🐞 Bug Fixes

• InferSeoMetaPlugin: Template param replacement broken  -  by @​harlan-zw (4e1c8)

    View changes on GitHub

Hebilicious/reproduire (Hebilicious/reproduire)

v0.0.9

Compare Source

compare changes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/stale (actions/stale)

v10.2.0

Compare Source

v10.1.1

Compare Source

What's Changed

Bug Fix

• Add Missing Input Reading for only-issue-types by @​Bibo-Joshi in #​1298

Improvement

• Improves error handling when rate limiting is disabled on GHES. by @​chiranjib-swain in #​1300

Dependency Upgrades

• Upgrade eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot in #​1276
• Upgrade @​types/node from 20.10.3 to 24.2.0 and document breaking changes in v10 by @​dependabot in #​1280
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in #​1291
• Upgrade actions/checkout from 4 to 6 by @​dependabot in #​1306

New Contributors

• @​chiranjib-swain made their first contribution in #​1300

Full Changelog: actions/stale@v10...v10.1.1

v10.1.0

Compare Source

What's Changed

• Add only-issue-types option to filter issues by type by @​Bibo-Joshi in #​1255

New Contributors

• @​Bibo-Joshi made their first contribution in #​1255

Full Changelog: actions/stale@v10...v10.1.0

harlan-zw/eslint-plugin-harlanzw (eslint-plugin-harlanzw)

v0.15.0

Compare Source

   🚀 Features

• nuxt-prefer-layer-alias  -  by @​harlan-zw (bc9e0)

    View changes on GitHub

PostHog/posthog-js (posthog-js)

v1.373.4

Compare Source

1.373.4

Patch Changes

• #​3602 4b895bf Thanks @​marandaneto! - Validate gzip request bodies at the browser send boundary and fall back to JSON if the outgoing body is not gzip data.
  (2026-05-12)
• Updated dependencies [4b895bf]:
  • @​posthog/core@​1.29.1
  • @​posthog/types@​1.373.4

v1.373.3

Compare Source

1.373.3

Patch Changes

• Updated dependencies [ad60818]:
  • @​posthog/core@​1.29.0
  • @​posthog/types@​1.373.3

v1.373.2

Compare Source

1.373.2

Patch Changes

• #​3568 223d925 Thanks @​marandaneto! - Validate native gzip output before sending requests and fall back when CompressionStream returns malformed data.
  (2026-05-11)
• Updated dependencies [223d925]:
  • @​posthog/core@​1.28.7
  • @​posthog/types@​1.373.2

v1.373.1

Compare Source

1.373.1

Patch Changes

• #​3566 7d027bc Thanks @​dustinbyrne! - Prevent browser log capture from throwing when console arguments contain unreadable properties.
  (2026-05-11)
• Updated dependencies []:
  • @​posthog/types@​1.373.1
  • @​posthog/core@​1.28.6

v1.373.0

Compare Source

1.373.0

Minor Changes

• #​3547 4c0c7d9 Thanks @​williamchong! - capture() now accepts an optional uuid on CaptureOptions.
  (2026-05-11)

Patch Changes

• #​3561 3511848 Thanks @​marandaneto! - Handle invalid persisted session replay config JSON gracefully
  (2026-05-11)

• #​3559 0a835fa Thanks @​marandaneto! - Skip remote config background refreshes when no document is available.
  (2026-05-11)

• Updated dependencies [4c0c7d9, 0a835fa]:

  • @​posthog/types@​1.373.0
  • @​posthog/core@​1.28.5

v1.372.10

Compare Source

1.372.10

Patch Changes

• #​3544 d120042 Thanks @​ksvat! - fix: stop session recording before destroying sessionManager in opt_out_capturing() with cookieless_mode: "on_reject". Previously, queued/throttled rrweb events (e.g. mousemove) could fire after the sessionManager was set to undefined and throw [SessionRecording] must be started with a valid sessionManager. Also adds a defensive early-return in onRRwebEmit so any remaining late events bail out instead of throwing.
  (2026-05-07)

