chore(deps): bump posthog-node from 5.10.0 to 5.35.0 in /extension/secureflow/packages/secureflow-cli

[dependabot]

Bumps posthog-node from 5.10.0 to 5.35.0.

Release notes

Sourced from posthog-node's releases.

posthog-node@5.35.0

5.35.0

Minor Changes

• #3642 18ea8b5 Thanks @​dustinbyrne! - Promote feature flag definition cache provider types to the main posthog-node export and deprecate posthog-node/experimental imports. (2026-05-21)

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.29.8

posthog-node@5.34.10

5.34.10

Patch Changes

• #3643 f42f371 Thanks @​dmarticus! - Reject semver values with leading zeros in local flag evaluation. Per semver 2.0.0 §2, numeric identifiers must not include leading zeros — values like 1.07.3 are not valid semver and should not match targeting conditions. Both override values and flag values are now validated; invalid inputs surface as InconclusiveMatchError so the condition does not match. (2026-05-21)

posthog-node@5.34.9

5.34.9

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.29.7

posthog-node@5.34.8

5.34.8

Patch Changes

• #3640 12ef3f6 Thanks @​hpouillot! - Fix identifyImmediate to await the underlying network request. Previously the returned promise resolved before the $identify event was sent, causing events to be dropped when called from short-lived runtimes (Vercel/Cloudflare Workers, Convex actions) that exit immediately after await. (2026-05-21)

posthog-node@5.34.7

5.34.7

Patch Changes

• Updated dependencies [a880dbc]:
  • @​posthog/core@​1.29.6

posthog-node@5.34.6

5.34.6

Patch Changes

... (truncated)

Changelog

Sourced from posthog-node's changelog.

5.35.0

Minor Changes

• #3642 18ea8b5 Thanks @​dustinbyrne! - Promote feature flag definition cache provider types to the main posthog-node export and deprecate posthog-node/experimental imports. (2026-05-21)

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.29.8

5.34.10

Patch Changes

• #3643 f42f371 Thanks @​dmarticus! - Reject semver values with leading zeros in local flag evaluation. Per semver 2.0.0 §2, numeric identifiers must not include leading zeros — values like 1.07.3 are not valid semver and should not match targeting conditions. Both override values and flag values are now validated; invalid inputs surface as InconclusiveMatchError so the condition does not match. (2026-05-21)

5.34.9

Patch Changes

• Updated dependencies []:
  • @​posthog/core@​1.29.7

5.34.8

Patch Changes

• #3640 12ef3f6 Thanks @​hpouillot! - Fix identifyImmediate to await the underlying network request. Previously the returned promise resolved before the $identify event was sent, causing events to be dropped when called from short-lived runtimes (Vercel/Cloudflare Workers, Convex actions) that exit immediately after await. (2026-05-21)

5.34.7

Patch Changes

• Updated dependencies [a880dbc]:
  • @​posthog/core@​1.29.6

5.34.6

Patch Changes

• #3623 e119eec Thanks @​richardsolomou! - Fix six edge cases in local feature flag evaluation. gt/gte/lt/lte now compare numerically when both sides parse as finite numbers — previously a string override like "10" against numeric value 9 slipped into lexicographic comparison and returned false, and parseFloat's NaN return value leaked through the old != null guard. is_not_set now resolves locally — true when the property key is absent, false when present — instead of always throwing InconclusiveMatchError and forcing the flag to return undefined. Flag-level condition properties with negation: true are now correctly inverted, matching the existing cohort-path behavior in matchPropertyGroup. An inactive flag (active: false) now short-circuits to false even when ensure_experience_continuity: true — previously it threw InconclusiveMatchError and resolved to undefined. is_set now returns true for properties whose value is null or undefined as long as the key is present — is_set is about key presence, not value. Cohort property groups containing a flag-type property no longer silently skip the dependency; the cohort eval is now marked inconclusive so the flag returns undefined instead of a wrong definitive answer. (2026-05-19)

5.34.5

Patch Changes

... (truncated)

Commits

• a05405d chore: update versions and lockfile [version bump]
• 18ea8b5 feat(node): promote flag definition cache provider types (#3642)
• 1fcb5ae chore: update versions and lockfile [version bump]
• f42f371 fix(node): reject leading-zero semver values in local evaluation (#3643)
• 2f46fe6 chore: update versions and lockfile [version bump]
• 993a165 chore: update versions and lockfile [version bump]
• 12ef3f6 fix(node): identifyImmediate does not await its network request (#3640)
• e59c337 chore: update versions and lockfile [version bump]
• 5f95335 chore: update versions and lockfile [version bump]
• e119eec fix(node): correct edge cases in local feature flag evaluation (#3623)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for posthog-node since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[safedep]

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
@posthog/core @ 1.29.8 extension/secureflow/packages/secureflow-cli/package-lock.json				🔗
@posthog/types @ 1.375.0 extension/secureflow/packages/secureflow-cli/package-lock.json				🔗
posthog-node @ 5.35.0 extension/secureflow/packages/secureflow-cli/package-lock.json				🔗

View complete scan results →

_{This report is generated by SafeDep Github App}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	1
Rules	205

---

_{Powered by Code Pathfinder}

[code-pathfinder]

Pathfinder Report

✅ No security findings on the changed files. This pull request is clean.

View report on the dashboard

---

Powered by Code Pathfinder.

[shivasurya]

Closing as part of switching Dependabot to security-only mode (see #713). Routine version-bump PRs are suppressed via open-pull-requests-limit: 0; security update PRs for actual advisories will continue to open automatically. Reopen if a specific bump here is needed urgently.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.