feat(deps): Bump OpenTelemetry dependencies#19682
Merged
andreiborza merged 31 commits intodevelopfrom Mar 11, 2026
Merged
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
andreiborza
force-pushed
the
ab/bump-otel
branch
from
4755ff2 to
3f4d8da
Compare
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Contributor
size-limit report 📦
|
Contributor
node-overhead report 🧳Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
|
andreiborza
force-pushed
the
ab/bump-otel
branch
3 times, most recently
from
03df6e6 to
50b6d6d
Compare
JPeer264
approved these changes
Mar 9, 2026
| { key: 'network.peer.address', value: { stringValue: expect.any(String) } }, | ||
| { key: 'network.peer.port', value: { intValue: 3030 } }, | ||
| { key: 'http.response.status_code', value: { intValue: 200 } }, | ||
| { key: 'http.response.header.content-length', value: { intValue: 16 } }, |
Member
There was a problem hiding this comment.
l: This got dropped on purpose? According to this page we could use http.response.body.size instead (that is also true for other files where this got dropped)
Member
Author
There was a problem hiding this comment.
Yes, this was intentional. instrumentation-undici 0.23.0 no longer emits http.response.header.content-length by default — it now requires explicit headersToSpanAttributes configuration (aligning with the OTel HTTP semconv spec). http.response.body.size is also not emitted by default in this version, so there is no direct replacement to assert on here.
Member
Author
There was a problem hiding this comment.
I will create a follow up PR to expose the headersToSpanAttributes option so users can opt in.
The actual fail mostly "resolved itself" because Angular now also released `22.0.0-next.0` versions for the Angular CLI packages, in addition to the core angular packages. However, Angular 22 will [require](angular/angular-cli#32681) At least Node 22.22.0. So this PR makes a few modifications to fully fix Angular canary tests again: - set the node version to Node 22.22.0 for the canary test and the Angular 21 e2e test (which should be fine IMHO) - Use the `angular-21` app instead of the `angular-20` app for canary tests - Remove the optional canary test config in the `angular-20` app closes #19636
meta(changelog): Update changelog for 10.43.0
[Gitflow] Merge master into develop
I ran `yarn fix` on `develop` and there was a change. Does that mean that the CI doesn't fail when the files are not formatted correctly?! Closes #19711 (added automatically)
#19708) closes #19670 When browserTracingIntegration initializes, it creates a 30-second setTimeout (idle span final timeout), multiple PerformanceObserver instances, and various other timers. These keep the JS event loop active, which prevents Googlebot's headless Chromium renderer from considering the page "idle" — resulting in incomplete or broken page snapshots in Google Search Console. This PR detects known bot/crawler user agents and skips the tracing setup entirely, so no timers or observers are created. Error monitoring via other integrations is unaffected. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
We don't need to create PRs to add new packages to the registry. Craft can now do this automatically. Documented here: https://craft.sentry.dev/targets/registry/#creating-new-packages Closes #19732 (added automatically)
Small addition to this PR: #19731 Reference (adds `sdkName`): getsentry/craft#769 Closes #19737 (added automatically)
…ie-breaking (#19421) ### Summary Implements the `sentry.timestamp.sequence` attribute for both logs and metrics, following the [logs spec v1.16.0](https://develop.sentry.dev/sdk/telemetry/logs/#changelog) and [metrics spec v2.6.0](https://develop.sentry.dev/sdk/telemetry/metrics/#changelog). The attribute provides deterministic ordering of telemetry items that share the same millisecond timestamp. The counter starts at `0`, increments by `1` per item, and resets when the integer millisecond timestamp changes. ### Shared Counter I initially thought about implementing a separate counter for each telemetry category (i.e: one counter for logs, another for metrics.) But I decided that a single shared counter for all telemetry types can be useful to tie-break between them, if we ever