
Conversation

@adevinwild
Contributor

@adevinwild adevinwild commented Nov 28, 2025

Summary

What — What changes are introduced in this PR?

Upgrade the posthog-node dependency to 5.14.0, as stated by the PostHog team, due to the Shai-Hulud attack:
PostHog/posthog-js#2633

Why — Why are these changes relevant or necessary?

Security

How — How have these changes been implemented?

Upgraded deps in package.json

Checklist

Please ensure the following before requesting a review:

  • I have added a changeset for this PR
    • Every non-breaking change should be marked as a patch
    • To add a changeset, run yarn changeset and follow the prompts
  • The changes are covered by relevant tests
  • I have verified the code works as intended locally
  • I have linked the related issue(s) if applicable

Additional Context

PostHog/posthog-js#2633

@adevinwild adevinwild requested review from a team as code owners November 28, 2025 14:08
@changeset-bot

changeset-bot bot commented Nov 28, 2025

🦋 Changeset detected

Latest commit: 05875f9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 74 packages
Name Type
@medusajs/analytics-posthog Patch
@medusajs/medusa Patch
@medusajs/test-utils Patch
@medusajs/medusa-oas-cli Patch
integration-tests-http Patch
@medusajs/analytics Patch
@medusajs/api-key Patch
@medusajs/auth Patch
@medusajs/caching Patch
@medusajs/cart Patch
@medusajs/currency Patch
@medusajs/customer Patch
@medusajs/file Patch
@medusajs/fulfillment Patch
@medusajs/index Patch
@medusajs/inventory Patch
@medusajs/link-modules Patch
@medusajs/locking Patch
@medusajs/notification Patch
@medusajs/order Patch
@medusajs/payment Patch
@medusajs/pricing Patch
@medusajs/product Patch
@medusajs/promotion Patch
@medusajs/region Patch
@medusajs/sales-channel Patch
@medusajs/settings Patch
@medusajs/stock-location Patch
@medusajs/store Patch
@medusajs/tax Patch
@medusajs/user Patch
@medusajs/workflow-engine-inmemory Patch
@medusajs/workflow-engine-redis Patch
@medusajs/draft-order Patch
@medusajs/oas-github-ci Patch
@medusajs/cache-inmemory Patch
@medusajs/cache-redis Patch
@medusajs/event-bus-local Patch
@medusajs/event-bus-redis Patch
@medusajs/analytics-local Patch
@medusajs/auth-emailpass Patch
@medusajs/auth-github Patch
@medusajs/auth-google Patch
@medusajs/caching-redis Patch
@medusajs/file-local Patch
@medusajs/file-s3 Patch
@medusajs/fulfillment-manual Patch
@medusajs/locking-postgres Patch
@medusajs/locking-redis Patch
@medusajs/notification-local Patch
@medusajs/notification-sendgrid Patch
@medusajs/payment-stripe Patch
@medusajs/core-flows Patch
@medusajs/framework Patch
@medusajs/js-sdk Patch
@medusajs/modules-sdk Patch
@medusajs/orchestration Patch
@medusajs/types Patch
@medusajs/utils Patch
@medusajs/workflows-sdk Patch
@medusajs/cli Patch
@medusajs/deps Patch
@medusajs/telemetry Patch
@medusajs/admin-bundler Patch
@medusajs/admin-sdk Patch
@medusajs/admin-shared Patch
@medusajs/admin-vite-plugin Patch
@medusajs/dashboard Patch
@medusajs/icons Patch
@medusajs/toolbox Patch
@medusajs/ui-preset Patch
create-medusa-app Patch
medusa-dev-cli Patch
@medusajs/ui Patch

@vercel

vercel bot commented Nov 28, 2025

@adevinwild is attempting to deploy a commit to the medusajs Team on Vercel.

A member of the Team first needs to authorize it.

@olivermrbl
Contributor

olivermrbl commented Nov 28, 2025

Thanks for the contribution. Definitely makes sense to upgrade.

But just to be clear and in case anyone sees this PR, the version we currently depend on was not compromised according to the Posthog team.

@adevinwild
Contributor Author

> Thanks for the contribution. Definitely makes sense to upgrade.
>
> But just to be clear and in case anyone sees this PR, the version we currently depend on was not compromised according to the Posthog team.

Okay, that's good to know. It's true that when I saw ^5.11.0 I thought the installation had automatically switched to 5.11.3. Thanks for the clarification 🙌
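The exchange above turns on a detail worth making concrete: a caret range such as `^5.11.0` in package.json only says which versions an install is allowed to pick; the version actually installed is whatever the lockfile pins (or, without a lockfile, whatever the registry serves at install time). The following is an added example, not code from this PR or from the Medusa project, that checks both halves of that question for a single dependency with no external packages: whether a range would admit any version on a blocklist, and whether the pinned version is on the blocklist or below a required minimum. The `5.14.0` minimum is the version this PR moves to; the blocklist passed in is a constructed placeholder, because the PR does not state which versions were affected.

```javascript
// Added example (not from the PR or the Medusa code base). Dependency-free check
// of a package.json caret range against a lockfile pin. Only "^X.Y.Z" ranges with
// X >= 1 are handled; any other shape throws so it cannot silently pass.

const MIN_SAFE = "5.14.0"; // version the PR upgrades to

// "5.11.3" -> [5, 11, 3]; rejects pre-release/build suffixes rather than guessing.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Standard three-part numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: "^X.Y.Z" admits >= X.Y.Z and < (X+1).0.0.
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled: ${range}`);
  const base = range.slice(1);
  const [baseMajor] = parseVersion(base);
  if (baseMajor === 0) throw new Error("0.x caret semantics are not handled here");
  const [vMajor] = parseVersion(version);
  return vMajor === baseMajor && compareVersions(version, base) >= 0;
}

// Audit one dependency. `range` is the package.json specifier, `locked` the
// lockfile pin (undefined if there is no lockfile), `blocked` the versions the
// caller wants to keep out (constructed placeholder list in the test below).
function auditDependency({ range, locked, blocked = [], minSafe = MIN_SAFE }) {
  const findings = [];
  for (const bad of blocked) {
    if (caretAllows(range, bad)) findings.push(`range ${range} permits blocked version ${bad}`);
  }
  if (locked === undefined) {
    findings.push("no lockfile pin: installed version depends on registry state at install time");
  } else {
    if (blocked.includes(locked)) findings.push(`lockfile pins blocked version ${locked}`);
    if (compareVersions(locked, minSafe) < 0) findings.push(`lockfile pins ${locked}, below minimum ${minSafe}`);
  }
  return { ok: findings.length === 0, findings };
}

// Stand-alone run: the situation discussed in the thread, with a constructed
// placeholder blocklist (this does not assert that any real version was affected).
if (typeof require !== "undefined" && require.main === module) {
  const placeholderBlocklist = ["5.11.3"]; // constructed for illustration
  console.log(auditDependency({ range: "^5.11.0", locked: "5.11.0", blocked: placeholderBlocklist }));
  console.log(auditDependency({ range: "^5.14.0", locked: "5.14.0", blocked: placeholderBlocklist }));
}

module.exports = { parseVersion, compareVersions, caretAllows, auditDependency, MIN_SAFE };
```

Running it shows why the bump matters even when the pinned version itself was fine: the `^5.11.0` range would have accepted a later 5.11.x patch, so the lockfile, not the range, was what kept the install on a known version. Moving the range and the pin to `5.14.0` removes the gap between what is allowed and what is installed.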

@adevinwild adevinwild changed the title chore: update posthog-node dependency to version 5.14.0 across multip… chore: update posthog-node dependency to version 5.14.0 - FIXES #14158 Nov 29, 2025