meta(changelog): Update changelog for 10.38.0 by chargome · Pull Request #19085 · getsentry/sentry-javascript

chargome · 2026-01-29T13:34:22Z

No description provided.

Before submitting a pull request, please take a look at our [Contributing](https://github.com/getsentry/sentry-javascript/blob/master/CONTRIBUTING.md) guidelines and verify: - [x] If you've added code that should be tested, please add tests. - [x] Ensure your code lints and the test suite passes (`yarn lint`) & (`yarn test`). - [x] Link an issue if there is one related to your pull request. If no issue is linked, one will be auto-generated and linked. Closes #18779 --------- Co-authored-by: Andrei Borza <andrei.borza@sentry.io>

[Gitflow] Merge master into develop

The run to add the contributor failed to do so: https://github.com/getsentry/sentry-javascript/actions/runs/21393991938/job/61609775062 Closes #19006 (added automatically)

Resolves: #18966

Follow up to #18844 Extending auto-instrumentation to non-global server request middleware. [TSS request middleware docs](https://tanstack.com/start/latest/docs/framework/react/guide/middleware#request-middleware) Closes #18846

…ts (#19016) Handles: https://github.com/getsentry/sentry-javascript/security/code-scanning/434 Closes #19017 (added automatically)

Also ran `yarn-deduplicate --strategy highest` Closes https://github.com/getsentry/sentry-javascript/security/dependabot/952 Closes #19019 (added automatically)

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/971 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/970 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/969 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/968 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/967 **Those PRs can be closed** They all upgrade wrangler to `4.59.1` and some are failing in CI because of problems in the lock file. - #18931 - #18932 - #18933 - #18963 Closes #19025 (added automatically)

A very bold move. Let's make dependabot update all our packages. This was once added in #9752. But I think if we explicilty add an "allow" block, it will automatically ignore others. Which also means when we remove the "allow" block it would also include the ones I just removed.

