meta(changelog): Update changelog for 10.40.0#19459
Draft
meta(changelog): Update changelog for 10.40.0#19459
Conversation
…19193) Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 15.2.3 to 16.0.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md"><code>@rollup/plugin-node-resolve</code>'s changelog</a>.</em></p> <blockquote> <h2>v16.0.3</h2> <p><em>2025-10-13</em></p> <h3>Bugfixes</h3> <ul> <li>fix: resolve bare targets of package "imports" using export maps; avoid fileURLToPath(null) (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1908">#1908</a>)</li> </ul> <h2>v16.0.2</h2> <p><em>2025-10-04</em></p> <h3>Bugfixes</h3> <ul> <li>fix: error thrown with empty entry (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1893">#1893</a>)</li> </ul> <h2>v16.0.1</h2> <p><em>2025-03-11</em></p> <h3>Bugfixes</h3> <ul> <li>fix: add <code>ignoreSideEffectsForRoot</code> to exported interface (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1841">#1841</a>)</li> </ul> <h2>v16.0.0</h2> <p><em>2024-12-15</em></p> <h3>Breaking Changes</h3> <ul> <li>feat!: set development or production condition (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1823">#1823</a>)</li> </ul> <h2>v15.3.1</h2> <p><em>2024-12-15</em></p> <h3>Updates</h3> <ul> <li>refactor: replace <code>test</code> with <code>includes</code> (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1787">#1787</a>)</li> </ul> <h2>v15.3.0</h2> <p><em>2024-09-23</em></p> <h3>Features</h3> <ul> <li>feat: allow preferBuiltins to be a function (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1694">#1694</a>)</li> </ul> <h2>v15.2.4</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rollup/plugins/commit/764910a09d57e3b55cb4d027765b717a50341253"><code>764910a</code></a> chore(release): node-resolve v16.0.3</li> <li><a href="https://github.com/rollup/plugins/commit/35697207a44aa9f1b474dc6e1cc6054f575765ad"><code>3569720</code></a> fix(node-resolve): resolve bare targets of package "imports" using export map...</li> <li><a href="https://github.com/rollup/plugins/commit/516ed1db422c5dfa0d29c5cbb18ca488b3ad95f6"><code>516ed1d</code></a> chore(release): node-resolve v16.0.2</li> <li><a href="https://github.com/rollup/plugins/commit/7ad50574b269ae9e1ebd5263f8d211a5103ef27d"><code>7ad5057</code></a> fix(node-resolve): error thrown with empty entry (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1893">#1893</a>)</li> <li><a href="https://github.com/rollup/plugins/commit/e1a5ef99f1578eb38a8c87563cb9651db228f3bd"><code>e1a5ef9</code></a> chore(release): node-resolve v16.0.1</li> <li><a href="https://github.com/rollup/plugins/commit/d455fff64e1ae418d69e1ac1b6f0e13bc23c70db"><code>d455fff</code></a> fix(node-resolve): add <code>ignoreSideEffectsForRoot</code> to exported interface (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1841">#1841</a>)</li> <li><a href="https://github.com/rollup/plugins/commit/d64f8d69d0ca138161fc98c0b2cd2b5df73c2895"><code>d64f8d6</code></a> chore(release): node-resolve v16.0.0</li> <li><a href="https://github.com/rollup/plugins/commit/ebd0969f67f9e4e69f4341ad812852b068657fd0"><code>ebd0969</code></a> feat(node-resolve)!: set development or production condition (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1823">#1823</a>)</li> <li><a href="https://github.com/rollup/plugins/commit/f89ca92a1bab70277e91d9da66bede48d7a13bc2"><code>f89ca92</code></a> chore(release): node-resolve v15.3.1</li> <li><a href="https://github.com/rollup/plugins/commit/4cfc1c31c2e03851fd3dca5808d20f93b315bb02"><code>4cfc1c3</code></a> refactor(pluginutils,node-resolve): replace <code>test</code> with <code>includes</code> (<a href="https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve/issues/1787">#1787</a>)</li> <li>Additional commits viewable in <a href="https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump nuxt from ^3.13.2 to ^3.21.1 in @sentry/nuxt devDependencies. This pulls in @nuxt/devtools@3.1.1 which depends on diff@^8.0.2, replacing the vulnerable diff@7.0.0 (DoS via parsePatch infinite loop). Nuxt can only be upgraded to `3.17.7` because later versions are using Vite v7 as dependency and this causes our Node 18 tests to fail. --- Summary of Vite dependency chain: `nuxt` - [@nuxt/vite-builder](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/nuxt/package.json#L83) -> [vite-node](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/vite/package.json#L66) -> [vite](https://github.com/antfu-collective/vite-node/blob/48f3ec7044513349597045ac7053efd8c3db2ba4/package.json#L89) And from Nuxt `3.20.1`, vite-node was bumped from [major 3 to 5](nuxt/nuxt#33674) which uses [vite 7](https://github.com/antfu-collective/vite-node/blob/2a2d77749c6f97117557c6a584abef15e1f7a46e/package.json#L56) But also, Nuxt `3.17.7` is the last version which uses Vite 6: https://github.com/nuxt/nuxt/blob/b56bc134455391f3ea43d29140162f0b04b615b0/packages/vite/package.json#L62 --- Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/958 --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: s1gr1d <32902192+s1gr1d@users.noreply.github.com>
This caused issues in releases where the file got modified somewhere in the lerna pipeline which then failed our prettier job.
