Gathering detailed insights and metrics for posthog-js
Gathering detailed insights and metrics for posthog-js
Send usage data from your web app or site to PostHog, with autocapture.
Installations
npm install posthog-jsDeveloper
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
Typescript Support
Yes
Node Version
18.20.5
NPM Version
10.8.2
Statistics
303 Stars
1,964 Commits
126 Forks
10 Watching
140 Branches
78 Contributors
Updated on 27 Nov 2024
Languages
TypeScript (97.63%)
HTML (1.59%)
JavaScript (0.77%)
CSS (0.01%)
Vue (0.01%)
Total Downloads
Cumulative downloads
Total Downloads
34,976,742
Last day
-8.5%
131,975
Compared to previous day
Last week
-0.4%
680,085
Compared to previous week
Last month
16.2%
2,895,597
Compared to previous month
Last year
188.1%
23,537,184
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
4
Dev Dependencies
69
@babel/core@babel/plugin-syntax-decorators@babel/plugin-transform-exponentiation-operator@babel/plugin-transform-nullish-coalescing-operator@babel/plugin-transform-react-jsx@babel/preset-env@babel/preset-typescript@cypress/skip-test@jest/globals@rollup/plugin-babel@rollup/plugin-commonjs@rollup/plugin-json@rollup/plugin-node-resolve@rollup/plugin-terser@rollup/plugin-typescript@rrweb/record@rrweb/rrweb-plugin-console-record@rrweb/types@sentry/types@testing-library/dom@testing-library/jest-dom@testing-library/preact@types/eslint@types/jest@types/node@types/react-dom@types/sinon@types/web@typescript-eslint/eslint-plugin@typescript-eslint/parserbabel-jestbrowserslistcompare-versionscypresscypress-localstorage-commandsdate-fnseslinteslint-config-posthog-jseslint-config-prettiereslint-plugin-compateslint-plugin-jesteslint-plugin-no-only-testseslint-plugin-posthog-jseslint-plugin-prettiereslint-plugin-reacteslint-plugin-react-hooksexpectfast-checkhuskyjestjsdomjsdom-globallint-stagedlocalStoragemswnode-fetchposthog-jspreact-render-to-stringprettierrolluprollup-plugin-dtsrollup-plugin-visualizersinontestcafetestcafe-browser-provider-browserstackts-nodetslibtypescriptyargs
Versions
PostHog Browser JS Library
For information on using this library in your app, see PostHog Docs.
This README is intended for developing the library itself.
Testing
Unit tests: run pnpm test.
Cypress: run pnpm start to have a test server running and separately pnpm cypress to launch Cypress test engine.
Running TestCafe E2E tests with BrowserStack
Testing on IE11 requires a bit more setup. TestCafe tests will use the
playground application to test the locally built array.full.js bundle. It will
also verify that the events emitted during the testing of playground are loaded
into the PostHog app. By default it uses https://us.i.posthog.com and the
project with ID 11213. See the testcafe tests to see how to override these if
needed. For PostHog internal users ask @benjackwhite or @hazzadous to invite you
to the Project. You'll need to set POSTHOG_API_KEY to your personal API key, and
POSTHOG_PROJECT_KEY to the key for the project you are using.
You'll also need to sign up to BrowserStack. Note that if you are using CodeSpaces, these variables will already be available in your shell env variables.
After all this, you'll be able to run through the below steps:
- Optional: rebuild array.js on changes:
nodemon -w src/ --exec bash -c "pnpm build-rollup". - Export browserstack credentials:
export BROWSERSTACK_USERNAME=xxx BROWSERSTACK_ACCESS_KEY=xxx. - Run tests:
npx testcafe "browserstack:ie" testcafe/e2e.spec.js.
Running local create react app example
You can use the create react app setup in playground/nextjs to test posthog-js as an npm module in a Nextjs application.
- Run
posthoglocally on port 8000 (DEBUG=1 TEST=1 ./bin/start). - Run
python manage.py setup_dev --no-dataon posthog repo, which sets up a demo account. - Copy Project API key found in
http://localhost:8000/project/settingsand save it for the last step. - Run
cd playground/nextjs. - Run
pnpm ito install dependencies. - Run
pnpm run build-posthog-jsto buildposthog-jslocally. - Run
NEXT_PUBLIC_POSTHOG_KEY='<your-local-api-key>' NEXT_PUBLIC_POSTHOG_HOST='http://localhost:8000' pnpm devto start the application.
