fix(deps): update dependency @sentry/node to v8.49.0 [security] #2842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

dotansimha merged 1 commit into master from renovate/npm-sentry-node-vulnerability

Mar 20, 2025

Contributor

renovate bot commented Jan 28, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@sentry/node (source)	`8.25.0` -> `8.49.0`

GitHub Vulnerability Alerts

GHSA-r5w7-f542-q2j4

Impact

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events.

The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS).

The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs that run in Node.js environments (@sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/nuxt, @sentry/remix, @sentry/solidstart, @sentry/sveltekit).

Patches

Users should upgrade to version 8.49.0 or higher.

Workarounds

To remediate this issue in affected versions without upgrading to version 8.49.0 and above you can disable the ContextLines integration. See the docs for more details.

Sentry.init({
  // ...
  integrations: function (integrations) {
    // integrations will be all default integrations
    return integrations.filter(function (integration) {
      return integration.name !== "ContextLines";
    });
  },
});

If you disable the ContextLines integration, you will lose source context on your error events.

References

Reported issue: https://github.com/getsentry/sentry-javascript/issues/14892
PR Fix: https://github.com/getsentry/sentry-javascript/pull/14997

Release Notes

getsentry/sentry-javascript (@sentry/node)

`v8.49.0`

feat(v8/browser): Flush offline queue on flush and browser online event (#14969)
feat(v8/react): Add a handled prop to ErrorBoundary (#14978)
fix(profiling/v8): Don't put require, __filename and __dirname on global object (#14952)
fix(v8/node): Enforce that ContextLines integration does not leave open file handles (#14997)
fix(v8/replay): Disable mousemove sampling in rrweb for iOS browsers (#14944)
fix(v8/sveltekit): Ensure source maps deletion is called after source ma… (#14963)
fix(v8/vue): Re-throw error when no errorHandler exists (#14943)

Work in this release was contributed by @HHK1 and @mstrokin. Thank you for your contributions!

`v8.48.0`

Deprecations

feat(v8/core): Deprecate getDomElement method (#14799)

Deprecates getDomElement. There is no replacement.

Other changes

fix(nestjs/v8): Use correct main/module path in package.json (#14791)
fix(v8/core): Use consistent continueTrace implementation in core (#14819)
fix(v8/node): Correctly resolve debug IDs for ANR events with custom appRoot (#14823)
fix(v8/node): Ensure NODE_OPTIONS is not passed to worker threads (#14825)
fix(v8/angular): Fall back to element tagName when name is not provided to TraceDirective (#14828)
fix(aws-lambda): Remove version suffix from lambda layer (#14843)
fix(v8/node): Ensure express requests are properly handled (#14851)
feat(v8/node): Add openTelemetrySpanProcessors option (#14853)
fix(v8/react): Use Set as the allRoutes container. (#14878) (#14884)
fix(v8/react): Improve handling of routes nested under path="/" (#14897)
feat(v8/core): Add normalizedRequest to samplingContext (#14903)
fix(v8/feedback): Avoid lazy loading code for syncFeedbackIntegration (#14918)

Work in this release was contributed by @arturovt. Thank you for your contribution!

`v8.47.0`

feat(v8/core): Add updateSpanName helper function (#14736)
feat(v8/node): Do not overwrite prisma db.system in newer Prisma versions (#14772)
feat(v8/node/deps): Bump @prisma/instrumentation from 5.19.1 to 5.22.0 (#14755)
feat(v8/replay): Mask srcdoc iframe contents per default (#14779)
ref(v8/nextjs): Fix typo in source maps deletion warning (#14776)

Work in this release was contributed by @aloisklink and @benjick. Thank you for your contributions!

`v8.46.0`

feat: Allow capture of more than 1 ANR event [v8] (#14713)
feat(node): Detect Railway release name [v8] (#14714)
fix: Normalise ANR debug image file paths if appRoot was supplied [v8] (#14709)
fix(nuxt): Remove build config from tsconfig (#14737)

Work in this release was contributed by @conor-ob. Thank you for your contribution!