#19296) Enhances the AI integration guidelines with: - Runtime-specific placement rules (Node.js, Cloudflare Workers, Browser only SDKs should stay in their respective packages) - Mandatory auto-detection requirement for all AI integrations - E2E testing references for Cloudflare Workers and Browser runtimes - Attribute restriction rule (only use attributes from https://getsentry.github.io/sentry-conventions/attributes/gen_ai/) Closes #19297 (added automatically)
…l option (#19280) - Adds `sourcemaps.filesToDeleteAfterUpload` to the Next.js SDK's SentryBuildOptions type, allowing users to specify custom glob patterns for source map deletion after upload. - When set, this option overrides the default deletion patterns computed by `deleteSourcemapsAfterUpload`, giving users fine-grained control — including the ability to target server-side source maps if desired. closes #19235
…vents (#19316) Calls to `Sentry.captureException()` inside a Next.js App Router route handler, lead to unparameterized transaction names - This happens because non-transaction events read their `transaction` from the isolation scope's `transactionName`, which is set to the raw URL by `httpServerIntegration`. On turbopack, the webpack wrapping loader doesn't run, so `wrapRouteHandlerWithSentry` (which sets the parameterized name on the current scope) is never called. - The fix updates `handleOnSpanStart` to also set the parameterized route on the isolation scope when hoisting the `next.route` attribute to the root span. This ensures manually captured events get the parameterized route regardless of bundler. - Adds E2E tests for route handler errors (`throw`), `captureException`, and `captureMessage` with parameterized routes in the `nextjs-16` test app. closes #19312
- Adds a new E2E test application (nextjs-16-bun) that runs Next.js 16 on Bun's runtime via `bun --bun next build/start` - Update CI to pick up this test for the bun runtime Some limitations we ran into: **1. Outgoing fetch trace propagation is broken** `sentry-trace` and `baggage` headers are not attached to outgoing fetch() requests. The OTel `nativeNodeFetchIntegration` does not intercept Bun's native fetch implementation, so distributed tracing across services does not work. The inbound request starts a new trace instead of continuing the caller's trace. **2. HTTP request headers not extracted as span attributes** Inbound HTTP request headers (e.g. User-Agent, custom headers) are not populated as http.request.header.* attributes on server spans. The OTel HTTP instrumentation doesn't extract these when running on Bun. Will create tickets for the findings. ref https://linear.app/getsentry/issue/FE-713/investigate-nextjsbun-setup
This PR migrates our formatting tool from `prettier` to `oxfmt` which is part of the oxc toolchain and offers faster checking and format fixing speeds while [maintaining the same coverage](https://x.com/boshen_c/status/2018329440607203471). I created a follow up PR in #19311 to unignore a few rules and fix the associated snapshot tests affected by it. ### Benchmarks Benchmark | Prettier | oxfmt | Speedup -- | -- | -- | -- CI | 45s | 6.0s-7.0s | ~5x-7.5× Local M3 Pro | 22s | 1.22s-1.98s | ~11× --- closes #19223
[Gitflow] Merge master into develop
When using `captureUnderscoreErrorException` on an `_error` page, the events were mostly dropped because it already existed from a Sentry-wrapped data fetcher (like `getServerProps`). This resulted in not sending the error to Sentry but still generating a new event ID which was used as `lastEventId` (and thus was wrong). Closes #19217 Also, check out this specific comment within the issue as it gives more context: #19217 (comment)
The wrapper is not needed, as it's just making the sure the types are correct. We can just use the type. For reference, this is the code for the wrapper: https://github.com/nitrojs/nitro/blob/f663e76df6b25610432c915f19d3cf7c5c19f72e/src/runtime/internal/plugin.ts Closes #19277
…19336) This resolves a leak where `SentryNonRecordingSpan` are pilled up when `tracingSampleRate` is set to `0`. Theoretically `SentryNonRecordingSpan` are still treated as spans and added to the `spans` list, but never removed By moving `shouldCreateSpanResult` closer to the actual span logic, this is now resolved. Closes #19337 (added automatically)
## Summary - Add `metrics` to the `@sentry/core` re-export block in `packages/deno/src/index.ts` - The `metrics` namespace is already exported from `@sentry/core` and re-exported by `@sentry/node`, but was missing from the Deno SDK ## Test plan - [x] `yarn build:dev:filter @sentry/deno` passes - [x] `cd packages/deno && yarn test` — all 12 tests pass - [x] `eslint src/index.ts` — no lint issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Closes #19307 (added automatically) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…19291) OTel's `PgInstrumentation` exposes an option to ignore `pg(.pool).connect` spans. This option was added recently in open-telemetry/opentelemetry-js-contrib#3280. We should allow users to configure our wrapping `postgresIntegration` with the same option.