Tiers of testing
- Unit tests - this verifies the behavior of the library in bite-sized chunks. Keep this coverage close to 100%, test corner cases and internal behavior here
- Cypress tests - integrates with a real chrome browser and is capable of testing timing, browser requests, etc. Useful for testing high-level library behavior, ordering and verifying requests. We shouldn't aim for 100% coverage here as it's impossible to test all possible combinations.
- TestCafe E2E tests - integrates with a real posthog instance sends data to it. Hardest to write and maintain - keep these very high level
Developing together with another project
Install pnpm to link a local version of posthog-js in another JS project: npm install -g pnpm
Run this to link the local version
We have 2 options for linking this project to your local version: via pnpm link or via local paths
local paths (preferred)
- from whichever repo needs to require
posthog-js, go to thepackage.jsonof that file, and replace theposthog-jsdependency version number withfile:<relative_or_absolute_path_to_local_module> - e.g. from the
package.jsonwithinposthog, replace"posthog-js": "1.131.4"with"posthog-js": "file:../posthog-js" - run
pnpm installfrom the root of the project in which you just created a local path
Then, once this link has been created, any time you need to make a change to posthog-js, you can run pnpm build from the posthog-js root and the changes will appear in the other repo.
pnpm link
- In the
posthog-jsdirectory:pnpm link --global - (for
posthogthis means:pnpm link --global posthog-js && pnpm i && pnpm copy-scripts) - You can then remove the link by, e.g., running
pnpm link --global posthog-jsfrom withinposthog
Releasing a new version
Just put a bump patch/minor/major label on your PR! Once the PR is merged, a new version with the appropriate version bump will be released, and the dependency will be updated in posthog/PostHog – automatically.
If you forget to add the label, don't try to update the version locally as you won't be able to push that commit to the main branch. Instead, just make a new PR.
Prereleases
To release an alpha or beta version, you'll need to use the CLI locally:
CLI
Only one person is set as a collaborator on NPM, so they're the only person that can manually publish alphas
-
Make sure you're a collaborator on
posthog-jsin npm (check here). -
Make sure you're logged into the npm CLI (
npm login). -
Check out your work-in-progress branch (do not release an alpha/beta from
main). -
Run the following commands, using the same bump level (major/minor/patch) as your PR:
1npm version [premajor | preminor | prepatch] --preid=beta 2npm publish --tag beta 3git push --tags -
Enjoy the new prerelease version. You can now use it locally, in a dummy app, or in the main repo.
Automagically
Use the "release alpha" label on your PR to have an alpha version published automatically. This automation currently doesn't check whether an alpha exists for the version it will try to publish. If you need to publish two alphas from one PR you'll need to fix that
Remember that these versions are public and folk might use them, so make sure they're not too alpha 🙈
Stable Version
The latest stable version of the package.
Stable Version
1.190.2
MODERATE
1
MODERATE
5.4/10
Summary
Potential for cross-site scripting in PostHog-js
Affected Versions
< 1.57.2
Patched Versions
1.57.2
Reason
30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/cd.yml:24
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
Found 18/30 approved changesets -- score normalized to 6
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/bundled-size.yaml:1
- Warn: no topLevel permission defined: .github/workflows/cd.yml:1
- Warn: no topLevel permission defined: .github/workflows/es-check.yml:1
- Warn: no topLevel permission defined: .github/workflows/label-alpha-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/label-version-bump.yml:1
- Warn: no topLevel permission defined: .github/workflows/library-ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/lint-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/new-pr.yml:1
- Warn: no topLevel permission defined: .github/workflows/react.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yaml:1
- Warn: no topLevel permission defined: .github/workflows/testcafe.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundled-size.yaml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/bundled-size.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bundled-size.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/bundled-size.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bundled-size.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/bundled-size.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bundled-size.yaml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/bundled-size.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cd.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:222: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/cd.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/es-check.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/es-check.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/es-check.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/es-check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/es-check.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/es-check.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-alpha-release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-alpha-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-alpha-release.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-alpha-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-alpha-release.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-alpha-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-alpha-release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-alpha-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-version-bump.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-version-bump.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-version-bump.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-version-bump.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-version-bump.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/label-version-bump.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/library-ci.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/library-ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/library-ci.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/library-ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/library-ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/library-ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/library-ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint-pr.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/lint-pr.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/react.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/react.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/react.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/react.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/react.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/react.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/stale.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testcafe.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/testcafe.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/testcafe.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/testcafe.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testcafe.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/PostHog/posthog-js/testcafe.yml/main?enable=pin
- Info: 0 out of 29 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 21 third-party GitHubAction dependencies pinned
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 19 are checked with a SAST tool
Reason
23 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-xvf7-4v9q-58w6
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
- Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
- Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
4.7
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More