[Snyk] Upgrade mixpanel-browser from 2.41.0 to 2.53.0 #2

Open
wants to merge 1 commit into
base: master
iamsuganthi
Owner

Snyk has created this PR to upgrade mixpanel-browser from 2.41.0 to 2.53.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 13 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
|---|---|---|
| medium severity Information Exposure SNYK-JS-NANOID-2332193 | 300 | Proof of Concept |

Release notes
Package name: mixpanel-browser
  • 2.53.0 - 2024-06-21
    • Network payload format for session recording batches has changed, including client-side compression on browsers which support it
    • Google Tag Manager wrapper now includes session-recording start/stop methods
  • 2.52.0 - 2024-06-07

    This release reverts the UTM param persistence change introduced in v2.51.0, to minimize disruption for older implementations. UTM parameters will be persisted by default in super property storage when the SDK finds them on pageload. To opt in to the recommended modern behavior, use initialization option {stop_utm_persistence: true}.

  • 2.51.0 - 2024-05-30
    • UTM parameters are no longer persisted as superproperties by default. Mixpanel analyses now have attribution support that does not require client-side persistence of these properties. To opt in to the previous behavior, use initialization option {stop_utm_persistence: false}.
    • localStorage->cookie migration support: when switching an implementation from localStorage persistence to cookie persistence (to support cross-subdomain tracking), the SDK will now automatically copy any existing superproperties from localStorage into the new superprop cookie. This migration behavior already existed in the opposite direction (going from cookie to localStorage).
    • The initialization options record_block_class, record_block_selector, and record_mask_text_class offer finer-grained control over elements to block in session recording, and provide stricter defaults.
    • New method mixpanel.get_session_recording_properties() exposes Replay ID property for tagging events controlled by other client-side SDKs such as Segment or mParticle.
  • 2.50.0 - 2024-04-29
    No content.
  • 2.49.0 - 2024-02-06

    This release updates capabilities related to web/marketing/attribution analytics.

    The track_pageview init option now accepts three string values to support SPA pageview tracking:

    • "url-with-path": fire pageview events only when main url path changes (https://example.com/foo -> https://example.com/bar but not https://example.com/foo?bar=1 -> https://example.com/foo?bar=2)
    • "url-with-path-and-query-string": fire pageview events only when main url path or query string changes (https://example.com/foo?bar=1 -> https://example.com/foo?bar=2 but not https://example.com/foo?bar=1#baz -> https://example.com/foo?bar=1#qux)
    • "full-url": fire pageview events when anything on the URL changes

    Example:

    mixpanel.init(`my token`, {track_pageview: `url-with-path-and-query-string`});

    Profile properties storing referrer info ($initial_referrer and $initial_referring_domain) are now saved with set_once instead of set, to prevent overwriting.

    Persistence of UTM parameters can now be turned off with the init option {stop_utm_persistence: true}. This is opt-in today but will be the default setting in a future release. The stop_utm_persistence option will also override the store_google option, which is responsible for persisting UTM parameters today. If store_google and stop_utm_persistence are both true, any persisted UTM parameters will be cleared from storage.

    Visits from AhrefsSiteAudit crawler are now ignored.

  • 2.48.1 - 2023-11-14

    This update patches a discrepancy between the minified and unminified versions of the packaged SDK. Campaign parameters will now be stored as super properties persistently in all versions.

  • 2.48.0 - 2023-11-13

    API endpoint routes can now be configured individually, so you can rename /track, /engage, and /groups HTTP endpoints arbitrarily. Configure with the api_routes option:

    mixpanel.init(`my token`, {
      api_host: `https://my-proxy.example.com`,
      api_routes: {
        track: `foo/`,
        engage: `bar/`,
        groups: `baz/`,
      },
    });

    In the above example, event-tracking requests will go to https://my-proxy.example.com/foo/, user profile updates to https://my-proxy.example.com/bar/, etc.

    Other fixes:

    • Event properties object passed to mixpanel.track() will no longer be mutated
    • Super properties are now reloaded from persistence when making every tracking call (i.e., kept fresh when another tab/window in the same browser has updated them)
    • Extra failsafe behavior for trying to clear queued requests when localStorage doesn't work on startup, e.g., when localStorage is full so writes fail
    • Block Chrome-Lighthouse user agent
    • Fix for error in add_group() when adding a new group to an existing list
  • 2.47.0 - 2023-04-28

    New default event properties are now captured with each event, holding campaign data present on the URL at the time of tracking. These include UTM parameters (in the format utm_source, utm_campaign, etc.) and Click Identifiers (e.g., gclid, fbclid, etc.). This functionality can be disabled with the initialization setting {track_marketing: false}.

    UTM parameter properties are no longer persisted across pageloads as superproperties. They will be present only on events tracked on the same pageload where they were present initially. (2023-09-13) Correction: UTM parameter properties still persist across pageloads as superproperties. Persistence will be removed in a future release.

    For better first-touch attribution, UTM parameters present on the URL on pageload will be "set once" as profile properties (meaning that a new value will not overwrite any existing value on the profile property). These property names take the format initial_utm_source, initial_utm_campaign, etc. This functionality can be disabled with the initialization setting {skip_first_touch_marketing: true}.

    Support for automatic page-view tracking has been restored. With the init option {track_pageview: true}, an event named $mp_web_page_view will be tracked on pageload, containing properties identifying the current page (current_page_title, current_url_path, etc.) as well as any UTM parameters and Click Identifiers. Pageview events with these properties can also be triggered manually:

    // track a pageview event
    mixpanel.track_pageview();

    // track pageview with additional properties
    mixpanel.track_pageview({'Test variant': 'control'});

    Automatic page-view tracking may be turned on by default in a future release.

    Miscellaneous updates:

    • UUID generation now uses performance.now() when available as part of its time-based entropy algorithm
    • The network payload format now defaults to JSON for any API host containing the string mixpanel.com (looser than previous host checks)
  • 2.46.0 - 2023-03-23

    The mixpanel.identify() implementation has been updated for compatibility with Mixpanel's new identity management system (v3). From this version, we will prefix randomly-generated device-specific distinct_ids with "$device:". The prefix is applied the next time a new random ID is generated; any IDs generated by previous SDK versions and persisted in the browser will continue to be used as-is until reset is called to generate a new ID. This does not change the value sent for the $device_id property, which will continue to be the randomly-generated ID without a prefix. Mixpanel's $identify endpoint has been updated to accept UUIDs with this prefix to coordinate with this change.

    This release also contains more aggressive client-side deduplication in the event-batching system, to reduce superfluous network sends in edge cases where parts of the queue/batch system fail. Related to this update, events now include a property mp_sent_by_lib_version which can distinguish the version of the library that actually sent an event over the network vs the version that originally queued the event.

  • 2.45.0 - 2022-02-18

    All code relating to in-app notifications has been removed, as the "Messages & Experiments" product is now entirely inactive after a 1.5 year deprecation cycle. The only noticeable changes should be:

    • The SDK no longer makes network calls to the /decide API endpoint.
    • The gzipped size of the minified full SDK is now 17435 bytes.

    There is now also support for surfacing SDK errors/warnings via the error_reporter configuration option. Exceptions and error messages which the SDK catches and handles will be passed to your handler function if supplied, e.g.:

    mixpanel.init('my token', {
      error_reporter: function(msg, err) {
        Rollbar.warn(msg, err); // send to your 3rd-party error monitor
        console.error(...arguments); // blow up your dev console locally
      },
    });

    The err argument is an Error object preserving the stack. Note that errors that make it to the user-configured reporter are generally already handled by the SDK and should be used just for informational/debugging/monitoring purposes (e.g., "Error; retry in 10000 ms" is the batch/retry system responding to a network failure). Some errors are informative for uncovering implementation issues, e.g. "No event name provided to mixpanel.track".

    Several fixes are included in this release:

    • Several var declarations were missing for the asynchronous HTML "snippet" loader (#215)
    • Some edge cases of the batch/retry system have been fixed that could cause many extraneous network requests (primarily in cases where localStorage becomes unusable after an event has already been queued).
  • 2.43.0 - 2022-01-06
  • 2.42.1 - 2021-12-22
  • 2.42.0 - 2021-11-12
  • 2.41.0 - 2021-01-28
from mixpanel-browser GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
mixpanel-browser

See this project in Snyk:
https://app.snyk.io/org/suganthi-demo/project/340854c3-0c2a-42b3-962c-ef2fb2ad425b?utm_source=github&utm_medium=referral&page=upgrade-pr
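
The three string values of track_pageview described in the 2.49.0 release notes above, modelled as an added example (not mixpanel-browser's own code and not part of this PR). The helper names pageviewKey, firesPageview and countPageviews are hypothetical, and the navigation sequence is constructed from the URLs the notes use.

```javascript
// Added illustration, not mixpanel-browser source code.
// Models which URL changes count as a new pageview for each string value
// of the track_pageview init option, as described in the 2.49.0 notes.
// Helper names below are hypothetical.

// Reduce a URL to the part that the given mode compares.
function pageviewKey(mode, href) {
  const u = new URL(href);
  const base = u.origin + u.pathname;
  switch (mode) {
    case 'url-with-path':
      return base;                 // query string and fragment ignored
    case 'url-with-path-and-query-string':
      return base + u.search;      // fragment ignored
    case 'full-url':
      return u.href;               // any change counts
    default:
      throw new Error('unknown track_pageview mode: ' + mode);
  }
}

// True when navigating fromHref -> toHref would fire a pageview event.
function firesPageview(mode, fromHref, toHref) {
  return pageviewKey(mode, fromHref) !== pageviewKey(mode, toHref);
}

// Count pageview events across a sequence of SPA navigations
// (the initial page load itself is not counted).
function countPageviews(mode, hrefs) {
  let fired = 0;
  for (let i = 1; i < hrefs.length; i++) {
    if (firesPageview(mode, hrefs[i - 1], hrefs[i])) fired++;
  }
  return fired;
}

// Constructed navigation sequence built from the URLs in the release notes.
const visits = [
  'https://example.com/foo',
  'https://example.com/foo?bar=1',
  'https://example.com/foo?bar=1#baz',
  'https://example.com/foo?bar=1#qux',
  'https://example.com/bar',
];

for (const mode of ['url-with-path', 'url-with-path-and-query-string', 'full-url']) {
  console.log(mode, countPageviews(mode, visits));
}
```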