mixpanel-browser 2.73.0 → 2.74.0

package/.claude/settings.local.json

@@ -0,0 +1,12 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(mkdir:*)",
+      "Bash(cat:*)",
+      "Bash(node --input-type=module -e \"import { expect } from 'chai'; console.log\\('works'\\);\":*)",
+      "Bash(BABEL_ENV=test node:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

package/.eslintrc.json

@@ -8,7 +8,9 @@
         "sourceType": "module"
     },
     "rules": {
-        "camelcase": "error",
+        "camelcase": ["error", {
+            "properties": "never"
+        }],
         "eol-last": "error",
         "eqeqeq": "error",
         "indent":
@@ -29,13 +31,14 @@
         ]
     },
     "overrides": [{
-        "files": ["tests/unit/**/*.js"],
+        "files": ["tests/unit/**/*.js", "tests/browser/**/*.js", "*.mjs"],
         "parserOptions": {
-            "ecmaVersion": 8,
+            "ecmaVersion": 9,
             "sourceType": "module"
         },
         "env": {
-            "mocha": true
+            "mocha": true,
+            "node": true
         },
         "rules": {
             "camelcase": "error",

package/.github/workflows/integration-tests.yml

@@ -0,0 +1,52 @@
+name: Integration Tests
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      checks: write  # for dorny/test-reporter to post results
+
+    strategy:
+      fail-fast: false
+      matrix:
+        browser: [chrome-latest, edge-latest, safari-latest, firefox-latest, ios-safari-sim, android-chrome-sim]
+
+    env:
+      SAUCE_USERNAME: ${{ secrets.SAUCE_USERNAME }}
+      SAUCE_ACCESS_KEY: ${{ secrets.SAUCE_ACCESS_KEY }}
+      SAUCE_TUNNEL_NAME: ci-js-sdk-test-${{ matrix.browser }}-${{ github.run_id }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 22.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build-full
+
+      - name: Sauce test
+        # for some reason, android emulator tests don't work with localhost so we need an IP to give to the runner...
+        run: BROWSER=${{ matrix.browser }} ROOT_DIR=$(pwd) SAUCE_HOST=$(hostname -I | awk '{print $1; exit}') npm run integration-test:sauce
+
+      - name: Test Report
+        uses: dorny/test-reporter@7b7927aa7da8b82e81e755810cb51f39941a2cc7 # v2
+        if: success() || failure() # run this step even if previous step failed
+        with:
+          name: Browser Tests            # Name of the check run which will be created
+          reporter: mocha-json        # Format of test results
+          path: 'tests/browser/results/*.json'    # Path to test results
+          list-tests: 'failed'
+          fail-on-error: 'false'

package/.github/workflows/unit-tests.yml

@@ -0,0 +1,40 @@
+name: Unit Tests
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      checks: write  # for dorny/test-reporter to post results
+
+    strategy:
+      matrix:
+        node-version: [20.x, 22.x]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm run test:ci
+      - run: npm run build-dist
+
+      - name: Test Report
+        uses: dorny/test-reporter@7b7927aa7da8b82e81e755810cb51f39941a2cc7 # v2
+        if: success() || failure()
+        with:
+          name: Unit Tests
+          reporter: mocha-json
+          path: 'tests/unit/results/*.json'
+          list-tests: 'failed'
+          fail-on-error: 'false'
+

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+**2.74.0** (27 Jan 2026)
+- New session recording masking configuration options, including the ability to unmask inputs and allowlist-based selector masking.
+- Adds initial support for the remote settings API, allowing remote configuration of SDK config options.
+- Adds new automated browser test suite that runs in CI and locally in chrome headless. See tests/browser/README.html for more information.
+- Fixes type definitions for api_routes
+- Removes outdated examples in the examples/ dir
+
 **2.73.0** (23 Dec 2025)
 - Adds several new hooks: `before_identify`, `before_register`, `before_register_once`, `before_track`, `before_unregister`
 - Adds instance-initialization notification to allow Data Inspector browser extension to hook into SDK actions

package/README.md

@@ -67,7 +67,7 @@ mixpanel.init('YOUR_TOKEN', {autocapture: true, debug: true, persistence: 'local
 - Install development dependencies: `npm install`
 - Run unit tests: `npm test`
 - Start test server for browser tests: `npm run integration_test`
-- Browse to [http://localhost:3000/tests/](http://localhost:3000/tests/) and choose a scenario to run
+- Browse to [http://localhost:3001/tests/](http://localhost:3001/tests/) and choose a scenario to run
 
 In the future we plan to automate the last step with a headless browser to streamline development (although
 Mixpanel production releases are tested against a large matrix of browsers and operating systems).

package/build.sh

@@ -19,15 +19,11 @@ if [ ! -z "$FULL" ]; then
     npx webpack tests/module-cjs.js tests/module-cjs.bundle.js
     npx browserify tests/module-es2015.js -t [ babelify --compact false ] --outfile tests/module-es2015.bundle.js
 