needed the case to know if a metric was emitted before a log or vice-versa. ### Does it work on Cloudflare Environments I verified that this does indeed work on cloudflare environments and sequence numbers do increment as expected. <img width="2530" height="1446" alt="CleanShot 2026-03-09 at 12 13 04@2x" src="https://github.com/user-attachments/assets/a5cdd6eb-a1ae-4c1e-a349-8b5343d3b2e0" /> **Note for reviewers:** I considered not sending the attribute at all if it has `0` as a value to save some bytes since this would be the most common scenario but opted to keep it at all times for predictability. LMK what you think about that. --- Closes #19420 --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This is a follow up PR that cleans up our configuration and reverts the downgrade to warning for some of the rules we use. This brings us to a similar level of coverage with eslint. Some rules have sensitivity issue, especially when it comes to optional chaining and types so we will still have a lot of warnings. ## Summary of Changes ### Config changes (`.oxlintrc.json`) #### Globally disabled (TS files) | Rule | Why | |---|---| | `no-redundant-type-constituents` | Many violations are intentional — AI integration types use `'literal' \| string` for autocomplete hints, and `unknown \| X` patterns are common throughout the codebase. Low bug-catching value. | | `restrict-template-expressions` | 81 violations mostly from OTel span attributes and `unknown` values in template strings. Would require `String()` wrappers everywhere for minimal safety gain — the SDK handles these at runtime. | | `await-thenable` | `await` on non-Promises is valid JS — it's a useful pattern for uniformly handling `T \| Promise<T>` without branching. Not a bug. | | `no-base-to-string` | Set to **warn** (not off). Kept visible since `[object Object]` in strings is a real issue, but not blocking CI while we clean up the 22 remaining source violations. | #### Disabled in tests + dev-packages only | Rule | Why | |---|---| | `no-misused-spread` | Tests intentionally spread class instances to create plain fixture objects. | | `require-array-sort-compare` | Test assertions sorting string arrays — `.sort()` without comparator is fine for strings. | | `no-base-to-string` | Tests don't need strict toString safety. | #### Configured | Rule | Why | |---|---| | `no-unused-vars` | Set to warn with `_` prefix ignore patterns (`argsIgnorePattern`, `varsIgnorePattern`, `caughtErrorsIgnorePattern`). Standard convention — unused catch params/args prefixed with `_` are intentional. | ### Dev-packages config (`dev-packages/.oxlintrc.json`) Added `require-array-sort-compare`, `no-misused-spread`, and `no-base-to-string` as off — these rules aren't worth enforcing in test infrastructure. ### Code fixes | Change | Count | What | |---|---|---| | Removed `\| undefined` from optional params | 19 | `param?: T \| undefined` → `param?: T` — the `?` already implies `undefined` | | Prefixed unused catch params with `_` | 25 | `catch (error)` → `catch (_error)` — follows the `_` convention for intentionally unused variables | | Prefixed unused callback param | 1 | `(error, version)` → `(error, _version)` in `bun/scripts/install-bun.js` | ### Result **373 warnings → 31** (22 of which are the intentional `no-base-to-string` warnings we kept visible). Closes #19718 (added automatically) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Bumps [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git) from 3.30.0 to 3.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/steveukx/git-js/releases">simple-git's releases</a>.</em></p> <blockquote> <h2>simple-git@3.33.0</h2> <h3>Minor Changes</h3> <ul> <li>a263635: Use <code>pathspec</code> wrappers for remote and local paths when running either <code>git.clone</code> or <code>git.mirror</code> to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>e253a0d: Enhanced <code>git -c</code> checks in <code>unsafe</code> plugin.</p> <p>Thanks to <a href="https://github.com/JohannesLks"><code>@JohannesLks</code></a> for identifying the issue</p> </li> </ul> <h2>simple-git@3.32.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>f704208: Enhanced <code>protocol.allow</code> checks in <code>allowUnsafeExtProtocol</code> handling.</p> <p>Thanks to <a href="https://github.com/CodeAnt-AI-Security"><code>@CodeAnt-AI-Security</code></a> for identifying the issue</p> </li> </ul> <h2>simple-git@3.32.2</h2> <h3>Patch Changes</h3> <ul> <li>8d02097: Enhanced clone unsafe switch detection.</li> </ul> <h2>simple-git@3.32.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>23b070f: Fix regex for detecting unsafe clone options</p> <p>Thanks to <a href="https://github.com/stevenwdv"><code>@stevenwdv</code></a> for reporting this issue.</p> </li> </ul> <h2>simple-git@3.32.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>1effd8e: Enhances the <code>unsafe</code> plugin to block additional cases where the <code>-u</code> switch may be disguised along with other single character options.</p> <p>Thanks to <a href="https://github.com/JuHwiSang"><code>@JuHwiSang</code></a> for identifying this as vulnerability.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.</li> </ul> <h2>simple-git@3.31.1</h2> <h3>Patch Changes</h3> <ul> <li>a44184f: Resolve NPM publish steps</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md">simple-git's changelog</a>.</em></p> <blockquote> <h2>3.33.0</h2> <h3>Minor Changes</h3> <ul> <li>a263635: Use <code>pathspec</code> wrappers for remote and local paths when running either <code>git.clone</code> or <code>git.mirror</code> to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>e253a0d: Enhanced <code>git -c</code> checks in <code>unsafe</code> plugin.</p> <p>Thanks to <a href="https://github.com/JohannesLks"><code>@JohannesLks</code></a> for identifying the issue</p> </li> </ul> <h2>3.32.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>f704208: Enhanced <code>protocol.allow</code> checks in <code>allowUnsafeExtProtocol</code> handling.</p> <p>Thanks to <a href="https://github.com/CodeAnt-AI-Security"><code>@CodeAnt-AI-Security</code></a> for identifying the issue</p> </li> </ul> <h2>3.32.2</h2> <h3>Patch Changes</h3> <ul> <li>8d02097: Enhanced clone unsafe switch detection.</li> </ul> <h2>3.32.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>23b070f: Fix regex for detecting unsafe clone options</p> <p>Thanks to <a href="https://github.com/stevenwdv"><code>@stevenwdv</code></a> for reporting this issue.</p> </li> </ul> <h2>3.32.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>1effd8e: Enhances the <code>unsafe</code> plugin to block additional cases where the <code>-u</code> switch may be disguised along with other single character options.</p> <p>Thanks to <a href="https://github.com/JuHwiSang"><code>@JuHwiSang</code></a> for identifying this as vulnerability.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.</li> </ul> <h2>3.31.1</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/steveukx/git-js/commit/8bbbabc827fc05824e0e4bd51746e9ca0109b353"><code>8bbbabc</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/a263635ca4729c276eba869ae8c97cbb00fc4eb9"><code>a263635</code></a> Clone API use pathspec (<a href="https://github.com/steveukx/git-js/tree/HEAD/simple-git/issues/1132">#1132</a>)</li> <li><a href="https://github.com/steveukx/git-js/commit/e253a0d1bf9d013228f856209b3b8a7c5980a54b"><code>e253a0d</code></a> Fix/block unsafe 2603 (<a href="https://github.com/steveukx/git-js/tree/HEAD/simple-git/issues/1135">#1135</a>)</li> <li><a href="https://github.com/steveukx/git-js/commit/a1170e506eeeaade4a242bfbf6d0620d57872364"><code>a1170e5</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"><code>f704208</code></a> In extension to CVE-2022-25912, switch to case-insensitive check for `protoco...</li> <li><a href="https://github.com/steveukx/git-js/commit/4bb20811eb35c0fa5437553cad4eb8ebf8f6f6e6"><code>4bb2081</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/7ae7537737bafc1e6559a28816785b10926fb095"><code>7ae7537</code></a> Match tokens to word boundary</li> <li><a href="https://github.com/steveukx/git-js/commit/c47ad103b07ce768cf69aec63e0c9f7f77a1ab0f"><code>c47ad10</code></a> Lint</li> <li><a href="https://github.com/steveukx/git-js/commit/8d02097b726c2bc5360b4f55ee3ecb7e09648e4d"><code>8d02097</code></a> Enhanced clone switch detection</li> <li><a href="https://github.com/steveukx/git-js/commit/f6909a52807512cb4e29a654db2dcd409b019113"><code>f6909a5</code></a> Remove test timeout override</li> <li>Additional commits viewable in <a href="https://github.com/steveukx/git-js/commits/simple-git@3.33.0/simple-git">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for simple-git since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Instruments the `@Cron`, `@Interval` and `@Timeout` decorators from `@nestjs/schedule` ([npm](https://www.npmjs.com/package/@nestjs/schedule)) to capture errors and fork isolation scopes to prevent leakage into subsequent http requests. So far we only had a manual `@SentryCron` decorator that users could apply to get checkins and exceptions from crons. `@SentryCron` is now reduced to only send check-ins if applied (no exception capture anymore since this is handled by the auto-instrumentation). Closes #19704
Bumps [file-type](https://github.com/sindresorhus/file-type) from 20.5.0 to 21.3.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sindresorhus/file-type/releases">file-type's releases</a>.</em></p> <blockquote> <h2>v21.3.1</h2> <ul> <li>Fix infinite loop in ASF parser on malformed input (<a href="https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473">https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473</a>) 319abf8</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1">https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1</a></p> <h2>v21.3.0</h2> <ul> <li>Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (<a href="https://redirect.github.com/sindresorhus/file-type/issues/779">#779</a>) d223491</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.2.0...v21.3.0">https://github.com/sindresorhus/file-type/compare/v21.2.0...v21.3.0</a></p> <h2>v21.2.0</h2> <ul> <li>Add support for SPSS data files (<a href="https://redirect.github.com/sindresorhus/file-type/issues/787">#787</a>) 889f638</li> <li>Add support for JMP (<a href="https://redirect.github.com/sindresorhus/file-type/issues/784">#784</a>) 093dba0</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.1.1...v21.2.0">https://github.com/sindresorhus/file-type/compare/v21.1.1...v21.2.0</a></p> <h2>v21.1.1</h2> <ul> <li>Fix handling of partial Gunzip file (<a href="https://redirect.github.com/sindresorhus/file-type/issues/783">#783</a>) 710e053</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.1.0...v21.1.1">https://github.com/sindresorhus/file-type/compare/v21.1.0...v21.1.1</a></p> <h2>v21.1.0</h2> <ul> <li>Add support for <code>.tar.gz</code> (gunzipped tarball file) (<a href="https://redirect.github.com/sindresorhus/file-type/issues/763">#763</a>) eda03a7</li> <li>Add support for Windows registry (.reg) files 0db61ec 7d2ddcf</li> <li>Add support for Windows registry hive file (<code>.dat</code>) (<a href="https://redirect.github.com/sindresorhus/file-type/issues/767">#767</a>) f8d62be</li> <li>Fix: Handle partial unzip (<a href="https://redirect.github.com/sindresorhus/file-type/issues/773">#773</a>) 7ad3a90</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.0.0...v21.1.0">https://github.com/sindresorhus/file-type/compare/v21.0.0...v21.1.0</a></p> <h2>v21.0.0</h2> <h3>Breaking</h3> <ul> <li>Require Node.js 20 24aec1f</li> <li>Drop Adobe Illustrator (.ai) detection support (<a href="https://redirect.github.com/sindresorhus/file-type/issues/743">#743</a>) af169f3</li> <li>Correct Matroska (video) MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/753">#753</a>) f53f5ff</li> <li>Correct FLAC MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/755">#755</a>) b9fda36</li> <li>Correct Apache Parquet MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/748">#748</a>) 98e3f8e</li> <li>Correct Apache Arrow MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/754">#754</a>) 7184775</li> </ul> <h3>Improvements</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sindresorhus/file-type/commit/ad5857e5384874e853cc9c4c29b867f1135a7c30"><code>ad5857e</code></a> 21.3.1</li> <li><a href="https://github.com/sindresorhus/file-type/commit/5d2fedf104dc5067b51a1f31410aa60052c74f64"><code>5d2fedf</code></a> Harden parser</li> <li><a href="https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f"><code>319abf8</code></a> Fix infinite loop in ASF parser on malformed input</li> <li><a href="https://github.com/sindresorhus/file-type/commit/1ca9281706e6ff5606d4ebaf88fa8f97b124c126"><code>1ca9281</code></a> Mention <code>@file-type/cfbf</code> plugin (<a href="https://redirect.github.com/sindresorhus/file-type/issues/791">#791</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/2033ea7f1aef092e8251034b1207efc7c96ebeb0"><code>2033ea7</code></a> 21.3.0</li> <li><a href="https://github.com/sindresorhus/file-type/commit/d223491482bda0a8222e29fe31cca7ecf65a0c4e"><code>d223491</code></a> Add support for Mach-O Universal (aka "Fat") binaries and additional architec...</li> <li><a href="https://github.com/sindresorhus/file-type/commit/2ca86b3869a0185ec40e273ff51a9607cce2a48e"><code>2ca86b3</code></a> Docs: Remove BYOB stream requirement warning (<a href="https://redirect.github.com/sindresorhus/file-type/issues/790">#790</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/4d7393ad119cdb56698a7b0575302913032c2692"><code>4d7393a</code></a> List <code>@file-type/pdf</code> in available plugins (<a href="https://redirect.github.com/sindresorhus/file-type/issues/788">#788</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/810e1d87c54beb10603855cfb654a8ce15a0cefb"><code>810e1d8</code></a> 21.2.0</li> <li><a href="https://github.com/sindresorhus/file-type/commit/889f6384142d2b13c20898f1e1ca147b25704661"><code>889f638</code></a> Add support for SPSS data files (<a href="https://redirect.github.com/sindresorhus/file-type/issues/787">#787</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sindresorhus/file-type/compare/v20.5.0...v21.3.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…, interceptors, and exception filters (#19751) This should allow for more specific querying for users and also potentially interesting data to look at for us in the future. Spans emitted from actual middlewares keep the same origin as before, for the rest I added the integration-part so we know where the span is coming from. Closes #19750
I think this is even the actual fix for #19589 This could happen right now for alarms. When an alarm is being executed the first Client is getting disposed. Once the alarm is getting triggered it might be that it wants to reuse the previous Client, which didn't work as it got disposed. With that fix we actually check if the client is also disposed (by checking if there is a transport), if there is none we just create a new client.
Mock `timestampInSeconds` in the "increments the sequence number across consecutive metrics" test to return a fixed value. The test was flaky because consecutive calls could land on different milliseconds, causing the sequence counter to reset unexpectedly. Closes #19749 --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This patch adjusts our Astro middleware to be compatible with Astro 6. It
also adds an e2e test app for Astro 6 on the node adapter.
Changes:
- Cleaned up peer dependency range in `package.json`
- The middleware context object's properties changed. We need to access
route manifest now via `ctx.[Symbol.for('astro.pipeline')]` instead of
`ctx.[Symbol.for('context.routes')]`
- For now, I skipped our server island tests because there's still a
[bug in Astro 6.0.2](withastro/astro#15753)
which causes server islands not to work correctly. Once this is fixed (I
subscribed to the issue), we should be able to re-enable the test
without any fails 🤞
---------
Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
This PR introduces some attributes and fixes to Vercel AI SDK: - Adds new [gen_ai.output.messages ](https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-output-messages) which deprecates https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-response-text and https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-response-tool_calls - Adds new [gen_ai.tool.description](https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-tool-description) - Checks for Vercel AI media type when stripping media out of the input messages Closes #19574
nicohrubec
approved these changes
Mar 11, 2026
## Summary Standardize lint/format script naming across the monorepo (53 files). Removes redundant/confusing scripts and makes naming consistent. ### New root-level scripts | Script | Command | Purpose | |--------|---------|---------| | `verify` | `run-s format:check lint` | Read-only: format check + lint | | `fix` | `run-s format lint:fix` | Write: format + lint fix | | `lint` | `oxlint . --type-aware` | Lint only | | `lint:fix` | `oxlint . --fix --type-aware` | Lint + fix only | | `format` | `oxfmt . --write` | Format only | | `format:check` | `oxfmt . --check` | Format check only | ### What changed - `lint` now runs only oxlint (previously also ran oxfmt check) - `lint:fix` replaces old `fix` for oxlint auto-fix - New `verify` runs both `format:check` + `lint` (replaces old `lint` behavior) - New `fix` runs both `format` + `lint:fix` - All oxlint commands consistently include `OXLINT_TSGOLINT_DANGEROUSLY_SUPPRESS_PROGRAM_DIAGNOSTICS` flag and `--type-aware` across root and all sub-packages - Removes redundant scripts: `fix:oxlint`, `fix:oxfmt`, `lint:oxfmt`, `lint:oxlint` - Updates CI workflow (`build.yml`) to use new script names ## Test plan - [ ] CI lint job passes with `yarn lint` instead of `yarn lint:oxlint` - [ ] CI format check job passes (unchanged `yarn format:check`) - [ ] `yarn verify` runs both format check and lint at root level - [ ] `yarn fix` runs both format and lint fix at root level 🤖 Generated with [Claude Code](https://claude.com/claude-code) Closes #19722 (added automatically) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
andreiborza
force-pushed
the
ab/bump-otel
branch
from
6672a2d to
0e2af05
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Bump OpenTelemetry instrumentation packages: - @opentelemetry/instrumentation-amqplib: 0.52.0 → 0.54.0 - @opentelemetry/instrumentation-connect: 0.53.0 → 0.55.0 - @opentelemetry/instrumentation-dataloader: 0.26.0 → 0.28.0 - @opentelemetry/instrumentation-express: 0.53.0 → 0.55.0 - @opentelemetry/instrumentation-fastify: 0.53.0 → 0.55.0 - @opentelemetry/instrumentation-fs: 0.29.0 → 0.31.0 - @opentelemetry/instrumentation-generic-pool: 0.53.0 → 0.55.0 - @opentelemetry/instrumentation-graphql: 0.47.0 → 0.49.0 - @opentelemetry/instrumentation-hapi: 0.55.0 → 0.57.0 - @opentelemetry/instrumentation-http: 0.57.0 → 0.59.0 - @opentelemetry/instrumentation-ioredis: 0.57.0 → 0.59.0 - @opentelemetry/instrumentation-kafkajs: 0.27.0 → 0.29.0 - @opentelemetry/instrumentation-knex: 0.54.0 → 0.56.0 - @opentelemetry/instrumentation-koa: 0.57.0 → 0.59.0 - @opentelemetry/instrumentation-lru-memoizer: 0.54.0 → 0.56.0 - @opentelemetry/instrumentation-mongodb: 0.52.0 → 0.54.0 - @opentelemetry/instrumentation-mongoose: 0.55.0 → 0.57.0 - @opentelemetry/instrumentation-mysql: 0.55.0 → 0.57.0 - @opentelemetry/instrumentation-mysql2: 0.55.0 → 0.57.0 - @opentelemetry/instrumentation-nestjs-core: 0.57.0 → 0.59.0 - @opentelemetry/instrumentation-pg: 0.51.0 → 0.53.0 - @opentelemetry/instrumentation-redis-4: 0.56.0 → 0.58.0 - @opentelemetry/instrumentation-tedious: 0.28.0 → 0.30.0 - @opentelemetry/instrumentation-undici: 0.20.0 → 0.22.0 - @opentelemetry/instrumentation-aws-sdk: 0.66.0 → 0.68.0 - @opentelemetry/instrumentation: 0.57.0 → 0.59.0 Bump OpenTelemetry core packages: - @opentelemetry/api: 1.9.0 → 1.10.0 - @opentelemetry/core: 1.30.0 → 1.32.0 - @opentelemetry/sdk-trace-base: 1.30.0 → 1.32.0 - @opentelemetry/resources: 1.30.0 → 1.32.0 - @opentelemetry/context-async-hooks: 1.30.0 → 1.32.0 - @opentelemetry/semantic-conventions: ^1.39.0 → ^1.40.0 Bump other packages: - import-in-the-middle: ^2.0.6 → ^3.0.0 - @fastify/otel: 0.16.0 → 0.17.1 - @prisma/instrumentation: 7.2.0 → 7.4.2 Add yarn resolution for @opentelemetry/instrumentation to 0.213.0 to prevent @prisma/instrumentation (^0.207.0) and @fastify/otel (^0.212.0) from pulling in older versions with conflicting import-in-the-middle copies, which breaks ESM HTTP instrumentation. Update tests for instrumentation-undici 0.22.0 spec compliance: - Remove http.response.header.content-length assertions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The `_httpPatched` guard in `@opentelemetry/instrumentation-http` >=0.213.0 blocks ESM patching after CJS, breaking HTTP spans in environments like AWS Lambda where the runtime loads `http` via CJS before the user's ESM handler imports it. Ref: open-telemetry/opentelemetry-js#6489
andreiborza
force-pushed
the
ab/bump-otel
branch
from
0e2af05 to
22e0e54
Compare
Bumps [hono](https://github.com/honojs/hono) from 4.12.5 to 4.12.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.7</h2> <h2>Security hardening</h2> <p>Ignore <code>__proto__</code> path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.</p> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.6...v4.12.7">https://github.com/honojs/hono/compare/v4.12.6...v4.12.7</a></p> <h2>v4.12.6</h2> <h2>What's Changed</h2> <ul> <li>fix(accept): replace regex split to mitigate ReDoS by <a href="https://github.com/EdamAme-x"><code>@EdamAme-x</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4758">honojs/hono#4758</a></li> <li>fix(jsx): align link hoisting and dedupe with React 19 by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4792">honojs/hono#4792</a></li> <li>chore(builld): tsconfig project references by <a href="https://github.com/BarryThePenguin"><code>@BarryThePenguin</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4797">honojs/hono#4797</a></li> <li>chore: add <code>tsconfig.spec.json</code> by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4798">honojs/hono#4798</a></li> <li>feat(jsx-renderer): support function-based options by <a href="https://github.com/3w36zj6"><code>@3w36zj6</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4780">honojs/hono#4780</a></li> <li>fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by <a href="https://github.com/t0waxx"><code>@t0waxx</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4782">honojs/hono#4782</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/t0waxx"><code>@t0waxx</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4782">honojs/hono#4782</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.5...v4.12.6">https://github.com/honojs/hono/compare/v4.12.5...v4.12.6</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/b0aba5bd76f11a9f0fef1210a705523fa30172ab"><code>b0aba5b</code></a> 4.12.7</li> <li><a href="https://github.com/honojs/hono/commit/1be3a53ccbd40b85073fc05a1af1ddf4c7a83620"><code>1be3a53</code></a> ci: apply automated fixes</li> <li><a href="https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe"><code>ef90225</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/3f886365c8e2bc3e1e71bc18685583b91fc9327d"><code>3f88636</code></a> 4.12.6</li> <li><a href="https://github.com/honojs/hono/commit/53b66aeac5a503860af902013a1f89ba49ec9641"><code>53b66ae</code></a> fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (<a href="https://redirect.github.com/honojs/hono/issues/4782">#4782</a>)</li> <li><a href="https://github.com/honojs/hono/commit/58825a72f7cc0a36d08535fc11dc90934ba77aeb"><code>58825a7</code></a> feat(jsx-renderer): support function-based options (<a href="https://redirect.github.com/honojs/hono/issues/4780">#4780</a>)</li> <li><a href="https://github.com/honojs/hono/commit/0e80acb9f82912f44c7ebf949bc00abdfdc1eda0"><code>0e80acb</code></a> chore: add <code>tsconfig.spec.json</code> (<a href="https://redirect.github.com/honojs/hono/issues/4798">#4798</a>)</li> <li><a href="https://github.com/honojs/hono/commit/d69deb8886cde681172d8c1280273e032a50d015"><code>d69deb8</code></a> chore(builld): tsconfig project references (<a href="https://redirect.github.com/honojs/hono/issues/4797">#4797</a>)</li> <li><a href="https://github.com/honojs/hono/commit/8217d9ece6f4d302e446b8dc353d1b3cbf51d92e"><code>8217d9e</code></a> fix(jsx): align link hoisting and dedupe with React 19 (<a href="https://redirect.github.com/honojs/hono/issues/4792">#4792</a>)</li> <li><a href="https://github.com/honojs/hono/commit/50869562980628b2984f73e064bb80691e5286bc"><code>5086956</code></a> fix(accept): replace regex split to mitigate ReDoS (<a href="https://redirect.github.com/honojs/hono/issues/4758">#4758</a>)</li> <li>See full diff in <a href="https://github.com/honojs/hono/compare/v4.12.5...v4.12.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
andreiborza
force-pushed
the
ab/bump-otel
branch
from
0405ab0 to
62abea9
Compare
andreiborza
force-pushed
the
ab/bump-otel
branch
from
62abea9 to
bcb496e
Compare
andreiborza
force-pushed
the
ab/bump-otel
branch
from
ccf1bf4 to
6bb4939
Compare
chargome
approved these changes
Mar 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com
Closes #19683 (added automatically)