You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer navigator.credentials.create() / navigator.credentials.get() ceremonies in the page — no real hardware key required, works in all browsers:
constcontext=awaitbrowser.newContext();// Seed a passkey your backend provisioned for a test user.awaitcontext.credentials.create('example.com',{id: credentialId,
userHandle,
privateKey,
publicKey,});awaitcontext.credentials.install();constpage=awaitcontext.newPage();awaitpage.goto('https://example.com/login');// The page's navigator.credentials.get() is answered with the seeded passkey.
You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.
New option artifactsDir in browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.
New option cursor in screencast.showActions() controls the cursor decoration rendered for pointer actions.
The onFrame callback in screencast.start() now receives a timestamp of when the frame was presented by the browser.
Test runner
The testOptions.video option now supports the same set of modes as trace: new 'on-all-retries', 'retain-on-first-failure' and 'retain-on-failure-and-retries' values. See the video modes table for which runs are recorded and kept in each mode.
Supported expect.soft.poll(...).
New fullConfig.argv — a snapshot of process.argv from the runner process, handy for reading custom arguments passed after the -- separator.
Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#20130)
Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#20137)
Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#20139)
Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#20198)
Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#19588)
Allow @variant to be used inside addBase (#19480)
Ensure @source globs with symlinks are preserved (#20203)
Ensure later @source rules can re-include files excluded by earlier @source not rules (#20203)
Upgrade: don't migrate empty class rules to invalid @utility rules (#20205)
Ensure transitions between inset-shadow-none and other inset shadows work correctly (#20208)
Ensure explicitly referenced @source directories are scanned even when ignored by git (#20214)
Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#20217)
Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#20221)
Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#20228)
Changed
Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#20196)
Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#20196)
#3868a5dd54a Thanks @pauldambra! - fix(replay): scope the session-recording flushed-size tracker to the session
$sdk_debug_replay_flushed_size was stored as a single device-global value in persistence and only reset on an in-page session rotation, so it leaked across page loads and tabs and over-counted on returning visitors. The tracker now keys the running total to the current session id, so a new session starts from zero and a fresh load reading an ongoing session sees the correct total.
The internal persistence key backing this counter ($sess_rec_flush_size) was also unintentionally attached to every captured event as a super-property; it is now marked hidden so it no longer ships on events. The value remains available on session-replay debug events as $sdk_debug_replay_flushed_size. (2026-06-17)
#386981b79fb Thanks @turnipdabeets! - Add a beforeSend option to the logs config, so you can inspect, redact, or drop log records before they're sent:
posthog.init('<token>',{logs: {beforeSend: (log)=>{// return null to drop the log, or return the (optionally modified) log to keep itif(log.body.includes('password')){returnnull}returnlog},},})
beforeSend accepts a single function or an array of functions (applied left to right); returning null from any of them drops the record. It runs for logs sent via both posthog.captureLog() and posthog.logger.*. (2026-06-17)
#3709c6c163a Thanks @posthog! - Add unsetPersonProperties() to remove person properties, the counterpart to setPersonProperties(). Previously the only way to unset a person property was to hand-pass a $unset array inside a capture() call.
(2026-06-16)
Patch Changes
#3756b3ec845 Thanks @archievi! - Drop the event and log a warning when a before_send hook removes the token property, instead of silently sending an event that ingest rejects with a 401.
(2026-06-16)
#3860c9c7df1 Thanks @marandaneto! - Add $unset to capture options and pass it through in browser capture payloads.
(2026-06-16)
#3855fadaa4f Thanks @haacked! - Stop sending the ip query parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match /flags…ip= to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged.
(2026-06-16)
#38300d837f5 Thanks @dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present.
(2026-06-16)
#3853f95a0ec Thanks @TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA :fullscreen pseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event on fullscreenchange (standard plus webkit/moz/MS prefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reserved rr_fullscreen attribute, consistent with rrweb's existing rr_* attribute namespace.
Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the <iframe> element rather than the inner element, so replay pins the iframe. (2026-06-16)
#38383094f73 Thanks @TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-side any(distinct_id) attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts.