…h null/undefined array elements (#19346) Added a guard against null/undefined elements in isPromiseAllSettledResult which caused TypeError: Cannot convert undefined or null to object when captureAllSettledReasons: true and the Lambda handler returned an array containing nullish values. closes #19344
## Summary - Re-export `logger` and `consoleLoggingIntegration` from `@sentry/core` in the Deno SDK - Add integration test verifying `logger.info()` produces a log envelope item with correct `level` and `body` ## Test plan - [x] `yarn build:dev:filter @sentry/deno` — builds successfully - [x] `cd packages/deno && yarn test` — all 13 tests pass - [x] `eslint packages/deno/src/index.ts` — no lint errors 🤖 Generated with [Claude Code](https://claude.com/claude-code) Closes #19314 (added automatically) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Replace lerna with Nx for all monorepo task execution (`lerna run` → `nx run-many`). Lerna was already using Nx under the hood, so this removes the wrapper layer and uses Nx directly. - Replace `lerna version` with a custom `scripts/bump-version.js` for release version bumping. The script replicates `lerna version --force-publish --exact --no-git-tag-version --no-push` – bumps all workspace package versions and updates internal dependency references to exact versions. Also added some unit tests. - Remove lerna dependency (`lerna.json`, `lerna` devDependency) and add `nx` as a direct devDependency (22.5.0). - Move lockfile stability check to its own CI jo (`job_check_lockfile`) that runs in parallel with the build. - Configure Nx TUI to auto-exit so `yarn build` doesn't hang waiting for ESC. - Adds a `.version.json` as a single source of truth for the current version (this works well with triggering gitflow) - Update docs (`CLAUDE.md`, `CONTRIBUTING.md`, `.cursor/rules`) to reflect the migration. Closes #19340 (added automatically)
Closes #19362 (added automatically)
…iring pino >= 9.10 (#18631) We discussed this in Bikeshedding, apm-js runtime hooks gets bundled in frameworks still using CJS like Next.js, even if the user was not using Pino integration at all. Attempts to tree-shake it failed as Next.js is still using CJS. We can drop support for older versions of Pino, given that `pino@9.10` already exposes a tracing channel that we use, and that the injected channel was a backup for `pino<9.10` This will reduce bundle sizes and ensure frameworks incapable of esm tree-shaking don't pick it up as a dependency. I will remove `@apm-js-collab/tracing-hooks` as a dep from `node-core` since nothing else uses it. closes #18199
Adds `WebFetch` permissions for `docs.sentry.io` and `develop.sentry.dev` to Claude Code settings, enabling Claude to fetch documentation content directly from Sentry's official documentation sites. This follows the same pattern used in the sentry-cocoa repository. Closes #18891 (added automatically) --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
…19330) This PR adds `sentryGlobalRequestMiddleware` and `sentryGlobalFunctionMiddleware` that capture unhandled errors from all HTTP requests and server function invocations. Users add these as the first entries in the `requestMiddleware` / `functionMiddleware` arrays of `createStart()`. These internal middlewares get marked with a `__SENTRY_INTERNAL__`, so that they can be easily skipped in the vite plugin to exclude them from middleware auto-instrumentation. Originally we wanted to do this in the server-entry-point, but since there haven't been any updates on this front in months I propose this as an alternative solution for now. This is probably slightly worse UX but in my case better than having nothing in place. We could also think about auto-injecting this during the build, but maybe not worth the effort since this is a one-time setup step. **Limitations** Tanstack Start has three types of server-side errors that we care about. With these middlewares we can capture 2 of these (route, function exceptions). We cannot capture SSR exceptions like this, because the exceptions are serialized at a deeper layer and newer thrown. **Usage** ``` import { sentryGlobalFunctionMiddleware, sentryGlobalRequestMiddleware } from '@sentry/tanstackstart-react'; import { createStart } from '@tanstack/react-start'; export const startInstance = createStart(() => ({ requestMiddleware: [sentryGlobalRequestMiddleware, ...otherMiddleware], functionMiddleware: [sentryGlobalFunctionMiddleware, ...otherMiddleware], })); ``` **Tests** - Updated E2E tests to verify server side function/route errors are being captured - Added an E2E test to document that SSR exceptions are NOT being captured Closes #18283
…hen `skipOpenTelemetrySetup` is enabled (#19333) When users bring their own OpenTelemetry setup, we were still mutating their OTel spans by setting `sentry.drop_transaction` as a span attribute. Added early returns in `dropNextjsRootContext()` and `dropMiddlewareTunnelRequests()` to skip span mutation when skipOpenTelemetrySetup is enabled closes #19169
Builds on #19200 by: - Removing the ignores that were affecting `*.hbs` and `*.html` files - Fixed some malformed HTML in our tests I initially thought it was some extra stuff done by oxfmt, but its just we didn't have those file extensions in the extension list for the format script. so, its the same output if prettier ran over those files. closes #19223