`v8.45.1`

fix(feedback): Return when the sendFeedback promise resolves (#14683)

Work in this release was contributed by @antonis. Thank you for your contribution!

`v8.45.0`

feat(core): Add handled option to captureConsoleIntegration (#14664)
feat(browser): Attach virtual stack traces to HttpClient events (#14515)
feat(replay): Upgrade rrweb packages to 2.31.0 (#14689)
fix(aws-serverless): Remove v8 layer as it overwrites the current layer for docs (#14679)
fix(browser): Mark stack trace from captureMessage with attachStacktrace: true as synthetic (#14668)
fix(core): Mark stack trace from captureMessage with attatchStackTrace: true as synthetic (#14670)
fix(core): Set level in server runtime captureException (#10587)
fix(profiling-node): Guard invocation of native profiling methods (#14676)
fix(nuxt): Inline nitro-utils function (#14680)
fix(profiling-node): Ensure profileId is added to transaction event (#14681)
fix(react): Add React Router Descendant Routes support (#14304)
fix: Disable ANR and Local Variables if debugger is enabled via CLI args (#14643)

Work in this release was contributed by @anonrig and @Zih0. Thank you for your contributions!

`v8.44.0`

Deprecations

feat: Deprecate autoSessionTracking (#14640)

Deprecates autoSessionTracking.
To enable session tracking, it is recommended to unset autoSessionTracking and ensure that either, in browser environments
the browserSessionIntegration is added, or in server environments the httpIntegration is added.

To disable session tracking, it is recommended to unset autoSessionTracking and to remove the browserSessionIntegration in
browser environments, or in server environments configure the httpIntegration with the trackIncomingRequestsAsSessions option set to false.

Other Changes

feat: Reword log message around unsent spans (#14641)
feat(opentelemetry): Set response context for http.server spans (#14634)
fix(google-cloud-serverless): Update homepage link in package.json (#14411)
fix(nuxt): Add unbuild config to not fail on warn (#14662)

Work in this release was contributed by @robinvw1. Thank you for your contribution!

`v8.43.0`

Important Changes

feat(nuxt): Add option autoInjectServerSentry (no default import()) (#14553)

Using the dynamic import() as the default behavior for initializing the SDK on the server-side did not work for every project.
The default behavior of the SDK has been changed, and you now need to use the --import flag to initialize Sentry on the server-side to leverage full functionality.

Example with --import:
```
node --import ./.output/server/sentry.server.config.mjs .output/server/index.mjs
```
In case you are not able to use the --import flag, you can enable auto-injecting Sentry in the nuxt.config.ts (comes with limitations):
```
sentry: {
  autoInjectServerSentry: 'top-level-import', // or 'experimental_dynamic-import'
},
```
feat(browser): Adds LaunchDarkly and OpenFeature integrations (#14207)

Adds browser SDK integrations for tracking feature flag evaluations through the LaunchDarkly JS SDK and OpenFeature Web SDK:
```
import * as Sentry from '@&#8203;sentry/browser';

Sentry.init({
  integrations: [
    // Track LaunchDarkly feature flags
    Sentry.launchDarklyIntegration(),
    // Track OpenFeature feature flags
    Sentry.openFeatureIntegration(),
  ],
});
```
- Read more about the Feature Flags feature in Sentry.
- Read more about the LaunchDarkly SDK Integration.
- Read more about the OpenFeature SDK Integration.

feat(browser): Add featureFlagsIntegration for custom tracking of flag evaluations (#14582)

Adds a browser integration to manually track feature flags with an API. Feature flags are attached to subsequent error events:

import * as Sentry from '@&#8203;sentry/browser';

const featureFlagsIntegrationInstance = Sentry.featureFlagsIntegration();

Sentry.init({
  // Initialize the SDK with the feature flag integration
  integrations: [featureFlagsIntegrationInstance],
});

// Manually track a feature flag
featureFlagsIntegrationInstance.addFeatureFlag('my-feature', true);

feat(astro): Add Astro 5 support (#14613)

With this release, the Sentry Astro SDK officially supports Astro 5.