-    echo 'Bundling module-loader examples'
-    pushd examples/commonjs-browserify; npm install && npm run build; popd
-    pushd examples/es2015-babelify; npm install && npm run build; popd
-    pushd examples/umd-webpack; npm install && npm run build; popd
     pushd examples/typescript; npm install && npm run build; popd
 fi
 
 if [ ! -z "$DIST" ]; then
     echo 'Copying to dist/'
     rm -r dist
-    cp -r build dist
+    rsync -av --exclude='test' build/ dist/
 fi

package/dist/mixpanel-core.cjs.d.ts

@@ -6,6 +6,8 @@ export type PushItem = Array<string | Dict | ((this: Mixpanel) => void)>;
 
 export type Query = string | Element | Element[];
 
+export type RemoteSettingType = "disabled" | "fallback" | "strict";
+
 export interface Dict {
   [key: string]: any;
 }
@@ -166,6 +168,8 @@ export interface Config {
     track?: string;
     engage?: string;
     groups?: string;
+    record?: string;
+    flags?: string;
   };
   api_method: string;
   api_transport: string;
@@ -225,12 +229,18 @@ export interface Config {
   record_idle_timeout_ms: number;
   record_inline_images: boolean;
   record_mask_text_class: string | RegExp;
-  record_mask_text_selector: string;
+  record_mask_text_selector: string | string[];
+  record_unmask_text_selector: string | string[];
+  record_mask_all_text: boolean;
+  record_mask_input_selector: string | string[];
+  record_unmask_input_selector: string | string[];
+  record_mask_all_inputs: boolean;
   record_min_ms: number;
   record_max_ms: number;
   record_sessions_percent: number;
   record_canvas: boolean;
   record_heatmap_data: boolean;
+  remote_settings_mode: RemoteSettingType;
   hooks: {
     before_identify?: (new_distinct_id: string) => string | null;
     before_register?: (
@@ -256,6 +266,7 @@ export interface Config {
   };
 }
 
+
 export type VerboseResponse =
   | {
       status: 1;

package/dist/mixpanel-core.cjs.js

@@ -2,7 +2,7 @@
 
 var Config = {
     DEBUG: false,
-    LIB_VERSION: '2.73.0'
+    LIB_VERSION: '2.74.0'
 };
 
 // since es6 imports are static and we run unit tests from the console, window won't be defined when importing this file
@@ -1504,8 +1504,17 @@ function _storageWrapper(storage, name, is_supported_fn) {
     };
 }
 
-_.localStorage = _storageWrapper(win.localStorage, 'localStorage', localStorageSupported);
-_.sessionStorage = _storageWrapper(win.sessionStorage, 'sessionStorage', sessionStorageSupported);
+// Safari errors out accessing localStorage/sessionStorage when cookies are disabled,
+// so create dummy storage wrappers that silently fail as a fallback.
+var windowLocalStorage = null, windowSessionStorage = null;
+try {
+    windowLocalStorage = win.localStorage;
+    windowSessionStorage = win.sessionStorage;
+    // eslint-disable-next-line no-empty
+} catch (_err) {}
+
+_.localStorage = _storageWrapper(windowLocalStorage, 'localStorage', localStorageSupported);
+_.sessionStorage = _storageWrapper(windowSessionStorage, 'sessionStorage', sessionStorageSupported);
 
 _.register_event = (function() {
     // written by Dean Edwards, 2005
@@ -2655,6 +2664,18 @@ function shouldTrackDomEvent(el, ev) {
     }
 }
 
+function elementLooksSensitive(el) {
+    var name = (el.name || el.id || '').toString().toLowerCase();
+    if (typeof name === 'string') { // it's possible for el.name or el.id to be a DOM element if el is a form with a child input[name="name"]
+        var sensitiveNameRegex = /^cc|cardnum|ccnum|creditcard|csc|cvc|cvv|exp|pass|pwd|routing|seccode|securitycode|securitynum|socialsec|socsec|ssn/i;
+        if (sensitiveNameRegex.test(name.replace(/[^a-zA-Z0-9]/g, ''))) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 /*
  * Check whether a DOM element should be "tracked" or if it may contain sensitive data
  * using a variety of heuristics.
@@ -2707,13 +2728,8 @@ function shouldTrackElementDetails(el, ev, allowElementCallback, allowSelectors)
         }
     }
 
-    // filter out data from fields that look like sensitive fields
-    var name = el.name || el.id || '';
-    if (typeof name === 'string') { // it's possible for el.name or el.id to be a DOM element if el is a form with a child input[name="name"]
-        var sensitiveNameRegex = /^cc|cardnum|ccnum|creditcard|csc|cvc|cvv|exp|pass|pwd|routing|seccode|securitycode|securitynum|socialsec|socsec|ssn/i;
-        if (sensitiveNameRegex.test(name.replace(/[^a-zA-Z0-9]/g, ''))) {
-            return false;
-        }
+    if (elementLooksSensitive(el)) {
+        return false;
     }
 
     return true;
@@ -6841,6 +6857,9 @@ var INIT_SNIPPET = 1;
 /** @const */ var PAYLOAD_TYPE_BASE64   = 'base64';
 /** @const */ var PAYLOAD_TYPE_JSON     = 'json';
 /** @const */ var DEVICE_ID_PREFIX      = '$device:';
+/** @const */ var SETTING_STRICT        = 'strict';
+/** @const */ var SETTING_FALLBACK      = 'fallback';
+/** @const */ var SETTING_DISABLED      = 'disabled';
 