(2026-06-15)
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@angular/build@22.0.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
22.0.1→22.0.222.0.1→22.0.322.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.222.0.1→22.0.21.60.0→1.61.06.0.0→6.1.04.3.0→4.3.12.1.2→2.1.31.386.6→1.390.24.3.0→4.3.14.1.8→4.1.9Release Notes
angular/angular (@angular/animations)
v22.0.2Compare Source
common
compiler
core
http
migrations
angular/angular-cli (@angular/build)
v22.0.3Compare Source
v22.0.2Compare Source
@angular/cli
@angular/build
@angular/ssr
angular/components (@angular/cdk)
v22.0.2Compare Source
cdk
material
multiple
microsoft/playwright (@playwright/test)
v1.61.0Compare Source
🔑 WebAuthn passkeys
New Credentials virtual authenticator, available via browserContext.credentials, lets tests register passkeys and answer
navigator.credentials.create()/navigator.credentials.get()ceremonies in the page — no real hardware key required, works in all browsers:You can also let the app register a passkey once in a setup test, read it back with credentials.get(), and seed it into later tests — see Credentials for details.
🗃️ Web Storage
New WebStorage API, available via page.localStorage and page.sessionStorage, reads and writes the page's storage for the current origin:
New APIs
Network
Browser and Screencast
artifactsDirin browserType.connectOverCDP() controls where artifacts such as traces and downloads are stored when attached to an existing browser.cursorin screencast.showActions() controls the cursor decoration rendered for pointer actions.onFramecallback in screencast.start() now receives atimestampof when the frame was presented by the browser.Test runner
trace: new'on-all-retries','retain-on-first-failure'and'retain-on-failure-and-retries'values. See the video modes table for which runs are recorded and kept in each mode.expect.soft.poll(...).process.argvfrom the runner process, handy for reading custom arguments passed after the--separator.AggregateErroras a separate entry.-Gcommand line shorthand for--grep-invert.🛠️ Other improvements
Browser Versions
This version was also tested against the following stable channels:
sanity-io/sanity (@sanity/types)
v6.1.0Compare Source
Bug Fixes
tailwindlabs/tailwindcss (@tailwindcss/vite)
v4.3.1Compare Source
Added
--silentoption to suppress output in@tailwindcss/cli(#20100)Fixed
Module#registerHooksinstead ofModule#registeron Node 26+ (#20028)@applyto be used with CSS mixins (#19427)not-*correctly negates@containerqueries, includingstyle(…)queries (#20059)drop-shadow-*color utilities work with custom shadow values containingcalc(…)(#20080)@tailwindcss/vite(#20103)@tailwindcss/webpackcan be installed in Rspack projects without requiringwebpackas a peer dependency (#20027)calc(…)expressions (e.g.px-[calc(1rem+0px)]→px-[calc(1rem+0)]) (#20127)left-[99999px]→left-[99999px], notleft-24999.75) (#20130)@tailwindcss/cliin--watchmode recovers when a tracked dependency is deleted and restored (#20137)@tailwindcss/clibinaries are ignored when scanning for class candidates (#20139)addClass(…)andremoveClass(…)calls (#20198)@variantto be used insideaddBase(#19480)@sourceglobs with symlinks are preserved (#20203)@sourcerules can re-include files excluded by earlier@source notrules (#20203)@utilityrules (#20205)inset-shadow-noneand other inset shadows work correctly (#20208)@sourcedirectories are scanned even when ignored by git (#20214)@sourceglobs ending in**/*preserve dynamic path segments to avoid scanning too many files (#20217)calc(…)divisions when the result would require high precision (e.g.w-[calc(100%/3.5)]→w-[calc(100%/3.5)], notw-[28.571428571428573%]) (#20221)@tailwindcss/postcss(#20228)Changed
0instead ofcalc(var(--spacing) * 0)for spacing utilities likem-0andleft-0(#20196)var(--spacing)instead ofcalc(var(--spacing) * 1)for spacing utilities likem-1andleft-1(#20196)sxzz/obug (obug)
v2.1.3Compare Source
🚀 Features
sideEffectsfield - by @sxzz (01458)View changes on GitHub
PostHog/posthog-js (posthog-js)
v1.390.2Compare Source
1.390.2
Patch Changes
#3868