Deprecations

feat(nextjs): Deprecate typedef for hideSourceMaps (#14594)

The functionality of hideSourceMaps was removed in version 8 but was forgotten to be deprecated and removed.
It will be completely removed in the next major version.
feat(core): Deprecate APIs around RequestSessions (#14566)

The APIs around RequestSessions are mostly used internally.
Going forward the SDK will not expose concepts around RequestSessions.
Instead, functionality around server-side Release Health will be managed in integrations.

Other Changes

feat(browser): Add browserSessionIntegration (#14551)
feat(core): Add raw_security envelope types (#14562)
feat(deps): Bump @opentelemetry/instrumentation from 0.55.0 to 0.56.0 (#14625)
feat(deps): Bump @sentry/cli from 2.38.2 to 2.39.1 (#14626)
feat(deps): Bump @sentry/rollup-plugin from 2.22.6 to 2.22.7 (#14622)
feat(deps): Bump @sentry/webpack-plugin from 2.22.6 to 2.22.7 (#14623)
feat(nestjs): Add fastify support (#14549)
feat(node): Add @vercel/ai instrumentation (#13892)
feat(node): Add disableAnrDetectionForCallback function (#14359)
feat(node): Add trackIncomingRequestsAsSessions option to http integration (#14567)
feat(nuxt): Add option autoInjectServerSentry (no default import()) (#14553)
feat(nuxt): Add warning when Netlify or Vercel build is discovered (#13868)
feat(nuxt): Improve serverless event flushing and scope isolation (#14605)
feat(opentelemetry): Stop looking at propagation context for span creation (#14481)
feat(opentelemetry): Update OpenTelemetry dependencies to ^1.29.0 (#14590)
feat(opentelemetry): Update OpenTelemetry dependencies to 1.28.0 (#14547)
feat(replay): Upgrade rrweb packages to 2.30.0 (#14597)
fix(core): Decode filename and module stack frame properties in Node stack parser (#14544)
fix(core): Filter out unactionable CEFSharp promise rejection error by default (#14595)
fix(nextjs): Don't show warning about devtool option (#14552)
fix(nextjs): Only apply tracing metadata to data fetcher data when data is an object (#14575)
fix(node): Guard against invalid maxSpanWaitDuration values (#14632)
fix(react): Match routes with parseSearch option in TanStack Router instrumentation (#14328)
fix(sveltekit): Fix git SHA not being picked up for release (#14540)
fix(types): Fix generic exports with default (#14576)

Work in this release was contributed by @lsmurray. Thank you for your contribution!

`v8.42.0`

Important Changes

feat(react): React Router v7 support (library) (#14513)

This release adds support for React Router v7 (library mode).
Check out the docs on how to set up the integration: Sentry React Router v7 Integration Docs

Deprecations

feat: Warn about source-map generation (#14533)

In the next major version of the SDK we will change how source maps are generated when the SDK is added to an application.
Currently, the implementation varies a lot between different SDKs and can be difficult to understand.
Moving forward, our goal is to turn on source maps for every framework, unless we detect that they are explicitly turned off.
Additionally, if we end up enabling source maps, we will emit a log message that we did so.

With this particular release, we are emitting warnings that source map generation will change in the future and we print instructions on how to prepare for the next major.
feat(nuxt): Deprecate tracingOptions in favor of vueIntegration (#14530)

Currently it is possible to configure tracing options in two places in the Sentry Nuxt SDK:
- In Sentry.init()
- Inside tracingOptions in Sentry.init()
For tree-shaking purposes and alignment with the Vue SDK, it is now recommended to instead use the newly exported vueIntegration() and its tracingOptions option to configure tracing options in the Nuxt SDK:
```
// sentry.client.config.ts
import * as Sentry from '@&#8203;sentry/nuxt';

Sentry.init({
  // ...
  integrations: [
    Sentry.vueIntegration({
      tracingOptions: {
        trackComponents: true,
      },
    }),
  ],
});
```

Other Changes

feat(browser-utils): Update web-vitals to v4.2.4 (#14439)
feat(nuxt): Expose vueIntegration (#14526)
fix(feedback): Handle css correctly in screenshot mode (#14535)

`v8.41.0`

Important Changes

meta(nuxt): Require minimum Nuxt v3.7.0 (#14473)

We formalized that the Nuxt SDK is at minimum compatible with Nuxt version 3.7.0 and above.
Additionally, the SDK requires the implicit nitropack dependency to satisfy version ^2.10.0 and ofetch to satisfy ^1.4.0.
It is recommended to check your lock-files and manually upgrade these dependencies if they don't match the version ranges.

