meta(changelog): Update changelog for 10.41.0 #19576
[Gitflow] Merge master into develop
This came up in a clanker review, feel free to close @nicohrubec Closes #19503 (added automatically)
Just came across https://nextjs.org/docs/app/api-reference/config/next-config-js/turbopack#advanced-webpack-loader-conditions when researching for another issue. We can match the turbopack loaders more strictly to only run on user code. Potentially reduces build times. Closes #19504 (added automatically)
Our conditions for dropping control flow errors were a bit broad, leading to silently dropping errors from being sent to Sentry including `axios` errors. Closes #19519
…erless environments (#19513)
As of today server-side Sentry does not work for Tanstack Start if run in serverless environments. Deployment works fine, but no data is actually sent to Sentry. After some experimentation I figured out that we can make it work if we make the following two changes:
- Import `instrument.server.mjs` in the `server.ts` file that has the server entry point. Eventually we can do this automatically during the build, but for now I'll update the documentation to do that.
- Events need to be explicitly `flushed()`, so that data is sent off before the serverless function dies. This PR adds a `flushIfServerless()` call to the `wrapFetchWithSentry` wrapper.
With these modifications errors, logs and basic tracing work (tested on Netlify and Vercel). For cloudflare we'll likely need a slightly modified approach.
Tests:
- Added basic unit tests that check that `flush()` is called.
- Tried to add a netlify e2e test so we can properly test this behavior, but couldn't get anything server-side to work with that. With manual deployments it works fine.
Closes #19507
- Create AGENTS.md as the single source of truth for SDK development rules - Remove .cursor/rules/sdk_development.mdc (all content now in AGENTS.md) - Symlink CLAUDE.md to AGENTS.md Both CLAUDE.md and .cursor/rules/sdk_development.mdc contained duplicated SDK development rules that could drift out of sync. AGENTS.md is the standard cross-tool format — Cursor, Claude Code, and other agents all read it automatically, so a single shared file eliminates duplication. Closes #19522 (added automatically) --------- Co-authored-by: Sigrid <32902192+s1gr1d@users.noreply.github.com>
…alize streaming span names (#19500)
This PR introduces some fixes across AI integrations.
1. Normalize streaming span description
Removes the stream-response suffix from span descriptions across OpenAI, Anthropic, and Google GenAI integrations. Streaming and non-streaming spans now use the same naming format (e.g., chat gpt-4 instead of chat gpt-4 stream-response), making grouping and filtering more consistent.
2. Expand multimodal media stripping
Adds detection and redaction of three additional inline media formats in truncateGenAiMessages:
- OpenAI vision format with nested image_url objects ({ image_url: { url: "data:..." } })
- OpenAI input_audio parts ({ type: "input_audio", input_audio: { data: "..." } })
- OpenAI file parts with inline data ({ type: "file", file: { file_data: "..." } })
4. Rename redaction placeholder
Changes the placeholder for stripped binary data from [Filtered] to [Blob substitute] to better communicate what happened.
5. Fix off-by-one in truncation byte accounting
Subtracts the 2-byte JSON array wrapper ([ and ]) from the effective max bytes budget, and fixes a boundary condition in truncateTextByBytes to avoid strings that land exactly on the byte limit.
Closes #19496 #19479
- Adding a devDependency on minimatch in the root, so that all outdated versions get pushed into duplicates.
- Updated `minimatch` direct dependency packages/node, packages/react-router, and packages/remix
- Once getsentry/sentry-javascript-bundler-plugins#885 lands, we can update the dependency coming in from `@sentry/bundler-plugin-core`
There are several other dependencies that transitively bring in a minimatch v3, v5, v8, or v9. Fixes for the ReDOS will be backported where those dependencies cannot be easily updated.
- adds `agents.toml` for managing repo skills using https://github.com/getsentry/dotagents - restructures existing skills to `.agents folder` Closes #19527 (added automatically)
No idea why this didn't trigger our linter.. but I keep getting this whenever I run `yarn fix` 🤔 Closes #19537 (added automatically) --------- Co-authored-by: Nicolas Hrubec <nicolas.hrubec@outlook.com>
closes #19510 closes [JS-1801](https://linear.app/getsentry/issue/JS-1801/magic-string-pinned-to-exact-versions-across-packages-preventing) This is using a version range for `magic-string`. I moved the version range from `magic-string` in `@sentry/svelte` to a `~`, to actually prevent breaking changes in case something would break our SDK in `0.31.0`.
#19538) Update rollup from 4.57.0 to 4.59.0 to address CVE-2026-27606 (GHSA-mw96-cpmx-2vgc), a high-severity arbitrary file write via path traversal in rollup's filename sanitization. Co-authored-by: Claude <noreply@anthropic.com>
The JS doc states that extra keys are added as `consola.` log
attributes. However, this is not the case.
Extra keys can be added by, for example, calling the Consola reporter
directly or by calling `consola.[type]({ message: '', ... })`.
Part of this PR (split up for better reviewing):
#18602
Closes #19512 (added automatically)
…umentation (#19476)
## Summary
The Vue Router navigation guard registered by `instrumentVueRouter` declares a third `next` parameter, which triggers a deprecation warning in Vue Router 4.x+:
> [Vue Router warn]: The `next()` callback in navigation guards is deprecated. Use return values instead.
Vue Router uses `Function.length` to detect whether a guard expects the legacy `next` callback. Since the guard declares 3 parameters (`to`, `_from`, `next`), Vue Router enters callback mode and emits the deprecation warning at runtime.
This PR removes the `next` parameter entirely. Vue Router automatically resolves navigation for guards with `length < 3` via its return-based pattern, so calling `next()` was already a no-op in Vue Router 4+. The `if (next) { next(); }` block was only needed for Vue Router 2/3 compatibility, which is no longer supported by `@sentry/vue` v8+.
Relates to #8349
## Changes
- Removed `next` parameter from the `beforeEach` guard in `instrumentVueRouter`
- Removed the `if (next) { next(); }` compatibility block
- Updated `VueRouter` interface to reflect the 2-parameter signature
- Updated all tests to remove `mockNext` usage
- Replaced the "doesn't throw when next is not available" test with a `Function.length` assertion that enforces the guard uses the modern return-based pattern
## Test plan
- [x] Existing unit tests updated and passing (80/80)
- [x] New `Function.length` assertion prevents future regressions
- [x] Verified fix eliminates the deprecation warning at runtime in a Vue Router 4/5 application
closes #19528
This PR adds the external contributor to the CHANGELOG.md file, so that they are credited for their contribution. See #19476 Co-authored-by: logaretm <6261322+logaretm@users.noreply.github.com>
Bumps [rxjs](https://github.com/reactivex/rxjs) from 7.8.1 to 7.8.2.
Changelog, sourced from [rxjs's changelog](https://github.com/ReactiveX/rxjs/blob/7.8.2/CHANGELOG.md):
[7.8.2](https://github.com/reactivex/rxjs/compare/7.8.1...7.8.2) (2025-02-22), Bug Fixes:
- **animationFrameScheduler:** some tasks are never flushed and sometimes it breaks completely (#7444)
- **mergeWith:** works correctly with an Array (#7281)
- **subscriber:** strict type signature for next method (#7172)
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Create `/release`, `/upgrade-dep`, `/upgrade-otel` skills from `.cursor/rules/` procedural guides
- Inline `fetch-docs/attributes.mdc` and `fetch-docs/scopes.mdc` as reference links in root `AGENTS.md`
- Delete 5 migrated `.cursor/rules/` files (-250 lines of Cursor-specific format)
Some cursor rules used `alwaysApply: false`, meaning they loaded on-demand. Moving them into `AGENTS.md` (always loaded) would waste context tokens on every interaction. Skills are the right fit — they're on-demand, match the existing pattern (`/e2e`, `/triage-issue`, etc.), and work across all agents.
Part of the `.cursor/rules/` → `AGENTS.md` migration. Remaining files (`adding-a-new-ai-integration.mdc` + browser fetch-docs) will be handled in a follow-up PR with scoped `AGENTS.md` files. Closes #19550 (added automatically)
…ion` on Turbopack (#19542) When Next.js switched to Turbopack as the default dev bundler, `thirdPartyErrorFilterIntegration` stopped working because it relies on `@sentry/webpack-plugin` injecting `_sentryModuleMetadata` into every app module — and Turbopack doesn't support webpack plugins. This PR adds a new Turbopack loader (`moduleMetadataInjectionLoader`) that injects the same `_sentryModuleMetadata` snippet the webpack plugin would, using Turbopack's `condition: { not: 'foreign' }` to restrict injection to first-party code only. This is gated behind `_experimental.turbopackApplicationKey` and requires Next.js 16+. closes #19320
…wn_chain spans LangChain's callback manager passes the actual node/run name as the 8th argument to handleChainStart. The previous implementation only read 4 of the 8 parameters, falling back to chain.name which is not a standard property on the Serialized type and is always undefined. This caused all chain spans — including LangGraph node spans — to be named unknown_chain. Co-Authored-By: claude-sonnet-4-6 <noreply@anthropic.com>
Motivation is: Package conventions (e.g. bundle size concerns in browser) belong in scoped `AGENTS.md` files that load only when editing in that directory.
Agents frequently misunderstand the bundling architecture, so adding this file should help to resolve this. Closes #19557 (added automatically)
These commands all already have skill equivalents. Closes #19561 (added automatically)
…rt-runname fix(langchain): use runName argument in handleChainStart to fix unknown_chain spans
…9109)
Resolves: #19097
Middleware spans created by the instrumentation API were using the route pattern as the span name (same as loaders and actions), which doesn't help when a route has multiple middlewares. This PR adds function name resolution so middleware spans are named `middleware authMiddleware` instead of just the route pattern. Each span also gets a `react_router.middleware.index` attribute. When names are not available (anonymous arrow functions), it falls back to the route ID.
Function names are resolved from the `ServerBuild` object, which is captured through two complementary paths:
- The OTEL instrumentation patches createRequestHandler at runtime, capturing the `ServerBuild` from its arguments. This handles both static builds and factory functions (dev mode HMR).
- New Vite plugin (makeServerBuildCapturePlugin) that injects into the virtual react-router/server-build module during SSR builds, providing early capture at module initialization. This is needed because virtual modules are not reachable by OTEL's module hooks.
The `isInstrumentationApiUsed()` check in the OTEL instrumentation was moved from the per-request handler to `createRequestHandler` itself. The OTEL hook now always needs to run to capture the ServerBuild reference for middleware name lookup; per-request wrapping is gated at the handler level instead. The Node version gating for the OTEL hook was also removed since it needs to run unconditionally now.
Limitation:
- Anonymous middlewares won't have function names regardless of build mode.
Update lockfile to pull patched rollup versions for transitive dependencies vulnerable to arbitrary file write via path traversal: - ng-packagr: rollup 2.79.2 → 2.80.0 - astro/vite: rollup 3.29.5 → 3.30.0 - unbuild: rollup 3.29.5 → 3.30.0 Co-authored-by: Claude <noreply@anthropic.com>
…on (#19566) This PR extracts parts from `@sentry/node`'s `PostgresJsInstrumentation` to `@sentry/core` and exposes it as a callable `instrumentPostgresJsSql` helper that can be used in SDKs that aren't based on OpenTelemetry. It is currently exposed in `@sentry/cloudflare` and `@sentry/deno` as these two SDKs are not based on OpenTelemetry under the hood. `@sentry/node` imports and reuses as much as possible from it. Closes #19567 (added automatically)
…19506) closes #19475 closes [JS-1785](https://linear.app/getsentry/issue/JS-1785/investigate-memory-leaks-in-cloudflare) This is a way to dispose the client entirely. Every request in Cloudflare Workers creates its own client. Once the request is done the client would stay in memory forever, unless we `dispose` it after every request. We also have to wait until all `waitUntil`s are finished, otherwise we would lose these traces. The `dispose()` method got added on purpose into the core client, as the `getCurrentClient()` would return a `Client`. The `dispose()` method actually only has functionality inside the `ServerRuntimeClient`, as only the server would need this functionality. There is still a leak in one of the default integrations, but when running load tests against [the reproduction repo](https://github.com/JPeer264/temp-cloudflare-leak) and setting `defaultIntegrations: false`, then no leak is happening. FWIW there will be a separate PR for adding a MemoryProfiler as seen in #19364, to prevent this memory leak in the future.
…ication (#19540) - Fixes a bug where base64 image/audio data in LangChain multimodal messages leaked into gen_ai.input.messages span attributes unredacted - The root cause was normalizeLangChainMessages calling asString() (which JSON.stringifies arrays) on multimodal content before the media stripping pipeline could inspect it, so stripInlineMediaFromMessages never saw structured objects to redact - Adds normalizeContent() that applies stripInlineMediaFromSingleMessage to array/object content parts before stringification, matching the [Blob substitute] behavior already working for OpenAI/Anthrop Closes #19539
Co-Authored-By: Claude claude-opus-4-6 <noreply@anthropic.com>
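The ordering problem described in the LangChain fix above, combined with the three OpenAI part shapes listed in the earlier AI-integrations commit, as an added example that is not the SDK's code. The helper names and the sample message are constructed for illustration; only the `[Blob substitute]` placeholder and the part shapes come from the page.

```javascript
// Added example: hypothetical helpers, not the SDK's implementation.
const PLACEHOLDER = '[Blob substitute]'; // placeholder text named in the changelog

// Redact inline binary payloads in one structured content part.
function redactPart(part) {
  if (part === null || typeof part !== 'object') return part;
  const out = { ...part };
  // Vision part: { image_url: { url: "data:..." } }; remote URLs are kept.
  if (out.image_url && typeof out.image_url.url === 'string' && out.image_url.url.startsWith('data:')) {
    out.image_url = { ...out.image_url, url: PLACEHOLDER };
  }
  // Audio part: { type: "input_audio", input_audio: { data: "..." } }
  if (out.type === 'input_audio' && out.input_audio && typeof out.input_audio.data === 'string') {
    out.input_audio = { ...out.input_audio, data: PLACEHOLDER };
  }
  // File part: { type: "file", file: { file_data: "..." } }
  if (out.type === 'file' && out.file && typeof out.file.file_data === 'string') {
    out.file = { ...out.file, file_data: PLACEHOLDER };
  }
  return out;
}

// The redactor only understands structured parts; string content passes through.
function redactMessages(messages) {
  return messages.map(m => ({
    ...m,
    content: Array.isArray(m.content) ? m.content.map(redactPart) : m.content,
  }));
}

// Flatten array/object content to a string, as a span attribute requires.
function flatten(messages) {
  return messages.map(m => ({
    ...m,
    content: typeof m.content === 'string' ? m.content : JSON.stringify(m.content),
  }));
}

// Leaky order: by the time the redactor runs, the parts are opaque strings.
function stringifyThenRedact(messages) {
  return JSON.stringify(redactMessages(flatten(messages)));
}

// Fixed order: redact while the parts are still objects, then flatten.
function redactThenStringify(messages) {
  return JSON.stringify(flatten(redactMessages(messages)));
}

// Constructed sample: one user message carrying all three inline formats.
const FAKE_B64 = 'QUJDREVGRw=='; // stands in for real media bytes
const sample = [{
  role: 'user',
  content: [
    { type: 'text', text: 'describe these' },
    { type: 'image_url', image_url: { url: `data:image/png;base64,${FAKE_B64}` } },
    { type: 'image_url', image_url: { url: 'https://example.com/cat.png' } },
    { type: 'input_audio', input_audio: { data: FAKE_B64, format: 'wav' } },
    { type: 'file', file: { file_data: FAKE_B64, filename: 'a.pdf' } },
  ],
}];

console.log('leaky output still contains payload:', stringifyThenRedact(sample).includes(FAKE_B64));
console.log('fixed output still contains payload:', redactThenStringify(sample).includes(FAKE_B64));
```

A regression test for this class of bug should assert on the final serialized attribute, since that string is what leaves the process.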
size-limit report 📦
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| scope.setClient(client); | ||
| } | ||
|
|
||
| const clientToDispose = currentClient || scope.getClient(); |
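Review bot: `clientToDispose` on the last line falls back to `scope.getClient()`, so it can name a client that this wrapper did not install through the `scope.setClient(client)` branch above. Record in that branch whether the client was created here and dispose only in that case; for a client that was already on the scope, flush it and leave disposal to whichever wrapper created it.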
Disposing inherited client breaks parent scope in DOs
Medium Severity
When wrapMethodWithSentry finds a pre-existing client on the scope (e.g., from a parent fetch handler), clientToDispose is set to that inherited client. After the wrapped method completes, flushAndDispose(clientToDispose) disposes it — clearing its transport, hooks, integrations, and event processors. If a Durable Object's fetch handler (wrapped by wrapRequestHandler) calls one of its own RPC methods (wrapped by wrapMethodWithSentry), the fetch handler's client gets disposed while the fetch handler is still running. Subsequent Sentry calls from the fetch handler become no-ops, and the fetch handler's own flushAndDispose silently skips flushing because _transport is already undefined. Previously this code path just called flush(2000), which was non-destructive.
node-overhead report 🧳
Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.


No description provided.