@s1gr1d s1gr1d commented Nov 24, 2025

No description provided.

andreiborza and others added 30 commits November 19, 2025 11:32
Bumping OpenTelemetry instrumentations is an important but tedious task:
all instrumentations have to be bumped in lockstep across the codebase.
That includes easy-to-miss dev-packages and third-party instrumentations
like prisma's.

This command should make it easier to do that.

Example of a PR that was kicked off with this command:
#18239

Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 4 to 5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<p><strong>BREAKING CHANGE:</strong> this update supports Node
<code>v24.x</code>. This is not a breaking change per se but we're
treating it as such.</p>
<ul>
<li>Update README.md by <a
href="https://github.com/GhadimiR"><code>@​GhadimiR</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li>
<li>Readme: spell out the first use of GHES by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li>
<li>Update GHES guidance to include reference to Node 20 version by <a
href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li>
<li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li>
<li>Prepare <code>v5.0.0</code> by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/GhadimiR"><code>@​GhadimiR</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li>
<li><a href="https://github.com/nebuk89"><code>@​nebuk89</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li>
<li><a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li>
<li><a
href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v5.0.0">https://github.com/actions/upload-artifact/compare/v4...v5.0.0</a></p>
<h2>v4.6.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Update to use artifact 2.3.2 package &amp; prepare for new
upload-artifact release by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.6.2">https://github.com/actions/upload-artifact/compare/v4...v4.6.2</a></p>
<h2>v4.6.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update to use artifact 2.2.2 package by <a
href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/673">actions/upload-artifact#673</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.6.1">https://github.com/actions/upload-artifact/compare/v4...v4.6.1</a></p>
<h2>v4.6.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Expose env vars to control concurrency and timeout by <a
href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/662">actions/upload-artifact#662</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.6.0">https://github.com/actions/upload-artifact/compare/v4...v4.6.0</a></p>
<h2>v4.5.0</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: deprecated <code>Node.js</code> version in action by <a
href="https://github.com/hamirmahal"><code>@​hamirmahal</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li>
<li>Add new <code>artifact-digest</code> output by <a
href="https://github.com/bdehamer"><code>@​bdehamer</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/656">actions/upload-artifact#656</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/hamirmahal"><code>@​hamirmahal</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/330a01c490aca151604b8cf639adc76d48f6c5d4"><code>330a01c</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/734">#734</a>
from actions/danwkennedy/prepare-5.0.0</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/03f282445299bbefc96171af272a984663b63a26"><code>03f2824</code></a>
Update <code>github.dep.yml</code></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/905a1ecb5915b264cbc519e4eb415b5d82916018"><code>905a1ec</code></a>
Prepare <code>v5.0.0</code></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/2d9f9cdfa99fedaddba68e9b5b5c281eca26cc63"><code>2d9f9cd</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/725">#725</a>
from patrikpolyak/patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/9687587dec67f2a8bc69104e183d311c42af6d6f"><code>9687587</code></a>
Merge branch 'main' into patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/2848b2cda0e5190984587ec6bb1f36730ca78d50"><code>2848b2c</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/727">#727</a>
from danwkennedy/patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/9b511775fd9ce8c5710b38eea671f856de0e70a7"><code>9b51177</code></a>
Spell out the first use of GHES</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/cd231ca1eda77976a84805c4194a1954f56b0727"><code>cd231ca</code></a>
Update GHES guidance to include reference to Node 20 version</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/de65e23aa2b7e23d713bb51fbfcb6d502f8667d8"><code>de65e23</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/712">#712</a>
from actions/nebuk89-patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/8747d8cd7632611ad6060b528f3e0f654c98869c"><code>8747d8c</code></a>
Update README.md</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/upload-artifact/compare/v4...v5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Peer Stöcklmair <jan.oster94@gmail.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4
to 6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-node/releases">actions/setup-node's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h2>What's Changed</h2>
<p><strong>Breaking Changes</strong></p>
<ul>
<li>Limit automatic caching to npm, update workflows and documentation
by <a
href="https://github.com/priyagupta108"><code>@​priyagupta108</code></a>
in <a
href="https://redirect.github.com/actions/setup-node/pull/1374">actions/setup-node#1374</a></li>
</ul>
<p><strong>Dependency Upgrades</strong></p>
<ul>
<li>Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes
in v5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1336">#1336</a></li>
<li>Upgrade prettier from 2.8.8 to 3.6.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1334">#1334</a></li>
<li>Upgrade actions/publish-action from 0.3.0 to 0.4.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1362">#1362</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-node/compare/v5...v6.0.0">https://github.com/actions/setup-node/compare/v5...v6.0.0</a></p>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<h3>Breaking Changes</h3>
<ul>
<li>Enhance caching in setup-node with automatic package manager
detection by <a
href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a>
in <a
href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
</ul>
<p>This update introduces automatic caching when a valid
<code>packageManager</code> field is present in your
<code>package.json</code>. This aims to improve workflow performance and
make dependency management more seamless.
To disable this automatic caching, set <code>package-manager-cache:
false</code></p>
<pre lang="yaml"><code>steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
</code></pre>
<ul>
<li>Upgrade action to use node24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p>Make sure your runner is on version v2.327.1 or later to ensure
compatibility with this release. <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">See
Release Notes</a></p>
<h3>Dependency Upgrades</h3>
<ul>
<li>Upgrade <code>@​octokit/request-error</code> and
<code>@​actions/github</code> by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1227">actions/setup-node#1227</a></li>
<li>Upgrade uuid from 9.0.1 to 11.1.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1273">actions/setup-node#1273</a></li>
<li>Upgrade undici from 5.28.5 to 5.29.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1295">actions/setup-node#1295</a></li>
<li>Upgrade form-data to bring in fix for critical vulnerability by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-node/pull/1332">actions/setup-node#1332</a></li>
<li>Upgrade actions/checkout from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/setup-node/pull/1345">actions/setup-node#1345</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-node/compare/v4...v5.0.0">https://github.com/actions/setup-node/compare/v4...v5.0.0</a></p>
<h2>v4.4.0</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-node/commit/2028fbc5c25fe9cf00d9f06a71cc4710d4507903"><code>2028fbc</code></a>
Limit automatic caching to npm, update workflows and documentation (<a
href="https://redirect.github.com/actions/setup-node/issues/1374">#1374</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/13427813f706a0f6c9b74603b31103c40ab1c35a"><code>1342781</code></a>
Bump actions/publish-action from 0.3.0 to 0.4.0 (<a
href="https://redirect.github.com/actions/setup-node/issues/1362">#1362</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/89d709d423dc495668cd762a18dd4a070611be3f"><code>89d709d</code></a>
Bump prettier from 2.8.8 to 3.6.2 (<a
href="https://redirect.github.com/actions/setup-node/issues/1334">#1334</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/cd2651c46231bc0d6f48d6b34433b845331235fe"><code>cd2651c</code></a>
Bump ts-jest from 29.1.2 to 29.4.1 (<a
href="https://redirect.github.com/actions/setup-node/issues/1336">#1336</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/a0853c24544627f65ddf259abe73b1d18a591444"><code>a0853c2</code></a>
Bump actions/checkout from 4 to 5 (<a
href="https://redirect.github.com/actions/setup-node/issues/1345">#1345</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/b7234cc9fe124f0f4932554b4e5284543083ae7b"><code>b7234cc</code></a>
Upgrade action to use node24 (<a
href="https://redirect.github.com/actions/setup-node/issues/1325">#1325</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/d7a11313b581b306c961b506cfc8971208bb03f6"><code>d7a1131</code></a>
Enhance caching in setup-node with automatic package manager detection
(<a
href="https://redirect.github.com/actions/setup-node/issues/1348">#1348</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/5e2628c959b9ade56971c0afcebbe5332d44b398"><code>5e2628c</code></a>
Bumps form-data (<a
href="https://redirect.github.com/actions/setup-node/issues/1332">#1332</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/65beceff8e91358525397bdce9103d999507ab03"><code>65becef</code></a>
Bump undici from 5.28.5 to 5.29.0 (<a
href="https://redirect.github.com/actions/setup-node/issues/1295">#1295</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/7e24a656e1c7a0d6f3eaef8d8e84ae379a5b035b"><code>7e24a65</code></a>
Bump uuid from 9.0.1 to 11.1.0 (<a
href="https://redirect.github.com/actions/setup-node/issues/1273">#1273</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/setup-node/compare/v4...v6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-node&package-manager=github_actions&previous-version=4&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Peer Stöcklmair <jan.oster94@gmail.com>

[Gitflow] Merge master into develop

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3 to 4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.31.2</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.31.2 - 30 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.31.2/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.31.1</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.31.1 - 30 Oct 2025</h2>
<ul>
<li>The <code>add-snippets</code> input has been removed from the
<code>analyze</code> action. This input has been deprecated since CodeQL
Action 3.26.4 in August 2024 when this removal was announced.</li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.31.1/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.31.0</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.31.0 - 24 Oct 2025</h2>
<ul>
<li>Bump minimum CodeQL bundle version to 2.17.6. <a
href="https://redirect.github.com/github/codeql-action/pull/3223">#3223</a></li>
<li>When SARIF files are uploaded by the <code>analyze</code> or
<code>upload-sarif</code> actions, the CodeQL Action automatically
performs post-processing steps to prepare the data for the upload.
Previously, these post-processing steps were only performed before an
upload took place. We are now changing this so that the post-processing
steps will always be performed, even when the SARIF files are not
uploaded. This does not change anything for the
<code>upload-sarif</code> action. For <code>analyze</code>, this may
affect Advanced Setup for CodeQL users who specify a value other than
<code>always</code> for the <code>upload</code> input. <a
href="https://redirect.github.com/github/codeql-action/pull/3222">#3222</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.31.0/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.30.9</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.30.9 - 17 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.3. <a
href="https://redirect.github.com/github/codeql-action/pull/3205">#3205</a></li>
<li>Experimental: A new <code>setup-codeql</code> action has been added
which is similar to <code>init</code>, except it only installs the
CodeQL CLI and does not initialize a database. Do not use this in
production as it is part of an internal experiment and subject to change
at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3204">#3204</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.30.9/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.30.8</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h2>4.31.2 - 30 Oct 2025</h2>
<p>No user facing changes.</p>
<h2>4.31.1 - 30 Oct 2025</h2>
<ul>
<li>The <code>add-snippets</code> input has been removed from the
<code>analyze</code> action. This input has been deprecated since CodeQL
Action 3.26.4 in August 2024 when this removal was announced.</li>
</ul>
<h2>4.31.0 - 24 Oct 2025</h2>
<ul>
<li>Bump minimum CodeQL bundle version to 2.17.6. <a
href="https://redirect.github.com/github/codeql-action/pull/3223">#3223</a></li>
<li>When SARIF files are uploaded by the <code>analyze</code> or
<code>upload-sarif</code> actions, the CodeQL Action automatically
performs post-processing steps to prepare the data for the upload.
Previously, these post-processing steps were only performed before an
upload took place. We are now changing this so that the post-processing
steps will always be performed, even when the SARIF files are not
uploaded. This does not change anything for the
<code>upload-sarif</code> action. For <code>analyze</code>, this may
affect Advanced Setup for CodeQL users who specify a value other than
<code>always</code> for the <code>upload</code> input. <a
href="https://redirect.github.com/github/codeql-action/pull/3222">#3222</a></li>
</ul>
<h2>4.30.9 - 17 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.3. <a
href="https://redirect.github.com/github/codeql-action/pull/3205">#3205</a></li>
<li>Experimental: A new <code>setup-codeql</code> action has been added
which is similar to <code>init</code>, except it only installs the
CodeQL CLI and does not initialize a database. Do not use this in
production as it is part of an internal experiment and subject to change
at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3204">#3204</a></li>
</ul>
<h2>4.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<h2>4.30.7 - 06 Oct 2025</h2>
<ul>
<li>[v4+ only] The CodeQL Action now runs on Node.js v24. <a
href="https://redirect.github.com/github/codeql-action/pull/3169">#3169</a></li>
</ul>
<h2>3.30.6 - 02 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.2. <a
href="https://redirect.github.com/github/codeql-action/pull/3168">#3168</a></li>
</ul>
<h2>3.30.5 - 26 Sep 2025</h2>
<ul>
<li>We fixed a bug that was introduced in <code>3.30.4</code> with
<code>upload-sarif</code> which resulted in files without a
<code>.sarif</code> extension not getting uploaded. <a
href="https://redirect.github.com/github/codeql-action/pull/3160">#3160</a></li>
</ul>
<h2>3.30.4 - 25 Sep 2025</h2>
<ul>
<li>We have improved the CodeQL Action's ability to validate that the
workflow it is used in does not use different versions of the CodeQL
Action for different workflow steps. Mixing different versions of the
CodeQL Action in the same workflow is unsupported and can lead to
unpredictable results. A warning will now be emitted from the
<code>codeql-action/init</code> step if different versions of the CodeQL
Action are detected in the workflow file. Additionally, an error will
now be thrown by the other CodeQL Action steps if they load a
configuration file that was generated by a different version of the
<code>codeql-action/init</code> step. <a
href="https://redirect.github.com/github/codeql-action/pull/3099">#3099</a>
and <a
href="https://redirect.github.com/github/codeql-action/pull/3100">#3100</a></li>
<li>We added support for reducing the size of dependency caches for Java
analyses, which will reduce cache usage and speed up workflows. This
will be enabled automatically at a later time. <a
href="https://redirect.github.com/github/codeql-action/pull/3107">#3107</a></li>
<li>You can now run the latest CodeQL nightly bundle by passing
<code>tools: nightly</code> to the <code>init</code> action. In general,
the nightly bundle is unstable and we only recommend running it when
directed by GitHub staff. <a
href="https://redirect.github.com/github/codeql-action/pull/3130">#3130</a></li>
<li>Update default CodeQL bundle version to 2.23.1. <a
href="https://redirect.github.com/github/codeql-action/pull/3118">#3118</a></li>
</ul>
<h2>3.30.3 - 10 Sep 2025</h2>
<p>No user facing changes.</p>
<h2>3.30.2 - 09 Sep 2025</h2>
<ul>
<li>Fixed a bug which could cause language autodetection to fail. <a
href="https://redirect.github.com/github/codeql-action/pull/3084">#3084</a></li>
<li>Experimental: The <code>quality-queries</code> input that was added
in <code>3.29.2</code> as part of an internal experiment is now
deprecated and will be removed in an upcoming version of the CodeQL
Action. It has been superseded by a new <code>analysis-kinds</code>
input, which is part of the same internal experiment. Do not use this in
production as it is subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/3064">#3064</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/74c8748a6f2dada2c01b25ae170d7858ac90f4af"><code>74c8748</code></a>
Update analyze/action.yml</li>
<li><a
href="https://github.com/github/codeql-action/commit/34c50c1d299d8a59b64a9dc6faf04dc0d9c33152"><code>34c50c1</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3251">#3251</a>
from github/mbg/user-error/enablement</li>
<li><a
href="https://github.com/github/codeql-action/commit/4ae68afd845398aa4e0bd7fccf3a37d121b3ec88"><code>4ae68af</code></a>
Warn if the <code>add-snippets</code> input is used</li>
<li><a
href="https://github.com/github/codeql-action/commit/52a7bd7b6e714abd930eb15cde3c7c76c45d6c0f"><code>52a7bd7</code></a>
Check for 403 status</li>
<li><a
href="https://github.com/github/codeql-action/commit/194ba0ee2dcf02e70ff941763c144ea06f58c485"><code>194ba0e</code></a>
Make error message tests less brittle</li>
<li><a
href="https://github.com/github/codeql-action/commit/53acf0b8aa0a8705134bb6153d859bc2817e1740"><code>53acf0b</code></a>
Turn enablement errors into configuration errors</li>
<li><a
href="https://github.com/github/codeql-action/commit/ac9aeee2261a2f9c74439210107de7657bd5ed42"><code>ac9aeee</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3249">#3249</a>
from github/henrymercer/api-logging</li>
<li><a
href="https://github.com/github/codeql-action/commit/d49e837b8cf6e8fd2c77703cc5189cfa79547ec0"><code>d49e837</code></a>
Merge branch 'main' into henrymercer/api-logging</li>
<li><a
href="https://github.com/github/codeql-action/commit/3d988b275a8c578caa755c4aaccd900332aefe93"><code>3d988b2</code></a>
Pass minimal copy of <code>core</code></li>
<li><a
href="https://github.com/github/codeql-action/commit/8cc18acfa4e60a22b3ed992afffc562f93c17030"><code>8cc18ac</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3250">#3250</a>
from github/henrymercer/prefer-fs-delete</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/v3...v4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3&new-version=4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Peer Stöcklmair <jan.oster94@gmail.com>
…17825)

Bumps
[actions/create-github-app-token](https://github.com/actions/create-github-app-token)
from 2.1.1 to 2.1.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's
releases</a>.</em></p>
<blockquote>
<h2>v2.1.4</h2>
<h2><a
href="https://github.com/actions/create-github-app-token/compare/v2.1.3...v2.1.4">2.1.4</a>
(2025-09-13)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​octokit/auth-app</code> from
7.2.1 to 8.0.1 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/257">#257</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1">bef1eaf</a>)</li>
</ul>
<h2>v2.1.3</h2>
<h2><a
href="https://github.com/actions/create-github-app-token/compare/v2.1.2...v2.1.3">2.1.3</a>
(2025-09-13)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump undici from 7.8.0 to 7.10.0 in the
production-dependencies group (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/254">#254</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/f3d5ec20739b0cf6f0d52e5a051b65484c378ec9">f3d5ec2</a>)</li>
</ul>
<h2>v2.1.2</h2>
<h2><a
href="https://github.com/actions/create-github-app-token/compare/v2.1.1...v2.1.2">2.1.2</a>
(2025-09-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​octokit/request</code> from
9.2.3 to 10.0.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/256">#256</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130">5d7307b</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/create-github-app-token/commit/67018539274d69449ef7c02e8e71183d1719ab42"><code>6701853</code></a>
build(release): 2.1.4 [skip ci]</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1"><code>bef1eaf</code></a>
fix(deps): bump <code>@​octokit/auth-app</code> from 7.2.1 to 8.0.1 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/257">#257</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/1526738aa46502312d4f6ba7779d432c61dc4e36"><code>1526738</code></a>
build(release): 2.1.3 [skip ci]</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/f3d5ec20739b0cf6f0d52e5a051b65484c378ec9"><code>f3d5ec2</code></a>
fix(deps): bump undici from 7.8.0 to 7.10.0 in the
production-dependencies gr...</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/def152b8a737443d7af6c5722c6389146fe90c90"><code>def152b</code></a>
build(release): 2.1.2 [skip ci]</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130"><code>5d7307b</code></a>
fix(deps): bump <code>@​octokit/request</code> from 9.2.3 to 10.0.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/256">#256</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/525760a53ff3ae31661275c3461bff7181a54c90"><code>525760a</code></a>
build(deps): bump stefanzweifel/git-auto-commit-action from 5.2.0 to
6.0.1 (#...</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/8ab05a8a84060745bdc8f0b4f6d8f403c29e06b8"><code>8ab05a8</code></a>
Add beta branch support for releases (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/282">#282</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/d00315e88cbf932b0754df7a395f556a41b682e4"><code>d00315e</code></a>
build(deps): bump actions/checkout from 4 to 5 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/279">#279</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/fcc6c288e5046f2c3614766b9abb3c41fc5b56c6"><code>fcc6c28</code></a>
build(deps-dev): bump dotenv from 16.5.0 to 17.2.1 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/269">#269</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/create-github-app-token/compare/a8d616148505b5069dccd32f177bb87d7f39123b...67018539274d69449ef7c02e8e71183d1719ab42">compare
view</a></li>
</ul>
</details>
<br />



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Update actions/create-github-app-token from 2.1.1 to 2.1.4 in
auto-release and release workflows.
> 
> - **CI Workflows**:
>   - Bump `actions/create-github-app-token` to `v2.1.4` in `.github/workflows/auto-release.yml` and `.github/workflows/release.yml`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
e8434a8. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Peer Stöcklmair <jan.oster94@gmail.com>
Just bumping some transitive dev deps to fix security warnings.
…ests/test-applications/cloudflare-astro (#18259)

Bumps
[astro](https://github.com/withastro/astro/tree/HEAD/packages/astro)
from 4.16.18 to 5.15.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/withastro/astro/releases">astro's
releases</a>.</em></p>
<blockquote>
<h2>astro@5.15.9</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14786">#14786</a>
<a
href="https://github.com/withastro/astro/commit/758a891112839a108479fd0489a1785640b31ecf"><code>758a891</code></a>
Thanks <a href="https://github.com/mef"><code>@​mef</code></a>! - Add
handling of invalid encrypted props and slots in server islands.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14783">#14783</a>
<a
href="https://github.com/withastro/astro/commit/504958fe7fccd7bffc177a1f4b1bf4e22989470e"><code>504958f</code></a>
Thanks <a
href="https://github.com/florian-lefebvre"><code>@​florian-lefebvre</code></a>!
- Improves the experimental Fonts API build log to show the number of
downloaded files. This can help spotting excessive downloading because
of misconfiguration</p>
</li>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14791">#14791</a>
<a
href="https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"><code>9e9c528</code></a>
Thanks <a
href="https://github.com/Princesseuh"><code>@​Princesseuh</code></a>! -
Changes the remote protocol checks for images to require explicit
authorization in order to use data URIs.</p>
<p>In order to allow data URIs for remote images, you will need to
update your <code>astro.config.mjs</code> file to include the following
configuration:</p>
<pre lang="js"><code>// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  images: {
    remotePatterns: [
      {
        protocol: 'data',
      },
    ],
  },
});
</code></pre>
</li>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14787">#14787</a>
<a
href="https://github.com/withastro/astro/commit/0f75f6bc637d547e07324e956db21d9f245a3e8e"><code>0f75f6b</code></a>
Thanks <a
href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fixes
wildcard hostname pattern matching to correctly reject hostnames without
dots</p>
<p>Previously, hostnames like <code>localhost</code> or other
single-part names would incorrectly match patterns like
<code>*.example.com</code>. The wildcard matching logic has been
corrected to ensure that only valid subdomains matching the pattern are
accepted.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14776">#14776</a>
<a
href="https://github.com/withastro/astro/commit/3537876fde3bdb2a0ded99cc9b00d53f66160a7f"><code>3537876</code></a>
Thanks <a href="https://github.com/ktym4a"><code>@​ktym4a</code></a>! -
Fixes the behavior of <code>passthroughImageService</code> so it does
not generate webp.</p>
</li>
<li>
<p>Updated dependencies [<a
href="https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"><code>9e9c528</code></a>,
<a
href="https://github.com/withastro/astro/commit/0f75f6bc637d547e07324e956db21d9f245a3e8e"><code>0f75f6b</code></a>]:</p>
<ul>
<li><code>@astrojs/internal-helpers@0.7.5</code></li>
<li><code>@astrojs/markdown-remark@6.3.9</code></li>
</ul>
</li>
</ul>
<h2>astro@5.15.8</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14772">#14772</a>
<a
href="https://github.com/withastro/astro/commit/00c579a23322d92459e4ccad0ec365c4d1980a5d"><code>00c579a</code></a>
Thanks <a
href="https://github.com/matthewp"><code>@​matthewp</code></a>! -
Improves the security of Server Islands slots by encrypting them before
transmission to the browser, matching the security model used for props.
This improves the integrity of slot content and prevents injection
attacks, even when component templates don't explicitly support
slots.</p>
<p>Slots continue to work as expected for normal usage—this change has
no breaking changes for legitimate requests.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/withastro/astro/pull/14771">#14771</a>
<a
href="https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"><code>6f80081</code></a>
Thanks <a
href="https://github.com/matthewp"><code>@​matthewp</code></a>! - Fix
middleware pathname matching by normalizing URL-encoded paths</p>
<p>Middleware now receives normalized pathname values, ensuring that
encoded paths like <code>/%61dmin</code> are properly decoded to
<code>/admin</code> before middleware checks. This prevents potential
security issues where middleware checks might be bypassed through URL
encoding.</p>
</li>
</ul>
<h2>astro@5.15.7</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/withastro/astro/commit/7a07f0244c78a8f1889c1e08910ac2033c9a8c4c"><code>7a07f02</code></a>
[ci] release (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14788">#14788</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/8cf3f0544fac865848bf6d5cc1d9e9d9b117aa7d"><code>8cf3f05</code></a>
[ci] format</li>
<li><a
href="https://github.com/withastro/astro/commit/758a891112839a108479fd0489a1785640b31ecf"><code>758a891</code></a>
fix(astro): handle invalid encrypted props in server island (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14786">#14786</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/3537876fde3bdb2a0ded99cc9b00d53f66160a7f"><code>3537876</code></a>
fix: <code>passthroughImageService</code> generate webp (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14776">#14776</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/048e4dc764d0dc2aee4ce67c7a8bb582011980dd"><code>048e4dc</code></a>
[ci] format</li>
<li><a
href="https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"><code>9e9c528</code></a>
fix: require explicit authorization to use data urls (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14791">#14791</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/0f75f6bc637d547e07324e956db21d9f245a3e8e"><code>0f75f6b</code></a>
Fix wildcard hostname matching to reject hostnames without dots (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14787">#14787</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/504958fe7fccd7bffc177a1f4b1bf4e22989470e"><code>504958f</code></a>
feat(fonts): log number of downloaded files (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14783">#14783</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/24e28d2aea9f8d3dbace85947e4712a06190568d"><code>24e28d2</code></a>
fix(deps): update astro dependencies (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14779">#14779</a>)</li>
<li><a
href="https://github.com/withastro/astro/commit/60af4d0a1a56d8db56e3d737f4f9ea680203490e"><code>60af4d0</code></a>
[ci] release (<a
href="https://github.com/withastro/astro/tree/HEAD/packages/astro/issues/14773">#14773</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/withastro/astro/commits/astro@5.15.9/packages/astro">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for astro since your current version.</p>
</details>
<br />


You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
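
The middleware path-normalization fix quoted in the astro 5.15.8 notes above, as an added example that is not part of the commit message or of Astro's code: a guard that checks the raw pathname beside one that normalizes first. The function names, the `/admin` prefix policy and the sample paths are assumptions; the example also covers encoded dot segments and malformed escapes, which the release note does not mention.

```javascript
// Added example: hypothetical guards, not Astro's middleware code.
// All names and the "/admin" policy are assumptions made for illustration.

const PROTECTED_PREFIX = '/admin';

// Decode percent-encoding once and resolve dot segments, so the guard
// compares the same string the router will later resolve.
function normalizePathname(rawPathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPathname);
  } catch {
    return null; // malformed escape such as "/%zz": the caller answers 400
  }
  const out = [];
  for (const segment of decoded.split('/')) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') out.pop();
    else out.push(segment);
  }
  return '/' + out.join('/');
}

function isProtected(pathname) {
  return pathname === PROTECTED_PREFIX || pathname.startsWith(PROTECTED_PREFIX + '/');
}

// Before: the check runs on the raw, still-encoded pathname.
function naiveGuard(rawPathname, isAdmin) {
  if (isProtected(rawPathname) && !isAdmin) return 403;
  return 200;
}

// After: normalize, reject undecodable input, then apply the same check.
function hardenedGuard(rawPathname, isAdmin) {
  const pathname = normalizePathname(rawPathname);
  if (pathname === null) return 400;
  if (isProtected(pathname) && !isAdmin) return 403;
  return 200;
}

// Constructed sample paths, all evaluated for a non-admin caller.
const SAMPLE_PATHS = [
  '/admin',
  '/%61dmin',
  '/%61dmin/users',
  '/public/%2e%2e/admin',
  '/about',
  '/%zz',
];

// Status code each guard returns per path, for side-by-side comparison.
function compareGuards(paths = SAMPLE_PATHS) {
  return paths.map((path) => ({
    path,
    naive: naiveGuard(path, false),
    hardened: hardenedGuard(path, false),
  }));
}

for (const row of compareGuards()) {
  console.log(`${row.path.padEnd(22)} naive=${row.naive} hardened=${row.hardened}`);
}
```

The guard only helps if the router resolves the same normalized string it was given; decoding in one place and routing on the raw value elsewhere reintroduces the mismatch.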
…s/test-applications/cloudflare-hono (#18038)

Bumps [hono](https://github.com/honojs/hono) from 4.9.7 to 4.10.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/hono/releases">hono's
releases</a>.</em></p>
<blockquote>
<h2>v4.10.3</h2>
<h2>Security Fix</h2>
<p>A security issue in the CORS middleware has been fixed. In some
cases, a request header could affect the Vary response header. Please
update to the latest version if you are using the CORS middleware.</p>
<h2>What's Changed</h2>
<ul>
<li>fix(aws-lambda): serve microsoft office files as binary in lambda
handler by <a
href="https://github.com/matthiasfeist"><code>@​matthiasfeist</code></a>
in <a
href="https://redirect.github.com/honojs/hono/pull/4469">honojs/hono#4469</a></li>
<li>fix(request-id): validation accepts <code>=</code> by <a
href="https://github.com/ryuapp"><code>@​ryuapp</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4478">honojs/hono#4478</a></li>
<li>refactor(jwt): reduce the size of the code generated by minification
by <a href="https://github.com/usualoma"><code>@​usualoma</code></a> in
<a
href="https://redirect.github.com/honojs/hono/pull/4480">honojs/hono#4480</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/matthiasfeist"><code>@​matthiasfeist</code></a>
made their first contribution in <a
href="https://redirect.github.com/honojs/hono/pull/4469">honojs/hono#4469</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.10.2...v4.10.3">https://github.com/honojs/hono/compare/v4.10.2...v4.10.3</a></p>
<h2>v4.10.2</h2>
<h2>Security hardening improvement</h2>
<p>If you are using JWT middleware, please read the following and
consider applying the configuration.</p>
<h3>Improper Authorization in Hono (JWT Audience Validation)</h3>
<p>Hono’s JWT authentication middleware did not validate the aud
(Audience) claim by default. As a result, applications using the
middleware without an explicit audience check could accept tokens
intended for other audiences, leading to potential cross-service access
(token mix-up).</p>
<p>The issue is addressed by adding a new <code>verification.aud</code>
configuration option to allow RFC 7519–compliant audience validation.
This change is classified as a security hardening improvement, but the
lack of validation can still be considered a vulnerability in
deployments that rely on default JWT verification.</p>
<h3>Recommended secure configuration</h3>
<p>You can enable RFC 7519–compliant audience validation using the new
<code>verification.aud</code> option:</p>
<pre lang="ts"><code>import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

app.use(
  '/api/*',
  jwt({
    secret: 'my-secret',
    verification: {
      // Require this API to only accept tokens with aud = 'service-a'
      aud: 'service-a',
    },
  })
)
</code></pre>
<h2>What's Changed</h2>
<ul>
<li>tests: Fix test case of handlers without a path by <a
href="https://github.com/IAmSSH"><code>@​IAmSSH</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4472">honojs/hono#4472</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/hono/commit/fcefd50c65144eda31e2bc6752c81904171d9629"><code>fcefd50</code></a>
4.10.3</li>
<li><a
href="https://github.com/honojs/hono/commit/95ae4d372119cddba32e4935d2bbc6f4e2768dab"><code>95ae4d3</code></a>
refactor(jwt): reduce the size of the code generated by minification (<a
href="https://redirect.github.com/honojs/hono/issues/4480">#4480</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/d9b8b4b73b4f997994f2764013207365fe711282"><code>d9b8b4b</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/52161170e83298fc3d13312bfceba3992916bfa2"><code>5216117</code></a>
fix(request-id): validation accepts <code>=</code> (<a
href="https://redirect.github.com/honojs/hono/issues/4478">#4478</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/253ec2857a083595e52a446694923645084e9ecd"><code>253ec28</code></a>
fix(aws-lambda): serve microsoft office files as binary in lambda
handler (<a
href="https://redirect.github.com/honojs/hono/issues/4">#4</a>...</li>
<li><a
href="https://github.com/honojs/hono/commit/0c6455dc10db6428257bdd601eca559247e27de6"><code>0c6455d</code></a>
4.10.2</li>
<li><a
href="https://github.com/honojs/hono/commit/45ba3bf9e3dff8e4bd85d6b47d4b71c8d6c66bef"><code>45ba3bf</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/4cbad8b3e2a67d77849710ec400d9de020c435fd"><code>4cbad8b</code></a>
tests: Fix test case of handlers without a path (<a
href="https://redirect.github.com/honojs/hono/issues/4472">#4472</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/db764c2f1d8a2905d66c78c41aa47e47d3a4165d"><code>db764c2</code></a>
4.10.1</li>
<li><a
href="https://github.com/honojs/hono/commit/8774bf9a59278a9593d5e91cc85543d5a4bb518c"><code>8774bf9</code></a>
fix(types): cannot <code>.use</code> non-return mw from
<code>createMiddleware</code> (<a
href="https://redirect.github.com/honojs/hono/issues/4465">#4465</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/hono/compare/v4.9.7...v4.10.3">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jan Peer Stöcklmair <jan.oster94@gmail.com>
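
The audience check described in the hono v4.10.2 notes above, as an added example that is not Hono's implementation or part of the commit message: the same set of already signature-verified claims evaluated with and without an expected audience. Function names, reason strings and sample payloads are constructed for illustration.

```javascript
// Added example: standalone claim validation, not Hono's code.
// Names, reason strings and sample payloads are assumptions.

// RFC 7519 section 4.1.3: "aud" is a single string or an array of strings,
// and a verifier must reject the token if it does not find itself in it.
function audienceMatches(audClaim, accepted) {
  const acceptedList = Array.isArray(accepted) ? accepted : [accepted];
  const claimed = Array.isArray(audClaim) ? audClaim : [audClaim];
  if (claimed.length === 0) return false;
  // Type-confusion guard: numbers, objects, null or '' never match.
  if (!claimed.every((v) => typeof v === 'string' && v.length > 0)) return false;
  return claimed.some((v) => acceptedList.includes(v));
}

// Runs after the signature has been verified. Leaving options.aud undefined
// models a verifier configured without an audience: no audience check at all.
function verifyClaims(payload, options = {}) {
  const now = options.now ?? Math.floor(Date.now() / 1000);
  if (typeof payload.exp === 'number' && payload.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  if (options.aud !== undefined) {
    if (!('aud' in payload)) return { ok: false, reason: 'aud_missing' };
    if (!audienceMatches(payload.aud, options.aud)) {
      return { ok: false, reason: 'aud_mismatch' };
    }
  }
  return { ok: true, reason: null };
}

// Constructed claims, as they would look once decoded from tokens that all
// carry a valid signature from the same issuer.
const NOW = 1700000000;
const SAMPLE_PAYLOADS = {
  forServiceA: { sub: 'u1', aud: 'service-a', exp: NOW + 300 },
  forServiceB: { sub: 'u1', aud: 'service-b', exp: NOW + 300 },
  multiAudience: { sub: 'u1', aud: ['service-b', 'service-a'], exp: NOW + 300 },
  noAudience: { sub: 'u1', exp: NOW + 300 },
  malformedAudience: { sub: 'u1', aud: ['service-a', 42], exp: NOW + 300 },
};

// Outcome per sample payload under the given verifier options.
function evaluate(options) {
  const out = {};
  for (const [name, payload] of Object.entries(SAMPLE_PAYLOADS)) {
    out[name] = verifyClaims(payload, { ...options, now: NOW }).reason ?? 'accepted';
  }
  return out;
}

console.log('no audience configured:', evaluate({}));
console.log("aud = 'service-a':     ", evaluate({ aud: 'service-a' }));
```

Without a configured audience every sample is accepted, including the token issued for `service-b`; with `aud: 'service-a'` only the tokens that name `service-a` pass.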
This disables the creation of dependabot updates for opentelemetry.
Based on the image below there was not a real benefit of having this,
except noise.

<img width="984" height="820" alt="Screenshot 2025-11-19 at 11 21 02"
src="https://github.com/user-attachments/assets/6849c6e2-16d2-4cfd-874e-cd3241c70deb"
/>
)

## Problem

Previously, the client would process all incoming events without any
limit, which could lead to unbounded growth of pending events/promises
in memory. This could cause performance issues and memory pressure in
high-throughput scenarios. This occurs when two conditions are met:

- when an integration with an async `processEvent` is added (e.g.
`ContextLines`, which is a defaultIntegration)
- events, e.g. `Sentry.captureException`, are called synchronously

```js
Sentry.init({ ... });

// ...

for (let i = 0; i < 5000; i++) {
  Sentry.captureException(new Error());
}
```

## Solution

This PR adds a `PromiseBuffer` to the `Client` class to limit the number
of concurrent event processing operations.

- Introduced a `_promiseBuffer` in the `Client` class that limits
concurrent event processing
- The buffer size defaults to `DEFAULT_TRANSPORT_BUFFER_SIZE` (64) but
can be configured via `transportOptions.bufferSize`
- When the buffer is full, events are rejected and properly tracked as
dropped events with the `queue_overflow` reason
  - Please tak
- Modified the `_process()` method to:
  - Accept a task producer function instead of a promise directly (lazy
    evaluation)
  - Use the promise buffer to manage concurrent operations
  - Track the data category for proper dropped event categorization

## Special 👀  on

- About reusing `transportOptions.bufferSize`: Not sure if this is the
best technique, but IMO both should have the same size - because if it
wouldn't it would be capped at a later stage (asking myself if the
transport still needs the promise buffer - as we have it now way earlier
in place)
- The `_process` takes now a `DataCategory`. At the time of the process
the event type is almost unknown. Not sure if I assumed the categories
correctly there, or if there is another technique of getting the type
(**edit:** a [comment by
Cursor](https://github.com/getsentry/sentry-javascript/pull/18120/files/2ee14b484d00432145d4f9a6773fbd31f92921d7#r2504259236)
helped a little and I added [a helper
function](7381a49))
- `recordDroppedEvent` is now printing it one after each other -
theoretically we can count all occurrences and print the count on it. I
decided against this one, since it would delay the user feedback - this
can be challenged though
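
The bounded buffer described in the commit message above, as an added example that is not part of the PR or the Sentry SDK's code: a buffer that takes a task producer (so a rejected task never starts work), frees its slot when the task settles, and counts overflow drops under the `queue_overflow` reason. `makeBoundedBuffer`, `makeClient`, `BufferFullError` and `floodDemo` are hypothetical names, and the async `processEvent` is a constructed stand-in for an integration such as `ContextLines`.

```javascript
// Added illustration. Not the Sentry SDK's implementation; all names are hypothetical.
const DEFAULT_BUFFER_SIZE = 64; // default size quoted in the PR description

class BufferFullError extends Error {}

function makeBoundedBuffer(limit = DEFAULT_BUFFER_SIZE) {
  const pending = new Set();

  // Accepts a task *producer*, so a task that is rejected never starts any work.
  function add(taskProducer) {
    if (pending.size >= limit) {
      return Promise.reject(new BufferFullError('buffer limit reached'));
    }
    // The executor runs synchronously; a producer that throws becomes a rejection.
    const task = new Promise(resolve => resolve(taskProducer()));
    pending.add(task);
    const release = () => pending.delete(task);
    task.then(release, release); // free the slot on success and on failure
    return task;
  }

  return { add, size: () => pending.size };
}

function makeClient({ bufferSize, processEvent }) {
  const buffer = makeBoundedBuffer(bufferSize);
  const sent = [];
  const dropped = new Map(); // "reason:category" -> count

  function recordDroppedEvent(reason, category) {
    const key = `${reason}:${category}`;
    dropped.set(key, (dropped.get(key) || 0) + 1);
  }

  function capture(event, category = 'error') {
    return buffer
      .add(() => processEvent(event).then(processed => { sent.push(processed); }))
      .catch(err => {
        // Only overflow is counted here; any other failure is passed on.
        if (!(err instanceof BufferFullError)) throw err;
        recordDroppedEvent('queue_overflow', category);
      });
  }

  return {
    capture,
    sent,
    pending: () => buffer.size(),
    droppedCount: (reason, category) => dropped.get(`${reason}:${category}`) || 0,
  };
}

async function floodDemo(total, bufferSize) {
  // Constructed stand-in for an integration with an async processEvent.
  const processEvent = event => new Promise(resolve => setTimeout(() => resolve(event), 5));
  const client = makeClient({ bufferSize, processEvent });

  const results = [];
  for (let i = 0; i < total; i++) {
    results.push(client.capture({ id: i })); // synchronous burst, as in the loop in the PR text
  }
  const peakPending = client.pending(); // what is held in memory right after the burst

  await Promise.all(results);
  return {
    sent: client.sent.length,
    dropped: client.droppedCount('queue_overflow', 'error'),
    peakPending,
  };
}

floodDemo(5000, DEFAULT_BUFFER_SIZE).then(result => console.log(result));
```

With a limit of 64, the 5000-event burst keeps at most 64 promises pending and the remainder show up in the drop counter instead of in memory.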
Bumps [@sentry/cli](https://github.com/getsentry/sentry-cli) from 2.56.0
to 2.58.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-cli/releases"><code>@​sentry/cli</code>'s
releases</a>.</em></p>
<blockquote>
<h2>2.58.2</h2>
<h3>Improvements</h3>
<ul>
<li>Added validation for the <code>sentry-cli build upload</code>
command's <code>--head-sha</code> and <code>--base-sha</code> arguments
(<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2945">#2945</a>).
The CLI now validates that these are valid SHA1 sums. Passing an empty
string is also allowed; this prevents the default values from being
used, causing the values to instead be unset.</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Fixed a bug where providing empty-string values for the
<code>sentry-cli build upload</code> command's
<code>--vcs-provider</code>, <code>--head-repo-name</code>,
<code>--head-ref</code>, <code>--base-ref</code>, and
<code>--base-repo-name</code> arguments resulted in 400 errors (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2946">#2946</a>).
Now, setting these to empty strings instead explicitly clears the
default value we would set otherwise, as expected.</li>
</ul>
<h2>2.58.1</h2>
<h3>Deprecations</h3>
<ul>
<li>Deprecated API key authentication (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2934">#2934</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2937">#2937</a>).
Users who are still using API keys to authenticate Sentry CLI should
generate and use an <a
href="https://docs.sentry.io/account/auth-tokens/">Auth Token</a>
instead.</li>
</ul>
<h3>Improvements</h3>
<ul>
<li>The <code>sentry-cli debug-files bundle-jvm</code> no longer makes
any HTTP requests to Sentry, meaning auth tokens are no longer needed,
and the command can be run offline (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2926">#2926</a>).</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Skip setting <code>base_sha</code> and <code>base_ref</code> when
they equal <code>head_sha</code> during auto-inference, since comparing
a commit to itself provides no meaningful baseline (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2924">#2924</a>).</li>
<li>Improved error message when supplying a non-existent organization to
<code>sentry-cli sourcemaps upload</code>. The error now correctly
indicates the organization doesn't exist, rather than incorrectly
suggesting the Sentry server lacks artifact bundle support (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2931">#2931</a>).</li>
</ul>
<h2>2.58.0</h2>
<h3>New Features</h3>
<ul>
<li>Removed experimental status from the <code>sentry-cli build
upload</code> commands (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2899">#2899</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2905">#2905</a>).
At the time of this release, build uploads are still in closed beta on
the server side, so most customers cannot use this functionality quite
yet.</li>
<li>Added CLI version metadata to build upload archives (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2890">#2890</a>).</li>
</ul>
<h3>Deprecations</h3>
<ul>
<li>Deprecated the <code>upload-proguard</code> subcommand's
<code>--platform</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2863">#2863</a>).
This flag was a no-op for some time, so we will remove it in the next
major.</li>
<li>Deprecated the <code>upload-proguard</code> subcommand's
<code>--android-manifest</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2891">#2891</a>).
This flag was a no-op for some time, so we will remove it in the next
major.</li>
<li>Deprecated the <code>sentry-cli sourcemaps upload</code> command's
<code>--no-dedupe</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2913">#2913</a>).
The flag was no longer relevant for sourcemap uploads to modern Sentry
servers and was made a no-op.</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Fixed autofilled git base metadata (<code>--base-ref</code>,
<code>--base-sha</code>) when using the <code>build upload</code>
subcommand in git repos. Previously this worked only in the context of
GitHub workflows (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2897">#2897</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2898">#2898</a>).</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Slightly sped up the <code>sentry-cli sourcemaps upload</code>
command by eliminating an HTTP request to the Sentry server, which was
not required in most cases (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2913">#2913</a>).</li>
</ul>
<h2>2.57.0</h2>
<h3>New Features</h3>
<ul>
<li>(JS API) Add <code>projects</code> field to
<code>SentryCliUploadSourceMapsOptions</code> (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2856">#2856</a>)</li>
</ul>
<h3>Deprecations</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-cli/blob/master/CHANGELOG.md"><code>@​sentry/cli</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.58.2</h2>
<h3>Improvements</h3>
<ul>
<li>Added validation for the <code>sentry-cli build upload</code>
command's <code>--head-sha</code> and <code>--base-sha</code> arguments
(<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2945">#2945</a>).
The CLI now validates that these are valid SHA1 sums. Passing an empty
string is also allowed; this prevents the default values from being
used, causing the values to instead be unset.</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Fixed a bug where providing empty-string values for the
<code>sentry-cli build upload</code> command's
<code>--vcs-provider</code>, <code>--head-repo-name</code>,
<code>--head-ref</code>, <code>--base-ref</code>, and
<code>--base-repo-name</code> arguments resulted in 400 errors (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2946">#2946</a>).
Now, setting these to empty strings instead explicitly clears the
default value we would set otherwise, as expected.</li>
</ul>
<h2>2.58.1</h2>
<h3>Deprecations</h3>
<ul>
<li>Deprecated API key authentication (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2934">#2934</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2937">#2937</a>).
Users who are still using API keys to authenticate Sentry CLI should
generate and use an <a
href="https://docs.sentry.io/account/auth-tokens/">Auth Token</a>
instead.</li>
</ul>
<h3>Improvements</h3>
<ul>
<li>The <code>sentry-cli debug-files bundle-jvm</code> no longer makes
any HTTP requests to Sentry, meaning auth tokens are no longer needed,
and the command can be run offline (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2926">#2926</a>).</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Skip setting <code>base_sha</code> and <code>base_ref</code> when
they equal <code>head_sha</code> during auto-inference, since comparing
a commit to itself provides no meaningful baseline (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2924">#2924</a>).</li>
<li>Improved error message when supplying a non-existent organization to
<code>sentry-cli sourcemaps upload</code>. The error now correctly
indicates the organization doesn't exist, rather than incorrectly
suggesting the Sentry server lacks artifact bundle support (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2931">#2931</a>).</li>
</ul>
<h2>2.58.0</h2>
<h3>New Features</h3>
<ul>
<li>Removed experimental status from the <code>sentry-cli build
upload</code> commands (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2899">#2899</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2905">#2905</a>).
At the time of this release, build uploads are still in closed beta on
the server side, so most customers cannot use this functionality quite
yet.</li>
<li>Added CLI version metadata to build upload archives (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2890">#2890</a>).</li>
</ul>
<h3>Deprecations</h3>
<ul>
<li>Deprecated the <code>upload-proguard</code> subcommand's
<code>--platform</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2863">#2863</a>).
This flag was a no-op for some time, so we will remove it in the next
major.</li>
<li>Deprecated the <code>upload-proguard</code> subcommand's
<code>--android-manifest</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2891">#2891</a>).
This flag was a no-op for some time, so we will remove it in the next
major.</li>
<li>Deprecated the <code>sentry-cli sourcemaps upload</code> command's
<code>--no-dedupe</code> flag (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2913">#2913</a>).
The flag was no longer relevant for sourcemap uploads to modern Sentry
servers and was made a no-op.</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>Fixed autofilled git base metadata (<code>--base-ref</code>,
<code>--base-sha</code>) when using the <code>build upload</code>
subcommand in git repos. Previously this worked only in the context of
GitHub workflows (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2897">#2897</a>,
<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2898">#2898</a>).</li>
</ul>
<h3>Performance</h3>
<ul>
<li>Slightly sped up the <code>sentry-cli sourcemaps upload</code>
command by eliminating an HTTP request to the Sentry server, which was
not required in most cases (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2913">#2913</a>).</li>
</ul>
<h3>Internal changes</h3>
<ul>
<li>Migrated JavaScript wrapper to TypeScript for better type safety (<a
href="https://redirect.github.com/getsentry/sentry-cli/pull/2910">#2910</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/b8965a39887e7e268e2e03ec9584d71adc30d81c"><code>b8965a3</code></a>
release: 2.58.2</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/f99509f65a71a5403fea8a569ba094c1fd8f741b"><code>f99509f</code></a>
fix(build): Allow clearing string arguments to <code>build upload</code>
(<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2946">#2946</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/a2cef209eadc9807a398aff0c411b8fb1d407d96"><code>a2cef20</code></a>
ref(build): Add client-side validation for SHA fields (<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2945">#2945</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/c550aa7ba01345303b4a698a93a332c22e59d469"><code>c550aa7</code></a>
ref(build): Move <code>VcsInfo</code> beside other <code>build
upload</code> API types (<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2944">#2944</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/f303fd401eaef1ff59ff20ffc3b9dec78152f610"><code>f303fd4</code></a>
ref(build): Use <code>VcsInfo</code> directly in
<code>ChunkedBuildRequest</code> (<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2943">#2943</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/63b187cee56bc20d595392ef0d768f5063a49391"><code>63b187c</code></a>
meta(cargo): Remove <code>authors</code> from <code>Cargo.toml</code>
(<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2939">#2939</a>)</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/1ccff9d8667d7c6364af952055c1437494b3329f"><code>1ccff9d</code></a>
build(npm): 🤖 Bump optional dependencies to 2.58.1</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/4362cf600148b8bf564919602da38fc376140b3e"><code>4362cf6</code></a>
Merge branch 'release/2.58.1'</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/b25423a2b522badb18a61d612354bf48043d2c50"><code>b25423a</code></a>
release: 2.58.1</li>
<li><a
href="https://github.com/getsentry/sentry-cli/commit/7595ba9b46fa2a28657a70f7a675cd633b3759ff"><code>7595ba9</code></a>
chore(js): Deprecate <code>apiKey</code> field (<a
href="https://redirect.github.com/getsentry/sentry-cli/issues/2937">#2937</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-cli/compare/2.56.0...2.58.2">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Angular 21 was [released](https://www.npmjs.com/package/@angular/cli)
silently yesterday. Migration docs
don't seem to indicate any breaking change for us.
https://5-0-0-beta.docs.astro.build/en/guides/upgrade-to/v5/#removed-hybrid-rendering-mode

the test app was bumped to v5 from dependabot in
#18259

---------

Co-authored-by: Andrei Borza <andrei.borza@sentry.io>
This PR adds `scope.setAttribute`, `scope.setAttributes` and
`scope.removeAttribute` methods, as specified in our [develop
docs](https://develop.sentry.dev/sdk/telemetry/scopes/#setting-attributes).

This initial PR only enables setting the attributes (including attributes
with units) as well as the usual scope data operations (clone(),
update(), clear(), getSpanData()). These attributes are not yet applied
to any of the telemetry we eventually want them to apply to. I'll take
care of this in a follow-up PR.

closes #18140

ref
https://linear.app/getsentry/project/implement-global-attributes-api-javascript-02c3c74184fc/issues

---------

Co-authored-by: Sigrid <32902192+s1gr1d@users.noreply.github.com>
Address an issue where local variables were not being captured for
out-of-app frames, even when the `includeOutOfAppFrames` option was
enabled.

The `localVariablesSyncIntegration` had a race condition where it would
process events before the debugger session was fully initialized. Fix
this by awaiting the session creation in `setupOnce`.

The tests for this integration were failing because they were not
setting up a Sentry client, which is required for the integration to be
enabled. Correct by adding a client to the test setup.

Additionally, add tests for the `localVariablesAsyncIntegration` to
ensure it correctly handles the `includeOutOfAppFrames` option.

The `LocalVariables` integration's `setupOnce` method was `async`, which
violates the `Integration` interface. This caused a race condition where
events could be processed before the integration was fully initialized,
leading to missed local variables.

Fix the race condition by:

- Make `setupOnce` synchronous to adhere to the interface contract
- Move the asynchronous initialization logic to a separate `setup`
  function
- Make `processEvent` asynchronous and await the result of the `setup`
  function, so the integration is fully initialized before processing
  any events
- Update tests to correctly `await` the `processEvent` method

Fixes GH-12588
Fixes GH-17545
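
The initialization race described in the commit message above and the shape of its fix, as an added example that is not the SDK's integration code: an `async` `setupOnce` whose promise nobody awaits, next to a synchronous `setupOnce` with a memoised `setup()` that `processEvent` awaits. The factory names, the session object and its `read` method are hypothetical, and it is an assumption of this sketch that the caller invokes `setupOnce` as a synchronous hook.

```javascript
// Added illustration. Hypothetical names; the "session" stands in for a debugger session.

// Before: setupOnce is async, but it is called as a synchronous hook, so
// processEvent can run while `session` is still undefined.
function makeRacyIntegration(createSession) {
  let session;
  return {
    async setupOnce() {
      session = await createSession();
    },
    processEvent(event) {
      if (!session) return event; // not initialised yet: local variables are missed
      return { ...event, locals: session.read(event) };
    },
  };
}

// After: setupOnce is synchronous, initialisation lives in setup(), and
// processEvent awaits it before touching the session.
function makeFixedIntegration(createSession) {
  let setupPromise; // memoised so the session is created only once

  function setup() {
    if (!setupPromise) {
      // A failed initialisation resolves to undefined instead of rejecting every event.
      setupPromise = createSession().catch(() => undefined);
    }
    return setupPromise;
  }

  return {
    setupOnce() {
      setup(); // start early, do not block the caller
    },
    async processEvent(event) {
      const session = await setup();
      return session ? { ...event, locals: session.read(event) } : event;
    },
  };
}

async function compareIntegrations() {
  // Constructed session that becomes available after 5 ms.
  const session = { read: event => ({ frameVars: `locals for event ${event.id}` }) };
  const createSession = () => new Promise(resolve => setTimeout(() => resolve(session), 5));
  const failingSession = () => Promise.reject(new Error('debugger unavailable'));

  const racy = makeRacyIntegration(createSession);
  racy.setupOnce(); // returned promise is not awaited
  const racyEvent = racy.processEvent({ id: 1 });

  const fixed = makeFixedIntegration(createSession);
  fixed.setupOnce();
  const fixedEvent = await fixed.processEvent({ id: 1 });

  const degraded = makeFixedIntegration(failingSession);
  degraded.setupOnce();
  const degradedEvent = await degraded.processEvent({ id: 1 });

  return {
    racyHasLocals: 'locals' in racyEvent,
    fixedHasLocals: 'locals' in fixedEvent,
    degradedHasLocals: 'locals' in degradedEvent,
  };
}

compareIntegrations().then(result => console.log(result));
```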
This PR bumps OpenTelemetry instrumentations and SDK packages to their
latest versions.

## Dependency Updates:

* @opentelemetry/context-async-hooks: 2.1.0 → 2.2.0
* @opentelemetry/core: 2.1.0 → 2.2.0
* @opentelemetry/resources: 2.1.0 → 2.2.0
* @opentelemetry/sdk-trace-base: 2.1.0 → 2.2.0
* @opentelemetry/sdk-trace-node: 2.1.0 → 2.2.0
* @opentelemetry/instrumentation: 0.204.0 → 0.208.0
* @opentelemetry/instrumentation-mongodb: 0.57.0 → 0.61.0
* @opentelemetry/instrumentation-pg: 0.57.0 → 0.61.0
* @opentelemetry/instrumentation-mysql: 0.50.0 → 0.54.0
* @opentelemetry/instrumentation-mysql2: 0.51.0 → 0.55.0
* @opentelemetry/instrumentation-tedious: 0.23.0 → 0.27.0
* @opentelemetry/instrumentation-mongoose: 0.51.0 → 0.55.0
* @opentelemetry/instrumentation-redis: 0.53.0 → 0.57.0
* @opentelemetry/instrumentation-ioredis: 0.52.0 → 0.56.0
* @opentelemetry/instrumentation-express: 0.53.0 → 0.57.0
* @opentelemetry/instrumentation-koa: 0.52.0 → 0.57.0
* @opentelemetry/instrumentation-hapi: 0.51.0 → 0.55.0
* @opentelemetry/instrumentation-connect: 0.48.0 → 0.52.0
* @opentelemetry/instrumentation-nestjs-core: 0.50.0 → 0.55.0
* @opentelemetry/instrumentation-http: 0.204.0 → 0.208.0
* @opentelemetry/instrumentation-graphql: 0.52.0 → 0.56.0
* @opentelemetry/instrumentation-amqplib: 0.51.0 → 0.55.0
* @opentelemetry/instrumentation-aws-sdk: 0.59.0 → 0.64.0
* @opentelemetry/instrumentation-dataloader: 0.22.0 → 0.26.0
* @opentelemetry/instrumentation-fs: 0.24.0 → 0.28.0
* @opentelemetry/instrumentation-generic-pool: 0.48.0 → 0.52.0
* @opentelemetry/instrumentation-kafkajs: 0.14.0 → 0.18.0
* @opentelemetry/instrumentation-knex: 0.49.0 → 0.53.0
* @opentelemetry/instrumentation-lru-memoizer: 0.49.0 → 0.53.0
* @opentelemetry/instrumentation-undici: 0.15.0 → 0.19.0
* @prisma/instrumentation: 6.15.0 → 6.19.0

Closes: #18178
This pull request adds support for the Azure OpenAI client in addition to
the existing support for the vanilla OpenAI client.

Fixes issue #18280
…tions (#18155)

Building on top of  #17962 

Added a few more checks to make sure non-resolved (wildcard) routes are
not reported in lazy route pageloads / navigations.

- Improved `patchSpanEnd` with a user-configurable wait timeout for
potentially slow route resolution. Named this option as
`lazyRouteTimeout` and it's defaulted as `idleTimeout` * 3. It may
conditionally delay reporting (if the route resolution is still not done
by the end of the timeout), but will prevent prematurely sent lazy-route
transactions inside that window.
- Added extra checks on `updateNavigationSpan` and `handleNavigation`
for whether any wildcard still exists in a lazy-route, so they are still
marked as open to full resolution. We keep track of pending lazy-route
resolutions inside `pendingLazyRouteLoads`
- Added a final attempt to update the transaction name with
fully-resolved route when the pending resolution is done.

Any of these should not affect the behaviour of non-lazy route usage

---------

Co-authored-by: Sigrid <32902192+s1gr1d@users.noreply.github.com>
This PR adds the external contributor to the CHANGELOG.md file, so that
they are credited for their contribution. See #18281

Co-authored-by: nicohrubec <29484629+nicohrubec@users.noreply.github.com>
This PR adds the external contributor to the CHANGELOG.md file, so that
they are credited for their contribution. See #18298

Co-authored-by: Lms24 <8420481+Lms24@users.noreply.github.com>
…#18189)

Adds the `manual` mode for profiling and browser integration tests.

- adds deprecation note for old option
- adds some JSDoc comments to public-facing API to make the difference
between Node and UI profiling better visible.

Closes #17279
It can happen that error messages are too long and exceed the maximum
envelope size (mentioned in
#18219).
`maxValueLength` now also checks for long error messages and truncates
them.
Summary for changelog: The `tunnelRoute: true` option didn't work well with Turbopack due to repeated runs of the config files leading to different tunnel URLs in client, server and edge runtimes, this PR fixes that while also fixing Sentry requests spans not being dropped by the sampler.

When using Next.js with Turbopack and the Sentry tunnel route feature
(`tunnelRoute: true`), several issues prevented events from being sent
properly:

### 1. Tunnel Route Consistency (Turbopack)

**Problem**: Random tunnel routes were generated separately for client
and server builds in Turbopack.

**Solution**: Implemented process-level caching in
`withSentryConfig.ts`:
- Extract tunnel route resolution into `resolveTunnelRoute()` function
- Use `process.env` to store the random tunnel value across
server/client builds.

### 2. Filter Tunnel Request Spans

**Problem**: Requests to the tunnel route (before rewrite) and to Sentry
ingest URLs (after rewrite) were creating spans that polluted Sentry
with internal instrumentation noise, spans were being created by the
middleware and OTEL node.js fetch instrumentation.

**Solution**: Implemented server-side span filtering:

- Created `dropMiddlewareTunnelRequests()` utility to detect and drop
tunnel-related spans
- Filter spans originating from `Middleware.execute` (Next.js
middleware)
- Filter spans originating from `auto.http.otel.node_fetch` (Node.js
fetch instrumentation)
- Check both local tunnel paths and Sentry ingest URLs (using
`isSentryRequestSpan` from `@sentry/opentelemetry`)
- Mark matching spans with `TRANSACTION_ATTR_SHOULD_DROP_TRANSACTION` to
prevent them from being sent
- I tried `beforeSampling` hook but it didn't work for some reason, so I
stuck with the drop attribute.

----

The final issue was excluding the tunnel requests from the
middleware/proxy, but there are many blockers for a solution:

1. The `config` must be statically analyzable, so we cannot expose
`withSentryMiddlewareConfig` wrapper of any kind.
2. Warning the user doesn't help much because they can't do anything
about it since the tunnel route is random.
3. Tested out writing a loader for turbopack/webpack to inject the
tunnel into the matcher as an array but user existing matcher can match
still.
4. Only way is to inject an exclusion match into the user existing
matcher, if it is an array then we need to inject it into each single
entry.

I may explore this further later with a loader for both
webpack/turbopack, and figure out a reliable way to inject the negative
matchers into the user expressions.
Lms24 and others added 2 commits November 24, 2025 17:18
We're re-introducing
`_experiments.enableLogs`. The option stays deprecated and maybe we can
actually remove it or type it as `undefined` in the next major to sunset
it for good. Main motivation for re-adding: The flag was introduced in
v9 while we already worked on v10 where we removed it again. Therefore,
it had an unusually short lifespan. Some users didn't realize this when
upgrading to v10 and were wondering where their logs went.
…sendDefaultPii` (#18311)

In case an HTTP header is considered "sensitive" (could contain tokens),
the value is already filtered within the SDK.

---

Follow-up on this PR: 
- #17475
@s1gr1d s1gr1d requested a review from a team as a code owner November 24, 2025 17:46

github-actions bot commented Nov 24, 2025

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 24.8 kB | added | added |
| @sentry/browser - with treeshaking flags | 23.31 kB | added | added |
| @sentry/browser (incl. Tracing) | 41.54 kB | added | added |
| @sentry/browser (incl. Tracing, Profiling) | 46.13 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) | 79.96 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 69.68 kB | added | added |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 84.64 kB | added | added |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 96.88 kB | added | added |
| @sentry/browser (incl. Feedback) | 41.48 kB | added | added |
| @sentry/browser (incl. sendFeedback) | 29.49 kB | added | added |
| @sentry/browser (incl. FeedbackAsync) | 34.43 kB | added | added |
| @sentry/react | 26.52 kB | added | added |
| @sentry/react (incl. Tracing) | 43.74 kB | added | added |
| @sentry/vue | 29.25 kB | added | added |
| @sentry/vue (incl. Tracing) | 43.34 kB | added | added |
| @sentry/svelte | 24.82 kB | added | added |
| CDN Bundle | 27.17 kB | added | added |
| CDN Bundle (incl. Tracing) | 42.16 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) | 78.7 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 84.15 kB | added | added |
| CDN Bundle - uncompressed | 79.84 kB | added | added |
| CDN Bundle (incl. Tracing) - uncompressed | 125.22 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 241.25 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 254.01 kB | added | added |
| @sentry/nextjs (client) | 45.96 kB | added | added |
| @sentry/sveltekit (client) | 41.9 kB | added | added |
| @sentry/node-core | 51.19 kB | added | added |
| @sentry/node | 159.24 kB | added | added |
| @sentry/node - without tracing | 92.83 kB | added | added |
| @sentry/aws-serverless | 108.08 kB | added | added |

@s1gr1d s1gr1d force-pushed the prepare-release/10.27.0 branch from ef3f20e to 6452561 Compare November 24, 2025 17:49
@AbhiPrasad AbhiPrasad closed this Nov 24, 2025
@AbhiPrasad AbhiPrasad reopened this Nov 24, 2025
CHANGELOG.md Outdated
- chore: Do not update opentelemetry ([#18254](https://github.com/getsentry/sentry-javascript/pull/18254))
- chore(angular): Add Angular 21 Support ([#18274](https://github.com/getsentry/sentry-javascript/pull/18274))
- chore(deps): bump astro from 4.16.18 to 5.15.9 in /dev-packages/e2e-tests/test-applications/cloudflare-astro ([#18259](https://github.com/getsentry/sentry-javascript/pull/18259))
- chore(deps): bump glob from 11.0.1 to 11.1.0 in /packages/react-router ([#18243](https://github.com/getsentry/sentry-javascript/pull/18243))

m: I'd pull this up to other changes or maybe even important changes since this resolves a security vulnerability: #18303

Put it into other changes as it's only used during build time in the react router sdk - impact is pretty minimal.

CHANGELOG.md Outdated
- ci(deps): bump actions/upload-artifact from 4 to 5 ([#18075](https://github.com/getsentry/sentry-javascript/pull/18075))
- ci(deps): bump github/codeql-action from 3 to 4 ([#18076](https://github.com/getsentry/sentry-javascript/pull/18076))
- doc(sveltekit): Update documentation link for SvelteKit guide ([#18298](https://github.com/getsentry/sentry-javascript/pull/18298))
- ref(react): Add more guarding against wildcards in lazy route transactions ([#18155](https://github.com/getsentry/sentry-javascript/pull/18155))

l: This should go up, it's a user facing change


github-actions bot commented Nov 24, 2025

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,078 | - | - | added |
| GET With Sentry | 1,812 | 20% | - | added |
| GET With Sentry (error only) | 6,265 | 69% | - | added |
| POST Baseline | 1,223 | - | - | added |
| POST With Sentry | 595 | 49% | - | added |
| POST With Sentry (error only) | 1,088 | 89% | - | added |
| MYSQL Baseline | 3,394 | - | - | added |
| MYSQL With Sentry | 490 | 14% | - | added |
| MYSQL With Sentry (error only) | 2,781 | 82% | - | added |

@AbhiPrasad AbhiPrasad force-pushed the prepare-release/10.27.0 branch from 6452561 to 02aa2ea Compare November 24, 2025 18:05
@AbhiPrasad AbhiPrasad merged commit 930863e into master Nov 24, 2025
389 of 391 checks passed
@AbhiPrasad AbhiPrasad deleted the prepare-release/10.27.0 branch November 24, 2025 18:36