Deprecations

We are deprecating a few APIs which will be removed in the next major.

The following deprecations will potentially affect you:

feat(core): Update & deprecate undefined option handling (#14450)

In the next major version we will change how passing undefined to tracesSampleRate / tracesSampler / enableTracing will behave.

Currently, doing the following:
```
Sentry.init({
  tracesSampleRate: undefined,
});
```
Will result in tracing being enabled (although no spans will be generated) because the tracesSampleRate key is present in the options object.
In the next major version, this behavior will be changed so that passing undefined (or rather having a tracesSampleRate key) will result in tracing being disabled, the same as not passing the option at all.
If you are currently relying on undefined being passed, and and thus have tracing enabled, it is recommended to update your config to set e.g. tracesSampleRate: 0 instead, which will also enable tracing in v9.

The same applies to tracesSampler and enableTracing.
feat(core): Log warnings when returning null in beforeSendSpan (#14433)

Currently, the beforeSendSpan option in Sentry.init() allows you to drop individual spans from a trace by returning null from the hook.
Since this API lends itself to creating "gaps" inside traces, we decided to change how this API will work in the next major version.

With the next major version the beforeSendSpan API can only be used to mutate spans, but no longer to drop them.
With this release the SDK will warn you if you are using this API to drop spans.
Instead, it is recommended to configure instrumentation (i.e. integrations) directly to control what spans are created.

Additionally, with the next major version, root spans will also be passed to beforeSendSpan.
feat(utils): Deprecate @sentry/utils (#14431)

With the next major version the @sentry/utils package will be merged into the @sentry/core package.
It is therefore no longer recommended to use the @sentry/utils package.
feat(vue): Deprecate configuring Vue tracing options anywhere else other than through the vueIntegration's tracingOptions option (#14385)

Currently it is possible to configure tracing options in various places in the Sentry Vue SDK:
- In Sentry.init()
- Inside tracingOptions in Sentry.init()
- In the vueIntegration() options
- Inside tracingOptions in the vueIntegration() options
Because this is a bit messy and confusing to document, the only recommended way to configure tracing options going forward is through the tracingOptions in the vueIntegration().
The other means of configuration will be removed in the next major version of the SDK.
feat: Deprecate registerEsmLoaderHooks.include and registerEsmLoaderHooks.exclude (#14486)

Currently it is possible to define registerEsmLoaderHooks.include and registerEsmLoaderHooks.exclude options in Sentry.init() to only apply ESM loader hooks to a subset of modules.
This API served as an escape hatch in case certain modules are incompatible with ESM loader hooks.

Since this API was introduced, a way was found to only wrap modules that there exists instrumentation for (meaning a vetted list).
To only wrap modules that have instrumentation, it is recommended to instead set registerEsmLoaderHooks.onlyIncludeInstrumentedModules to true.

Note that onlyIncludeInstrumentedModules: true will become the default behavior in the next major version and the registerEsmLoaderHooks will no longer accept fine-grained options.