…ts/test-applications/nextjs-16-cacheComponents (#19012) Bumps [next](https://github.com/vercel/next.js) from 16.0.9 to 16.1.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.1.5</h2> <p>Please refer the following changelogs for more information about this security release:</p> <p><a href="https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472">https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472</a> <a href="https://vercel.com/changelog/summary-of-cve-2026-23864">https://vercel.com/changelog/summary-of-cve-2026-23864</a></p> <h2>v16.1.4</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Only filter next config if experimental flag is enabled (<a href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/mischnic"><code>@mischnic</code></a> for helping!</p> <h2>v16.1.3</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Fix linked list bug in LRU deleteFromLru (<a href="https://redirect.github.com/vercel/next.js/issues/88652">#88652</a>)</li> <li>Fix relative same host redirects in node middleware (<a href="https://redirect.github.com/vercel/next.js/issues/88253">#88253</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/acdlite"><code>@acdlite</code></a> and <a href="https://github.com/ijjk"><code>@ijjk</code></a> for helping!</p> <h2>v16.1.2</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Turbopack: Update to swc_core v50.2.3 (<a href="https://redirect.github.com/vercel/next.js/issues/87841">#87841</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/88296">#88296</a>) <ul> <li>Fixes a crash when processing mdx files with multibyte characters. (<a href="https://redirect.github.com/vercel/next.js/issues/87713">#87713</a>)</li> </ul> </li> <li>Turbopack: <a href="https://microsoft.github.io/mimalloc/">mimalloc</a> upgrade and enabling it on musl (<a href="https://redirect.github.com/vercel/next.js/issues/88503">#88503</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/87815">#87815</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/88426">#88426</a>) <ul> <li>Fixes <a href="https://redirect.github.com/vercel/next.js/pull/88426">a significant performance issue</a> on musl-based Linux distributions (e.g. Alpine in Docker) related to musl's allocator.</li> <li>Other platforms have always used mimalloc, but we previously did not use mimalloc on musl because of compilation issues that have since been resolved.</li> </ul> </li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/mischnic"><code>@mischnic</code></a> for helping!</p> <h2>v16.1.1</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/acba4a6b9f48e0a067c592dac322410c0e122018"><code>acba4a6</code></a> v16.1.5</li> <li><a href="https://github.com/vercel/next.js/commit/e1d1fc6525ef74b2bf78149f1669c2eab437c06a"><code>e1d1fc6</code></a> Add maximum size limit for postponed body parsing (<a href="https://redirect.github.com/vercel/next.js/issues/88175">#88175</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c"><code>500ec83</code></a> fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (<a href="https://redirect.github.com/vercel/next.js/issues/88588">#88588</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/1caaca3cdbd2da76698bb9e60ff07d21a6fb6e77"><code>1caaca3</code></a> feat(next/image)!: add <code>images.maximumResponseBody</code> config (<a href="https://redirect.github.com/vercel/next.js/issues/88183">#88183</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/522ed840be26899bb88e73e2a5d3695f3c640d22"><code>522ed84</code></a> Sync DoS mitigations for React Flight</li> <li><a href="https://github.com/vercel/next.js/commit/8cad197c76dd9583b1a6d52f5e423e7075f6bee9"><code>8cad197</code></a> [backport][cna] Ensure created app is not considered the workspace root in pn...</li> <li><a href="https://github.com/vercel/next.js/commit/27186615d7c792f2c6627d3ac750d14951221e4c"><code>2718661</code></a> Backport/docs fixes (<a href="https://redirect.github.com/vercel/next.js/issues/89031">#89031</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/53336250b3a4b2b23198aaa9cf9549f9fff1bb39"><code>5333625</code></a> Backport/docs fixes 16.1.5 (<a href="https://redirect.github.com/vercel/next.js/issues/88916">#88916</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/60de6c21144a78622eb8c4763f364fcb59f7aa59"><code>60de6c2</code></a> v16.1.4</li> <li><a href="https://github.com/vercel/next.js/commit/5f75d22b804d444d6c27240f5f7af32aee4a8f92"><code>5f75d22</code></a> backport: Only filter next config if experimental flag is enabled (<a href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>) (#...</li> <li>Additional commits viewable in <a href="https://github.com/vercel/next.js/compare/v16.0.9...v16.1.5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=16.0.9&new-version=16.1.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ts/test-applications/cloudflare-hono (#19009) Bumps [hono](https://github.com/honojs/hono) from 4.11.4 to 4.11.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.11.7</h2> <h1>Security Release</h1> <p>This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.</p> <h2>Components</h2> <h3>IP Restriction Middleware</h3> <p>Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.</p> <h3>Cache Middleware</h3> <p>Fixed an issue where responses marked with <code>Cache-Control: private</code> or <code>no-store</code> could be cached, potentially leading to information disclosure on some runtimes.</p> <h3>Serve Static Middleware (Cloudflare Workers adapter)</h3> <p>Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.</p> <h3>hono/jsx <code>ErrorBoundary</code></h3> <p>Fixed a reflected Cross-Site Scripting (XSS) issue in the <code>ErrorBoundary</code> component that could occur when untrusted strings were rendered without proper escaping.</p> <h2>Recommendation</h2> <p>Users are encouraged to upgrade to this release, especially if they:</p> <ul> <li>Use IP Restriction Middleware</li> <li>Use Cache Middleware on Deno, Bun, or Node.js</li> <li>Use Serve Static Middleware with user-controlled paths on Cloudflare Workers</li> <li>Render untrusted data inside <code>ErrorBoundary</code> components</li> </ul> <h2>Security Advisories & CVEs</h2> <ul> <li> <p><strong>IP Restriction Middleware – IPv4 address validation bypass</strong></p> <ul> <li>Advisory: <a href="https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh">https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh</a></li> <li>CVE: CVE-2026-24398</li> </ul> </li> <li> <p><strong>Cache Middleware ignores <code>Cache-Control: private</code></strong></p> <ul> <li>Advisory: <a href="https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4">https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4</a></li> <li>CVE: CVE-2026-24472</li> </ul> </li> <li> <p><strong>Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read</strong></p> <ul> <li>Advisory: <a href="https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p">https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p</a></li> <li>CVE: CVE-2026-24473</li> </ul> </li> <li> <p><strong>hono/jsx <code>ErrorBoundary</code> – Cross-Site Scripting (XSS)</strong></p> <ul> <li>Advisory: <a href="https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5">https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5</a></li> <li>CVE: Pending</li> </ul> </li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/f7d272abe1644e50ab5fe9cb53f5965c35d77226"><code>f7d272a</code></a> 4.11.7</li> <li><a href="https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990"><code>2cf6004</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817"><code>cf9a78d</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37"><code>edbf6ee</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1"><code>12c5117</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/7343487e620631d30bf3da54650546fd2e6a9bee"><code>7343487</code></a> 4.11.6</li> <li><a href="https://github.com/honojs/hono/commit/b6e5a97cd44b3572320b2f14763ff83ff826aeb8"><code>b6e5a97</code></a> feat(bun): export getBunServer (<a href="https://redirect.github.com/honojs/hono/issues/4626">#4626</a>)</li> <li><a href="https://github.com/honojs/hono/commit/2a9cd953b6e94ecef45894654ec5e765e1e9e411"><code>2a9cd95</code></a> fix(sse): handle <code>\r</code> and <code>\r\n</code> line endings in writeSSE (<a href="https://redirect.github.com/honojs/hono/issues/4644">#4644</a>)</li> <li><a href="https://github.com/honojs/hono/commit/8078bbf7591ec133ac8a4f7cfc4f2666a50909a9"><code>8078bbf</code></a> docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant (<a href="https://redirect.github.com/honojs/hono/issues/4630">#4630</a>)</li> <li><a href="https://github.com/honojs/hono/commit/a5be555b3163236909f5699f783bbd03e28ea226"><code>a5be555</code></a> refactor: use <code>unique symbol</code> for more accurate typing. (<a href="https://redirect.github.com/honojs/hono/issues/4651">#4651</a>)</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.11.4...v4.11.7">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.11.4&new-version=4.11.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

closes #19002

This resurrects #18885 and also adds a glob to the `exclude-paths`. I suspect that `dev-packages` still got updates because there were missing glob patterns: `**`. At least this is what I understood from the docs: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#exclude-paths-

Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1 to 2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's releases</a>.</em></p> <blockquote> <h2>v2.0.0</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v1.12.0...v2.0.0">2.0.0</a> (2025-04-03)</h1> <ul> <li>feat!: remove deprecated inputs (<a href="https://redirect.github.com/actions/create-github-app-token/issues/213">#213</a>) (<a href="https://github.com/actions/create-github-app-token/commit/5cc811bc40176329bb642bff9e5d9e356099ad2a">5cc811b</a>)</li> </ul> <h3>BREAKING CHANGES</h3> <ul> <li>Removed deprecated inputs (<code>app_id</code>, <code>private_key</code>, <code>skip_token_revoke</code>) and made <code>app-id</code> and <code>private-key</code> required in the action configuration.</li> </ul> <h2>v1.12.0</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v1.11.7...v1.12.0">1.12.0</a> (2025-03-27)</h1> <h3>Features</h3> <ul> <li>permissions (<a href="https://redirect.github.com/actions/create-github-app-token/issues/168">#168</a>) (<a href="https://github.com/actions/create-github-app-token/commit/0e0aa99a86bd82ec98421533ae985fef61554361">0e0aa99</a>)</li> </ul> <h2>v1.11.7</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v1.11.6...v1.11.7">1.11.7</a> (2025-03-20)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump undici from 5.28.4 to 7.5.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/214">#214</a>) (<a href="https://github.com/actions/create-github-app-token/commit/a24b46a4626bf0f67abb297b82d863218920d5e2">a24b46a</a>)</li> </ul> <h2>v1.11.6</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v1.11.5...v1.11.6">1.11.6</a> (2025-03-03)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump the production-dependencies group with 2 updates (<a href="https://redirect.github.com/actions/create-github-app-token/issues/210">#210</a>) (<a href="https://github.com/actions/create-github-app-token/commit/1ff1dea6a9d1de5b4795e5314291e04acc63c38b">1ff1dea</a>)</li> </ul> <h2>v1.11.5</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v1.11.4...v1.11.5">1.11.5</a> (2025-02-15)</h2> <h3>Bug Fixes</h3>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/create-github-app-token/commit/29824e69f54612133e76f7eaac726eef6c875baf"><code>29824e6</code></a> build(release): 2.2.1 [skip ci]</li> <li><a href="https://github.com/actions/create-github-app-token/commit/b212e6a739dec02d8488610fbaf8f049f82ee999"><code>b212e6a</code></a> fix(deps): bump the production-dependencies group with 2 updates (<a href="https://redirect.github.com/actions/create-github-app-token/issues/311">#311</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/8efbf9bf0ff7093c26fd1720e1722fd9cdd30fac"><code>8efbf9b</code></a> ci: create stale workflow (<a href="https://redirect.github.com/actions/create-github-app-token/issues/309">#309</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/7e473efe3cb98aa54f8d4bac15400b15fad77d94"><code>7e473ef</code></a> build(release): 2.2.0 [skip ci]</li> <li><a href="https://github.com/actions/create-github-app-token/commit/dce3be8b284f45e65caed11a610e2bef738d15b4"><code>dce3be8</code></a> fix(deps): bump p-retry from 6.2.1 to 7.1.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/294">#294</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/5480f4325a18c025ee16d7e081413854624e9edc"><code>5480f43</code></a> fix(deps): bump glob from 10.4.5 to 10.5.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/305">#305</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/d90aa532332d33f6dc9656fd4491a98441595a37"><code>d90aa53</code></a> feat: update permission inputs (<a href="https://redirect.github.com/actions/create-github-app-token/issues/296">#296</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/55e2a4b2ccaaa8364303e6ab9f77e31ad02298e5"><code>55e2a4b</code></a> fix(deps): bump the production-dependencies group with 2 updates (<a href="https://redirect.github.com/actions/create-github-app-token/issues/292">#292</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/cc6f999683e9e6150699fa443589ab389e4d3334"><code>cc6f999</code></a> ci(test): trigger on merge_group (<a href="https://redirect.github.com/actions/create-github-app-token/issues/308">#308</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/40fa6b52b33cc945b40f86ff422cb3991908649f"><code>40fa6b5</code></a> build(deps-dev): bump <code>@sinonjs/fake-timers</code> from 14.0.0 to 15.0.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/295">#295</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/create-github-app-token/compare/v1...v2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/create-github-app-token&package-manager=github_actions&previous-version=1&new-version=2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [@types/rsvp](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/rsvp) from 4.0.4 to 4.0.9. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/rsvp">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/rsvp&package-manager=npm_and_yarn&previous-version=4.0.4&new-version=4.0.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…n span (#18898) Following up on #18346 Fixes a remaining race condition where the `args.patch` callback and completion handler in `wrapPatchRoutesOnNavigation` were still calling `getActiveRootSpan()` at resolution time instead of using the captured span. This caused wrong span updates when users navigated away during lazy route loading. The fix uses the captured `activeRootSpan` consistently, adds a `!spanJson.timestamp` check to skip updates on ended spans, and removes the `WINDOW.location` fallback. In `captureCurrentLocation`, returns `null` when navigation context exists but `targetPath` is `undefined`, instead of falling back to stale `WINDOW.location`. Also added E2E tests that simulate rapid navigation scenarios where a slow lazy route handler completes after the user navigated elsewhere.