closes #19215 closes [JS-1656](https://linear.app/getsentry/issue/JS-1656/support-astro-on-cloudflare-workers) This allows to deploy Astro on CF Workers and instrument it with Sentry The main issue was that within CF Workers everything needs to be wrapped with `withSentry` from the `@sentry/cloudflare` SDK. With this PR the config cannot be changed via code and it is for now only possible to update the config on Cloudflare via [Environment Variables](https://developers.cloudflare.com/workers/configuration/environment-variables/). I couldn't come up with a nice solution to have the config and bundle it with the entrypoint of `@astro/cloudflare`. ### Future ideas However, in `@astro/cloudflare@13` the entry point is not [exporting a function](https://github.com/withastro/astro/blob/%40astrojs/cloudflare%4012.6.12/packages/integrations/cloudflare/src/entrypoints/server.ts) anymore, but a real module: https://github.com/withastro/astro/blob/%40astrojs/cloudflare%4013.0.0-beta.6/packages/integrations/cloudflare/src/entrypoints/server.ts With this we could possibly change the entrypoint entirely to a Sentry entrypoint where `withSentry` is available as code. ### Merge checks - [x] Create docs issue to update Astro on Cloudflare docs
- Adds a new local Claude Code skill at `.claude/skills/triage-issue/SKILL.md` - Invoked via `/triage-issue <issue-number-or-url> [--ci]` to triage GitHub issues on getsentry/sentry-javascript - Produces a structured report with classification, root cause analysis, cross-repo search results, and actionable next steps - Optional --ci flag outputs a Linear payload stub (to be wired up later) Closes #19357 (added automatically)
This patch fixes multiple bugs and problems around browser sessions, mostly related to user id assignment: 1. When calling `Sentry.setUser()` on static pages (i.e. no soft navigations), the user id would never be added to sessions. This is because in static pages, we don't send an `"exited"` session update. **The fix**: We send a session update whenever the user is set on the isolationScope (see comment about limitations) 2. When calling `Sentry.setUser()` in a single page application (i.e. with soft navigations), we would update the initial session with the user data when starting a new session for a new navigation. However, we did not include the user id on the new session, because the `getCurrentScope().getUser() || getIsolationScope().getUser()` check was flawed. **The fix**: we use our `getCombinedScopeData` helper to get the "correct" (read, consistently like in other telemetry items) user. 3. It seems like we had an incorrect check that would skip creating a new sessions for the first soft navigation after the pageload (in the default `'route'`) session lifecycle. **The fix**: We no longer check for `from` being undefined. --------- Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
…19401) 1. **Removes file cleanup instructions** - The report markdown file no longer needs to be deleted when running in CI, since the Docker container shuts down automatically. This eliminates unnecessary cleanup logic. 2. **Makes cross-repo searches conditional** - Cross-repo searches in `sentry-javascript-bundler-plugins` and `sentry-docs` are now optional and only performed when relevant to the issue: - Bundler plugins: Only search when the issue involves build tools, bundlers, source maps, or webpack/vite/rollup - Docs: Only search when clarification is needed about documented behavior Closes #19402 (added automatically)
Adds some rules (not enabled by default) for fetching the develop docs (in markdown format) in case they are needed. I added the develop docs that contain mostly prose text and are not too focused on the technical details (as this info can be retrieved from the code itself). Closes #19378 (added automatically)
Co-authored-by: Charly Gomez <charly.gomez@sentry.io>
Closes #19368 (added automatically)
The error tests for langchain v1 were commented out a while back, since they started failing for some reason. I had another look and after getting the attributes up to date they seem to work fine now, so I think we can put them back in. Closes #18835
Closes #19413 (added automatically)
Maybe we need a smarter clanker Closes #19417 (added automatically)
Closes #19353 Co-Authored-By: John Dengis <jadengis@users.noreply.github.com>
Closes #19351 (added automatically)
…med URIs (#19400) This PR wraps `decodeURI` in `node-stack-trace.ts` with a try/catch so that malformed URIs (e.g. filenames containing `%` sequences that are not valid percent-encoding) no longer throw a `URIError` and crash the SDK. The raw filename is returned as a fallback. In addition, we only call `getModule` if we successfully decode the filename, since in `getModule` implementations, we also again attempt to decode filenames. Since we don't have a concrete filename in #19391 which we can reproduce this, this is rather a "best effort" fix. But I think it's worth having this either way. Closes #19391 --------- Co-authored-by: Cursor <cursoragent@cursor.com>