The following deprecations will most likely not affect you unless you are building an SDK yourself:

feat(core): Deprecate arrayify (#14405)
feat(core): Deprecate flatten (#14454)
feat(core): Deprecate urlEncode (#14406)
feat(core): Deprecate validSeverityLevels (#14407)
feat(core/utils): Deprecate getNumberOfUrlSegments (#14458)
feat(utils): Deprecate memoBuilder, BAGGAGE_HEADER_NAME, and makeFifoCache (#14434)
feat(utils/core): Deprecate addRequestDataToEvent and extractRequestData (#14430)

Other Changes

feat: Streamline sentry-trace, baggage and DSC handling (#14364)
feat(core): Further optimize debug ID parsing (#14365)
feat(node): Add openTelemetryInstrumentations option (#14484)
feat(nuxt): Add filter for not found source maps (devtools) (#14437)
feat(nuxt): Only delete public source maps (#14438)
fix(nextjs): Don't report NEXT_REDIRECT from browser (#14440)
perf(opentelemetry): Bucket spans for cleanup (#14154)

Work in this release was contributed by @NEKOYASAN and @fmorett. Thank you for your contributions!

`v8.40.0`

Important Changes

feat(angular): Support Angular 19 (#14398)

The @sentry/angular SDK can now be used with Angular 19. If you're upgrading to the new Angular version, you might want to migrate from the now deprecated APP_INITIALIZER token to provideAppInitializer.
In this case, change the Sentry TraceService initialization in app.config.ts:

// Angular 18
export const appConfig: ApplicationConfig = {
  providers: [
    // other providers
    {
      provide: TraceService,
      deps: [Router],
    },
    {
      provide: APP_INITIALIZER,
      useFactory: () => () => {},
      deps: [TraceService],
      multi: true,
    },
  ],
};

// Angular 19
export const appConfig: ApplicationConfig = {
  providers: [
    // other providers
    {
      provide: TraceService,
      deps: [Router],
    },
    provideAppInitializer(() => {
      inject(TraceService);
    }),
  ],
};

feat(core): Deprecate debugIntegration and sessionTimingIntegration (#14363)

The debugIntegration was deprecated and will be removed in the next major version of the SDK.
To log outgoing events, use Hook Options (beforeSend, beforeSendTransaction, ...).

The sessionTimingIntegration was deprecated and will be removed in the next major version of the SDK.
To capture session durations alongside events, use Context (Sentry.setContext()).
feat(nestjs): Deprecate @WithSentry in favor of @SentryExceptionCaptured (#14323)

The @WithSentry decorator was deprecated. Use @SentryExceptionCaptured instead. This is a simple renaming and functionality stays identical.
feat(nestjs): Deprecate SentryTracingInterceptor, SentryService, SentryGlobalGenericFilter, SentryGlobalGraphQLFilter (#14371)

The SentryTracingInterceptor was deprecated. If you are using @sentry/nestjs you can safely remove any references to the SentryTracingInterceptor. If you are using another package migrate to @sentry/nestjs and remove the SentryTracingInterceptor afterwards.

The SentryService was deprecated and its functionality was added to Sentry.init. If you are using @sentry/nestjs you can safely remove any references to the SentryService. If you are using another package migrate to @sentry/nestjs and remove the SentryService afterwards.

The SentryGlobalGenericFilter was deprecated. Use the SentryGlobalFilter instead which is a drop-in replacement.

The SentryGlobalGraphQLFilter was deprecated. Use the SentryGlobalFilter instead which is a drop-in replacement.
feat(node): Deprecate nestIntegration and setupNestErrorHandler in favor of using @sentry/nestjs (#14374)

The nestIntegration and setupNestErrorHandler functions from @sentry/node were deprecated and will be removed in the next major version of the SDK. If you're using @sentry/node in a NestJS application, we recommend switching to our new dedicated @sentry/nestjs package.

Other Changes

feat(browser): Send additional LCP timing info (#14372)
feat(replay): Clear event buffer when full and in buffer mode (#14078)
feat(core): Ensure normalizedRequest on sdkProcessingMetadata is merged (#14315)
feat(core): Hoist everything from @sentry/utils into @sentry/core (#14382)
fix(core): Do not throw when trying to fill readonly properties (#14402)
fix(feedback): Fix __self and __source attributes on feedback nodes (#14356)
fix(feedback): Fix non-wrapping form title (#14355)
fix(nextjs): Update check for not found navigation error (#14378)

`v8.39.0`

Important Changes

feat(nestjs): Instrument event handlers (#14307)

