mixpanel-js

Remote code inclusion (mixpanel-recorder.min.js)

Open revmischa opened this issue 8 months ago • 18 comments

I have been using mixpanel-browser in my Chrome extension for some time. It's included in content scripts, which are injected into pages along with our UI and features, and we use Mixpanel to track their usage.

After upgrading to a recent mixpanel-browser version, we're unable to get our extension approved now because of remote code inclusion of mixpanel-recorder.min.js:

[Image: Screenshot 2024-05-30 at 8 18 53 AM]

I believe this is caused by this behavior: https://github.com/mixpanel/mixpanel-js/blob/34b4396de534e4f5cf4b5cac80afd14a8322ce1f/src/mixpanel-core.js#L380, added in https://github.com/mixpanel/mixpanel-js/commit/4b2d17314efd0c222ead912a451fc56e74f2bfe3

I'm not sure what can be done about this other than rolling back to an older version of mixpanel-browser. I don't need session recording, just event tracking. Ideally there would be a version of this library that does not include remote code execution.

revmischa, May 30 '24 15:05
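
A pre-submission check related to the issue above, added here as an example and not part of the original post or of mixpanel-js: it scans an extension's packaged files for string references to remotely hosted scripts, the pattern the report attributes to mixpanel-recorder.min.js. The file names, the CDN host, the `recorderSrc` variable and the function name are constructed for illustration.

```javascript
// Absolute http(s) URL whose path ends in .js or .mjs, followed by a string
// delimiter, whitespace, a query/fragment marker, or end of line.
const REMOTE_SCRIPT_URL =
  /https?:\/\/[a-z0-9.-]+(?::\d+)?\/[^\s"'`<>)]*?\.m?js(?=[?#"'`\s<>)]|$)/gi;

// files: { "<path in package>": "<file text>" }
// Returns one finding per remote script reference: { file, line, url }.
function findRemoteScriptRefs(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(REMOTE_SCRIPT_URL)) {
        findings.push({ file: name, line: i + 1, url: m[0] });
      }
    });
  }
  return findings;
}

// Constructed sample of a bundled extension (not real mixpanel-js output).
const sampleFiles = {
  "content-script.js": [
    // An API endpoint is data, not code: it must not be flagged.
    'var cfg = { api_host: "https://api.example.invalid" };',
    // A script URL that is later assigned to a <script> element's src.
    'var recorderSrc = "https://cdn.example.invalid/libs/mixpanel-recorder.min.js";',
    'var s = document.createElement("script"); s.src = recorderSrc;',
  ].join("\n"),
  // A script shipped inside the package is referenced by relative path.
  "background.js": 'importScripts("./vendor/local-lib.js");',
};

for (const f of findRemoteScriptRefs(sampleFiles)) {
  console.log(`${f.file}:${f.line} remote script reference: ${f.url}`);
}
```

Run over the built package before submission and treat any finding as a build failure; a match shows only that the URL string is present in the bundle, not that the code path is reached at runtime.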