releases.shpreview
PostHog/PostHog JS/posthog-js@1.379.1

Session recording no longer leaks iframe documents and observers

posthog-js@1.379.1

June 3, 2026PostHog JSView original ↗
2 fixesThis release2 fixesBug fixesAI-tallied from the release notes

1.379.1

Patch Changes

  • #3570 4a27ced Thanks @gruessi! - fix(record): release iframe documents and observers on iframe removal — same-origin iframes mounted and unmounted while session recording is active no longer leak their Document, every node serialized into the mirror, or one MutationObserver per mount. Closes eight retainer chains: load-listener disposers, named pagehide handlers, the recordCrossOriginIframes cleanup gate (now applied to same-origin too), captured Document / Window sets that survive iframe.src swap-to-about:blank before removal, and the global mutationBuffers[] / handlers[] arrays which previously accumulated forever. Validated end-to-end: a host page that mounts/unmounts 5 blob-URL iframes every 2s for 110s went from +118 MB / +390 leaked HTMLDocuments to ~0 MB / 0. (2026-06-03)

  • #3717 1688b38 Thanks @turnipdabeets! - Move the OpenTelemetry logs dependencies to devDependencies. They are only used to build the CDN-served logs extension chunk, which inlines them, so consumers no longer install the transitive protobufjs (whose eval("require") tripped unsafe-eval Content Security Policies).

    If you imported @opentelemetry/* directly while relying on it being hoisted from posthog-js, add it to your own dependencies. (2026-06-03)

  • Updated dependencies []:

    • @posthog/types@1.379.1
    • @posthog/core@1.30.4

Fetched June 3, 2026