chore(deps): upgrade posthog-node 4 -> 5 in daemon

[neogenix]

Why

posthog-node 4.18.0 is a major version behind the current 5.x line. v5 restructures the library around a shared @posthog/core package and drops axios in favor of native fetch — reducing the transitive closure by three packages (axios, follow-redirects, proxy-from-env). follow-redirects in particular has a history of CVEs; removing it entirely is a net security improvement.

Note: open PR #2285 (feat/analytics-2.0) is a PostHog event schema change, not an SDK version change — no conflict.

What users will see

No user-visible change. Analytics continue to emit exactly as before.

Surface area

• UI
• Keyboard shortcut
• CLI / env var
• API / contract
• Extension point
• i18n keys
• New top-level dependency
• Default behavior change
• None — internal refactor, docs, tests, or translation update only

Screenshots

N/A

Bug fix verification

N/A — this is a dependency upgrade, not a bug fix.

Validation

• pnpm install — lockfile updated; posthog-node 5.34.6 resolved with @posthog/core 1.29.5
• pnpm --filter @open-design/daemon typecheck — passed (exit 0)
• pnpm --filter @open-design/daemon test — 240 test files passed, 2867 tests passed, 1 skipped, 4 todo
• pnpm guard — passed
• pnpm typecheck — passed (exit 0, all workspace packages)
• protobufjs resolved version after upgrade: 7.5.7 (pre-existing; posthog-node v5 does not pull in @opentelemetry, so no change to protobufjs from this bump)

Breaking changes addressed

posthog-node v5 replaces the axios-based HTTP transport with @posthog/core (native fetch). The public API surface used by apps/daemon/src/analytics.ts is stable across the major boundary:

• PostHog constructor: unchanged (new PostHog(key, { host, flushAt, flushInterval }))
• client.capture({ distinctId, event, properties }): unchanged
• client.on('error', cb): unchanged
• client.shutdown(): still async at runtime via @posthog/core base class (PostHogCoreStateless.shutdown() returns Promise<void>); the IPostHog interface in posthog-node types it as void but TypeScript compiles cleanly since the concrete implementation satisfies the stricter type from the base class

No call-site changes were required in apps/daemon/src/analytics.ts.

[PerishCode]

@neogenix Thanks for picking this one up — a tight, well-scoped bump.

What I verified on 308a1c6b:

• Only apps/daemon/package.json and pnpm-lock.yaml change; posthog-node 4.18.0 → 5.34.6 with @posthog/[email protected] already present in the lockfile via posthog-js, so the v5 client just becomes a second consumer rather than a brand-new top-level package.
• The dropped transitives (axios, follow-redirects, proxy-from-env) are no longer referenced anywhere in the lockfile after the bump — a genuine surface-area reduction, and removing follow-redirects is a real win given its CVE history.
• apps/daemon/src/analytics.ts still uses the v5-stable surface — new PostHog(key, { host, flushAt, flushInterval }), client.on?.('error', ...) (already optional-chained, so safe even if it were dropped), client.capture({ distinctId, event, properties }), and await client.shutdown() — so no call-site edits are needed.
• v5's engine constraint ^20.20.0 || >=22.22.0 is comfortably satisfied by the repo's pinned node: "~24" in the root package.json#engines.
• Validation evidence in the PR body (lockfile resolve, daemon typecheck, daemon test suite, pnpm guard, root pnpm typecheck) covers exactly the surfaces this bump touches.

Nice clean upgrade — appreciate the careful framing of the v5 API stability in the PR body so reviewers didn't have to re-derive it.

_{🔁 Powered by Looper · runner=reviewer · agent=claude-code · An autonomous AI dev team for your GitHub repos.}

[open-design-bot]

🎉 📡 You just leveled up to Giotto

📡 ✨ Sending steady signals.

🙌 Your contributions are sending a clear signal across the network: you care about making Open Design better. Keep transmitting.

💛 Thanks for helping Open Design move forward. Keep building in the open. 🚀

---

📊 Rank #46 among 96 contributors

🔗 Share on X (English) · 分享到 X（中文）

[leilei926524-tech]

Hi @neogenix!

Your first Open Design PR has been merged! Huge thanks for jumping in and improving the project!

You contributed:

Merged PR: #2309 chore(deps): upgrade posthog-node 4 -> 5 in daemon
#2309

That is a real contribution to the daemon/tooling side of Open Design, and we would love to help you keep the momentum going!

For your next contribution, we picked two issues that look like a good follow-up:

1. Lint craft section references to surface typos without losing the forward-reference allowance #1886 Lint craft section references to surface typos without losing the forward-reference allowance
   Lint craft section references to surface typos without losing the forward-reference allowance #1886

This is a focused tooling/chore task, which matches the kind of maintenance work you just helped with!

2. Routine page remains in English when the app language is set to Chinese #1372 Routine page remains in English when the app language is set to Chinese
   Routine page remains in English when the app language is set to Chinese #1372

This is a good first issue with a clear user-facing bug, and it should be a nice next step if you want something smaller and product-visible!

If one of these looks interesting, feel free to comment /claim on the issue and we will help you get started!

Once your second PR gets merged, you will move into our Continuous Contributor tier. We are also starting to highlight repeat contributors more actively in the community, so this is a great time to keep going!

Thanks again for the first PR, and welcome to the Open Design contributor community!

The Open Design team

P.S. We hang out in Discord — come say hi: https://discord.gg/3C6EWXbdQQ
There's a #contributors channel where folks share what they're working on.