Bumps [@actions/glob](https://github.com/actions/toolkit/tree/HEAD/packages/glob) from 0.4.0 to 0.6.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/toolkit/blob/main/packages/glob/RELEASES.md"><code>@actions/glob</code>'s changelog</a>.</em></p> <blockquote> <h2>0.6.1</h2> <ul> <li>Fix a bad import for <code>minimatch</code></li> </ul> <h2>0.6.0</h2> <ul> <li><strong>Breaking change</strong>: Package is now ESM-only <ul> <li>CommonJS consumers must use dynamic <code>import()</code> instead of <code>require()</code></li> </ul> </li> </ul> <h2>0.5.1</h2> <ul> <li>Bump <code>@actions/core</code> to <code>2.0.3</code></li> </ul> <h2>0.5.0</h2> <ul> <li>Added <code>excludeHiddenFiles</code> option, which is disabled by default to preserve existing behavior <a href="https://redirect.github.com/actions/toolkit/pull/1791">#1791: Add glob option to ignore hidden files</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/actions/toolkit/commits/HEAD/packages/glob">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for <code>@actions/glob</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@types/ember__debug](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__debug) from 3.16.5 to 4.0.8. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__debug">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sts/test-applications/cloudflare-hono (#19438) Bumps [hono](https://github.com/honojs/hono) from 4.11.7 to 4.11.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.11.10</h2> <h2>What's Changed</h2> <ul> <li>fix: fixed to be more properly timing safe (Merge commit from fork 91def7ca)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.9...v4.11.10">https://github.com/honojs/hono/compare/v4.11.9...v4.11.10</a></p> <h2>v4.11.9</h2> <h2>What's Changed</h2> <ul> <li>fix(url): ignore fragment identifiers in getPath() by <a href="https://github.com/sano-suguru"><code>@sano-suguru</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4627">honojs/hono#4627</a></li> <li>fix: determine if rendered or not by <code>node.vC[0]</code> instead of referring to <code>node.pP</code> by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4663">honojs/hono#4663</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.8...v4.11.9">https://github.com/honojs/hono/compare/v4.11.8...v4.11.9</a></p> <h2>v4.11.8</h2> <h2>What's Changed</h2> <ul> <li>fix(jsx): preserve context when using await before html helper by <a href="https://github.com/kaigritun"><code>@kaigritun</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li> <li>fix(bearer-auth): make auth-scheme case-insensitive by <a href="https://github.com/bytaesu"><code>@bytaesu</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4659">honojs/hono#4659</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kaigritun"><code>@kaigritun</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.8">https://github.com/honojs/hono/compare/v4.11.7...v4.11.8</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/a40d210834adfa4f24cc42faaed5661cd025e6af"><code>a40d210</code></a> 4.11.10</li> <li><a href="https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e"><code>91def7c</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/8b179354c10f13eaca87a24507d909886c39f124"><code>8b17935</code></a> test(types): add regression tests for <a href="https://redirect.github.com/honojs/hono/issues/4388">#4388</a> (routes before .use() with explic...</li> <li><a href="https://github.com/honojs/hono/commit/4a03f4f9cded9f0ed95aeefe7ed95e8a5170260b"><code>4a03f4f</code></a> doc(jwt): mark <code>options.secret</code> as required in JSDoc (<a href="https://redirect.github.com/honojs/hono/issues/4718">#4718</a>)</li> <li><a href="https://github.com/honojs/hono/commit/730055133f2579ee56d2d8327bf0040c310293ae"><code>7300551</code></a> chore(ci): bump typescript-go to the latest (<a href="https://redirect.github.com/honojs/hono/issues/4716">#4716</a>)</li> <li><a href="https://github.com/honojs/hono/commit/4b2978060888718351941140a7e8e028b2e9d69b"><code>4b29780</code></a> chore: update Zod import examples to use namespace imports (<a href="https://redirect.github.com/honojs/hono/issues/4715">#4715</a>)</li> <li><a href="https://github.com/honojs/hono/commit/69ad8857df4eeef1a02e628ab8f5b2b60e643f19"><code>69ad885</code></a> 4.11.9</li> <li><a href="https://github.com/honojs/hono/commit/3d536ff38d5c24ca584866a7f01cf5691b96e983"><code>3d536ff</code></a> fix: determine if rendered or not by <code>node.vC[0]</code> instead of referring to `no...</li> <li><a href="https://github.com/honojs/hono/commit/0c1d4c76cf6b2aace8bbef745d375c2cc176d99f"><code>0c1d4c7</code></a> fix(url): ignore fragment identifiers in getPath() (<a href="https://redirect.github.com/honojs/hono/issues/4627">#4627</a>)</li> <li><a href="https://github.com/honojs/hono/commit/5ca5c3e9764486b31ad7db4c0c19b2c926753ae3"><code>5ca5c3e</code></a> 4.11.8</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.10">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds a request -> response handler for accepting and forwarding Sentry envelope requests from a client SDK to Sentry. Only forwards requests to DSNs matching a list of allowed DSNs. This will be used as a base for more framework-specific handlers, middleware, etc to simplify tunneling setup.
