
fix(webapp): upgrade posthog-node to v5, drop axios + stale override#3801

Merged: nicktrn merged 1 commit into main from security/posthog-node-v5 on Jun 2, 2026

nicktrn (Collaborator) commented Jun 2, 2026

Follow-up to #3796, which bumped the slack-client axios paths but left posthog-node's transitive axios@1.15.1 in place.

posthog-node 4.17.1 → 5.35.6. v5 drops the axios dependency entirely (it's now fetch-based via @posthog/core), so posthog's old axios path disappears. With #3796 already on main (webapp + d3 references on @slack/web-api@7.16.0), nothing else pins the old line, so the now-dead axios@>=1.0.0 <1.15.0 override is removed and axios resolves to a single patched 1.16.1 repo-wide. This closes the remaining axios advisories.

Compat: the webapp's usage in telemetry.server.ts (new PostHog(key, { host }), .identify, .groupIdentify, .capture) is all object-form API that v5 preserves; pnpm run typecheck --filter webapp passes.

Node: posthog-node v5 requires Node ^20.20.0 || >=22.22.0. We run 20.20.0 in dev (.nvmrc), CI, and the published Docker image (node:20.20-bullseye-slim), so we're compliant.

@nicktrn nicktrn self-assigned this Jun 2, 2026
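
As an added example (not code from this PR or from the trigger.dev repository): a small Node script that checks a pnpm lockfile for lingering resolutions of a package below a patched floor, which is the condition the description above says this change removes for axios. The lockfile excerpt is constructed, the function names are hypothetical, and the floor 1.16.1 and the old 1.15.1 are the versions named in the description.

```javascript
// Constructed pnpm-lock.yaml excerpt (NOT the repository's real lockfile):
// the state before the upgrade, with posthog-node still pulling axios 1.15.1.
const SAMPLE_LOCK = `
packages:

  axios@1.15.1:
    resolution: {integrity: sha512-CONSTRUCTED}

  axios@1.16.1:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  posthog-node@4.17.1:
    dependencies:
      axios: 1.15.1
`;

// Compare two plain x.y.z versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Collect each distinct resolved version of `name` from package keys such as
// "axios@1.16.1:" or "/axios@1.15.1:" (optionally quoted, with a peer suffix).
function resolvedVersions(lockText, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^\\s+['"]?/?${esc}@(\\d+\\.\\d+\\.\\d+)[^:\\n]*:`, "gm");
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Report what resolves, what is below the floor, and whether it is deduplicated.
function auditPackage(lockText, name, floor) {
  const versions = resolvedVersions(lockText, name);
  return {
    versions,
    belowFloor: versions.filter((v) => compareVersions(v, floor) < 0),
    single: versions.length === 1,
  };
}

console.log(auditPackage(SAMPLE_LOCK, "axios", "1.16.1"));
```

Run in CI against the real `pnpm-lock.yaml`, a non-empty `belowFloor` or `single: false` indicates that some dependency or override still pins an older line.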

changeset-bot Bot commented Jun 2, 2026

⚠️ No Changeset found

Latest commit: 840be67

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai Bot (Contributor) commented Jun 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: afa0f6fe-a2c0-422c-893b-1351dac86761

📥 Commits

Reviewing files that changed from the base of the PR and between 952139d and 840be67.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .server-changes/bump-posthog-node-v5.md
  • apps/webapp/package.json
  • package.json
💤 Files with no reviewable changes (1)
  • package.json
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (29)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 8)
  • GitHub Check: sdk-compat / Node.js 22.12 (ubuntu-latest)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 8)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 8)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 8)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 8)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (1, 1)
  • GitHub Check: sdk-compat / Bun Runtime
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: sdk-compat / Node.js 20.20 (ubuntu-latest)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: sdk-compat / Cloudflare Workers
  • GitHub Check: sdk-compat / Deno Runtime
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

Code formatting must be enforced using Prettier before committing

Files:

  • apps/webapp/package.json
🧠 Learnings (2)
📚 Learning: 2026-05-14T14:54:39.095Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3545
File: .server-changes/agent-view-sessions.md:10-10
Timestamp: 2026-05-14T14:54:39.095Z
Learning: In the `trigger.dev` repository, do not flag inconsistent dot vs slash notation in route/path strings inside `.server-changes/*.md` files. These markdown files are consumed verbatim into the changelog, so the mixed notation (e.g., `resources.orgs.../runs.$runParam/...`) is intentional and should be preserved as-is.

Applied to files:

  • .server-changes/bump-posthog-node-v5.md
📚 Learning: 2026-04-27T16:46:03.861Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3456
File: apps/webapp/package.json:152-152
Timestamp: 2026-04-27T16:46:03.861Z
Learning: In `apps/webapp/package.json`, treat the `effect` npm package as an intentional runtime dependency (not unused/misplaced) for the Schedule + Fiber-based metadata update logic. This should apply when reviewing `apps/webapp` code paths used by `apps/webapp/app/utils/updateMetadata.server.ts` (and closely related modules) that use Effect APIs such as `Duration.divide`, `STM.cond`, namespace exports for `Effect`/`Schedule`/`Duration`/`Fiber`, and the `Fiber.RuntimeFiber` type.

Applied to files:

  • apps/webapp/package.json
🔇 Additional comments (2)
apps/webapp/package.json (1)

186-186: LGTM!

.server-changes/bump-posthog-node-v5.md (1)

1-6: LGTM!


Walkthrough

This PR upgrades the posthog-node dependency from version 4.17.1 to 5.35.6 in apps/webapp/package.json. The upgrade removes posthog-node's axios dependency, eliminating the need for a previously configured axios version override in the root pnpm.overrides. The axios constraint (>=1.0.0 <1.15.0) is removed, allowing axios to resolve naturally to version 1.16.1. A changelog entry documents this upgrade and the override removal.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: upgrading posthog-node to v5 while removing axios overrides. |
| Description check | ✅ Passed | The description is detailed and complete, covering the rationale, technical details, compatibility checks, and testing. However, the required template sections (Checklist, Testing, Changelog, Screenshots) are not explicitly included. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

devin-ai-integration Bot (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

@nicktrn nicktrn enabled auto-merge (squash) June 2, 2026 08:32
@nicktrn nicktrn merged commit e35f574 into main Jun 2, 2026
46 checks passed
@nicktrn nicktrn deleted the security/posthog-node-v5 branch June 2, 2026 08:33