The @sentry/nestjs SDK will now capture performance data for NestJS Events (@nestjs/event-emitter)

Other Changes

feat(nestjs): Add alias @SentryExceptionCaptured for @WithSentry (#14322)
feat(nestjs): Duplicate SentryService behaviour into @sentry/nestjs SDK init() (#14321)
feat(nestjs): Handle GraphQL contexts in SentryGlobalFilter (#14320)
feat(node): Add alias childProcessIntegration for processThreadBreadcrumbIntegration and deprecate it (#14334)
feat(node): Ensure request bodies are reliably captured for http requests (#13746)
feat(replay): Upgrade rrweb packages to 2.29.0 (#14160)
fix(cdn): Ensure _sentryModuleMetadata is not mangled (#14344)
fix(core): Set sentry.source attribute to custom when calling span.updateName on SentrySpan (#14251)
fix(mongo): rewrite Buffer as ? during serialization (#14071)
fix(replay): Remove replay id from DSC on expired sessions (#14342)
ref(profiling) Fix electron crash (#14216)
ref(types): Deprecate Request type in favor of RequestEventData (#14317)
ref(utils): Stop setting transaction in requestDataIntegration (#14306)
ref(vue): Reduce bundle size for starting application render span (#14275)

`v8.38.0`

docs: Improve docstrings for node otel integrations (#14217)
feat(browser): Add moduleMetadataIntegration lazy loading support (#13817)
feat(core): Add trpc path to context in trpcMiddleware (#14218)
feat(deps): Bump @opentelemetry/instrumentation-amqplib from 0.42.0 to 0.43.0 (#14230)
feat(deps): Bump @sentry/cli from 2.37.0 to 2.38.2 (#14232)
feat(node): Add knex integration (#13526)
feat(node): Add tedious integration (#13486)
feat(utils): Single implementation to fetch debug ids (#14199)
fix(browser): Avoid recording long animation frame spans starting before their parent span (#14186)
fix(node): Include debug_meta with ANR events (#14203)
fix(nuxt): Fix dynamic import rollup plugin to work with latest nitro (#14243)
fix(react): Support wildcard routes on React Router 6 (#14205)
fix(spotlight): Export spotlightBrowserIntegration from the main browser package (#14208)
ref(browser): Ensure start time of interaction root and child span is aligned (#14188)
ref(nextjs): Make build-time value injection turbopack compatible (#14081)

Work in this release was contributed by @grahamhency, @Zen-cronic, @gilisho and @phuctm97. Thank you for your contributions!

`v8.37.1`

feat(deps): Bump @opentelemetry/instrumentation from 0.53.0 to 0.54.0 for @sentry/opentelemetry (#14187)

`v8.37.0`

Important Changes

feat(nuxt): Add piniaIntegration (#14138)

The Nuxt SDK now allows you to track Pinia state for captured errors. To enable the Pinia plugin, add the piniaIntegration to your client config:

// sentry.client.config.ts
import { usePinia } from '#imports';

Sentry.init({
  integrations: [
    Sentry.piniaIntegration(usePinia(), {
      /* optional Pinia plugin options */
    }),
  ],
});

feat: Deprecate metrics API (#14157)

The Sentry Metrics beta has ended in favour of revisiting metrics in another form at a later date.

This new approach will include different APIs, making the current metrics API unnecessary. This release
deprecates the metrics API with the plan to remove in the next SDK major version. If you currently use the
metrics API in your code, you can safely continue to do so but sent data will no longer be processed by Sentry.

Learn more about the end of the Metrics beta.