This changes the commit message for dev dependencies to `chore`. We had `feat` before but it doesn't really affect a user, and can be treated as a patch update once we update dev dependencies. But if we update normal dependencies I think `feat` still make sense, as it could potentially provide more features. This one is also excluding `typescript` Closes #19044 (added automatically)

Ignore .claude/settings.local.json as these are local settings not intended for version control. Closes #18894 (added automatically)

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/933 Closes #19046 (added automatically)

I know we'll be using the craft release notes soon, but this can be beneficial for the time being. I've never had a lot of luck with the cursor command and this deterministic script might help other people as well. Closes #19000 (added automatically)

closes #19003

…disabled (#19010) This PR adds an additional check to make sure we only inject debug IDs if sourcemaps are NOT disabled. The issue isn't present when sourcemaps are enabled and since debug IDs are only relevant for sourcemap correlation then this should be a safe change AFAIK. Closes #18983

Bumps [@actions/artifact](https://github.com/actions/toolkit/tree/HEAD/packages/artifact) from 2.1.11 to 5.0.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/toolkit/blob/main/packages/artifact/RELEASES.md"><code>@actions/artifact</code>'s changelog</a>.</em></p> <blockquote> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/http-client</code> to <code>3.0.2</code></li> </ul> <h3>5.0.1</h3> <ul> <li>Fix Node.js 24 punycode deprecation warning by updating <code>@azure/storage-blob</code> from <code>^12.15.0</code> to <code>^12.29.1</code> <a href="https://redirect.github.com/actions/toolkit/pull/2211">#2211</a></li> <li>Removed direct <code>@azure/core-http</code> dependency (now uses <code>@azure/core-rest-pipeline</code> via storage-blob)</li> </ul> <h3>5.0.0</h3> <ul> <li>Dependency updates for Node.js 24 runtime support</li> <li>Update <code>@actions/core</code> to v2</li> <li>Update <code>@actions/http-client</code> to v3</li> </ul> <h3>4.0.0</h3> <ul> <li>Add support for Node 24 <a href="https://redirect.github.com/actions/toolkit/pull/2110">#2110</a></li> <li>Fix: artifact pagination bugs and configurable artifact count limits <a href="https://redirect.github.com/actions/toolkit/pull/2165">#2165</a></li> <li>Fix: reject the promise on timeout <a href="https://redirect.github.com/actions/toolkit/pull/2124">#2124</a></li> <li>Update dependency versions</li> </ul> <h3>2.3.3</h3> <ul> <li>Dependency updates <a href="https://redirect.github.com/actions/toolkit/pull/2049">#2049</a></li> </ul> <h3>2.3.2</h3> <ul> <li>Added masking for Shared Access Signature (SAS) artifact URLs <a href="https://redirect.github.com/actions/toolkit/pull/1982">#1982</a></li> <li>Change hash to digest for consistent terminology across runner logs <a href="https://redirect.github.com/actions/toolkit/pull/1991">#1991</a></li> </ul> <h3>2.3.1</h3> <ul> <li>Fix comment typo on expectedHash. <a href="https://redirect.github.com/actions/toolkit/pull/1986">#1986</a></li> </ul> <h3>2.3.0</h3> <ul> <li>Allow ArtifactClient to perform digest comparisons, if supplied. <a href="https://redirect.github.com/actions/toolkit/pull/1975">#1975</a></li> </ul> <h3>2.2.2</h3> <ul> <li>Default concurrency to 5 for uploading artifacts <a href="https://redirect.github.com/actions/toolkit/pull/1962">#1962</a></li> </ul> <h3>2.2.1</h3> <ul> <li>Add <code>ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY</code> and <code>ACTIONS_ARTIFACT_UPLOAD_TIMEOUT_MS</code> environment variables <a href="https://redirect.github.com/actions/toolkit/pull/1928">#1928</a></li> </ul> <h3>2.2.0</h3> <ul> <li>Return artifact digest on upload <a href="https://redirect.github.com/actions/toolkit/pull/1896">#1896</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/actions/toolkit/commits/HEAD/packages/artifact">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for <code>@actions/artifact</code> since your current version.</p> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@actions/artifact&package-manager=npm_and_yarn&previous-version=2.1.11&new-version=5.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io> Co-authored-by: JPeer264 <jan.peer@sentry.io>

The latest bundler plugins have some significant performance improvements, especially when using Rolldown. Closes #18994 (added automatically)

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/879 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/876 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/875 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/895 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/894 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/893 Closes #19056 (added automatically)