• #​3542 94a5ba0 Thanks @​TueHaulund! - Preserve <style> textContent when the browser's CSSOM serialization would
  emit empty longhands from var() inside a shorthand. When a stylesheet has
  e.g. padding: var(--p); padding-bottom: var(--pb);, browsers store the
  shorthand's longhands with empty token lists per the CSS Custom Properties
  spec, and CSSStyleRule.cssText re-emits them as padding-top: ; padding-right: ; padding-left: ;. The previous behavior replaced the
  <style> text with that corrupted output, silently dropping layout rules
  on replay. We now detect the empty-longhand pattern and keep the original
  textContent in that case. Affects users of any CSS-in-JS framework that
  combines var() with shorthands (Chakra UI v3, Panda CSS, Emotion, etc.).
  Same class of bug as rrweb-io/rrweb#1667. (2026-05-07)

• Updated dependencies []:

  • @​posthog/types@​1.372.10
  • @​posthog/core@​1.28.4

v1.372.9

Compare Source

1.372.9

Patch Changes

• #​3537 026e09d Thanks @​TueHaulund! - Pull in the canvas-manager fix from @posthog/rrweb 0.0.61: skip canvas
  snapshots while the WebGL context is lost so transparent bitmaps don't
  poison the worker's fingerprint dedup map and silently kill canvas
  recording for the rest of the session. Also wraps getCanvas() in
  try/catch so DOM/shadow-root traversal errors can't cancel the rAF
  loop. See PR #​3527 for context. (2026-05-05)
• Updated dependencies []:
  • @​posthog/types@​1.372.9
  • @​posthog/core@​1.28.3

v1.372.8

Compare Source

1.372.8

Patch Changes

• #​3515 255b273 Thanks @​marandaneto! - Gate survey translation logs behind SDK debug logging to avoid production console spam.
  (2026-05-04)
• Updated dependencies [220cd61, 255b273]:
  • @​posthog/core@​1.28.2
  • @​posthog/types@​1.372.8

v1.372.7

Compare Source

1.372.7

Patch Changes

• Updated dependencies [8aee3d5]:
  • @​posthog/core@​1.28.1
  • @​posthog/types@​1.372.7

v1.372.6

Compare Source

1.372.6

Patch Changes

• #​3492 cf56753 Thanks @​lucasheriques! - Add translated survey rendering support in React Native and share survey translation logic through @posthog/core.
  (2026-05-01)
• Updated dependencies [cf56753, 04db756]:
  • @​posthog/core@​1.28.0
  • @​posthog/types@​1.372.6

v1.372.5

Compare Source

1.372.5

Patch Changes

• #​3448 c726aae Thanks @​posthog! - fix(exceptions): avoid cross-origin property access when calling the previous window.onunhandledrejection handler
  (2026-04-29)
• Updated dependencies []:
  • @​posthog/types@​1.372.5
  • @​posthog/core@​1.27.9

v1.372.4

Compare Source

1.372.4

Patch Changes

• #​3495 5a6b2a5 Thanks @​posthog! - Fix copy autocapture when copying or cutting text from Shadow DOM or document fragment contexts.
  (2026-04-29)
• Updated dependencies []:
  • @​posthog/types@​1.372.4
  • @​posthog/core@​1.27.8

v1.372.3

Compare Source

1.372.3

Patch Changes

• #​3488 5b8efc3 Thanks @​lucasheriques! - Add browser survey translation rendering and language tracking.
  (2026-04-27)
• Updated dependencies []:
  • @​posthog/types@​1.372.3
  • @​posthog/core@​1.27.7

v1.372.2

Compare Source

1.372.2

Patch Changes

• #​3484 cba2570 Thanks @​veryayskiy! - Fix autofocus
  (2026-04-27)
• Updated dependencies []:
  • @​posthog/types@​1.372.2
  • @​posthog/core@​1.27.6

v1.372.1

Compare Source

1.372.1

Patch Changes

• #​3464 70508df Thanks @​dustinbyrne! - Avoid using Blob.stream() for native async gzip compression to prevent Safari NotReadableError stream failures.
  (2026-04-24)
• Updated dependencies [70508df]:
  • @​posthog/core@​1.27.5
  • @​posthog/types@​1.372.1

v1.372.0

Compare Source

1.372.0

Minor Changes

• #​3470 eaa1322 Thanks @​veryayskiy! - You cannot write to a resolve ticket. Start a new one.
  (2026-04-24)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.372.0
  • @​posthog/core@​1.27.4

v1.371.4

Compare Source

1.371.4

Patch Changes

• #​3469 3c4fc1e Thanks @​fasyy612! - bump rrweb to 0.0.60
  (2026-04-24)
• Updated dependencies []:
  • @​posthog/types@​1.371.4
  • @​posthog/core@​1.27.3