Other Changes

feat(browser): Add http.response_delivery_type attribute to resource spans (#14056)
feat(browser): Add skipBrowserExtensionCheck escape hatch option (#14147)
feat(deps): Bump @opentelemetry/instrumentation from 0.53.0 to 0.54.0 (#14174)
feat(deps): Bump @opentelemetry/instrumentation-fastify from 0.40.0 to 0.41.0 (#14175)
feat(deps): Bump @opentelemetry/instrumentation-graphql from 0.43.0 to 0.44.0 (#14173)
feat(deps): Bump @opentelemetry/instrumentation-mongodb from 0.47.0 to 0.48.0 (#14171)
feat(deps): Bump @opentelemetry/propagator-aws-xray from 1.25.1 to 1.26.0 (#14172)
feat(nuxt): Add asyncFunctionReExports to define re-exported server functions (#14104)
feat(nuxt): Add piniaIntegration (#14138)
fix(browser): Avoid recording long task spans starting before their parent span (#14183)
fix(core): Ensure errors thrown in async cron jobs bubble up (#14182)
fix(core): Silently fail maybeInstrument (#14140)
fix(nextjs): Resolve path for dynamic webpack import (#13751)
fix(node): Make sure modulesIntegration does not crash esm apps (#14169)

Work in this release was contributed by @rexxars. Thank you for your contribution!

`v8.36.0`

Important Changes

feat(nextjs/vercel-edge/cloudflare): Switch to OTEL for performance monitoring (#13889)

With this release, the Sentry Next.js, and Cloudflare SDKs will now capture performance data based on OpenTelemetry.
Some exceptions apply in cases where Next.js captures inaccurate data itself.

NOTE: You may experience minor differences in transaction names in Sentry.
Most importantly transactions for serverside pages router invocations will now be named GET /[param]/my/route instead of /[param]/my/route.
This means that those transactions are now better aligned with the OpenTelemetry semantic conventions.

Other Changes

deps: Bump bundler plugins and CLI to 2.22.6 and 2.37.0 respectively (#14050)
feat(deps): bump @opentelemetry/instrumentation-aws-sdk from 0.44.0 to 0.45.0 (#14099)
feat(deps): bump @opentelemetry/instrumentation-connect from 0.39.0 to 0.40.0 (#14101)
feat(deps): bump @opentelemetry/instrumentation-express from 0.43.0 to 0.44.0 (#14102)
feat(deps): bump @opentelemetry/instrumentation-fs from 0.15.0 to 0.16.0 (#14098)
feat(deps): bump @opentelemetry/instrumentation-kafkajs from 0.3.0 to 0.4.0 (#14100)
feat(nextjs): Add method and url to route handler request data (#14084)
feat(node): Add breadcrumbs for child_process and worker_thread (#13896)
fix(core): Ensure standalone spans are not sent if SDK is disabled (#14088)
fix(nextjs): Await flush in api handlers (#14023)
fix(nextjs): Don't leak webpack types into exports (#14116)
fix(nextjs): Fix matching logic for file convention type for root level components (#14038)
fix(nextjs): Respect directives in value injection loader (#14083)
fix(nuxt): Only wrap .mjs entry files in rollup (#14060)
fix(nuxt): Re-export all exported bindings (#14086)
fix(nuxt): Server-side setup in readme (#14049)
fix(profiling-node): Always warn when running on incompatible major version of Node.js (#14043)
fix(replay): Fix onError callback (#14002)
perf(otel): Only calculate current timestamp once (#14094)
test(browser-integration): Add sentry DSN route handler by default (#14095)

`v8.35.0`

Beta release of the official Nuxt Sentry SDK

This release marks the beta release of the @sentry/nuxt Sentry SDK. For details on how to use it, check out the
Sentry Nuxt SDK README. Please reach out on
GitHub if you have any feedback or concerns.

feat(nuxt): Make dynamic import() wrapping default
(#13958) (BREAKING)
feat(nuxt): Add Rollup plugin to wrap server entry with import()
(#13945)

It is no longer required to add a Node --import flag. Please update your start command to avoid initializing Sentry
twice (BREAKING CHANGE). The SDK will now apply modifications during the build of your application to allow for
patching of libraries during runtime. If run into issues with this change, you can disable this behavior in your
nuxt.config.ts and use the --import flag instead:

sentry: {
  dynamicImportForServerEntry: false;
}

feat(nuxt): Respect user-provided source map generation settings
(#14020)