Bumps [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) from 2.50.1 to 2.52.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/releases"><code>@sveltejs/kit</code>'s releases</a>.</em></p> <blockquote> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.51.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p> <p>Navigation callbacks (<code>beforeNavigate</code>, <code>onNavigate</code>, and <code>afterNavigate</code>) now include scroll position information via the <code>scroll</code> property on <code>from</code> and <code>to</code> targets:</p> <ul> <li><code>from.scroll</code>: The scroll position at the moment navigation was triggered</li> <li><code>to.scroll</code>: In <code>beforeNavigate</code> and <code>onNavigate</code>, this is populated for <code>popstate</code> navigations (back/forward) with the scroll position that will be restored, and <code>null</code> for other navigation types. In <code>afterNavigate</code>, this is always the final scroll position after navigation completed.</li> </ul> <p>This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.</p> </li> <li> <p>feat: <code>hydratable</code>'s injected script now works with CSP (<a href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: put preloads before styles (<a href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p> </li> <li> <p>fix: suppress false-positive inner content warning when children prop is forwarded to a child component (<a href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p> </li> <li> <p>fix: <code>fetch</code> not working when URL is same host but different than <code>paths.base</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p> </li> <li> <p>fix: navigate to hash link when base element is present (<a href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@sveltejs/kit</code>'s changelog</a>.</em></p> <blockquote> <h2>2.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2>2.52.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p> </li> <li> <p>chore: remove dependency on <code>sade</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p> </li> <li> <p>fix: include <code>.txt</code> files in precompression (<a href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p> </li> <li> <p>fix: escape backticks and dollar signs when creating inlined css (<a href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p> </li> <li> <p>fix: increment <code>form.pending</code> count before preflight validation (<a href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p> </li> </ul> <h2>2.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2>2.51.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a> chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a> fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a> chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a> fix: escape backticks and dollar signs before creating interpolated string (#...</li> <li><a href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a> fix: increment <code>form.pending</code> count before preflight validation (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a> chore: remove dependency on sade (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.11.7 to 4.11.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.11.10</h2> <h2>What's Changed</h2> <ul> <li>fix: fixed to be more properly timing safe (Merge commit from fork 91def7ca)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.9...v4.11.10">https://github.com/honojs/hono/compare/v4.11.9...v4.11.10</a></p> <h2>v4.11.9</h2> <h2>What's Changed</h2> <ul> <li>fix(url): ignore fragment identifiers in getPath() by <a href="https://github.com/sano-suguru"><code>@sano-suguru</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4627">honojs/hono#4627</a></li> <li>fix: determine if rendered or not by <code>node.vC[0]</code> instead of referring to <code>node.pP</code> by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4663">honojs/hono#4663</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.8...v4.11.9">https://github.com/honojs/hono/compare/v4.11.8...v4.11.9</a></p> <h2>v4.11.8</h2> <h2>What's Changed</h2> <ul> <li>fix(jsx): preserve context when using await before html helper by <a href="https://github.com/kaigritun"><code>@kaigritun</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li> <li>fix(bearer-auth): make auth-scheme case-insensitive by <a href="https://github.com/bytaesu"><code>@bytaesu</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4659">honojs/hono#4659</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kaigritun"><code>@kaigritun</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.8">https://github.com/honojs/hono/compare/v4.11.7...v4.11.8</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/a40d210834adfa4f24cc42faaed5661cd025e6af"><code>a40d210</code></a> 4.11.10</li> <li><a href="https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e"><code>91def7c</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/8b179354c10f13eaca87a24507d909886c39f124"><code>8b17935</code></a> test(types): add regression tests for <a href="https://redirect.github.com/honojs/hono/issues/4388">#4388</a> (routes before .use() with explic...</li> <li><a href="https://github.com/honojs/hono/commit/4a03f4f9cded9f0ed95aeefe7ed95e8a5170260b"><code>4a03f4f</code></a> doc(jwt): mark <code>options.secret</code> as required in JSDoc (<a href="https://redirect.github.com/honojs/hono/issues/4718">#4718</a>)</li> <li><a href="https://github.com/honojs/hono/commit/730055133f2579ee56d2d8327bf0040c310293ae"><code>7300551</code></a> chore(ci): bump typescript-go to the latest (<a href="https://redirect.github.com/honojs/hono/issues/4716">#4716</a>)</li> <li><a href="https://github.com/honojs/hono/commit/4b2978060888718351941140a7e8e028b2e9d69b"><code>4b29780</code></a> chore: update Zod import examples to use namespace imports (<a href="https://redirect.github.com/honojs/hono/issues/4715">#4715</a>)</li> <li><a href="https://github.com/honojs/hono/commit/69ad8857df4eeef1a02e628ab8f5b2b60e643f19"><code>69ad885</code></a> 4.11.9</li> <li><a href="https://github.com/honojs/hono/commit/3d536ff38d5c24ca584866a7f01cf5691b96e983"><code>3d536ff</code></a> fix: determine if rendered or not by <code>node.vC[0]</code> instead of referring to `no...</li> <li><a href="https://github.com/honojs/hono/commit/0c1d4c76cf6b2aace8bbef745d375c2cc176d99f"><code>0c1d4c7</code></a> fix(url): ignore fragment identifiers in getPath() (<a href="https://redirect.github.com/honojs/hono/issues/4627">#4627</a>)</li> <li><a href="https://github.com/honojs/hono/commit/5ca5c3e9764486b31ad7db4c0c19b2c926753ae3"><code>5ca5c3e</code></a> 4.11.8</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.10">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…kages/e2e-tests/test-applications/sveltekit-2-kit-tracing (#19446) Bumps [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) from 2.49.5 to 2.52.