
meta(changelog): Update changelog for 10.43.0#19716

Merged
chargome merged 38 commits intomasterfrom
prepare-release/10.43.0
Mar 9, 2026

Conversation


@chargome chargome commented Mar 9, 2026

:)

nicohrubec and others added 30 commits March 3, 2026 13:56
…on (#19602)

We are extending the skill to scan through all issues instead:
#19598

Closes #19603 (added automatically)
Adds a "scan all" mode to the security fix skill:
`/fix-security-vulnerability --all`, which will interactively iterate
over all open security issues in this repo. The user is prompted for
every issue for the action to take. Fixes will be carried out on
separate branches, so they do not cross-pollute.

Did a quick trial and closed about 30 issues in 10 minutes.

Closes #19599 (added automatically)
[Gitflow] Merge master into develop
Adds local skills to lockfile

Closes #19607 (added automatically)
…lt release (#19617)

Add `HEROKU_BUILD_COMMIT` as the primary env var for detecting the
release on Heroku, keeping `HEROKU_SLUG_COMMIT` as a fallback since it
is deprecated by Heroku.

Closes: #19615
… in Turbopack (#19604)

Adds a Turbopack loader that annotates React components with
`data-sentry-component`, `data-sentry-element`, and
`data-sentry-source-file` attributes at build time. This enables
searching Replays by component name, seeing component names in
breadcrumbs, and performance monitoring — previously only available with
webpack builds.

- Adds `componentAnnotationLoader` that reuses
`createComponentNameAnnotateHooks` from `@sentry/bundler-plugin-core`
- Registered via `constructTurbopackConfig` for `*.{tsx,jsx}` files with
condition: `{ not: 'foreign' }` (Next.js 16+ only)
- Configurable via `_experimental.turbopackReactComponentAnnotation` in
SentryBuildOptions

## Usage

```ts
// next.config.ts
import { withSentryConfig } from '@sentry/nextjs';
import type { NextConfig } from 'next';

const nextConfig: NextConfig = {};

export default withSentryConfig(nextConfig, {
  _experimental: {
    turbopackReactComponentAnnotation: {
      enabled: true,
      ignoredComponents: ['Header', 'Footer'], // optional
    },
  },
});
```

closes #19319
Tool calls were only cleaned up on tool errors, causing unbounded
retention in tool-heavy apps (and potential OOMs when inputs/outputs
were recorded). Store only span context in the global map and clean up
on successful tool results; add tests for caching/eviction.

---------

Co-authored-by: Nicolas Hrubec <nico.hrubec@sentry.io>
The SDK now only uses the hono integration for error capturing. Before,
the Hono integration from the Cloudflare SDK wrapping was used which
caused unparametrized transaction names.

Additionally, the mechanism `auto.faas.hono.error_handler` was added to
the error.

Closes #19578 (added automatically)
…I semantic conventions (#19624)

- Standardize invoke_agent pipeline span descriptions to use
`invoke_agent` (with optional `functionId` suffix) instead of Vercel SDK
function names like `generateText` or `generateObject`. This aligns with
how other AI integrations (e.g. LangGraph) name their agent spans.
- Unify all `.do*` content generation span descriptions under a single
`generate_content` prefix (e.g. `generate_content mock-model-id`)
instead of using individual prefixes like `generate_text`,
`stream_text`, `generate_object`, `stream_object`.
- Remove `addOriginToSpan` helper and inline the `setAttribute` call
directly.


Closes #19625 (added automatically)
Middleware spans are named either after the function name or they are
numbered.

Middleware in Hono is onion-shaped ([see
docs](https://hono.dev/docs/concepts/middleware)) and technically, this
shape would create a nested children-based span structure. This however,
is not as intuitive and so I decided (after also talking to @andreiborza
and @JPeer264) to create a sibling-like structure:

<img width="873" height="152" alt="image"
src="https://github.com/user-attachments/assets/484d029b-0887-4d5a-87c4-8eaca9d0081c"
/>

Closes #19585
Bumps [immutable](https://github.com/immutable-js/immutable-js) from
4.0.0 to 4.3.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/immutable-js/immutable-js/releases">immutable's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.8</h2>
<p>Fix Improperly Controlled Modification of Object Prototype Attributes
('Prototype Pollution') in immutable</p>
<h2>v4.3.7</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix issue with slice negative of filtered sequence by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2006">immutable-js/immutable-js#2006</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/immutable-js/immutable-js/compare/v4.3.6...v4.3.7">https://github.com/immutable-js/immutable-js/compare/v4.3.6...v4.3.7</a></p>
<h2>v4.3.6</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix Repeat(<!-- raw HTML omitted -->).equals(undefined) incorrectly
returning true by <a
href="https://github.com/butchler"><code>@​butchler</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1994">immutable-js/immutable-js#1994</a></li>
</ul>
<h3>Internals</h3>
<ul>
<li>change youtube image by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1973">immutable-js/immutable-js#1973</a></li>
<li>Upgrade eslint and ignore no-constructor-return rule for actual
constructors by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1974">immutable-js/immutable-js#1974</a></li>
<li>upgrate documentation website to next 14 by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1975">immutable-js/immutable-js#1975</a></li>
<li>start migrating to nextjs app router by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1976">immutable-js/immutable-js#1976</a></li>
<li>upgrade next sitemap by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1978">immutable-js/immutable-js#1978</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/butchler"><code>@​butchler</code></a>
made their first contribution in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1994">immutable-js/immutable-js#1994</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/immutable-js/immutable-js/compare/v4.3.5...v4.3.6">https://github.com/immutable-js/immutable-js/compare/v4.3.5...v4.3.6</a></p>
<h2>v4.3.5</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix Set.fromKeys types with Map constructor in TS 5.0 by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1971">immutable-js/immutable-js#1971</a></li>
<li>upgrade to TS 5.1 by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1972">immutable-js/immutable-js#1972</a></li>
<li>fix dist-stats command by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1964">immutable-js/immutable-js#1964</a></li>
<li>fix Read the Docs link on readme by <a
href="https://github.com/joshding"><code>@​joshding</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1970">immutable-js/immutable-js#1970</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/joshding"><code>@​joshding</code></a>
made their first contribution in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1970">immutable-js/immutable-js#1970</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/immutable-js/immutable-js/compare/v4.3.4...v4.3.5">https://github.com/immutable-js/immutable-js/compare/v4.3.4...v4.3.5</a></p>
<h2>4.3.4</h2>
<h2>What's Changed</h2>
<ul>
<li>Rollback toJS type due to circular reference error by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1958">immutable-js/immutable-js#1958</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/immutable-js/immutable-js/compare/v4.3.3...v4.3.4">https://github.com/immutable-js/immutable-js/compare/v4.3.3...v4.3.4</a></p>
<h2>v4.3.3</h2>
<h2>What's Changed</h2>
<ul>
<li>[typescript] manage to handle toJS circular reference. <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/1932">#1932</a>
by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md">immutable's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>The format is based on <a
href="https://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>,
and this project adheres to <a
href="https://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.
Dates are formatted as YYYY-MM-DD.</p>
<h2>Unreleased</h2>
<h2>5.1.5</h2>
<ul>
<li>Fix Improperly Controlled Modification of Object Prototype
Attributes ('Prototype Pollution') in immutable</li>
</ul>
<h2>5.1.4</h2>
<ul>
<li>Migrate some files to TS by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2125">immutable-js/immutable-js#2125</a>
<ul>
<li>Iterator.ts</li>
<li>PairSorting.ts</li>
<li>toJS.ts</li>
<li>Math.ts</li>
<li>Hash.ts</li>
</ul>
</li>
<li>Extract CollectionHelperMethods and convert to TS by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2131">immutable-js/immutable-js#2131</a></li>
<li>Use npm <a href="https://docs.npmjs.com/trusted-publishers">trusted
publishing only</a> to avoid token stealing.</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>Fix/a11y issues by <a
href="https://github.com/lyannel"><code>@​lyannel</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li>
<li>Doc add Map.get signature update by <a
href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a>
in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li>
<li>fix(doc):minor-issues#2132 by <a
href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> in
<a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li>
<li>Fix algolia search by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2135">immutable-js/immutable-js#2135</a></li>
<li>Typo in OrderedMap by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2144">immutable-js/immutable-js#2144</a></li>
</ul>
<h3>Internal</h3>
<ul>
<li>chore: Sort all imports and activate eslint import rule by <a
href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2119">immutable-js/immutable-js#2119</a></li>
</ul>
<h2>5.1.3</h2>
<h3>TypeScript</h3>
<ul>
<li>fix: allow readonly map entry constructor by <a
href="https://github.com/septs"><code>@​septs</code></a> in <a
href="https://redirect.github.com/immutable-js/immutable-js/pull/2123">immutable-js/immutable-js#2123</a></li>
</ul>
<h3>Documentation</h3>
<p>There has been a huge amount of changes in the documentation, mainly
migrate from an autogenerated documentation from .d.ts file, to a proper
documentation in markdown.
The playground has been included on nearly all method examples.
We added a page about browser extensions too: <a
href="https://immutable-js.com/browser-extension/">https://immutable-js.com/browser-extension/</a></p>
<h3>Internal</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/485cbe0edf3ca7bb4b9c4a80ac55ba937a291da0"><code>485cbe0</code></a>
4.3.8</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/6ed4eb626906df788b08019061b292b90bc718cb"><code>6ed4eb6</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/94bcd3c79972db4afffd8d1e5aab415880098b05"><code>94bcd3c</code></a>
fix new proto key injection</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/faeb58b0cc71ed351dc51f672a95ae21bc859ef5"><code>faeb58b</code></a>
fix Prototype Pollution in mergeDeep, toJS, etc.</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/37ca4170060827e5f4eaa1969d1b61e5dc5eb11d"><code>37ca417</code></a>
release 4.3.7 (<a
href="https://redirect.github.com/immutable-js/immutable-js/issues/2007">#2007</a>)</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/23daf26b51ecc2805dcd9ac8534ce523397f9b62"><code>23daf26</code></a>
Fix issue with slice negative of filtered sequence (<a
href="https://redirect.github.com/immutable-js/immutable-js/issues/2006">#2006</a>)</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/493afba6ec17d9c999dc5a15ac80c71c6bdba1c3"><code>493afba</code></a>
release 4.3.6 (<a
href="https://redirect.github.com/immutable-js/immutable-js/issues/1997">#1997</a>)</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/be3cb9a7ae9a29f82c9d0c595f5f3cb957d7006c"><code>be3cb9a</code></a>
Fix Repeat(&lt;value&gt;).equals(undefined) incorrectly returning true
(<a
href="https://redirect.github.com/immutable-js/immutable-js/issues/1994">#1994</a>)</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/d7664bf9d3539da8ea095f2ed08bbe1cd0d46071"><code>d7664bf</code></a>
generate sitemap in path that will be deployed</li>
<li><a
href="https://github.com/immutable-js/immutable-js/commit/f8327b1db0bb131df8a830cf14642f6ad07ca466"><code>f8327b1</code></a>
upgrade next sitemap (<a
href="https://redirect.github.com/immutable-js/immutable-js/issues/1978">#1978</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/immutable-js/immutable-js/compare/v4.0.0...v4.3.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for immutable since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=immutable&package-manager=npm_and_yarn&previous-version=4.0.0&new-version=4.3.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
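The immutable release notes above describe a prototype pollution fix in `mergeDeep`, `toJS` and related helpers. The following is an added example, not immutable-js code, of the guard such a fix amounts to: a deep merge that never lets an input key such as `__proto__`, `constructor` or `prototype` reach the prototype chain. The names `safeMergeDeep`, `isPlainObject` and `demo`, and the sample patch, are constructed for this example.

```javascript
// Added example, not immutable-js code. A deep merge that refuses to write
// the keys an untrusted input would use to reach Object.prototype.
// safeMergeDeep / isPlainObject / demo are names chosen for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain dictionaries are merged recursively; arrays, class instances,
// Dates etc. are replaced wholesale so their internals are never walked.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns a new object; neither argument is mutated. Only own enumerable
// keys are read, and keys that address the prototype chain are dropped.
function safeMergeDeep(target, source) {
  const out = {};
  for (const key of Object.keys(target)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = target[key];
  }
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the pollution vector
    const incoming = source[key];
    const existing = out[key];
    out[key] =
      isPlainObject(existing) && isPlainObject(incoming)
        ? safeMergeDeep(existing, incoming)
        : incoming;
  }
  return out;
}

// Constructed sample: a JSON body carrying "__proto__" and "constructor"
// keys. JSON.parse creates them as ordinary own properties, which is why a
// naive merge that loops over Object.keys() would copy them.
const UNTRUSTED_PATCH = JSON.parse(
  '{"settings":{"theme":"dark"},' +
    '"__proto__":{"polluted":true},' +
    '"constructor":{"prototype":{"alsoPolluted":true}}}'
);

function demo() {
  const base = { settings: { theme: 'light', lang: 'en' }, version: 1 };
  const merged = safeMergeDeep(base, UNTRUSTED_PATCH);
  return {
    merged,
    // A fresh object must not have picked up either injected property.
    prototypeClean: ({}).polluted === undefined && ({}).alsoPolluted === undefined,
    baseUntouched: base.settings.theme === 'light',
  };
}
```

The important detail is that `Object.keys()` does return `__proto__` when it was created by `JSON.parse`, so the filter has to sit inside the merge loop; checking `hasOwnProperty` alone does not help.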
Bumps [underscore](https://github.com/jashkenas/underscore) from 1.12.1
to 1.13.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jashkenas/underscore/commit/9374840c22e348083d0d072f30dc980622523259"><code>9374840</code></a>
Merge branch 'release/1.13.8'</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/309ad7e6658b927ca5f28ce069665d9c523c53e5"><code>309ad7e</code></a>
Re-generate annotated sources and minified codemaps</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/a1ac1d33537662304d4985f61301112ea0f1f051"><code>a1ac1d3</code></a>
Add links to diff and docs in 1.13.8 change log entry</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/b579595ec9da8db15196bc1d3547833458939c44"><code>b579595</code></a>
Mention CVE-2026-27601 in comments and documentation (<a
href="https://redirect.github.com/jashkenas/underscore/issues/3011">#3011</a>)</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/45ea015a99069780db492a114c1e709dd77d3b89"><code>45ea015</code></a>
Revert obfuscations from 42823bb.</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/4a4019e00beb2c42eda20c05f375a35983b748f0"><code>4a4019e</code></a>
Update minified bundles</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/1ccfdd0c50470d862bb553c1e0c70567a59d4355"><code>1ccfdd0</code></a>
Add preliminary release notes for 1.13.8</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/42823bbff87e9fe82855d5adb5ba7ff839f8b446"><code>42823bb</code></a>
Temporarily obfuscate comments</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"><code>a6e23ae</code></a>
Make _.isEqual nonrecursive</li>
<li><a
href="https://github.com/jashkenas/underscore/commit/f2b516441ab99b82045f2a336c348899e6527e00"><code>f2b5164</code></a>
Add regression test against stack overflow in _.isEqual</li>
<li>Additional commits viewable in <a
href="https://github.com/jashkenas/underscore/compare/1.12.1...1.13.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=underscore&package-manager=npm_and_yarn&previous-version=1.12.1&new-version=1.13.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@hono/node-server](https://github.com/honojs/node-server) from
1.19.4 to 1.19.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/node-server/releases"><code>@​hono/node-server</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v1.19.10</h2>
<h2>Security Fix</h2>
<p>Fixed an authorization bypass in Serve Static Middleware caused by
inconsistent URL decoding (<code>%2F</code> handling) between the router
and static file resolution. Users of Serve Static Middleware are
encouraged to upgrade to this version.</p>
<p>See GHSA-wc8c-qw6v-h7f6 for details.</p>
<h2>v1.19.9</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(globals): Stop overwriting global.fetch by <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/295">honojs/node-server#295</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/node-server/compare/v1.19.8...v1.19.9">https://github.com/honojs/node-server/compare/v1.19.8...v1.19.9</a></p>
<h2>v1.19.8</h2>
<h2>What's Changed</h2>
<ul>
<li>docs: add guide for listening to UNIX domain socket by <a
href="https://github.com/TransparentLC"><code>@​TransparentLC</code></a>
in <a
href="https://redirect.github.com/honojs/node-server/pull/292">honojs/node-server#292</a></li>
<li>fix(serve-static): Use Readable.toWeb in serveStatic by <a
href="https://github.com/otya128"><code>@​otya128</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/293">honojs/node-server#293</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/TransparentLC"><code>@​TransparentLC</code></a>
made their first contribution in <a
href="https://redirect.github.com/honojs/node-server/pull/292">honojs/node-server#292</a></li>
<li><a href="https://github.com/otya128"><code>@​otya128</code></a> made
their first contribution in <a
href="https://redirect.github.com/honojs/node-server/pull/293">honojs/node-server#293</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/node-server/compare/v1.19.7...v1.19.8">https://github.com/honojs/node-server/compare/v1.19.7...v1.19.8</a></p>
<h2>v1.19.7</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: Fix for hono issue 4563 - incorrect content-length after
following symlink by <a
href="https://github.com/tshmieldev"><code>@​tshmieldev</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/290">honojs/node-server#290</a></li>
<li>chore: add <code>configVersion</code> to bun.lock by <a
href="https://github.com/yusukebe"><code>@​yusukebe</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/291">honojs/node-server#291</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/tshmieldev"><code>@​tshmieldev</code></a> made
their first contribution in <a
href="https://redirect.github.com/honojs/node-server/pull/290">honojs/node-server#290</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/node-server/compare/v1.19.6...v1.19.7">https://github.com/honojs/node-server/compare/v1.19.6...v1.19.7</a></p>
<h2>v1.19.6</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(serve-static): fix onFound timing by <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/286">honojs/node-server#286</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/node-server/compare/v1.19.5...v1.19.6">https://github.com/honojs/node-server/compare/v1.19.5...v1.19.6</a></p>
<h2>v1.19.5</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: cancel a readable stream if a writable stream is closed before
a readable stream is closed. by <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> in <a
href="https://redirect.github.com/honojs/node-server/pull/280">honojs/node-server#280</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/node-server/compare/v1.19.4...v1.19.5">https://github.com/honojs/node-server/compare/v1.19.4...v1.19.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/node-server/commit/2f8ca3665f5257305603783ec9999bd1a9bec0f2"><code>2f8ca36</code></a>
1.19.10</li>
<li><a
href="https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e"><code>455015b</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/node-server/commit/cc05c48d8eb34007d5d5ff3861ea554721387041"><code>cc05c48</code></a>
chore: add benchmark for comparing with npm and local (dev) (<a
href="https://redirect.github.com/honojs/node-server/issues/305">#305</a>)</li>
<li><a
href="https://github.com/honojs/node-server/commit/58c44121523b418578be5bd911f2b67d8ef73ceb"><code>58c4412</code></a>
chore: Adding LICENSE file with MIT license referenced in README.md (<a
href="https://redirect.github.com/honojs/node-server/issues/297">#297</a>)</li>
<li><a
href="https://github.com/honojs/node-server/commit/b1daa4cfb30ea58a926f3befed2fb883ae2fd9df"><code>b1daa4c</code></a>
docs(readme): add <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> as an
author (<a
href="https://redirect.github.com/honojs/node-server/issues/300">#300</a>)</li>
<li><a
href="https://github.com/honojs/node-server/commit/26f5e89da0abd87752da1f35dc01010f1d428648"><code>26f5e89</code></a>
1.19.9</li>
<li><a
href="https://github.com/honojs/node-server/commit/2d729e7c242e96d59df05aff6a54eb5e26148d12"><code>2d729e7</code></a>
fix(globals): Stop overwriting global.fetch (<a
href="https://redirect.github.com/honojs/node-server/issues/295">#295</a>)</li>
<li><a
href="https://github.com/honojs/node-server/commit/9b72ddfea012f7b1ba166a86d3b606af701f85e1"><code>9b72ddf</code></a>
1.19.8</li>
<li><a
href="https://github.com/honojs/node-server/commit/0b1229e8db483316f1bbcaca5cf2c5fefc23353b"><code>0b1229e</code></a>
fix(serve-static): Use Readable.toWeb in serveStatic (<a
href="https://redirect.github.com/honojs/node-server/issues/293">#293</a>)</li>
<li><a
href="https://github.com/honojs/node-server/commit/76d80e6c1c7bf7101b80392b6bfacc17e3829fd9"><code>76d80e6</code></a>
docs: add guide for listening to UNIX domain socket (<a
href="https://redirect.github.com/honojs/node-server/issues/292">#292</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/node-server/compare/v1.19.4...v1.19.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@hono/node-server&package-manager=npm_and_yarn&previous-version=1.19.4&new-version=1.19.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
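The `@hono/node-server` v1.19.10 notes quoted above attribute the authorization bypass to inconsistent URL decoding (`%2F` handling) between the router and static file resolution. The following is an added example, not `@hono/node-server` code, of the invariant such a fix restores: the path that is authorized and the path used to pick a file on disk are derived from a single decoding step, and percent-encoded separators are rejected before that step. `resolveStaticPath`, `serveIfAllowed`, the result shapes and the sample policy are constructed for this example.

```javascript
// Added example, not @hono/node-server or sentry-javascript code.
// resolveStaticPath / serveIfAllowed and their result shapes are names
// chosen for this example.

const ENCODED_SEPARATOR_RE = /%2f|%5c/i; // "/" and "\" in percent-encoding

function resolveStaticPath(rootDir, rawPath) {
  // Reject encoded separators up front: decoding them would change the
  // segment structure after a router has already matched the raw path.
  if (ENCODED_SEPARATOR_RE.test(rawPath)) {
    return { ok: false, reason: 'encoded-separator' };
  }
  // Decode exactly once. Double-encoded input ("%252f") decodes to the
  // literal text "%2f", which is treated as file-name characters from here
  // on and is never decoded a second time.
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return { ok: false, reason: 'bad-encoding' };
  }
  if (decoded.includes('\0') || decoded.includes('\\')) {
    return { ok: false, reason: 'forbidden-character' };
  }
  // Normalize segments without touching the filesystem, so ".." can never
  // climb above rootDir.
  const segments = [];
  for (const segment of decoded.split('/')) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') {
      if (segments.length === 0) return { ok: false, reason: 'traversal' };
      segments.pop();
      continue;
    }
    segments.push(segment);
  }
  const relative = segments.join('/');
  const root = rootDir.replace(/\/+$/, '');
  // Both values derive from the same normalized string.
  return { ok: true, routePath: '/' + relative, filePath: `${root}/${relative}` };
}

// Applies the authorization predicate to the normalized route path and only
// then hands back the file path, so there is no second, differently decoded
// view of the request for the file lookup to disagree with.
function serveIfAllowed(rootDir, rawPath, isAllowed) {
  const resolved = resolveStaticPath(rootDir, rawPath);
  if (!resolved.ok) return { status: 400, reason: resolved.reason };
  if (!isAllowed(resolved.routePath)) return { status: 403, reason: 'denied' };
  return { status: 200, filePath: resolved.filePath };
}

// Constructed sample policy: everything under /private is not public.
const denyPrivate = routePath => !routePath.startsWith('/private/');
```

Running the policy against the normalized path rather than the raw request string is what makes `/public/../private/key.txt` and `/private/key.txt` receive the same answer; a raw-path check would see two different strings.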
Similar to browser bundles, the layer does not need to be built during
`dev` builds.

Closes #19587 (added automatically)

---------

Co-authored-by: Andrei Borza <andrei.borza@sentry.io>
Fixes Dependabot alert #1134.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Uses `dotagents` to add the `skill-scanner` skill from
`getsentry/skills` for scanning agent skills for security issues such as
prompt injection, malicious scripts and supply chain risks.

Closes #19609 (added automatically)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Fixes Dependabot alerts #1125, #1126, #1127, #1128, #1129, #1130.
- CVE-2026-29045: Arbitrary file access via serveStatic (high)
- Cookie Attribute Injection via setCookie() (medium)
- SSE Control Field Injection via writeSSE() (medium)

@s1gr1d feel free to close this one if you want, but pls dismiss the
alerts accordingly if this is the case

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
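The two medium-severity items above, cookie attribute injection via `setCookie()` and SSE control field injection via `writeSSE()`, share one root cause: a caller-supplied value is interpolated into a text protocol where certain characters start a new attribute or a new field. The following is an added example, not Hono's `setCookie()` or `writeSSE()`, of the validation that closes both. `serializeCookie`, `formatSseMessage`, `throwsTypeError` and the sample inputs are constructed for this example.

```javascript
// Added example, not Hono code. serializeCookie / formatSseMessage /
// throwsTypeError are names chosen for this example.

const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265 token
// RFC 6265 cookie-octet: printable US-ASCII minus space, '"', ',', ';', '\'.
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// Any of these inside an attribute value would end the attribute or the
// whole header line, letting the value smuggle in further attributes.
const ATTR_FORBIDDEN_RE = /[;\r\n\x00]/;
const KNOWN_ATTRS = new Set([
  'Path', 'Domain', 'Max-Age', 'Expires', 'SameSite', 'Secure', 'HttpOnly', 'Partitioned',
]);

function serializeCookie(name, value, attrs = {}) {
  if (!COOKIE_NAME_RE.test(name)) throw new TypeError('invalid cookie name');
  if (!COOKIE_VALUE_RE.test(value)) throw new TypeError('invalid cookie value');
  const parts = [`${name}=${value}`];
  for (const [attr, raw] of Object.entries(attrs)) {
    if (!KNOWN_ATTRS.has(attr)) throw new TypeError(`unknown cookie attribute ${attr}`);
    if (raw === false || raw === undefined) continue;
    if (raw === true) { parts.push(attr); continue; } // flag attributes
    const text = raw instanceof Date ? raw.toUTCString() : String(raw);
    if (ATTR_FORBIDDEN_RE.test(text)) throw new TypeError(`invalid characters in ${attr}`);
    parts.push(`${attr}=${text}`);
  }
  return parts.join('; ');
}

const SSE_LINE_BREAK_RE = /[\r\n]/;

// In text/event-stream a line break ends the current field, so "event" and
// "id" values must not contain one. "data" may, because the protocol
// encodes a multi-line payload as one "data:" line per line and the client
// re-joins them with "\n".
function formatSseMessage({ event, id, retry, data }) {
  const lines = [];
  if (event !== undefined) {
    if (SSE_LINE_BREAK_RE.test(event)) throw new TypeError('line break in SSE event');
    lines.push(`event: ${event}`);
  }
  if (id !== undefined) {
    const idText = String(id);
    if (SSE_LINE_BREAK_RE.test(idText) || idText.includes('\0')) throw new TypeError('invalid SSE id');
    lines.push(`id: ${idText}`);
  }
  if (retry !== undefined) {
    if (!Number.isInteger(retry) || retry < 0) throw new TypeError('SSE retry must be a non-negative integer');
    lines.push(`retry: ${retry}`);
  }
  for (const line of String(data ?? '').split(/\r\n|\r|\n/)) lines.push(`data: ${line}`);
  return lines.join('\n') + '\n\n';
}

// Small helper so rejection can be checked as a return value.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (err) { return err instanceof TypeError; }
}
```

Rejecting rather than escaping is deliberate: neither `Set-Cookie` attributes nor SSE field names have an escape syntax, so a value containing `;` or a line break has no safe encoding in that position.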
…sts (#19652)

Auto-instrumentation for guards, interceptors and pipes seems to work
out of the box. However, trace propagation seems broken since they are
not attached to the main http transaction, instead they become
standalone transactions. Add some tests to document current behavior.

Closes #19648
Fixes Dependabot alert #1132 (CVE-2026-29074).

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This is just an early spike on how we can test uploaded sourcemaps; I'd
like to expand this a bit further in follow-up PRs for different Next.js
scenarios.

- Adds a new `nextjs-sourcemaps` e2e test app that verifies sourcemaps
uploads during `next build`
- The test app builds a minimal Next.js app against a mock Sentry
server, then asserts that:
  - Artifact bundles with valid manifests were uploaded
  - JS/sourcemap pairs have matching, valid debug IDs (UUIDs)
  - Sourcemaps contain real mappings and reference app source files
  - Artifact bundle assemble requests target the correct project
- Extracts the mock server and assertion logic into reusable utilities
in `@sentry-internal/test-utils` (`startMockSentryServer`,
`assertDebugIdPairs`, `assertSourcemapMappings`, etc.) so other
frameworks can reuse them.

## How it works

1. `pnpm build` starts a mock Sentry server on `:3032`, then runs `next
build` with `@sentry/nextjs` configured to upload sourcemaps to it
2. The mock server captures all requests (chunk uploads, artifact bundle
assemble, releases) and writes them to disk
3. `pnpm test:assert` runs `assert-build.ts` which loads the captured
data and runs the assertion suite

Closes #19657 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Bumps
[@sentry/rollup-plugin](https://github.com/getsentry/sentry-javascript-bundler-plugins)
from 5.1.0 to 5.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/releases"><code>@sentry/rollup-plugin</code>'s
releases</a>.</em></p>
<blockquote>
<h2>5.1.1</h2>
<h3>Bug Fixes 🐛</h3>
<ul>
<li>Align <code>engines</code> with Node support by <a
href="https://github.com/timfish"><code>@timfish</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/893">#893</a></li>
</ul>
<h3>Internal Changes 🔧</h3>
<ul>
<li>Use version range for magic-string by <a
href="https://github.com/JPeer264"><code>@JPeer264</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/891">#891</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/blob/main/CHANGELOG.md"><code>@sentry/rollup-plugin</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>5.1.1</h2>
<h3>Bug Fixes 🐛</h3>
<ul>
<li>Align <code>engines</code> with Node support by <a
href="https://github.com/timfish"><code>@timfish</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/893">#893</a></li>
</ul>
<h3>Internal Changes 🔧</h3>
<ul>
<li>Use version range for magic-string by <a
href="https://github.com/JPeer264"><code>@JPeer264</code></a> in <a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/pull/891">#891</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/commit/b0a97c7e98b98b6d1477396e732a35c9b97904bb"><code>b0a97c7</code></a>
release: 5.1.1</li>
<li><a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/commit/16275643a96c2da8bc7e24df98f402e8311ac7d6"><code>1627564</code></a>
fix: Align <code>engines</code> with Node support (<a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/issues/893">#893</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/commit/635b5843d3a7b6f86d221ded189353baa2913aaa"><code>635b584</code></a>
chore: Use version range for magic-string (<a
href="https://redirect.github.com/getsentry/sentry-javascript-bundler-plugins/issues/891">#891</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/commit/b50daf682e94bea926662e0ab3f2436c0b4c251c"><code>b50daf6</code></a>
Merge branch 'release/5.1.0'</li>
<li>See full diff in <a
href="https://github.com/getsentry/sentry-javascript-bundler-plugins/compare/5.1.0...5.1.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@sentry/rollup-plugin&package-manager=npm_and_yarn&previous-version=5.1.0&new-version=5.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.


---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tStorage (#19662)

## Summary

Fixes #19661

`instrumentDurableObjectStorage`'s Proxy `get` trap passes `receiver`
(the proxy) to `Reflect.get`, breaking native workerd getters like
`storage.sql` that validate `this` via internal slots.

- Change `Reflect.get(target, prop, receiver)` → `Reflect.get(target,
prop, target)` so native getters execute with the real storage object as
`this`
- Add regression tests using a class with private fields to simulate
workerd's native brand-checked getters

## Details

The `sql` property on `DurableObjectStorage` is a native getter that
requires the real native object as `this`. When the Proxy's `get` trap
calls `Reflect.get(target, prop, receiver)`, the getter runs with `this`
= proxy → "Illegal invocation". Using `target` as receiver ensures
native getters always run against the real storage object.

Instrumented KV methods (`get`, `put`, `delete`, `list`) were unaffected
because they're functions that get explicitly `.bind(target)`ed or
called via `.apply(target, args)`. The bug only manifests for
non-function getters (like `sql`).

**Regression tests** use a `BrandCheckedStorage` class with private
fields — accessing `#sqlInstance` on the wrong `this` throws TypeError,
faithfully simulating workerd's native internal-slot validation.

---------

Co-authored-by: Nicolas Hrubec <nico.hrubec@sentry.io>
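The receiver bug described in this commit, as an added example (not the SDK's `instrumentDurableObjectStorage` code): `BrandCheckedStorage` is a constructed stand-in for workerd's storage object, and `instrument`/`exercise` are hypothetical minimal helpers that switch between the two `Reflect.get` receiver forms.

```javascript
// Constructed stand-in for workerd's DurableObjectStorage: `sql` is a getter
// that brand-checks `this` through a private field, so invoking it with a
// Proxy as `this` throws a TypeError (workerd reports "Illegal invocation").
class BrandCheckedStorage {
  #sqlInstance = { exec: query => `executed: ${query}` };
  #kv = new Map();

  get sql() {
    return this.#sqlInstance; // throws if `this` is not a real instance
  }

  get(key) {
    return this.#kv.get(key);
  }

  put(key, value) {
    this.#kv.set(key, value);
  }
}

// Hypothetical minimal wrapper. `useTarget` selects the receiver handed to
// Reflect.get: the proxy itself (the bug) or the real target (the fix).
// Functions are wrapped so they always run with `target` as `this`, which is
// why the KV methods were never affected.
function instrument(storage, calls, useTarget) {
  return new Proxy(storage, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, useTarget ? target : receiver);
      if (typeof value !== 'function') {
        return value; // plain values and getter results pass straight through
      }
      return (...args) => {
        calls.push(String(prop));
        return value.apply(target, args);
      };
    },
  });
}

// Exercise one wrapper: KV methods first, then the brand-checked `sql` getter.
// Returns the sql result, or the name of the error the getter threw.
function exercise(useTarget) {
  const calls = [];
  const proxied = instrument(new BrandCheckedStorage(), calls, useTarget);
  proxied.put('key', 'value');
  const got = proxied.get('key');
  try {
    return { got, sql: proxied.sql.exec('SELECT 1'), calls };
  } catch (err) {
    return { got, error: err.constructor.name, calls };
  }
}

console.log('receiver = proxy :', exercise(false)); // error: 'TypeError'
console.log('receiver = target:', exercise(true)); // sql: 'executed: SELECT 1'
```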
…ing (#19684)

The LangChain instrumentation registers both a module-level and a
file-level hook for each provider package (e.g. `@langchain/openai`).
Both hooks call _patch, which wraps the same prototype methods (invoke,
stream, batch) with a new
proxy and callback handler. This results in every LangChain call
producing duplicate gen_ai.chat spans. The fix adds a
`__sentry_patched__` guard on the prototype to skip patching if it's
already been done.


Closes #19685 (added automatically)
Replaces eslint with oxlint; we had an outdated ESLint 8.x setup anyway
and we needed to either upgrade it or move to something else. Oxlint
brings so many speed gains given how slow linting is, and almost no one
is running it locally project-wide because of how slow it is.

The changes can look like a lot, but most of it is just:

- Comment replacement due to rule name changes.
- Config file swapping (from `.eslintrc.js` to `.oxlintrc.json`)

I downgraded a few rules, but they will be cleaned up in a follow up PR
in

## Benchmarks

### Overall

| Metric | Before (ESLint) | After (Oxlint) | Speedup |
|--------|-----------------|----------------|---------|
| CI Time | ~6 minutes | ~10 seconds | **36x**\* |

Note that:

- ~Lerna adds a considerable overhead that eats a lot of the gains we
can potentially get.~ We removed Lerna and also we will just lint the
entire project rather than go package by package.
- ~CI time is hogged by building types step~ Not relevant anymore,
typeaware mode works wonderfully after
[oxc-project/tsgolint#739](oxc-project/tsgolint#739)
was merged.

#### SDK Packages

| Package           | Files | ESLint | Oxlint | Speedup  |
| ----------------- | ----- | ------ | ------ | -------- |
| `core`            | 365   | 9.6s   | 53ms   | **181x** |
| `browser`         | 136   | 6.8s   | 55ms   | **124x** |
| `node`            | 105   | 6.1s   | 64ms   | **95x**  |
| `node-core`       | 101   | 6.2s   | 56ms   | **111x** |
| `nextjs`          | 181   | 10.9s  | 79ms   | **138x** |
| `sveltekit`       | 63    | 6.4s   | 71ms   | **90x**  |
| `opentelemetry`   | 58    | 4.3s   | 52ms   | **83x**  |
| `cloudflare`      | 43    | 3.8s   | 45ms   | **84x**  |
| `remix`           | 38    | 7.1s   | 42ms   | **169x** |
| `react`           | 39    | 6.5s   | 49ms   | **133x** |
| `feedback`        | 38    | 3.8s   | 48ms   | **79x**  |
| `replay-internal` | 152   | 5.6s   | 38ms   | **147x** |
| `vue`             | 24    | 4.0s   | 48ms   | **83x**  |
| `svelte`          | 15    | 4.0s   | 52ms   | **77x**  |
| `angular`         | 12    | 3.7s   | 37ms   | **100x** |

#### Dev Packages

| Package                        | Files | ESLint   | Oxlint | Speedup  |
| ------------------------------ | ----- | -------- | ------ | -------- |
| `browser-integration-tests`    | 778   | 10.8s    | 209ms  | **52x**  |
| `node-integration-tests`       | 605   | 9.0s     | 291ms  | **31x**  |
| `node-core-integration-tests`  | 268   | 6.2s     | 74ms   | **84x**  |
| `e2e-tests`                    | 10    | 2.6s     | 44ms   | **59x**  |
| `cloudflare-integration-tests` | 27    | 2.5s     | 35ms   | **71x**  |
| `test-utils`                   | 5     | 2.4s     | 21ms   | **114x** |
| `rollup-utils`                 | 13    | ❌ error | 22ms   | N/A      |
| `bundler-tests`                | 3     | ❌ error | 51ms   | N/A      |

---

closes #19222
…19461)

## Problem

When deploying a TanStack Start application to Cloudflare Workers,
importing `@sentry/tanstackstart-react` causes a build failure.

The `@cloudflare/vite-plugin` configures resolve conditions as
`["workerd", "worker", "module", "browser"]` for the SSR environment.
Since this package only defines `browser` and `node` conditions, the
resolver falls through to `browser`, which points to `index.client.js`.
TanStack Start's import-protection plugin denies files matching
`**/*.client.*` in the server environment, causing the build to fail.

Related: TanStack/router#6688

## Solution

Add `workerd` and `worker` export conditions to the `.` entry in
`package.json`, pointing to `index.server.js` (the same target as the
`node` condition). This ensures that bundlers targeting Workers runtimes
resolve to the server entry rather than falling through to the `browser`
condition.

Users deploying to Cloudflare Workers will need `nodejs_compat` enabled
in their wrangler configuration for `@sentry/node` to function correctly
at runtime.

A dedicated Cloudflare entrypoint (without `@sentry/node` dependency)
will be addressed in a follow-up PR.

## Changed files

| File | Change |
|---|---|
| `packages/tanstackstart-react/package.json` | Add `workerd` and
`worker` export conditions pointing to `index.server.js` |
…ehavior (#19645)

- Remove `condition: { not: 'foreign' }` from the Turbopack metadata
injection rule so node_modules (including e.g. React) are tagged as
first-party, matching webpack's BannerPlugin behavior
- Wrap injected code in a try-catch IIFE (matching the webpack plugin's
`CodeInjection` pattern) to safely handle node_modules with strict
initialization order
- Exclude only `next/dist/build/polyfills/` which contain non-standard
syntax that causes Turbopack parse errors

Fixes the `thirdPartyErrorFilterIntegration` being unusable in Turbopack
builds — previously, React frames in stack traces were treated as
third-party because node_modules lacked metadata, causing
`apply-tag-if-contains-third-party-frames` to incorrectly tag every
error.
  
closes #19320
(again)
andreiborza and others added 6 commits March 9, 2026 09:16
Closes #19681 (added automatically)

---------

Co-authored-by: s1gr1d <32902192+s1gr1d@users.noreply.github.com>
…19701)

The claude-code-action OIDC token exchange verifies that the triggering
GitHub actor has write access to the repository. When an external user
opens an issue, they are the actor and don't have write access, causing
the action to fail with a 401 error.

Pass an explicit github_token and set allowed_non_write_users to '*' so
the action skips the write-access check. This is safe because the
workflow's GITHUB_TOKEN only has read permissions, and the existing
prompt injection detection script guards against malicious issue content
before any triage logic (including Linear writes) executes.

Following an example from anthropic
[here](https://github.com/anthropics/claude-code-action/blob/3428ca8991d4611b464661a70b0725ae459c894d/examples/issue-triage.yml#L28)

Closes #19702 (added automatically)

Co-authored-by: Claude <noreply@anthropic.com>
…ntegrations (#19712)

Add a `tracePropagation` option to `httpIntegration` and
`nativeNodeFetchIntegration` that allows disabling Sentry's trace header
injection (sentry-trace, baggage, traceparent) while still creating
breadcrumbs. This is useful when `skipOpenTelemetrySetup: true` is
configured and an external OTel setup handles trace propagation,
avoiding duplicate headers.

Closes: #19689
- Moves assertions into the test itself
- Refactors utils to plain getters for different data types

Closes #19679 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
As a "manual but less manual than editing `.size-limit.js`" alternative
to #19690, this PR adds a skill that takes care of bumping size limits.
I also added a `test:size-limit` script for convenience since we didn't
document elsewhere how to manually run the `size-limit` CLI.
…#19714)

Replace `existsSync` guard with try/catch around read+write operations
to eliminate the time-of-check to time-of-use race condition (CWE-367)
flagged by CodeQL (code-scanning alert #439).

closes
https://github.com/getsentry/sentry-javascript/security/code-scanning/439

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@chargome chargome self-assigned this Mar 9, 2026
@chargome chargome requested review from a team as code owners March 9, 2026 14:29
github-actions bot commented Mar 9, 2026

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.64 kB | added | added |
| @sentry/browser - with treeshaking flags | 24.14 kB | added | added |
| @sentry/browser (incl. Tracing) | 42.44 kB | added | added |
| @sentry/browser (incl. Tracing, Profiling) | 47.1 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) | 81.26 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.88 kB | added | added |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.95 kB | added | added |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.21 kB | added | added |
| @sentry/browser (incl. Feedback) | 42.44 kB | added | added |
| @sentry/browser (incl. sendFeedback) | 30.31 kB | added | added |
| @sentry/browser (incl. FeedbackAsync) | 35.36 kB | added | added |
| @sentry/browser (incl. Metrics) | 26.8 kB | added | added |
| @sentry/browser (incl. Logs) | 26.95 kB | added | added |
| @sentry/browser (incl. Metrics & Logs) | 27.62 kB | added | added |
| @sentry/react | 27.39 kB | added | added |
| @sentry/react (incl. Tracing) | 44.78 kB | added | added |
| @sentry/vue | 30.09 kB | added | added |
| @sentry/vue (incl. Tracing) | 44.31 kB | added | added |
| @sentry/svelte | 25.66 kB | added | added |
| CDN Bundle | 28.18 kB | added | added |
| CDN Bundle (incl. Tracing) | 43.27 kB | added | added |
| CDN Bundle (incl. Logs, Metrics) | 29.02 kB | added | added |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.11 kB | added | added |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.1 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) | 80.15 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.01 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.66 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.54 kB | added | added |
| CDN Bundle - uncompressed | 82.38 kB | added | added |
| CDN Bundle (incl. Tracing) - uncompressed | 128.09 kB | added | added |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.21 kB | added | added |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 130.93 kB | added | added |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 208.88 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.98 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 247.8 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.89 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.7 kB | added | added |
| @sentry/nextjs (client) | 47.19 kB | added | added |
| @sentry/sveltekit (client) | 42.9 kB | added | added |
| @sentry/node-core | 52.27 kB | added | added |
| @sentry/node | 174.77 kB | added | added |
| @sentry/node - without tracing | 97.44 kB | added | added |
| @sentry/aws-serverless | 113.24 kB | added | added |

github-actions bot commented Mar 9, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 9,392 | - | - | added |
| GET With Sentry | 1,697 | 18% | - | added |
| GET With Sentry (error only) | 6,099 | 65% | - | added |
| POST Baseline | 1,213 | - | - | added |
| POST With Sentry | 582 | 48% | - | added |
| POST With Sentry (error only) | 1,055 | 87% | - | added |
| MYSQL Baseline | 3,239 | - | - | added |
| MYSQL With Sentry | 425 | 13% | - | added |
| MYSQL With Sentry (error only) | 2,706 | 84% | - | added |

Lms24 and others added 2 commits March 9, 2026 15:43
The actual failure mostly "resolved itself" because Angular now also
released `22.0.0-next.0` versions for the Angular CLI packages, in
addition to the core angular packages. However, Angular 22 will
[require](angular/angular-cli#32681)
at least Node 22.22.0.

So this PR makes a few modifications to fully fix Angular canary tests
again:

- Set the node version to Node 22.22.0 for the canary test and the
Angular 21 e2e test (which should be fine IMHO)
- Use the `angular-21` app instead of the `angular-20` app for canary
tests
- Remove the optional canary test config in the `angular-20` app

closes #19636
@chargome chargome force-pushed the prepare-release/10.43.0 branch from 878cf8e to 61d7a84 on March 9, 2026 14:45
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

```json
"volta": {
"extends": "../../package.json"
}
}
```
Missing .npmrc in nestjs-websockets test application

Medium Severity

The nestjs-websockets test application is missing a .npmrc file, while its sibling nestjs-microservices (added in the same PR with an identical structure) correctly includes one pointing @sentry and @sentry-internal scoped packages to the local verdaccio registry at http://127.0.0.1:4873. Without it, pnpm install during test:build won't resolve "@sentry/nestjs": "latest || *" from the local registry, likely causing e2e test failures in CI.

Comment on lines +29 to +31
```ts
},
});
}
```
Bug: The patchAppUse function indiscriminately captures all middleware errors, including intentional HTTPExceptions used for control flow (e.g., 401, 403), leading to false-positive error reports.
Severity: MEDIUM

Suggested Fix

Implement a filtering mechanism in patchAppUse, similar to the shouldHandleError option in setupHonoErrorHandler. This would allow filtering out intentional HTTP errors and only capture unexpected exceptions, such as those with a 5xx status code or non-HTTP errors.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: packages/hono/src/shared/patchAppUse.ts#L29-L31

Potential issue: The `patchAppUse` function, which is automatically applied in the
Cloudflare middleware setup, captures all errors thrown by middleware without any
filtering. This includes intentional `HTTPException` errors with non-5xx status codes
(e.g., 401, 403) that are used for control flow rather than indicating an unexpected
server error. This behavior differs from `setupHonoErrorHandler` and other Sentry
framework integrations, which typically only capture 5xx errors by default. As a result,
expected application behavior, such as authentication failures, will be reported as
errors to Sentry, creating false positives and alert noise.

@chargome chargome merged commit 8706e4e into master Mar 9, 2026
438 of 440 checks passed
@chargome chargome deleted the prepare-release/10.43.0 branch March 9, 2026 15:26
andreiborza pushed a commit that referenced this pull request Mar 11, 2026
meta(changelog): Update changelog for 10.43.0