Bumps [@edge-runtime/types](https://github.com/vercel/edge-runtime/tree/HEAD/packages/types) from 3.0.1 to 4.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/edge-runtime/releases"><code>@edge-runtime/types</code>'s releases</a>.</em></p> <blockquote> <h2><code>@edge-runtime/types</code><a href="https://github.com/4"><code>@4</code></a>.0.0</h2> <h3>Major Changes</h3> <ul> <li>drop node16 (<a href="https://redirect.github.com/vercel/edge-runtime/pull/1045">#1045</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/b1e3795b4c293fae271f580f0f51c16f200c1c8d"><code>b1e3795</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/6"><code>@6</code></a>.0.0</li> </ul> </li> </ul> <h2><code>@edge-runtime/types</code><a href="https://github.com/3"><code>@3</code></a>.0.3</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/c3978db8c785a41a4de87cb20da1e8764b52f97c"><code>c3978db</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/5"><code>@5</code></a>.1.1</li> </ul> </li> </ul> <h2><code>@edge-runtime/types</code><a href="https://github.com/3"><code>@3</code></a>.0.2</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/6a869f12121f80cc6490ec2b81484453672b7b6b"><code>6a869f12121f80cc6490ec2b81484453672b7b6b</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/5"><code>@5</code></a>.1.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vercel/edge-runtime/blob/main/packages/types/CHANGELOG.md"><code>@edge-runtime/types</code>'s changelog</a>.</em></p> <blockquote> <h2>4.0.0</h2> <h3>Major Changes</h3> <ul> <li>drop node16 (<a href="https://redirect.github.com/vercel/edge-runtime/pull/1045">#1045</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/b1e3795b4c293fae271f580f0f51c16f200c1c8d"><code>b1e3795</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/6"><code>@6</code></a>.0.0</li> </ul> </li> </ul> <h2>3.0.3</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/c3978db8c785a41a4de87cb20da1e8764b52f97c"><code>c3978db</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/5"><code>@5</code></a>.1.1</li> </ul> </li> </ul> <h2>3.0.2</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/vercel/edge-runtime/commit/6a869f12121f80cc6490ec2b81484453672b7b6b"><code>6a869f12121f80cc6490ec2b81484453672b7b6b</code></a>]: <ul> <li><code>@edge-runtime/primitives</code><a href="https://github.com/5"><code>@5</code></a>.1.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/edge-runtime/commit/440c123a37284d6a852ce453af810ad484ecfc01"><code>440c123</code></a> Version Packages (<a href="https://github.com/vercel/edge-runtime/tree/HEAD/packages/types/issues/1049">#1049</a>)</li> <li><a href="https://github.com/vercel/edge-runtime/commit/f33095c20ebec679bdb7ca03a525837a9733c5d1"><code>f33095c</code></a> chore: setup node18 as the minimum version (<a href="https://github.com/vercel/edge-runtime/tree/HEAD/packages/types/issues/1050">#1050</a>)</li> <li><a href="https://github.com/vercel/edge-runtime/commit/3d592c1709a6f22558435adb3f13e2013a106b1b"><code>3d592c1</code></a> Version Packages (<a href="https://github.com/vercel/edge-runtime/tree/HEAD/packages/types/issues/1028">#1028</a>)</li> <li><a href="https://github.com/vercel/edge-runtime/commit/8b521742931e89e04b0f06b598adcf3f1ad44cfc"><code>8b52174</code></a> Version Packages (<a href="https://github.com/vercel/edge-runtime/tree/HEAD/packages/types/issues/943">#943</a>)</li> <li>See full diff in <a href="https://github.com/vercel/edge-runtime/commits/@edge-runtime/types@4.0.0/packages/types">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@edge-runtime/types&package-manager=npm_and_yarn&previous-version=3.0.1&new-version=4.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

) This PR fixes a bug where classes extending from `AggregateError` would not correctly be identified as exception groups in Sentry because the `is_exception_group` flag was missing in the error's mechanism.

closes #19004

…les (#19048) I have used this for creating the latest logs/metrics bundles and this worked reasonably well. If we have to adapt the bundles again this would serve as a good starting point. Closes #19049 (added automatically)