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/releases"><code>@sveltejs/kit</code>'s releases</a>.</em></p> <blockquote> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.51.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p> <p>Navigation callbacks (<code>beforeNavigate</code>, <code>onNavigate</code>, and <code>afterNavigate</code>) now include scroll position information via the <code>scroll</code> property on <code>from</code> and <code>to</code> targets:</p> <ul> <li><code>from.scroll</code>: The scroll position at the moment navigation was triggered</li> <li><code>to.scroll</code>: In <code>beforeNavigate</code> and <code>onNavigate</code>, this is populated for <code>popstate</code> navigations (back/forward) with the scroll position that will be restored, and <code>null</code> for other navigation types. In <code>afterNavigate</code>, this is always the final scroll position after navigation completed.</li> </ul> <p>This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.</p> </li> <li> <p>feat: <code>hydratable</code>'s injected script now works with CSP (<a href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: put preloads before styles (<a href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p> </li> <li> <p>fix: suppress false-positive inner content warning when children prop is forwarded to a child component (<a href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p> </li> <li> <p>fix: <code>fetch</code> not working when URL is same host but different than <code>paths.base</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p> </li> <li> <p>fix: navigate to hash link when base element is present (<a href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@sveltejs/kit</code>'s changelog</a>.</em></p> <blockquote> <h2>2.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2>2.52.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p> </li> <li> <p>chore: remove dependency on <code>sade</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p> </li> <li> <p>fix: include <code>.txt</code> files in precompression (<a href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p> </li> <li> <p>fix: escape backticks and dollar signs when creating inlined css (<a href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p> </li> <li> <p>fix: increment <code>form.pending</code> count before preflight validation (<a href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p> </li> </ul> <h2>2.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2>2.51.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a> chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a> fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a> chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a> fix: escape backticks and dollar signs before creating interpolated string (#...</li> <li><a href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a> fix: increment <code>form.pending</code> count before preflight validation (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a> chore: remove dependency on sade (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…kages/e2e-tests/test-applications/sveltekit-2 (#19441) Bumps [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) from 2.49.5 to 2.52.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/releases"><code>@sveltejs/kit</code>'s releases</a>.</em></p> <blockquote> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2><code>@sveltejs/kit</code><a href="https://github.com/2"><code>@2</code></a>.51.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p> <p>Navigation callbacks (<code>beforeNavigate</code>, <code>onNavigate</code>, and <code>afterNavigate</code>) now include scroll position information via the <code>scroll</code> property on <code>from</code> and <code>to</code> targets:</p> <ul> <li><code>from.scroll</code>: The scroll position at the moment navigation was triggered</li> <li><code>to.scroll</code>: In <code>beforeNavigate</code> and <code>onNavigate</code>, this is populated for <code>popstate</code> navigations (back/forward) with the scroll position that will be restored, and <code>null</code> for other navigation types. In <code>afterNavigate</code>, this is always the final scroll position after navigation completed.</li> </ul> <p>This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.</p> </li> <li> <p>feat: <code>hydratable</code>'s injected script now works with CSP (<a href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: put preloads before styles (<a href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p> </li> <li> <p>fix: suppress false-positive inner content warning when children prop is forwarded to a child component (<a href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p> </li> <li> <p>fix: <code>fetch</code> not working when URL is same host but different than <code>paths.base</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p> </li> <li> <p>fix: navigate to hash link when base element is present (<a href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@sveltejs/kit</code>'s changelog</a>.</em></p> <blockquote> <h2>2.52.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: validate <code>form</code> file information to prevent amplification attacks (<a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p> </li> <li> <p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p> </li> <li> <p>fix: parse file offset table more strictly (<a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p> </li> </ul> <h2>2.52.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p> </li> <li> <p>chore: remove dependency on <code>sade</code> (<a href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p> </li> <li> <p>fix: include <code>.txt</code> files in precompression (<a href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p> </li> <li> <p>fix: escape backticks and dollar signs when creating inlined css (<a href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p> </li> <li> <p>fix: increment <code>form.pending</code> count before preflight validation (<a href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p> </li> </ul> <h2>2.