Bump @opentelemetry/core and posthog-js in /ui/frontend

[dependabot]

Removes @opentelemetry/core. It's no longer used after updating ancestor dependency posthog-js. These dependencies need to be updated together.

Removes @opentelemetry/core

Updates posthog-js from 1.352.0 to 1.386.8

Release notes

Sourced from posthog-js's releases.

posthog-js@1.386.8

1.386.8

Patch Changes

• #3838 3094f73 Thanks @​TueHaulund! - fix(replay): discard the prior session's buffer when start() bails out a pending stop(). On a stopSessionRecording() → reset() → identify(newUser) → startSessionRecording() sequence, stopSessionRecording() takes the async compression-drain path, deferring its buffer flush and teardown. start() correctly invalidates that pending cleanup so the new recorder survives, but it left the stopped session's snapshot buffer in place. The re-entrant session-id restart then flushed those previous-user snapshots under the OLD session id, producing a mixed-distinct_id session that server-side any(distinct_id) attribution resolves to the wrong person — recordings showing the previous user's identity. start() now clears that stale buffer alongside invalidating the compression queue, matching the drop-trailing-data trade-off the bailed-out stop() path already accepts. (2026-06-15)

posthog-js@1.386.7

1.386.7

Patch Changes

• #3837 29bf8e3 Thanks @​marandaneto! - Add missing bugs metadata to package manifests. (2026-06-15)

• #3832 d3a9462 Thanks @​archievi! - Surveys: guard the remaining unprotected localStorage accesses (reset() and the lastSeenSurveyDate write) so a SecurityError in cross-origin iframes is swallowed instead of bubbling up to user monitoring. (2026-06-15)

• Updated dependencies [29bf8e3]:

  • @​posthog/core@​1.32.4
  • @​posthog/types@​1.386.4

posthog-js@1.386.6

1.386.6

Patch Changes

• #3804 a27b163 Thanks @​pauldambra! - fix(product-tours): drop the cached tours blob when product tours is not enabled

  Tours fetched while product tours was enabled are cached under ph_product_tours in the main persistence blob. Once product tours is disabled (remote config or the disable_product_tours option) that cache was never cleaned up, so a potentially large stale blob kept riding on every persistence write — and on every cross-tab storage event those writes broadcast. onRemoteConfig now clears the cached tours whenever product tours resolves to disabled; they are re-fetched if it is ever re-enabled. (2026-06-11)

posthog-js@1.386.5

1.386.5

Patch Changes

• #3801 bd06ac7 Thanks @​ksvat! - fix(replay): prevent silent recorder teardown on session-id rotation. When the session id rotates during active rrweb capture, _updateWindowAndSessionIds calls stop() then synchronously start('session_id_changed'). If stop() took the _stopAfterCompressionQueueDrains path (which fires whenever the compression queue is non-empty — common during steady recording), its async cleanup would later resolve and call _teardown() against the freshly-started recorder, stopping rrweb, removing event listeners, and emptying the V2 trigger-group matchers. From that point on, the recorder's status getter kept reporting active/sampled (the _strategy reference was still set), but rrweb was no longer producing events, no listeners were registered, and no $snapshot data reached the server — the session looked recording-eligible from event metadata yet produced no replay. start() now invalidates the compression-queue state (generation bump plus reset of the stop-in-progress flag and queued-event count), so any pending cleanup from a prior stop() bails at its existing generation check and a later stop() of the new recorder is not mistaken for the old in-progress one. Affects long-running tabs that rotate session id mid-use (idle timeout, session-past-max-length, or posthog.reset()). (2026-06-11)

posthog-js@1.386.4

1.386.4

Patch Changes

• #3767 fdc07f3 Thanks @​arnohillen! - replay: jump scrolls instantly when seeking past pages that use scroll-behavior: smooth. During fast-forward the replayer applied scrolls with behavior: 'auto', which inherits the page's CSS scroll-behavior — so on sites that set scroll-behavior: smooth (e.g. Silk bottom sheets/modals) a seeked scroll animated from 0 instead of jumping, leaving scroll-revealed content (the open sheet) out of view and showing only the backdrop until the animation caught up. Sync scrolls now use behavior: 'instant', matching the method's stated intent that smooth scrolling be disabled while fast-forwarding. Full snapshot rebuilds apply their initial offset with behavior: 'instant' too, so the document-level scroll doesn't animate either. (2026-06-11)

posthog-js@1.386.3

1.386.3

... (truncated)

Commits

• c826954 chore: update versions and lockfile [version bump]
• 3094f73 fix(replay): discard prior session buffer on restart across reset (#3838)
• 47aea13 chore: update versions and lockfile [version bump]
• 29bf8e3 fix: add missing bugs metadata (#3837)
• d3a9462 fix: Guard remaining survey localStorage accesses against SecurityError (#358...
• a3eff27 chore(deps): bump turbo to 2.9.16 (#3836)
• 5e8c4b7 chore: update versions and lockfile [version bump]
• d6fc0a5 feat(flags): support early_exit in posthog-node local evaluation (#3705)
• be08a64 docs: centralize SDK examples in official docs (#3825)
• 1a2ddb7 chore: update versions and lockfile [version bump]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.