Bumps [@vercel/nft](https://github.com/vercel/nft) from 0.29.4 to 1.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/nft/releases"><code>@vercel/nft</code>'s releases</a>.</em></p> <blockquote> <h2>1.3.0</h2> <h1><a href="https://github.com/vercel/nft/compare/1.2.0...1.3.0">1.3.0</a> (2026-01-21)</h1> <h3>Features</h3> <ul> <li>add depth option (<a href="https://redirect.github.com/vercel/nft/issues/561">#561</a>) (<a href="https://github.com/vercel/nft/commit/34f1ec7e81b59c97d12fb1152ad7aa50dad19d69">34f1ec7</a>), closes <a href="https://redirect.github.com/vercel/nft/issues/559">#559</a></li> </ul> <h2>1.2.0</h2> <h1><a href="https://github.com/vercel/nft/compare/1.1.1...1.2.0">1.2.0</a> (2026-01-07)</h1> <h3>Features</h3> <ul> <li>support <code>module.createRequire</code> when <code>mixedModules: false</code> (<a href="https://redirect.github.com/vercel/nft/issues/558">#558</a>) (<a href="https://github.com/vercel/nft/commit/67038d59bd548f04974d49a9a61f764991181652">67038d5</a>), closes <a href="https://redirect.github.com/vercel/nft/issues/543">#543</a></li> </ul> <h2>1.1.1</h2> <h2><a href="https://github.com/vercel/nft/compare/1.1.0...1.1.1">1.1.1</a> (2025-11-26)</h2> <h3>Bug Fixes</h3> <ul> <li>evaluate nested export conditions when resolving a module-sync fallback (<a href="https://redirect.github.com/vercel/nft/issues/557">#557</a>) (<a href="https://github.com/vercel/nft/commit/1e455b0531a388e1382c76fdb0d90133a1b5c7eb">1e455b0</a>)</li> </ul> <h2>1.1.0</h2> <h1><a href="https://github.com/vercel/nft/compare/1.0.0...1.1.0">1.1.0</a> (2025-11-24)</h1> <h3>Features</h3> <ul> <li>Ensure module-sync conditions also trace cjs fallback (<a href="https://redirect.github.com/vercel/nft/issues/550">#550</a>) (<a href="https://github.com/vercel/nft/commit/684032b43b8d3c21b770be9cb6b36a595ddd35a4">684032b</a>)</li> </ul> <h2>1.0.0</h2> <h1><a href="https://github.com/vercel/nft/compare/0.30.4...1.0.0">1.0.0</a> (2025-11-20)</h1> <h3>Features</h3> <ul> <li>bump glob@13 and set engines node@20 (<a href="https://redirect.github.com/vercel/nft/issues/554">#554</a>) (<a href="https://github.com/vercel/nft/commit/6fb86804211e39a9f634179cbd71b3ff69fdb18a">6fb8680</a>)</li> </ul> <h3>BREAKING CHANGES</h3> <ul> <li>(requires node@20 or newer)</li> </ul> <ul> <li>Fixes <a href="https://redirect.github.com/vercel/nft/issues/553">vercel/nft#553</a></li> </ul> <h2>0.30.4</h2> <h2><a href="https://github.com/vercel/nft/compare/0.30.3...0.30.4">0.30.4</a> (2025-11-19)</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/nft/commit/34f1ec7e81b59c97d12fb1152ad7aa50dad19d69"><code>34f1ec7</code></a> feat: add depth option (<a href="https://redirect.github.com/vercel/nft/issues/561">#561</a>)</li> <li><a href="https://github.com/vercel/nft/commit/67038d59bd548f04974d49a9a61f764991181652"><code>67038d5</code></a> feat: support <code>module.createRequire</code> when <code>mixedModules: false</code> (<a href="https://redirect.github.com/vercel/nft/issues/558">#558</a>)</li> <li><a href="https://github.com/vercel/nft/commit/1e455b0531a388e1382c76fdb0d90133a1b5c7eb"><code>1e455b0</code></a> fix: evaluate nested export conditions when resolving a module-sync fallback ...</li> <li><a href="https://github.com/vercel/nft/commit/684032b43b8d3c21b770be9cb6b36a595ddd35a4"><code>684032b</code></a> feat: Ensure module-sync conditions also trace cjs fallback (<a href="https://redirect.github.com/vercel/nft/issues/550">#550</a>)</li> <li><a href="https://github.com/vercel/nft/commit/b327dba6e07b4baece19a31ae8ca2a9f9178622a"><code>b327dba</code></a> chore: bump npm@11.6.3 (<a href="https://redirect.github.com/vercel/nft/issues/555">#555</a>)</li> <li><a href="https://github.com/vercel/nft/commit/6fb86804211e39a9f634179cbd71b3ff69fdb18a"><code>6fb8680</code></a> feat: bump glob@13 and set engines node@20 (<a href="https://redirect.github.com/vercel/nft/issues/554">#554</a>)</li> <li><a href="https://github.com/vercel/nft/commit/4e0a9a2acd7aef25fc66dbd1ec0e875e584f33ba"><code>4e0a9a2</code></a> fix: Bump glob from 10.4.5 to 10.5.0 (<a href="https://redirect.github.com/vercel/nft/issues/551">#551</a>)</li> <li><a href="https://github.com/vercel/nft/commit/b2ac206ce69b70054971e5075cabeb2bf03ff36e"><code>b2ac206</code></a> chore: Bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 ...</li> <li><a href="https://github.com/vercel/nft/commit/45dea496fbf5924aa285ceca5223fe70106532db"><code>45dea49</code></a> chore: Bump validator from 13.11.0 to 13.15.20 (<a href="https://redirect.github.com/vercel/nft/issues/548">#548</a>)</li> <li><a href="https://github.com/vercel/nft/commit/78b3823b557582b3f35925df5df522abd63a50d9"><code>78b3823</code></a> fix: Revert "fs.readFile emit relative assets using cwd" (<a href="https://redirect.github.com/vercel/nft/issues/547">#547</a>)</li> <li>Additional commits viewable in <a href="https://github.com/vercel/nft/compare/0.29.4...1.3.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@vercel/nft&package-manager=npm_and_yarn&previous-version=0.29.4&new-version=1.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/986 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/987 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/982 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/980 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/981 Closes #19058 (added automatically)

closes https://github.com/getsentry/sentry-javascript/security/dependabot/900 Closes #19067 (added automatically)

- Updates CI cross-browser tests (webkit/firefox) to use the full bundle with logs+metrics - Updates `test:bundle:full` scripts to use `bundle_tracing_replay_feedback_logs_metrics` Closes #19069 (added automatically)

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/915 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/912 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/908 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/907 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/904 Closes #19041 (added automatically)

Seroval is a dependency of `@solidjs/start` and we use the `^` in our dev dependencies, so the peer deps are updated in the lock file. Closes https://github.com/getsentry/sentry-javascript/security/dependabot/962 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/961 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/963 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/964 Closes https://github.com/getsentry/sentry-javascript/security/dependabot/972 Closes #19052 (added automatically)

Until we find a way to automatically instrument AI integrations in Meta frameworks, we shouldn't block users from using the manual instrumentation. Docs for this are TBD. Closes #19064 (added automatically)

…0.0 (#19047) React Router was a dev dependency and pinned to 5.0.0. This here upgrade `node-fetch` and remove https://github.com/getsentry/sentry-javascript/security/dependabot/59 Before the upgrade: <img width="577" height="182" alt="Screenshot 2026-01-28 at 14 13 02" src="https://github.com/user-attachments/assets/0e3053e6-6567-4c65-a1dd-f746d140c9fe" /> After the upgrade: <img width="556" height="151" alt="Screenshot 2026-01-28 at 14 13 36" src="https://github.com/user-attachments/assets/3d55345f-0387-45cd-859f-fe35bace5ddd" />

Most of the times `@sentry/aws-serverless:build:transpile` was failing locally: <img width="1146" height="398" alt="Screenshot 2026-01-29 at 12 24 00" src="https://github.com/user-attachments/assets/a51974c4-dd7f-4701-b61f-229c59b5a284" /> I now had some time to investigate on it. It seems that the caching is sometimes not working pretty nicely with yarn if you have add another working directory. With the power of `--cache-folder` we can temporarily give another cache folder and mitigate the problem. In total the fix is not ideal and more of a band-aid solution. If there are other ideas I'm fully up for it.