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: <code>match</code> function to map a path back to a route id and params (<a href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: respect scroll-margin when navigating to a url-supplied anchor (<a href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p> </li> <li> <p>fix: <code>resolve</code> will narrow types to follow trailing slash page settings (<a href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p> </li> </ul> <h2>2.51.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: add <code>scroll</code> property to <code>NavigationTarget</code> in navigation callbacks (<a href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a> chore: upgrade <code>devalue</code> and <code>svelte</code> (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a> Version Packages (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a> fix: clear stale preflight issues on subsequent valid form submissions (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a> chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a> fix: escape backticks and dollar signs before creating interpolated string (#...</li> <li><a href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a> fix: increment <code>form.pending</code> count before preflight validation (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li> <li><a href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a> chore: remove dependency on sade (<a href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary - Bumps `@mapbox/node-pre-gyp` from `2.0.0` to `2.0.3` (transitive dep via `@sentry/aws-serverless` → `@vercel/nft`) - This resolves `tar` from `7.5.7` to `7.5.9`, patching [GHSA-83g3-92jg-28cx](GHSA-83g3-92jg-28cx) / CVE-2026-26960 - No `package.json` changes — existing version ranges already permitted the newer versions; only `yarn.lock` was updated ## Vulnerability **CVE-2026-26960** (High, CVSS 7.1) — Arbitrary file read/write via hardlink target escape through symlink chain in `tar.extract()`. An attacker-controlled archive can create a hardlink inside the extraction directory pointing to a file outside the extraction root using default options. **Affected:** `tar < 7.5.8` | **Patched:** `tar >= 7.5.8` ## Dependency chain ``` @sentry/aws-serverless → @vercel/nft → @mapbox/node-pre-gyp 2.0.0 → 2.0.3 → tar 7.5.7 → 7.5.9 ``` Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/1063 Made with [Cursor](https://cursor.com) Co-authored-by: Cursor <cursoragent@cursor.com>
Closes #19424 (added automatically)
closes #19384 closes [JS-1744](https://linear.app/getsentry/issue/JS-1744/cloudflare-instrument-async-kv-api) With that we start to instrument DO objects starting with the Async KV API. Cloudflare is instrumenting these with underlines between: `durable_object_storage_get`, without any more information to it. In the future to make them a little more useful we could store the keys as span attributes on it with `db.cloudflare.durable_object.storage.key` or `db.cloudflare.durable_object.storage.keys`. First we have to add them to our [semantic conventions](https://getsentry.github.io/sentry-conventions/attributes/) though
The Nuxt Modules page shows the readme as a documentation which can be confusing as it does not contain all the details. This PR removes all duplicated content that is also available in the docs and keeps the link to the docs. Nuxt Modules page: https://nuxt.com/modules/sentry Closes #19403
Improve the prompt to challenge the framing of the issue reporter and consider misconfiguration etc. Also fix some issues where the agent was trying to write where it was not allowed in CI (e.g. writing to `tmp`). I added some general prompts directly to the system prompt in the GitHub action (as it's only relevant for CI). Also allows `Bash(npm info *),Bash(npm ls *)` to get some general package info. Closes #19455 (added automatically)
bumps `fast-xml-parser` to `5.3.6` which resolves https://github.com/getsentry/sentry-javascript/security/dependabot/1062 partially. The remaining case was usage of the dep in `@langchain/anthropic@0.3.x` which we only use in node integration tests. Given we intentionally test against 0.x, I dismissed the alert due to this case. h/t @chargome for the /fix-security-vulnerability skill 🙏 Closes #19437 (added automatically) Closes #19449
Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
size-limit report 📦
|
Contributor
node-overhead report 🧳Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Just putting the changelog here again since the files page may not load 😆
Important Changes
feat(tanstackstart-react): Add global sentry exception middlewares (#19330)
The
sentryGlobalRequestMiddlewareandsentryGlobalFunctionMiddlewareglobal middlewares capture unhandled exceptions thrown in TanStack Start API routes and server functions. Add them as the first entries in therequestMiddlewareandfunctionMiddlewarearrays ofcreateStart():fix(node-core): Reduce bundle size by removing apm-js-collab and requiring pino >= 9.10 (#18631)
In order to keep receiving pino logs, you need to update your pino version to >= 9.10, the reason for the support bump is to reduce the bundle size of the node-core SDK in frameworks that cannot tree-shake the apm-js-collab dependency.
fix(browser): Ensure user id is consistently added to sessions (#19341)
Previously, the SDK inconsistently set the user id on sessions, meaning sessions were often lacking proper coupling to the user set for example via
Sentry.setUser().Additionally, the SDK incorrectly skipped starting a new session for the first soft navigation after the pageload.
This patch fixes these issues. As a result, metrics around sessions, like "Crash Free Sessions" or "Crash Free Users" might change.
This could also trigger alerts, depending on your set thresholds and conditions.
We apologize for any inconvenience caused!
While we're at it, if you're using Sentry in a Single Page App or meta framework, you might want to give the new
'page'session lifecycle a try!This new mode no longer creates a session per soft navigation but continues the initial session until the next hard page refresh.
Check out the docs to learn more!
Other Changes
sourcemaps.filesToDeleteAfterUploadas a top-level option (#19280)ignoreConnectSpansoption topostgresIntegration(#19291)isPromiseAllSettledResultwith null/undefined array elements (#19346)optionsif set (#19274)sentry.drop_transactionattribute on spans whenskipOpenTelemetrySetupis enabled (#19333)options.rootDirinstead ofoptions.srcDir(#19343)Internal Changes
lerna.jsonfor prettier (#19288)environmentto triage action (#19375)id-token: writepermission to triage workflow (#19381)fast-xml-parser(#19433)allowedToolsto Claude GitHub action (#19386)triage-issueskill (#19358)triage-issueskill (#19356)Writeand removermpermission (#19397)defineNitroPluginwrapper (#19334)