 
 /*
@@ -6869,7 +6888,8 @@ var DEFAULT_API_ROUTES = {
     'engage': 'engage/',
     'groups': 'groups/',
     'record': 'record/',
-    'flags':  'flags/'
+    'flags':  'flags/',
+    'settings': 'settings/'
 };
 
 /*
@@ -6933,12 +6953,12 @@ var DEFAULT_CONFIG = {
     'record_console':                    true,
     'record_heatmap_data':               false,
     'record_idle_timeout_ms':            30 * 60 * 1000, // 30 minutes
-    'record_mask_text_class':            new RegExp('^(mp-mask|fs-mask|amp-mask|rr-mask|ph-mask)$'),
-    'record_mask_text_selector':         '*',
+    'record_mask_inputs':                true,
     'record_max_ms':                     MAX_RECORDING_MS,
     'record_min_ms':                     0,
     'record_sessions_percent':           0,
-    'recorder_src':                      'https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js'
+    'recorder_src':                      'https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js',
+    'remote_settings_mode':              SETTING_DISABLED // 'strict', 'fallback', 'disabled'
 };
 
 var DOM_LOADED = false;
@@ -7176,7 +7196,16 @@ MixpanelLib.prototype._init = function(token, config, name) {
     this.autocapture.init();
 
     this._init_tab_id();
-    this._check_and_start_session_recording();
+
+    // Based on remote_settings_mode, fetch remote settings and then start session recording if applicable
+    var mode = this.get_config('remote_settings_mode');
+    if (mode === SETTING_STRICT || mode === SETTING_FALLBACK) {
+        this._fetch_remote_settings(mode).then(_.bind(function() {
+            this._check_and_start_session_recording();
+        }, this));
+    } else {
+        this._check_and_start_session_recording();
+    }
 };
 
 /**
@@ -7601,6 +7630,77 @@ MixpanelLib.prototype._send_request = function(url, data, options, callback) {
     return succeeded;
 };
 
+MixpanelLib.prototype._fetch_remote_settings = function(mode) {
+    var disableRecordingIfStrict = function() {
+        if (mode === 'strict') {
+            self.set_config({'record_sessions_percent': 0});
+        }
+    };
+
+    if (!win['AbortController']) {
+        console.critical('Remote settings unavailable: missing minimum required APIs');
+        disableRecordingIfStrict();
+        return Promise.resolve();
+    }
+
+    var settings_endpoint = this.get_api_host('settings') + '/' + this.get_config('api_routes')['settings'];
+    var request_params = {
+        '$lib_version': Config.LIB_VERSION,
+        'mp_lib': 'web',
+        'sdk_config': '1',
+    };
+    var query_string = _.HTTPBuildQuery(request_params);
+    var full_url = settings_endpoint + '?' + query_string;
+    var self = this;
+
+    var abortController = new AbortController();
+    var timeout_id = setTimeout(function() {
+        abortController.abort();
+    }, 500);
+    var fetchOptions = {
+        'method': 'GET',
+        'headers': {
+            'Authorization': 'Basic ' + btoa(self.get_config('token') + ':'),
+        },
+        'signal': abortController.signal
+    };
+
+    return win['fetch'](full_url, fetchOptions).then(function(response) {
+        clearTimeout(timeout_id);
+        if (!response['ok']) {
+            console.critical('Network response was not ok');
+            disableRecordingIfStrict();
+            return;
+        }
+        return response.json();
+    }).then(function(result) {
+        if (result && result['sdk_config'] && result['sdk_config']['config']) {
+            var remote_config = result['sdk_config']['config'];
+
+            // Verify that remote config contains only valid keys from DEFAULT_CONFIG
+            var valid_config = {};
+            _.each(remote_config, function(value, key) {
+                if (DEFAULT_CONFIG.hasOwnProperty(key)) {
+                    valid_config[key] = value;
+                }
+            });
+
+            if (_.isEmptyObject(valid_config)) {
+                console.critical('No valid config keys found in remote settings.');
+                disableRecordingIfStrict();
+            } else {
+                self.set_config(valid_config);
+            }
+        } else {
+            disableRecordingIfStrict();
+        }
+    }).catch(function(err) {
+        clearTimeout(timeout_id);
+        console.critical('Failed to fetch remote settings', err);
+        disableRecordingIfStrict();
+    });
+};
+
 /**
  * _execute_array() deals with processing any mixpanel function
  * calls that were called before the Mixpanel library were loaded