v1.371.3

Compare Source

1.371.3

Patch Changes

• #​3445 61cf83e Thanks @​dustinbyrne! - Fix session recording in the full no-external browser bundles
  (2026-04-24)
• Updated dependencies [daf028d]:
  • @​posthog/core@​1.27.2
  • @​posthog/types@​1.371.3

v1.371.2

Compare Source

1.371.2

Patch Changes

• #​3453 96f19b7 Thanks @​turnipdabeets! - Lift OTLP log serialization helpers from posthog-js into @​posthog/core so the
  upcoming React Native logs feature consumes the same builders. Browser gains
  two fixes as a side effect: NaN and ±Infinity attribute values no longer get
  silently dropped during JSON encoding, and the scope.version OTLP field is
  now populated with the SDK version (changes the server's instrumentation_scope
  column from "posthog-js@" to "posthog-js@"). (2026-04-23)
• Updated dependencies [96f19b7]:
  • @​posthog/types@​1.371.2
  • @​posthog/core@​1.27.1

v1.371.1

Compare Source

1.371.1

Patch Changes

• #​3425 2da17e8 Thanks @​marandaneto! - Classify SDK-owned persistence keys with an explicit event exposure policy so new internal persistence state must be intentionally marked as event-visible, hidden, or derived.
  (2026-04-23)
• Updated dependencies []:
  • @​posthog/types@​1.371.1

v1.371.0

Compare Source

1.371.0

Patch Changes

• #​3432 1a8b727 Thanks @​richardsolomou! - refactor: rename __add_tracing_headers to addTracingHeaders. The __ prefix signalled an internal/experimental option, but the config is a public API (documented for linking LLM traces to session replays). __add_tracing_headers continues to work as a deprecated alias on the browser SDK.

  Also exposes patchFetchForTracingHeaders from @posthog/core so non-browser SDKs can reuse the implementation. (2026-04-23)

• Updated dependencies [1a8b727]:

  • @​posthog/core@​1.27.0
  • @​posthog/types@​1.371.0

v1.370.1

Compare Source

1.370.1

Patch Changes

• #​3442 6f19ce8 Thanks @​marandaneto! - fix(surveys): guard survey seen localStorage access
  (2026-04-22)
• Updated dependencies []:
  • @​posthog/types@​1.370.1

v1.370.0

Compare Source

1.370.0

Minor Changes

• #​3389 922a1c1 Thanks @​hpouillot! - Add exception steps to error tracking (aka breadcrumbs)
  (2026-04-22)

Patch Changes

• Updated dependencies [922a1c1]:
  • @​posthog/types@​1.370.0
  • @​posthog/core@​1.26.0

v1.369.5

Compare Source

1.369.5

Patch Changes

• Updated dependencies [1a0b58d]:
  • @​posthog/core@​1.25.3
  • @​posthog/types@​1.369.5

v1.369.4

Compare Source

1.369.4

Patch Changes

• #​3362 d61bce1 Thanks @​sampennington! - fix(cookieless): start in cookieless mode when opt_out_capturing_by_default is set
  (2026-04-21)
• Updated dependencies []:
  • @​posthog/types@​1.369.4

v1.369.3

Compare Source

1.369.3

Patch Changes

• #​3419 ea08727 Thanks @​haacked! - Reinstate $feature_flag_payloads and $surveys_activated in captured event properties.
  (2026-04-18)

• #​3416 3d8b2e2 Thanks @​feliperalmeida! - Updated dependencies: - protobufjs@​7.5.5
  (2026-04-18)

• Updated dependencies []:

  • @​posthog/types@​1.369.3

v1.369.2

Compare Source

1.369.2

Patch Changes

• #​3386 4a65604 Thanks @​dustinbyrne! - Add a preview flag for versioned browser lazy bundle asset paths.
  (2026-04-16)
• Updated dependencies [4a65604]:
  • @​posthog/types@​1.369.2

v1.369.1

Compare Source

1.369.1

Patch Changes

• #​3393 85ae4d9 Thanks @​haacked! - Exclude active feature flag payloads from event properties
  (2026-04-16)

• #​3392 00cd1ce Thanks @​haacked! - Fix unnecessary persisted config and activation properties (including product tours, surveys, and session recording config) added to captured events
  (2026-04-16)

• Updated dependencies []:

  • @​posthog/types@​1.369.1

v1.369.0

Compare Source

1.369.0

Minor Changes

• #​3342 eea5260 Thanks @​ksvat! - Account for property filters on events in recording triggers for v2 triggers
  (2026-04-14)

• #​3281 b1fd228 Thanks @​ksvat! - Add session replay trigger groups handling (V2)
  (2026-04-14)

Patch Changes

• Updated dependencies []:
  • @​posthog/types@​1.369.0

v1.368.2

Compare Source

1.368.2

Patch Changes

• #​3378 f1bea33 Thanks @​marandaneto! - Disable native gzip compression after a NotReadableError in the browser SDK
  (2026-04-14)
• Updated dependencies []:
  • @​posthog/types@​1.368.2

v1.368.1

Compare Source

1.368.1

Patch Changes

• #​3379 d7c71b1 Thanks @​dmarticus! - Fix bootstrapped feature flags being overwritten by partial /flags response when advanced_only_evaluate_survey_feature_flags is enabled
  (2026-04-14)
• Updated dependencies []:
  • @​posthog/types@​1.368.1

v1.368.0

[Compare Source](https://redirect.github.com/PostHog/posthog-js/compare/posthog-js@1.367.0..

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
scripts-docs	Error		May 15, 2026 10:17am
scripts-playground	Error		May 15, 2026 10:17am

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/scripts@446

commit: c51ec7f

[vercel]

Suggested change

	"@nuxt/ui": "4.2.1",
	"@nuxt/ui": "^4.2.1",

The @nuxt/ui dependency is pinned to 4.2.1 without a caret, which is inconsistent with all other dependencies in this file that use flexible versioning with the ^ prefix.

View Details

Analysis

Inconsistent version pinning for @nuxt/ui dependency

What fails: docs/package.json line 20 specifies @nuxt/ui as pinned version 4.2.1 (without caret prefix), while all 13 other dependencies use caret versioning (^) for flexible version constraints within the major version.

How to reproduce:

cat docs/package.json | grep -A 15 '"dependencies"'

Result: Shows "@nuxt/ui": "4.2.1" (pinned) while all surrounding dependencies have caret prefix:

• "@nuxt/content": "^3.8.2"
• "@nuxt/fonts": "^0.12.1"
• "@nuxthq/studio": "^2.2.1"
• All other 10 dependencies also use ^ prefix

Expected behavior: According to npm semantic versioning, caret versioning allows compatible updates (minor/patch versions) within a major version. The project consistently uses this pattern for all other dependencies, so @nuxt/ui should be ^4.2.1 to match the established convention and allow patch/minor updates like other dependencies.

Root cause: Automated dependency update (Renovate bot commit 0b37709) preserved the previous pinned format when bumping the version from 4.0.0 to 4.2.1, rather than applying the project's standard caret versioning pattern used throughout the file.

[vercel]

Suggested change

	"posthog-js": "^1.321.2"
	"posthog-js": "^1.0.0"

The posthog-js peer dependency constraint changed from ^1.0.0 to ^1.321.2, which is unusually restrictive and appears unintentional given the patch version bump in devDependencies (1.321.1 → 1.321.2).

View Details

Analysis

Overly restrictive posthog-js peer dependency breaks backward compatibility

What fails: The posthog-js peer dependency constraint in package.json was changed from ^1.0.0 to ^1.321.2 (commit 1536ad2), restricting supported versions to 1.321.2+ and rejecting all prior versions (1.0.0-1.321.1) that would previously install.

How to reproduce:

# User has posthog-js 1.200.0 installed (legitimate version under old ^1.0.0 constraint)
npm install @nuxt/scripts
# After update, npm now rejects this version because 1.200.0 does not satisfy ^1.321.2

Result: npm/pnpm install fails with: "posthog-js@1.200.0 not satisfied by ^1.321.2"

Expected: The peer dependency should remain at ^1.0.0 (or similar permissive constraint) since:

• Code only uses posthog.init() and basic config options (api_host, capture_pageview, disable_session_recording) available since 1.0.0
• The devDependency update was only a patch bump (1.222.0 → 1.321.2), not a major version requiring API changes
• Peer dependencies should be permissive to maximize compatibility
• Semantic versioning guidance indicates patch/minor version updates within the same major version should be backward compatible

This change appears to be an error from automated dependency update tooling (Renovate) that applied the same pinpoint version to both devDependencies and peerDependencies.

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request