a5dd54aThanks @pauldambra! - fix(replay): scope the session-recording flushed-size tracker to the session$sdk_debug_replay_flushed_sizewas stored as a single device-global value in persistence and only reset on an in-page session rotation, so it leaked across page loads and tabs and over-counted on returning visitors. The tracker now keys the running total to the current session id, so a new session starts from zero and a fresh load reading an ongoing session sees the correct total.The internal persistence key backing this counter (
$sess_rec_flush_size) was also unintentionally attached to every captured event as a super-property; it is now marked hidden so it no longer ships on events. The value remains available on session-replay debug events as$sdk_debug_replay_flushed_size. (2026-06-17)v1.390.1Compare Source
v1.390.0Compare Source
1.390.0
Minor Changes
#3869
81b79fbThanks @turnipdabeets! - Add abeforeSendoption to the logs config, so you can inspect, redact, or drop log records before they're sent:beforeSendaccepts a single function or an array of functions (applied left to right); returningnullfrom any of them drops the record. It runs for logs sent via bothposthog.captureLog()andposthog.logger.*. (2026-06-17)Patch Changes
81b79fb]:v1.389.1Compare Source
1.389.1
Patch Changes
43b4137Thanks @marandaneto! - Limit retries for transport failures without an HTTP response.(2026-06-17)
v1.389.0Compare Source
v1.388.2Compare Source
v1.388.1Compare Source
1.388.1
Patch Changes
5c453cdThanks @marandaneto! - Apply CSP nonce preparation hooks to style and script elements appended by site apps.(2026-06-17)
v1.388.0Compare Source
1.388.0
Minor Changes
b6bc9beThanks @marandaneto! - Add autocapture-only CSS selector opt-outs for web interactions.(2026-06-17)
Patch Changes
b6bc9be]:v1.387.0Compare Source
1.387.0
Minor Changes
c6c163aThanks @posthog! - AddunsetPersonProperties()to remove person properties, the counterpart tosetPersonProperties(). Previously the only way to unset a person property was to hand-pass a$unsetarray inside acapture()call.(2026-06-16)
Patch Changes
#3756
b3ec845Thanks @archievi! - Drop the event and log a warning when abefore_sendhook removes thetokenproperty, instead of silently sending an event that ingest rejects with a 401.(2026-06-16)
#3860
c9c7df1Thanks @marandaneto! - Add$unsetto capture options and pass it through in browser capture payloads.(2026-06-16)
#3855
fadaa4fThanks @haacked! - Stop sending theipquery parameter on feature flag requests. The flags endpoint ignores it, and some ad blockers match/flags…ip=to block flag evaluation on any domain. Dropping it from flag requests avoids the block with no functional change. Event and session recording requests are unchanged.(2026-06-16)
#3830
0d837f5Thanks @dustinbyrne! - Avoid reloading exception and dead-click autocapture external scripts when they are already present.(2026-06-16)
#3853
f95a0ecThanks @TueHaulund! - Capture native Fullscreen API transitions in session replay. Entering native fullscreen (element.requestFullscreen()) is rendered by the browser via the UA:fullscreenpseudo-class with no DOM mutation, so the recorder previously captured nothing and replays showed the element at its pre-fullscreen size with drifted click coordinates. The recorder now emits a reserved custom event onfullscreenchange(standard pluswebkit/moz/MSprefixes), and the replayer re-applies fullscreen layout to the element on playback (including when scrubbing into a fullscreen region) via a reservedrr_fullscreenattribute, consistent with rrweb's existingrr_*attribute namespace.Known limitation: fullscreen of an element inside a same-origin iframe is recorded against the
<iframe>element rather than the inner element, so replay pins the iframe. (2026-06-16)Updated dependencies [
b3ec845,c9c7df1,c6c163a]:v1.386.8Compare Source
1.386.8
Patch Changes
3094f73Thanks @TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-sideany(distinct_id)attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts.(2026-06-15)
v1.386.7Compare Source
vitest-dev/vitest (vitest)
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.