This upgrades Lerna to v8. I this case after the upgrade I followed the upgrade guide and ran `lerna repair`: https://github.com/lerna/lerna/releases/tag/v8.0.0 Based on the breaking changes we are not affected. The most "critical" one is that Node v16 got dropped, but we are still running the CI in v18. The "tasksRunnerOptions" were removed, but they are not inline with the other options, so it is easier to configure in the future (this was done automatically with `lerna repair`)

nicohrubec · 2026-01-29T13:42:25Z

CHANGELOG.md

 - "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott

+## 10.38.0
+


Suggested change

### Important Changes

- **feat(tanstackstart-react): Auto-instrument request middleware ([#18989](https://github.com/getsentry/sentry-javascript/pull/18989))**

The `sentryTanstackStart` Vite plugin now automatically instruments `middleware` arrays in `createFileRoute()`. This captures performance data without requiring manual wrapping with `wrapMiddlewaresWithSentry()`.

### Other Changes

Please add this section in your PR next time! Will update

Thanks, I know I forgot sorry

github-actions · 2026-01-29T13:44:07Z

size-limit report 📦

Path	Size	% Change	Change
@sentry/browser	25.33 kB	added	added
@sentry/browser - with treeshaking flags	23.83 kB	added	added
@sentry/browser (incl. Tracing)	42.14 kB	added	added
@sentry/browser (incl. Tracing, Profiling)	46.79 kB	added	added
@sentry/browser (incl. Tracing, Replay)	80.76 kB	added	added
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	70.41 kB	added	added
@sentry/browser (incl. Tracing, Replay with Canvas)	85.47 kB	added	added
@sentry/browser (incl. Tracing, Replay, Feedback)	97.66 kB	added	added
@sentry/browser (incl. Feedback)	42.05 kB	added	added
@sentry/browser (incl. sendFeedback)	30.02 kB	added	added
@sentry/browser (incl. FeedbackAsync)	35.01 kB	added	added
@sentry/browser (incl. Metrics)	26.43 kB	added	added
@sentry/browser (incl. Logs)	26.58 kB	added	added
@sentry/browser (incl. Metrics & Logs)	27.25 kB	added	added
@sentry/react	27.06 kB	added	added
@sentry/react (incl. Tracing)	44.38 kB	added	added
@sentry/vue	29.76 kB	added	added
@sentry/vue (incl. Tracing)	43.94 kB	added	added
@sentry/svelte	25.34 kB	added	added
CDN Bundle	27.9 kB	added	added
CDN Bundle (incl. Tracing)	42.93 kB	added	added
CDN Bundle (incl. Logs, Metrics)	28.74 kB	added	added
CDN Bundle (incl. Tracing, Logs, Metrics)	43.75 kB	added	added
CDN Bundle (incl. Replay, Logs, Metrics)	67.68 kB	added	added
CDN Bundle (incl. Tracing, Replay)	79.67 kB	added	added
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	80.54 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback)	85.12 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.04 kB	added	added
CDN Bundle - uncompressed	81.61 kB	added	added
CDN Bundle (incl. Tracing) - uncompressed	127.16 kB	added	added
CDN Bundle (incl. Logs, Metrics) - uncompressed	84.45 kB	added	added
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	129.99 kB	added	added
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	207.83 kB	added	added
CDN Bundle (incl. Tracing, Replay) - uncompressed	243.76 kB	added	added
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	246.58 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	256.56 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	259.37 kB	added	added
@sentry/nextjs (client)	46.73 kB	added	added
@sentry/sveltekit (client)	42.51 kB	added	added
@sentry/node-core	52.08 kB	added	added
@sentry/node	166.08 kB	added	added
@sentry/node - without tracing	93.87 kB	added	added
@sentry/aws-serverless	109.36 kB	added	added

nicohrubec · 2026-01-29T13:44:18Z

CHANGELOG.md

+- feat(browser): Add `tracing.replay.logs.metrics` bundle ([#19039](https://github.com/getsentry/sentry-javascript/pull/19039))
+- feat(deps): bump import-in-the-middle from 2.0.1 to 2.0.6 ([#19042](https://github.com/getsentry/sentry-javascript/pull/19042))
+- feat(node): Add AI manual instrumentation exports to Node ([#19063](https://github.com/getsentry/sentry-javascript/pull/19063))
+- feat(tanstackstart-react): Auto-instrument request middleware ([#18989](https://github.com/getsentry/sentry-javascript/pull/18989))