We now require you to explicitly enable sourcemaps for the clientside so that Sentry can un-minify your errors. We made
this change so source maps aren't accidentally leaked to the public. Enable source maps on the client as follows:

export default defineNuxtConfig({
  sourcemap: {
    client: true,
  },
});

feat(nuxt): Log server instrumentation might not work in dev
(#14021)
feat(nuxt): Add Http responseHook with waitUntil
(#13986)

Important Changes

feat(vue): Add Pinia plugin (#13841)

Support for Pinia is added in this release for @sentry/vue. To capture Pinia state data,
add createSentryPiniaPlugin() to your Pinia store:

import { createPinia } from 'pinia';
import { createSentryPiniaPlugin } from '@&#8203;sentry/vue';

const pinia = createPinia();

pinia.use(createSentryPiniaPlugin());

feat(node): Implement Sentry-specific http instrumentation
(#13763)

This change introduces a new SentryHttpInstrumentation to handle non-span related HTTP instrumentation, allowing it to
run side-by-side with OTel's HttpInstrumentation. This improves support for custom OTel setups and avoids conflicts
with Sentry's instrumentation. Additionally, the spans: false option is reintroduced for httpIntegration to disable
span emission while still allowing custom HttpInstrumentation instances (httpIntegration({ spans: false })).

feat(core): Make stream instrumentation opt-in
(#13951)

This change adds a new option trackFetchStreamPerformance to the browser tracing integration. Only when set to true,
Sentry will instrument streams via fetch.

Other Changes

feat(node): Expose suppressTracing API (#13875)
feat(replay): Do not log "timeout while trying to read resp body" as exception
(#13965)
chore(node): Bump @opentelemetry/instrumentation-express to 0.43.0
(#13948)
chore(node): Bump @opentelemetry/instrumentation-fastify to 0.40.0
(#13983)
fix: Ensure type for init is correct in meta frameworks
(#13938)
fix(core): .set the sentry-trace header instead of .appending in fetch instrumentation
(#13907)
fix(module): keep version for node ESM package (#13922)
fix(node): Ensure ignoreOutgoingRequests of httpIntegration applies to breadcrumbs
(#13970)
fix(replay): Fix onError sampling when loading an expired buffered session
(#13962)
fix(replay): Ignore older performance entries when starting manually
(#13969)
perf(node): Truncate breadcrumb messages created by console integration
(#14006)

Work in this release was contributed by @ZakrepaShe and @zhiyan114. Thank you for your contributions!

`v8.34.0`

Important Changes

ref(nextjs): Remove dead code (#13828)

Relevant for users of the @sentry/nextjs package: If you have previously configured a
SENTRY_IGNORE_API_RESOLUTION_ERROR environment variable, it is now safe to unset it.

Other Changes

feat(cdn): Export getReplay in replay CDN bundles
(#13881)
feat(replay): Clear fallback buffer when switching buffers
(#13914)
feat(replay): Upgrade rrweb packages to 2.28.0 (#13732)
fix(docs): Correct supported browsers due to globalThis
(#13788)
fix(nextjs): Adjust path to requestAsyncStorageShim.js template file
(#13928)
fix(nextjs): Detect new locations for request async storage to support Next.js v15.0.0-canary.180 and higher
(#13920)
fix(nextjs): Drop _not-found spans for all HTTP methods
(#13906)
fix(nextjs): Fix resolution of request storage shim fallback
(#13929)
fix(node): Ensure graphql options are correct when preloading
(#13769)
fix(node): Local variables handle error (#13827)
fix(node)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency @sentry/node to v8.49.0 [security]

bacd91c

renovate bot added the dependencies label

changeset-bot bot commented Jan 28, 2025

⚠️ No Changeset found

Latest commit: bacd91c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Contributor

github-actions bot commented Jan 28, 2025

💻 Website Preview

The latest changes are available as preview in: https://14ba5484.graphql-inspector.pages.dev

dotansimha merged commit 5a68d5c into master

7 checks passed

dotansimha deleted the renovate/npm-sentry-node-vulnerability branch

March 20, 2025 07:21

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels