meta(changelog): Update changelog for 10.44.0 #19843
[Gitflow] Merge master into develop
I ran `yarn fix` on `develop` and there was a change. Does that mean that the CI doesn't fail when the files are not formatted correctly?! Closes #19711 (added automatically)
#19708) closes #19670 When browserTracingIntegration initializes, it creates a 30-second setTimeout (idle span final timeout), multiple PerformanceObserver instances, and various other timers. These keep the JS event loop active, which prevents Googlebot's headless Chromium renderer from considering the page "idle" — resulting in incomplete or broken page snapshots in Google Search Console. This PR detects known bot/crawler user agents and skips the tracing setup entirely, so no timers or observers are created. Error monitoring via other integrations is unaffected. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
We don't need to create PRs to add new packages to the registry. Craft can now do this automatically. Documented here: https://craft.sentry.dev/targets/registry/#creating-new-packages Closes #19732 (added automatically)
Small addition to this PR: #19731 Reference (adds `sdkName`): getsentry/craft#769 Closes #19737 (added automatically)
…ie-breaking (#19421)

### Summary

Implements the `sentry.timestamp.sequence` attribute for both logs and metrics, following the [logs spec v1.16.0](https://develop.sentry.dev/sdk/telemetry/logs/#changelog) and [metrics spec v2.6.0](https://develop.sentry.dev/sdk/telemetry/metrics/#changelog). The attribute provides deterministic ordering of telemetry items that share the same millisecond timestamp. The counter starts at `0`, increments by `1` per item, and resets when the integer millisecond timestamp changes.

### Shared Counter

I initially thought about implementing a separate counter for each telemetry category (i.e. one counter for logs, another for metrics). But I decided that a single shared counter for all telemetry types can be useful to tie-break between them, if we ever needed the case to know if a metric was emitted before a log or vice-versa.

### Does it work on Cloudflare Environments

I verified that this does indeed work on Cloudflare environments and sequence numbers do increment as expected.

**Note for reviewers:** I considered not sending the attribute at all if it has `0` as a value to save some bytes since this would be the most common scenario but opted to keep it at all times for predictability. LMK what you think about that.

---

Closes #19420

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This is a follow-up PR that cleans up our configuration and reverts the downgrade to warning for some of the rules we use. This brings us to a similar level of coverage with eslint. Some rules have sensitivity issues, especially when it comes to optional chaining and types so we will still have a lot of warnings.

## Summary of Changes

### Config changes (`.oxlintrc.json`)

#### Globally disabled (TS files)

| Rule | Why |
|---|---|
| `no-redundant-type-constituents` | Many violations are intentional — AI integration types use `'literal' \| string` for autocomplete hints, and `unknown \| X` patterns are common throughout the codebase. Low bug-catching value. |
| `restrict-template-expressions` | 81 violations mostly from OTel span attributes and `unknown` values in template strings. Would require `String()` wrappers everywhere for minimal safety gain — the SDK handles these at runtime. |
| `await-thenable` | `await` on non-Promises is valid JS — it's a useful pattern for uniformly handling `T \| Promise<T>` without branching. Not a bug. |
| `no-base-to-string` | Set to **warn** (not off). Kept visible since `[object Object]` in strings is a real issue, but not blocking CI while we clean up the 22 remaining source violations. |

#### Disabled in tests + dev-packages only

| Rule | Why |
|---|---|
| `no-misused-spread` | Tests intentionally spread class instances to create plain fixture objects. |
| `require-array-sort-compare` | Test assertions sorting string arrays — `.sort()` without comparator is fine for strings. |
| `no-base-to-string` | Tests don't need strict toString safety. |

#### Configured

| Rule | Why |
|---|---|
| `no-unused-vars` | Set to warn with `_` prefix ignore patterns (`argsIgnorePattern`, `varsIgnorePattern`, `caughtErrorsIgnorePattern`). Standard convention — unused catch params/args prefixed with `_` are intentional. |

### Dev-packages config (`dev-packages/.oxlintrc.json`)

Added `require-array-sort-compare`, `no-misused-spread`, and `no-base-to-string` as off — these rules aren't worth enforcing in test infrastructure.

### Code fixes

| Change | Count | What |
|---|---|---|
| Removed `\| undefined` from optional params | 19 | `param?: T \| undefined` → `param?: T` — the `?` already implies `undefined` |
| Prefixed unused catch params with `_` | 25 | `catch (error)` → `catch (_error)` — follows the `_` convention for intentionally unused variables |
| Prefixed unused callback param | 1 | `(error, version)` → `(error, _version)` in `bun/scripts/install-bun.js` |

### Result

**373 warnings → 31** (22 of which are the intentional `no-base-to-string` warnings we kept visible).

Closes #19718 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Bumps [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git) from 3.30.0 to 3.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/steveukx/git-js/releases">simple-git's releases</a>.</em></p> <blockquote> <h2>simple-git@3.33.0</h2> <h3>Minor Changes</h3> <ul> <li>a263635: Use <code>pathspec</code> wrappers for remote and local paths when running either <code>git.clone</code> or <code>git.mirror</code> to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>e253a0d: Enhanced <code>git -c</code> checks in <code>unsafe</code> plugin.</p> <p>Thanks to <a href="https://github.com/JohannesLks"><code>@JohannesLks</code></a> for identifying the issue</p> </li> </ul> <h2>simple-git@3.32.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>f704208: Enhanced <code>protocol.allow</code> checks in <code>allowUnsafeExtProtocol</code> handling.</p> <p>Thanks to <a href="https://github.com/CodeAnt-AI-Security"><code>@CodeAnt-AI-Security</code></a> for identifying the issue</p> </li> </ul> <h2>simple-git@3.32.2</h2> <h3>Patch Changes</h3> <ul> <li>8d02097: Enhanced clone unsafe switch detection.</li> </ul> <h2>simple-git@3.32.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>23b070f: Fix regex for detecting unsafe clone options</p> <p>Thanks to <a href="https://github.com/stevenwdv"><code>@stevenwdv</code></a> for reporting this issue.</p> </li> </ul> <h2>simple-git@3.32.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>1effd8e: Enhances the <code>unsafe</code> plugin to block additional cases where the <code>-u</code> switch may be disguised along with other single character options.</p> <p>Thanks to <a href="https://github.com/JuHwiSang"><code>@JuHwiSang</code></a> for identifying this as vulnerability.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.</li> </ul> 
<h2>simple-git@3.31.1</h2> <h3>Patch Changes</h3> <ul> <li>a44184f: Resolve NPM publish steps</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md">simple-git's changelog</a>.</em></p> <blockquote> <h2>3.33.0</h2> <h3>Minor Changes</h3> <ul> <li>a263635: Use <code>pathspec</code> wrappers for remote and local paths when running either <code>git.clone</code> or <code>git.mirror</code> to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>e253a0d: Enhanced <code>git -c</code> checks in <code>unsafe</code> plugin.</p> <p>Thanks to <a href="https://github.com/JohannesLks"><code>@JohannesLks</code></a> for identifying the issue</p> </li> </ul> <h2>3.32.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>f704208: Enhanced <code>protocol.allow</code> checks in <code>allowUnsafeExtProtocol</code> handling.</p> <p>Thanks to <a href="https://github.com/CodeAnt-AI-Security"><code>@CodeAnt-AI-Security</code></a> for identifying the issue</p> </li> </ul> <h2>3.32.2</h2> <h3>Patch Changes</h3> <ul> <li>8d02097: Enhanced clone unsafe switch detection.</li> </ul> <h2>3.32.1</h2> <h3>Patch Changes</h3> <ul> <li> <p>23b070f: Fix regex for detecting unsafe clone options</p> <p>Thanks to <a href="https://github.com/stevenwdv"><code>@stevenwdv</code></a> for reporting this issue.</p> </li> </ul> <h2>3.32.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>1effd8e: Enhances the <code>unsafe</code> plugin to block additional cases where the <code>-u</code> switch may be disguised along with other single character options.</p> <p>Thanks to <a href="https://github.com/JuHwiSang"><code>@JuHwiSang</code></a> for identifying this as vulnerability.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.</li> </ul> 
<h2>3.31.1</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/steveukx/git-js/commit/8bbbabc827fc05824e0e4bd51746e9ca0109b353"><code>8bbbabc</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/a263635ca4729c276eba869ae8c97cbb00fc4eb9"><code>a263635</code></a> Clone API use pathspec (<a href="https://github.com/steveukx/git-js/tree/HEAD/simple-git/issues/1132">#1132</a>)</li> <li><a href="https://github.com/steveukx/git-js/commit/e253a0d1bf9d013228f856209b3b8a7c5980a54b"><code>e253a0d</code></a> Fix/block unsafe 2603 (<a href="https://github.com/steveukx/git-js/tree/HEAD/simple-git/issues/1135">#1135</a>)</li> <li><a href="https://github.com/steveukx/git-js/commit/a1170e506eeeaade4a242bfbf6d0620d57872364"><code>a1170e5</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257"><code>f704208</code></a> In extension to CVE-2022-25912, switch to case-insensitive check for `protoco...</li> <li><a href="https://github.com/steveukx/git-js/commit/4bb20811eb35c0fa5437553cad4eb8ebf8f6f6e6"><code>4bb2081</code></a> Version Packages</li> <li><a href="https://github.com/steveukx/git-js/commit/7ae7537737bafc1e6559a28816785b10926fb095"><code>7ae7537</code></a> Match tokens to word boundary</li> <li><a href="https://github.com/steveukx/git-js/commit/c47ad103b07ce768cf69aec63e0c9f7f77a1ab0f"><code>c47ad10</code></a> Lint</li> <li><a href="https://github.com/steveukx/git-js/commit/8d02097b726c2bc5360b4f55ee3ecb7e09648e4d"><code>8d02097</code></a> Enhanced clone switch detection</li> <li><a href="https://github.com/steveukx/git-js/commit/f6909a52807512cb4e29a654db2dcd409b019113"><code>f6909a5</code></a> Remove test timeout override</li> <li>Additional commits viewable in <a href="https://github.com/steveukx/git-js/commits/simple-git@3.33.0/simple-git">compare view</a></li> </ul> 
</details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for simple-git since your current version.</p> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Instruments the `@Cron`, `@Interval` and `@Timeout` decorators from `@nestjs/schedule` ([npm](https://www.npmjs.com/package/@nestjs/schedule)) to capture errors and fork isolation scopes to prevent leakage into subsequent http requests. So far we only had a manual `@SentryCron` decorator that users could apply to get checkins and exceptions from crons. `@SentryCron` is now reduced to only send check-ins if applied (no exception capture anymore since this is handled by the auto-instrumentation). Closes #19704
Bumps [file-type](https://github.com/sindresorhus/file-type) from 20.5.0 to 21.3.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sindresorhus/file-type/releases">file-type's releases</a>.</em></p> <blockquote> <h2>v21.3.1</h2> <ul> <li>Fix infinite loop in ASF parser on malformed input (<a href="https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473">https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473</a>) 319abf8</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1">https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1</a></p> <h2>v21.3.0</h2> <ul> <li>Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (<a href="https://redirect.github.com/sindresorhus/file-type/issues/779">#779</a>) d223491</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.2.0...v21.3.0">https://github.com/sindresorhus/file-type/compare/v21.2.0...v21.3.0</a></p> <h2>v21.2.0</h2> <ul> <li>Add support for SPSS data files (<a href="https://redirect.github.com/sindresorhus/file-type/issues/787">#787</a>) 889f638</li> <li>Add support for JMP (<a href="https://redirect.github.com/sindresorhus/file-type/issues/784">#784</a>) 093dba0</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.1.1...v21.2.0">https://github.com/sindresorhus/file-type/compare/v21.1.1...v21.2.0</a></p> <h2>v21.1.1</h2> <ul> <li>Fix handling of partial Gunzip file (<a href="https://redirect.github.com/sindresorhus/file-type/issues/783">#783</a>) 710e053</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.1.0...v21.1.1">https://github.com/sindresorhus/file-type/compare/v21.1.0...v21.1.1</a></p> <h2>v21.1.0</h2> <ul> <li>Add support for <code>.tar.gz</code> (gunzipped tarball file) (<a 
href="https://redirect.github.com/sindresorhus/file-type/issues/763">#763</a>) eda03a7</li> <li>Add support for Windows registry (.reg) files 0db61ec 7d2ddcf</li> <li>Add support for Windows registry hive file (<code>.dat</code>) (<a href="https://redirect.github.com/sindresorhus/file-type/issues/767">#767</a>) f8d62be</li> <li>Fix: Handle partial unzip (<a href="https://redirect.github.com/sindresorhus/file-type/issues/773">#773</a>) 7ad3a90</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.0.0...v21.1.0">https://github.com/sindresorhus/file-type/compare/v21.0.0...v21.1.0</a></p> <h2>v21.0.0</h2> <h3>Breaking</h3> <ul> <li>Require Node.js 20 24aec1f</li> <li>Drop Adobe Illustrator (.ai) detection support (<a href="https://redirect.github.com/sindresorhus/file-type/issues/743">#743</a>) af169f3</li> <li>Correct Matroska (video) MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/753">#753</a>) f53f5ff</li> <li>Correct FLAC MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/755">#755</a>) b9fda36</li> <li>Correct Apache Parquet MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/748">#748</a>) 98e3f8e</li> <li>Correct Apache Arrow MIME-type to formal IANA registration (<a href="https://redirect.github.com/sindresorhus/file-type/issues/754">#754</a>) 7184775</li> </ul> <h3>Improvements</h3> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sindresorhus/file-type/commit/ad5857e5384874e853cc9c4c29b867f1135a7c30"><code>ad5857e</code></a> 21.3.1</li> <li><a href="https://github.com/sindresorhus/file-type/commit/5d2fedf104dc5067b51a1f31410aa60052c74f64"><code>5d2fedf</code></a> Harden parser</li> <li><a href="https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f"><code>319abf8</code></a> Fix infinite loop in ASF parser on malformed input</li> <li><a href="https://github.com/sindresorhus/file-type/commit/1ca9281706e6ff5606d4ebaf88fa8f97b124c126"><code>1ca9281</code></a> Mention <code>@file-type/cfbf</code> plugin (<a href="https://redirect.github.com/sindresorhus/file-type/issues/791">#791</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/2033ea7f1aef092e8251034b1207efc7c96ebeb0"><code>2033ea7</code></a> 21.3.0</li> <li><a href="https://github.com/sindresorhus/file-type/commit/d223491482bda0a8222e29fe31cca7ecf65a0c4e"><code>d223491</code></a> Add support for Mach-O Universal (aka "Fat") binaries and additional architec...</li> <li><a href="https://github.com/sindresorhus/file-type/commit/2ca86b3869a0185ec40e273ff51a9607cce2a48e"><code>2ca86b3</code></a> Docs: Remove BYOB stream requirement warning (<a href="https://redirect.github.com/sindresorhus/file-type/issues/790">#790</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/4d7393ad119cdb56698a7b0575302913032c2692"><code>4d7393a</code></a> List <code>@file-type/pdf</code> in available plugins (<a href="https://redirect.github.com/sindresorhus/file-type/issues/788">#788</a>)</li> <li><a href="https://github.com/sindresorhus/file-type/commit/810e1d87c54beb10603855cfb654a8ce15a0cefb"><code>810e1d8</code></a> 21.2.0</li> <li><a href="https://github.com/sindresorhus/file-type/commit/889f6384142d2b13c20898f1e1ca147b25704661"><code>889f638</code></a> Add support for SPSS data files (<a 
href="https://redirect.github.com/sindresorhus/file-type/issues/787">#787</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sindresorhus/file-type/compare/v20.5.0...v21.3.1">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…, interceptors, and exception filters (#19751) This should allow for more specific querying for users and also potentially interesting data to look at for us in the future. Spans emitted from actual middlewares keep the same origin as before, for the rest I added the integration-part so we know where the span is coming from. Closes #19750
I think this is even the actual fix for #19589 This could happen right now for alarms. When an alarm is being executed the first Client is getting disposed. Once the alarm is getting triggered it might be that it wants to reuse the previous Client, which didn't work as it got disposed. With that fix we actually check if the client is also disposed (by checking if there is a transport), if there is none we just create a new client.
Mock `timestampInSeconds` in the "increments the sequence number across consecutive metrics" test to return a fixed value. The test was flaky because consecutive calls could land on different milliseconds, causing the sequence counter to reset unexpectedly. Closes #19749 --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This patch adjusts our Astro middleware to be compatible with Astro 6. It
also adds an e2e test app for Astro 6 on the node adapter.
Changes:
- Cleaned up peer dependency range in `package.json`
- The middleware context object's properties changed. We need to access
route manifest now via `ctx.[Symbol.for('astro.pipeline')]` instead of
`ctx.[Symbol.for('context.routes')]`
- For now, I skipped our server island tests because there's still a
[bug in Astro 6.0.2](withastro/astro#15753)
which causes server islands not to work correctly. Once this is fixed (I
subscribed to the issue), we should be able to re-enable the test
without any fails 🤞
---------
Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
This PR introduces some attributes and fixes to Vercel AI SDK:

- Adds new [gen_ai.output.messages](https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-output-messages) which deprecates https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-response-text and https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-response-tool_calls
- Adds new [gen_ai.tool.description](https://getsentry.github.io/sentry-conventions/attributes/gen_ai/#gen_ai-tool-description)
- Checks for Vercel AI media type when stripping media out of the input messages

Closes #19574
## Summary

Standardize lint/format script naming across the monorepo (53 files). Removes redundant/confusing scripts and makes naming consistent.

### New root-level scripts

| Script | Command | Purpose |
|--------|---------|---------|
| `verify` | `run-s format:check lint` | Read-only: format check + lint |
| `fix` | `run-s format lint:fix` | Write: format + lint fix |
| `lint` | `oxlint . --type-aware` | Lint only |
| `lint:fix` | `oxlint . --fix --type-aware` | Lint + fix only |
| `format` | `oxfmt . --write` | Format only |
| `format:check` | `oxfmt . --check` | Format check only |

### What changed

- `lint` now runs only oxlint (previously also ran oxfmt check)
- `lint:fix` replaces old `fix` for oxlint auto-fix
- New `verify` runs both `format:check` + `lint` (replaces old `lint` behavior)
- New `fix` runs both `format` + `lint:fix`
- All oxlint commands consistently include `OXLINT_TSGOLINT_DANGEROUSLY_SUPPRESS_PROGRAM_DIAGNOSTICS` flag and `--type-aware` across root and all sub-packages
- Removes redundant scripts: `fix:oxlint`, `fix:oxfmt`, `lint:oxfmt`, `lint:oxlint`
- Updates CI workflow (`build.yml`) to use new script names

## Test plan

- [ ] CI lint job passes with `yarn lint` instead of `yarn lint:oxlint`
- [ ] CI format check job passes (unchanged `yarn format:check`)
- [ ] `yarn verify` runs both format check and lint at root level
- [ ] `yarn fix` runs both format and lint fix at root level

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Closes #19722 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.5 to 4.12.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.7</h2> <h2>Security hardening</h2> <p>Ignore <code>__proto__</code> path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.</p> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.6...v4.12.7">https://github.com/honojs/hono/compare/v4.12.6...v4.12.7</a></p> <h2>v4.12.6</h2> <h2>What's Changed</h2> <ul> <li>fix(accept): replace regex split to mitigate ReDoS by <a href="https://github.com/EdamAme-x"><code>@EdamAme-x</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4758">honojs/hono#4758</a></li> <li>fix(jsx): align link hoisting and dedupe with React 19 by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4792">honojs/hono#4792</a></li> <li>chore(builld): tsconfig project references by <a href="https://github.com/BarryThePenguin"><code>@BarryThePenguin</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4797">honojs/hono#4797</a></li> <li>chore: add <code>tsconfig.spec.json</code> by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4798">honojs/hono#4798</a></li> <li>feat(jsx-renderer): support function-based options by <a href="https://github.com/3w36zj6"><code>@3w36zj6</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4780">honojs/hono#4780</a></li> <li>fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by <a href="https://github.com/t0waxx"><code>@t0waxx</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4782">honojs/hono#4782</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a 
href="https://github.com/t0waxx"><code>@t0waxx</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4782">honojs/hono#4782</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.5...v4.12.6">https://github.com/honojs/hono/compare/v4.12.5...v4.12.6</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/b0aba5bd76f11a9f0fef1210a705523fa30172ab"><code>b0aba5b</code></a> 4.12.7</li> <li><a href="https://github.com/honojs/hono/commit/1be3a53ccbd40b85073fc05a1af1ddf4c7a83620"><code>1be3a53</code></a> ci: apply automated fixes</li> <li><a href="https://github.com/honojs/hono/commit/ef902257e0beacbb83d2a9549b3b83e03514a6fe"><code>ef90225</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/3f886365c8e2bc3e1e71bc18685583b91fc9327d"><code>3f88636</code></a> 4.12.6</li> <li><a href="https://github.com/honojs/hono/commit/53b66aeac5a503860af902013a1f89ba49ec9641"><code>53b66ae</code></a> fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (<a href="https://redirect.github.com/honojs/hono/issues/4782">#4782</a>)</li> <li><a href="https://github.com/honojs/hono/commit/58825a72f7cc0a36d08535fc11dc90934ba77aeb"><code>58825a7</code></a> feat(jsx-renderer): support function-based options (<a href="https://redirect.github.com/honojs/hono/issues/4780">#4780</a>)</li> <li><a href="https://github.com/honojs/hono/commit/0e80acb9f82912f44c7ebf949bc00abdfdc1eda0"><code>0e80acb</code></a> chore: add <code>tsconfig.spec.json</code> (<a href="https://redirect.github.com/honojs/hono/issues/4798">#4798</a>)</li> <li><a href="https://github.com/honojs/hono/commit/d69deb8886cde681172d8c1280273e032a50d015"><code>d69deb8</code></a> chore(builld): tsconfig project references (<a href="https://redirect.github.com/honojs/hono/issues/4797">#4797</a>)</li> <li><a 
href="https://github.com/honojs/hono/commit/8217d9ece6f4d302e446b8dc353d1b3cbf51d92e"><code>8217d9e</code></a> fix(jsx): align link hoisting and dedupe with React 19 (<a href="https://redirect.github.com/honojs/hono/issues/4792">#4792</a>)</li> <li><a href="https://github.com/honojs/hono/commit/50869562980628b2984f73e064bb80691e5286bc"><code>5086956</code></a> fix(accept): replace regex split to mitigate ReDoS (<a href="https://redirect.github.com/honojs/hono/issues/4758">#4758</a>)</li> <li>See full diff in <a href="https://github.com/honojs/hono/compare/v4.12.5...v4.12.7">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…19713)

- Adds the official `skill-creator` skill from `anthropics/skills` for creating and optimizing agent skills. We should use this going forward with every skill. ref https://claude.com/blog/improving-skill-creator-test-measure-and-refine-agent-skills
- Update `dotagents` and `skill-scanner` skills to their latest versions.

Closes #19760 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Bump @opentelemetry/context-async-hooks from 2.5.1 to 2.6.0
- Bump @opentelemetry/core from 2.5.1 to 2.6.0
- Bump @opentelemetry/instrumentation from 0.211.0 to 0.213.0
- Bump @opentelemetry/instrumentation-amqplib from 0.58.0 to 0.60.0
- Bump @opentelemetry/instrumentation-aws-sdk from 0.66.0 to 0.68.0
- Bump @opentelemetry/instrumentation-connect from 0.54.0 to 0.56.0
- Bump @opentelemetry/instrumentation-dataloader from 0.28.0 to 0.30.0
- Bump @opentelemetry/instrumentation-express from 0.59.0 to 0.61.0
- Bump @opentelemetry/instrumentation-fs from 0.30.0 to 0.32.0
- Bump @opentelemetry/instrumentation-generic-pool from 0.54.0 to 0.56.0
- Bump @opentelemetry/instrumentation-graphql from 0.58.0 to 0.61.0
- Bump @opentelemetry/instrumentation-hapi from 0.57.0 to 0.59.0
- Bump @opentelemetry/instrumentation-http from 0.211.0 to 0.213.0
- Bump @opentelemetry/instrumentation-ioredis from 0.59.0 to 0.61.0
- Bump @opentelemetry/instrumentation-kafkajs from 0.20.0 to 0.22.0
- Bump @opentelemetry/instrumentation-knex from 0.55.0 to 0.57.0
- Bump @opentelemetry/instrumentation-koa from 0.59.0 to 0.61.0
- Bump @opentelemetry/instrumentation-lru-memoizer from 0.55.0 to 0.57.0
- Bump @opentelemetry/instrumentation-mongodb from 0.64.0 to 0.66.0
- Bump @opentelemetry/instrumentation-mongoose from 0.57.0 to 0.59.0
- Bump @opentelemetry/instrumentation-mysql from 0.57.0 to 0.59.0
- Bump @opentelemetry/instrumentation-mysql2 from 0.57.0 to 0.59.0
- Bump @opentelemetry/instrumentation-nestjs-core from 0.57.0 to 0.59.0
- Bump @opentelemetry/instrumentation-pg from 0.63.0 to 0.65.0
- Bump @opentelemetry/instrumentation-redis from 0.59.0 to 0.61.0
- Bump @opentelemetry/instrumentation-tedious from 0.30.0 to 0.32.0
- Bump @opentelemetry/instrumentation-undici from 0.21.0 to 0.23.0
- Bump @opentelemetry/resources from 2.5.1 to 2.6.0
- Bump @opentelemetry/sdk-trace-base from 2.5.1 to 2.6.0
- Bump @opentelemetry/semantic-conventions from 1.39.0 to 1.40.0
- Bump @prisma/instrumentation from 7.2.0 to 7.4.2
- Bump @fastify/otel from 0.16.0 to 0.17.1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Closes #19683 (added automatically)
…chIntegration` (#19770) Allows users to configure which HTTP request/response headers are captured as span attributes on fetch/undici spans. This was previously captured automatically for `content-length` but is now opt-in since [@opentelemetry/instrumentation-undici@0.22.0](https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/instrumentation-undici/CHANGELOG.md#0220-2026-02-16).
…22+ (#17355) Registers diagnostics channels for outgoing requests on Node >= 22 that take care of creating spans, rather than relying on OTEL instrumentation. Closes #18497 (added automatically) --------- Co-authored-by: Andrei Borza <andrei.borza@sentry.io> Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io> Co-authored-by: Andrei <168741329+andreiborza@users.noreply.github.com>
Upgrades the `oxfmt` and `oxlint` dependencies since the PRs we merged were created a while ago and were using outdated versions. No breaking changes, no changes in lint output or in formatting. Mostly bug fixes and performance improvements. Key change is the output is more friendly in CI, minimal noise. Closes #19773 (added automatically)
…9781) (closes #19762) (closes [JS-1921](https://linear.app/getsentry/issue/JS-1921/support-astro-6-on-cloudflare-workers)) This proves that Astro 6 is working OOTB with Cloudflare. I basically copied the e2e test from `astro-6`. During the tests I found that a lot of resources were dropped. This is being investigated in #19780 (you can check the latest fixup commit with the drops).
Add combined changelog entry for cloudflare and hono middleware. Closes #19829 (added automatically)
…ntext headers (#19821) This PR addresses the issue reported in #19790 where our Bun serve instrumentation blindly attached all HTTP response headers to request contexts. This was problematic as explained in the issue since sensitive headers could have been sent. This PR ensures we no longer do this, while retaining safe response headers:

- Adjusted `httpHeadersToSpanAttributes` helper from core to also generate `http.response` headers if an optional `lifecycle` parameter is added to the call
- Removed setting `contexts.response.headers`: We never do this. In Node, we only set the response status on this context.
- Instead, we now send response headers as span attributes on the `http.server` span. By leveraging `httpHeadersToSpanAttributes` we now have the same sensitive data mechanisms in place as with request headers which we already send this way. Meaning, a bunch of authorization headers are filtered always, and cookie/set-cookie headers are filtered depending on `sendDefaultPii`.

Note: This can be considered a subtle behaviour break but given the incorrectness of always setting response headers unconditionally before, I think this is justified. Contexts are not indexed, hence alerts can't be built on top of them and neither saved discover or explore queries. I'm also not aware of Relay promoting `response.header.*` values to tags, so we should be safe here.

Closes #19790
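The filtering behaviour described in the commit message above, sketched as an added example (this is not Sentry's code). The function name `headersToSpanAttributes`, both deny lists, the `[Filtered]` marker and the attribute key shape are assumptions made for illustration; only the `lifecycle` and `sendDefaultPii` names come from the page.

```javascript
// Added illustration, not the SDK's implementation. Both lists are assumed.
const ALWAYS_FILTERED = new Set(['authorization', 'proxy-authorization', 'x-api-key', 'x-auth-token']);
const PII_GATED = new Set(['cookie', 'set-cookie']); // released only when sendDefaultPii is true
const FILTERED = '[Filtered]';

// `lifecycle` selects the attribute prefix: 'request' or 'response'.
function headersToSpanAttributes(headers, { sendDefaultPii = false, lifecycle = 'request' } = {}) {
  if (lifecycle !== 'request' && lifecycle !== 'response') {
    throw new TypeError(`unknown lifecycle: ${lifecycle}`);
  }
  // Accept a Fetch `Headers` instance or a plain Node-style object.
  const entries = typeof headers.entries === 'function' ? [...headers.entries()] : Object.entries(headers);
  const attributes = {};
  for (const [rawName, rawValue] of entries) {
    if (rawValue === undefined || rawValue === null) continue;
    // Header names are case-insensitive, so match on the lowercased form.
    const name = String(rawName).toLowerCase();
    // Key shape (underscored header name) is an assumption for this example.
    const key = `http.${lifecycle}.header.${name.replace(/-/g, '_')}`;
    const redact = ALWAYS_FILTERED.has(name) || (PII_GATED.has(name) && !sendDefaultPii);
    if (redact) {
      // Keep the key so the header's presence stays visible, but never its value.
      attributes[key] = FILTERED;
      continue;
    }
    // Multi-valued headers (e.g. several Set-Cookie lines) collapse to one string.
    const joined = (Array.isArray(rawValue) ? rawValue : [rawValue]).map(String).join('; ');
    attributes[key] = key in attributes ? `${attributes[key]}; ${joined}` : joined;
  }
  return attributes;
}

// Constructed sample: response headers of a login endpoint.
const sampleResponseHeaders = {
  'Content-Type': 'application/json',
  'Set-Cookie': ['session=abc123; HttpOnly', 'csrf=def456'],
  'X-Auth-Token': 'tok_constructed',
  'X-Request-Id': 'req-42',
};

console.log(headersToSpanAttributes(sampleResponseHeaders, { lifecycle: 'response' }));
```

With the default `sendDefaultPii: false`, both `Set-Cookie` and `X-Auth-Token` are redacted; enabling it releases only the cookie values, never the credential header.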
Mentioned here: #19817 (comment) Closes #19832 (added automatically)
This is one of many PRs to create the effect SDK. Once this has been merged I will open the draft PR for the effect sdk and create the plan in there. (the almost final SDK can be viewed here: https://github.com/getsentry/sentry-javascript/tree/jp/effect-sdk. It might be that some specifics change, especially when having browser + server split, and with tracing) --- This PR focuses on the base scaffolding of `@sentry/effect`. This on its own is not really doing anything except setting up the scaffold. The README already reflects the actual usage, while the export doesn't exist yet, this will come in another PR (also `init` is exposed here, just for the sake of completeness) --------- Co-authored-by: Claude <noreply@anthropic.com>
…9649) That now adds the functionality to use the `Sentry.effectLayer` properly. **But** it doesn't do anything, which means right now, to keep the PRs small, it returns an empty layer. The following can be used without any Sentry functionality:

```js
const MainLive = HttpLive.pipe(
  Layer.provide(
    Sentry.effectLayer({
      dsn: "",
      tracesSampleRate: 1.0,
      debug: true,
    }),
  ),
);

MainLive.pipe(Layer.launch, NodeRuntime.runMain);
```
This adds tracing to the `Sentry.effectLayer`. By setting `tracesSampleRate: 1.0` in the options tracing is enabled and spans can be sent to Sentry.
This adds the functionality to send logs to Sentry by setting `enableLogs: true` in the `Sentry.effectLayer`
This adds metrics to the `Sentry.effectLayer`. It is enabled when `enableMetrics: true` is added as option
This PR is now adding a different naming schema for enabling logs and metrics based on: https://develop.sentry.dev/sdk/telemetry/metrics/#auto-emitted-metrics For the logs I also added them, which might not make the most sense, as `enableLogs` is now `false` by default, which means that there is a double opt-in needed to make logs work via `Effect.log`. The naming is TBD, but this is the best I came up with: `enableEffectLogs` & `enableEffectMetrics`
This adds Node and Browser tests for the `@sentry/effect` SDK. I am not sure what to do with the browser part, as there is I guess no tree-shaking available right now. The basic usage for node and browser is the exact same, only the `effectLayer` has to be added into the runtime layer.
…cer (#19816) This changes three things in one go:

- Export `SentryEffectTracer`, `SentryEffectLogger` and `SentryEffectMetricsLayer` for bundle sizes in the browser (and node if they want to go that route)
- Respect `tracesSampleRate` when using `Sentry.effectLayer`, so tracing is only added when needed
- Moving `setTracer` outside of `SentryEffectTracerLayer` to make it Effect native, where users could call `setTracer` on their own if they want to
There are 2 changes in this PR:

1. No auto-injection anymore
2. Removal of the OP and the span names. We fully rely now on Effect as much as possible (related: #19644 (comment))

About the removal of auto injection of traces, logs or metrics from the `Sentry.effectLayer`: this means that `Sentry.effectLayer` is **only** initializing the browser/node client. So the usages in comparison for logs and traces:

before:

```js
Layer.provide(
  Sentry.effectLayer({
    dsn: '',
    tracesSampleRate: 1.0,
    enableLogs: true,
    enableEffectLogs: true,
  }),
);
```

after:

```js
import * as Layer from "effect/Layer";
import * as Logger from "effect/Logger";

// Each layer is its own argument to mergeAll; effectLayer only takes the options object.
Layer.mergeAll(
  Sentry.effectLayer({
    dsn: '',
    tracesSampleRate: 1.0,
    enableLogs: true,
  }),
  Layer.setTracer(Sentry.SentryEffectTracer),
  Logger.replace(Logger.defaultLogger, Sentry.SentryEffectLogger),
);
```

The benefit of this is to have a unified usage between browser and node, which also follows the usage of Effect, so users have to actively set the tracer with `setTracer` or replace the logger with `Logger.replace`. There is no extra opt-in via `enableEffectLogs` or `enableEffectMetrics`, this would also remove the confusion of not having the `enableEffectTraces` option (which didn't exist before, nor would have existed in any future versions).

This was discussed offline with @Lms24 to have this. In the first alpha we can always shift if there is the need, but this is now way cleaner. I ask myself now if `Sentry.effectLayer` is now the best function name.
These are mandatory to release the Effect SDK without any problems. Closes #19838 (added automatically)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| """Recursively find directories that contain an outputs/ subdirectory.""" | ||
| runs: list[dict] = [] | ||
| _find_runs_recursive(workspace, workspace, runs) | ||
| runs.sort(key=lambda r: (r.get("eval_id", float("inf")), r["id"])) |
Sort crashes when eval_id is None
Medium Severity
The sort key r.get("eval_id", float("inf")) doesn't actually fall back to float("inf") when eval_id is None. Since build_run always includes "eval_id" in the returned dict (initialized to None on line 88, potentially remaining None), dict.get finds the key and returns None instead of the default. When some runs have numeric eval_id and others have None, Python 3 raises TypeError because it can't compare NoneType with int/float. The key function needs an explicit None check, e.g. r["eval_id"] if r["eval_id"] is not None else float("inf").
Additional Locations (1)
| "analyzer_model": "<model-name>", | ||
| "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), | ||
| "evals_run": eval_ids, | ||
| "runs_per_configuration": 3 |
Hardcoded runs_per_configuration ignores actual run count
Low Severity
runs_per_configuration is hardcoded to 3 instead of being computed from the actual run data. If the benchmark uses a different number of runs per configuration (e.g., 1 or 5), the metadata in benchmark.json and the displayed text in the viewer and markdown report will be incorrect and misleading.
size-limit report 📦
node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.