Suggested change

- feat(tanstackstart-react): Auto-instrument request middleware ([#18989](https://github.com/getsentry/sentry-javascript/pull/18989))

github-actions · 2026-01-29T13:46:11Z

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	9,001	-	-	added
GET With Sentry	1,733	19%	-	added
GET With Sentry (error only)	6,075	67%	-	added
POST Baseline	1,187	-	-	added
POST With Sentry	582	49%	-	added
POST With Sentry (error only)	1,050	88%	-	added
MYSQL Baseline	3,260	-	-	added
MYSQL With Sentry	452	14%	-	added
MYSQL With Sentry (error only)	2,659	82%	-	added

harshit078 and others added 30 commits January 27, 2026 11:40

Merge pull request #18988 from getsentry/master

0b847d0

[Gitflow] Merge master into develop

chore: Add external contributor to CHANGELOG.md (#19005)

8db9376

The run to add the contributor failed to do so: https://github.com/getsentry/sentry-javascript/actions/runs/21393991938/job/61609775062 Closes #19006 (added automatically)

fix(react): Avoid String(key) to fix Symbol conversion error (#18982)

809d578

Resolves: #18966

chore(tests): Reject messages from unknown origins in integration tes…

6a1143f

…ts (#19016) Handles: https://github.com/getsentry/sentry-javascript/security/code-scanning/434 Closes #19017 (added automatically)

chore(solidstart): Upgrade Vinxi to update h3 peer dependency (#19018)

4b7e82a

Also ran `yarn-deduplicate --strategy highest` Closes https://github.com/getsentry/sentry-javascript/security/dependabot/952 Closes #19019 (added automatically)

feat(browser): Add logs.metrics bundle (#19020)

e60f960

closes #19002

chore(llm): Ignore local Claude settings (#18893)

bf6087c

Ignore .claude/settings.local.json as these are local settings not intended for version control. Closes #18894 (added automatically)

chore(remix): Upgrade @remix-run/router to ^1.23.2 (#19045)

aa986f5

Closes https://github.com/getsentry/sentry-javascript/security/dependabot/933 Closes #19046 (added automatically)

feat(browser): Add replay.logs.metrics bundle (#19021)

23133dc

closes #19003

feat: Use v4.8.0 bundler plugins (#18993)

034daa5

The latest bundler plugins have some significant performance improvements, especially when using Rolldown. Closes #18994 (added automatically)

fix(core): Classify custom AggregateErrors as exception groups (#19053

0c4875e

) This PR fixes a bug where classes extending from `AggregateError` would not correctly be identified as exception groups in Sentry because the `is_exception_group` flag was missing in the error's mechanism.

chargome and others added 12 commits January 28, 2026 16:35

feat(browser): Add tracing.replay.logs.metrics bundle (#19039)

f4afc39

closes #19004

chore(deps): Bump trpc v11 dependecy in e2e test (#19061)

f7dd67e

closes https://github.com/getsentry/sentry-javascript/security/dependabot/900 Closes #19067 (added automatically)

feat(node): Add AI manual instrumentation exports to Node (#19063)

46ad70e

Until we find a way to automatically instrument AI integrations in Meta frameworks, we shouldn't block users from using the manual instrumentation. Docs for this are TBD. Closes #19064 (added automatically)

chargome self-assigned this Jan 29, 2026

chargome requested review from JPeer264, andreiborza and s1gr1d January 29, 2026 13:35

andreiborza approved these changes Jan 29, 2026

View reviewed changes

nicohrubec reviewed Jan 29, 2026

View reviewed changes

JPeer264 approved these changes Jan 29, 2026

View reviewed changes

meta(changelog): Update changelog for 10.38.0

717399f

chargome force-pushed the prepare-release/10.38.0 branch from 9295fae to 717399f Compare January 29, 2026 13:49

nicohrubec approved these changes Jan 29, 2026

View reviewed changes

chargome merged commit 0712f23 into master Jan 29, 2026
215 checks passed

chargome deleted the prepare-release/10.38.0 branch January 29, 2026 14:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

meta(changelog): Update changelog for 10.38.0#19085

meta(changelog): Update changelog for 10.38.0#19085
chargome merged 43 commits intomasterfrom
prepare-release/10.38.0

chargome commented Jan 29, 2026

Uh oh!

nicohrubec Jan 29, 2026

Uh oh!

chargome Jan 29, 2026

Uh oh!

nicohrubec Jan 29, 2026

Uh oh!

github-actions bot commented Jan 29, 2026 •

edited

Loading

Uh oh!

nicohrubec Jan 29, 2026

Uh oh!

github-actions bot commented Jan 29, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

		- "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott

		## 10.38.0

+### Important Changes
+- **feat(tanstackstart-react): Auto-instrument request middleware ([#18989](https://github.com/getsentry/sentry-javascript/pull/18989))**
+  The `sentryTanstackStart` Vite plugin now automatically instruments `middleware` arrays in `createFileRoute()`. This captures performance data without requiring manual wrapping with `wrapMiddlewaresWithSentry()`.
+### Other Changes

Uh oh!

Conversation

chargome commented Jan 29, 2026

Uh oh!

nicohrubec Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

chargome Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

nicohrubec Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Jan 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

nicohrubec Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Jan 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

node-overhead report 🧳

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

github-actions bot commented Jan 29, 2026 •

edited

Loading

github-actions bot commented Jan 29, 2026 •

edited

Loading