meta(changelog): Add changelog for 10.45.0 #19877
Merged
- Adds E2E tests verifying that GraphQL fetch spans are attributed to the correct navigation transaction in React Router 7 lazy routes
- Test 1: Navigate from index to lazy GQL page → asserts UserAQuery span is in the navigation transaction (not the pageload)
- Test 2: Navigate between two lazy GQL pages → asserts UserAQuery only in first nav, UserBQuery only in second nav, no cross-leaking

Closes #19845 (added automatically)
Fixes Dependabot alerts #1156, #1158, #1159, #1160, #1161. CVEs: CVE-2026-2229, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…ts/test-applications/nextjs-16 (#19851) Bumps [next](https://github.com/vercel/next.js) from 16.1.5 to 16.1.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.1.7</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>[Cache Components] Prevent streaming fetch calls from hanging in dev (<a href="https://redirect.github.com/vercel/next.js/issues/89194">#89194</a>)</li> <li>Apply server actions transform to node_modules in route handlers (<a href="https://redirect.github.com/vercel/next.js/issues/89380">#89380</a>)</li> <li>ensure <code>maxPostponedStateSize</code> is always respected (See: <a href="https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq">CVE-2026-27979</a>)</li> <li>feat(next/image): add lru disk cache and <code>images.maximumDiskCacheSize</code> (See: <a href="https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8">CVE-2026-27980</a>)</li> <li>Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: <a href="https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36">CVE-2026-27977</a>)</li> <li>Disallow Server Action submissions from privacy-sensitive contexts by default (See: <a href="https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx">CVE-2026-27978</a>)</li> <li>fix: patch http-proxy to prevent request smuggling in rewrites (See: <a href="https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8">CVE-2026-29057</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/unstubbable"><code>@unstubbable</code></a>, <a href="https://github.com/styfle"><code>@styfle</code></a>, <a href="https://github.com/eps1lon"><code>@eps1lon</code></a>, and <a 
href="https://github.com/ztanner"><code>@ztanner</code></a> for helping!</p> <h2>v16.1.6</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Upgrade to swc 54 (<a href="https://redirect.github.com/vercel/next.js/issues/88207">#88207</a>)</li> <li>implement LRU cache with invocation ID scoping for minimal mode response cache (<a href="https://redirect.github.com/vercel/next.js/issues/88509">#88509</a>)</li> <li>tweak LRU sentinel key (<a href="https://redirect.github.com/vercel/next.js/issues/89123">#89123</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/mischnic"><code>@mischnic</code></a>, <a href="https://github.com/wyattjoh"><code>@wyattjoh</code></a>, and <a href="https://github.com/ztanner"><code>@ztanner</code></a> for helping!</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/bdf3e3577a6d55ea186a48238d61fbd8da07a626"><code>bdf3e35</code></a> v16.1.7</li> <li><a href="https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6"><code>dc98c04</code></a> [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...</li> <li><a href="https://github.com/vercel/next.js/commit/9023c0ab70235cdf68e88c14b66290500efa9f7f"><code>9023c0a</code></a> [backport] Disallow Server Action submissions from privacy-sensitive contexts...</li> <li><a href="https://github.com/vercel/next.js/commit/36a97b9b64e263f2340afcc1c12fc01323b2cfc0"><code>36a97b9</code></a> Allow blocking cross-site dev-only websocket connections from privacy-sensiti...</li> <li><a href="https://github.com/vercel/next.js/commit/93c3993a8e3f4952508a2f6da87c1533c76b5365"><code>93c3993</code></a> [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...</li> <li><a 
href="https://github.com/vercel/next.js/commit/c68d62d5d4786fe89ab241f895b7821fcb730373"><code>c68d62d</code></a> Backport documentation fixes for 16.1.x (<a href="https://redirect.github.com/vercel/next.js/issues/90655">#90655</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/5214ac1513f4d2f2315d35a81a7e249e2815d90c"><code>5214ac1</code></a> [backport]: ensure maxPostponedStateSize is always respected (<a href="https://redirect.github.com/vercel/next.js/issues/90060">#90060</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/90471">#90471</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/c95e357f195c5d6c54d9dd599b89916f7217c9c5"><code>c95e357</code></a> Backport/docs fixes 16.1.x (<a href="https://redirect.github.com/vercel/next.js/issues/90125">#90125</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/cba6144edd14f1a8c8c8663feb632cfbd50d4e2e"><code>cba6144</code></a> [backport] Apply server actions transform to <code>node_modules</code> in route handlers...</li> <li><a href="https://github.com/vercel/next.js/commit/3db90632a7957a1bbda98ebb228e57618bbb7032"><code>3db9063</code></a> [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...</li> <li>Additional commits viewable in <a href="https://github.com/vercel/next.js/compare/v16.1.5...v16.1.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixes Dependabot alert #1137. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
[Gitflow] Merge master into develop
…ovider (#19723)

## Summary

- Calls `trace.disable()` before `trace.setGlobalTracerProvider()` in `@sentry/deno`'s OTel tracer setup
- This fixes silent registration failure when Supabase Edge Runtime (or Deno's native OTel) pre-registers a `TracerProvider` on the `@opentelemetry/api` global (`Symbol.for('opentelemetry.js.api.1')`)
- Without this fix, **OTel-instrumented spans** (e.g. `gen_ai.*` from AI SDK, or any library using `@opentelemetry/api`) never reach Sentry because Sentry's `TracerProvider` fails to register as the global. Sentry's own `startSpan()` API is unaffected since it bypasses the OTel global.

## Context

Supabase Edge Runtime (Deno 2.1.4+) registers its own `TracerProvider` before user code runs. The OTel API's `trace.setGlobalTracerProvider()` is a no-op if a provider is already registered (it only logs a diag warning), so Sentry's tracer silently gets ignored.

**What works without the fix:** `Sentry.startSpan()` — goes through Sentry's internal pipeline, not the OTel global.

**What breaks without the fix:** Any spans created via `@opentelemetry/api` (AI SDK's `gen_ai.*` spans, HTTP instrumentations, etc.) — these hit the pre-existing Supabase provider instead of Sentry's.

Calling `trace.disable()` clears the global, allowing `trace.setGlobalTracerProvider()` to succeed. This matches the pattern already used in `cleanupOtel()` in the test file and is safe because:

1. It only runs once during `Sentry.init()`
2. Any pre-existing provider is immediately replaced by Sentry's
3. It's gated behind `skipOpenTelemetrySetup` so users with custom OTel setups can opt out
4. The Cloudflare package was investigated and doesn't have the same issue

## Test plan

- [x] Updated `should override pre-existing OTel provider with Sentry provider` unit test — simulates a pre-existing provider and verifies Sentry overrides it
- [x] Updated `should override native Deno OpenTelemetry when enabled` unit test — verifies Sentry captures spans even when `OTEL_DENO=true`
- [x] **E2E test app** (`dev-packages/e2e-tests/test-applications/deno/`) — Deno server with pre-existing OTel provider, 5 tests:
  - Error capture (`Sentry.captureException`)
  - `Sentry.startSpan` transaction
  - OTel `tracer.startSpan` despite pre-existing provider (core regression test)
  - OTel `tracer.startActiveSpan` (AI SDK pattern)
  - Sentry + OTel interop (OTel child inside Sentry parent)
- [x] Verified manually with Supabase Edge Function + AI SDK: `Sentry.startSpan()` spans appeared in Sentry both before and after the fix, but `gen_ai.*` OTel spans only appeared after the fix

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Closes #19724

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
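The registration race the commit above describes, as an added example that is not part of the PR, the Sentry SDK or `@opentelemetry/api`: a small runnable model of the OTel global-provider registration so the "silently ignored provider" failure and the `disable()`-first fix can be run offline. It reuses the real global key `Symbol.for('opentelemetry.js.api.1')` and the rule that registering over an existing provider is a no-op; the provider objects, the `scenario`/`setupSentryProvider` function names and the `gen_ai.generate_text` span name are constructed for illustration.

```javascript
// Added example (not Sentry SDK or @opentelemetry/api code): a model of the
// OTel global TracerProvider registration described in the commit message.
// The real API keeps its globals on globalThis under this symbol; the model
// reuses the key and the "no-op if already registered" behaviour only.
const GLOBAL_OTEL_KEY = Symbol.for('opentelemetry.js.api.1');

function getGlobals() {
  if (!globalThis[GLOBAL_OTEL_KEY]) globalThis[GLOBAL_OTEL_KEY] = {};
  return globalThis[GLOBAL_OTEL_KEY];
}

// Model of trace.setGlobalTracerProvider(): returns false and keeps the
// existing provider when one is already registered (the real API also only
// logs a diag warning in that case, which is what makes the failure silent).
function setGlobalTracerProvider(provider) {
  const g = getGlobals();
  if (g.trace) return false;
  g.trace = provider;
  return true;
}

// Model of trace.getTracerProvider().
function getGlobalTracerProvider() {
  return getGlobals().trace || null;
}

// Model of trace.disable(): clears the registered provider.
function disableGlobalTracerProvider() {
  delete getGlobals().trace;
}

// Hypothetical providers: one standing in for the provider a runtime such as
// Supabase Edge Runtime registers before user code, one for Sentry's.
const runtimeProvider = { name: 'runtime-provider', spans: [] };
const sentryProvider = { name: 'sentry-provider', spans: [] };

// The setup step the commit changes. `disableFirst` toggles the fix;
// `skipOpenTelemetrySetup` mirrors the opt-out option the commit names.
function setupSentryProvider({ disableFirst, skipOpenTelemetrySetup = false }) {
  if (skipOpenTelemetrySetup) {
    const current = getGlobalTracerProvider();
    return { registered: false, global: current ? current.name : null };
  }
  if (disableFirst) disableGlobalTracerProvider();
  const registered = setGlobalTracerProvider(sentryProvider);
  const current = getGlobalTracerProvider();
  return { registered, global: current ? current.name : null };
}

// A library instrumented via @opentelemetry/api only ever sees the global
// provider, so whichever provider is registered receives its spans.
function recordLibrarySpan(name) {
  const provider = getGlobalTracerProvider();
  if (!provider) return null;
  provider.spans.push(name);
  return provider.name;
}

// Run one full scenario from a clean global state and report where an
// OTel-instrumented span ended up.
function scenario(disableFirst) {
  delete globalThis[GLOBAL_OTEL_KEY];
  runtimeProvider.spans.length = 0;
  sentryProvider.spans.length = 0;
  setGlobalTracerProvider(runtimeProvider); // runtime registers before user code
  const result = setupSentryProvider({ disableFirst });
  const spanLandedIn = recordLibrarySpan('gen_ai.generate_text'); // constructed span name
  return { ...result, spanLandedIn, sentrySpans: sentryProvider.spans.length };
}

console.log('without disable():', scenario(false));
console.log('with disable():   ', scenario(true));
```

The practical check this illustrates: `trace.setGlobalTracerProvider()` returns a boolean, so an SDK that registers a provider should look at that return value rather than assume success, and a deployment can confirm which provider is live by asserting that a library-created span (not only `Sentry.startSpan()`) reaches Sentry.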
Fixes Dependabot alert #1146. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…2026-31873 (#19848) Fixes Dependabot alerts #1143 and #1144. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…9847) Fixes Dependabot alerts #1141 (CVE-2026-31808) and #1155 (CVE-2026-32630). Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary

This PR migrates from the deprecated `action-prepare-release` to the new Craft GitHub Actions.

## Changes

- Migrated `.github/workflows/auto-release.yml` to Craft reusable workflow

## Documentation

See https://getsentry.github.io/craft/github-actions/ for more information.

Closes #18765 (added automatically)

---------

Co-authored-by: Charly Gomez <charly.gomez@sentry.io>
This PR fixes a bug in our node-core `httpServerIntegration` (user-facing it's `httpIntegration`), which caused traceIds (or rather our propagationContext) to stay the same across requests. This would surface in SDK setups where tracing is not explicitly enabled (e.g. missing `tracesSampleRate`), causing caught errors across requests to be associated with the same trace. This PR now recycles the propagationContext on the current as well as isolation scope to ensure traces are isolated on a request level. Added node(-core) integration tests to demonstrate that traceIds are now scoped to requests, when tracing is enabled or disabled. Prior to this PR, the test for tracing being disabled failed. Note: This should only have an effect on SDKs configured for tracing without spans (i.e. (and confusingly) no `tracesSampleRate` set), as for tracing with spans, we take the trace data from the active span directly. I added a test demonstrating this, just to be sure. closes #19815 ref #17101 --------- Co-authored-by: Charly Gomez <charly.gomez1310@gmail.com>
Adds automatic trace propagation from server to client via the Server-Timing HTTP header for Remix applications. The client-side reading of Server-Timing headers via the Performance API was added in #18673.

Adds:
- `generateSentryServerTimingHeader(span)` public utility that generates a Server-Timing header value containing Sentry trace context
- Automatic injection in the document request handler for normal page responses
- Automatic injection on redirect responses from loaders and actions, which bypass the document request handler entirely. This is an advantage over meta tag injection, which cannot work on redirect responses since they have no HTML body
- For Cloudflare/Hydrogen apps: call `generateSentryServerTimingHeader()` manually and append the value to the response's `Server-Timing` header in entry.server.tsx (see remix-hydrogen e2e test for example)

Works on both Node.js and Cloudflare Workers environments.

Closes #18696

---------

Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>
Skip 3 ISR route tests on the latest variant that fail due to opennext not supporting the prefetch-hints.json manifest required by newer Next.js versions. Ref: opennextjs/opennextjs-cloudflare#1141 --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
closes #18294 closes [JS-1202](https://linear.app/getsentry/issue/JS-1202/cloudflare-types-for-env-no-longer-work) By not using `unknown` but going directly to the `env` export of `cloudflare:workers`, this should resolve the typing issue, without changing the current generic API (as proposed in #18302). The test proves that when changing the Cloudflare globals, this works OOTB now.
…33036 and related (#19870)

Fixes Dependabot alerts #1165-#1215 (HTTP smuggling, image disk cache DoS, WebSocket DoS, CSRF null origin bypass in Next.js).

- nextjs-16-bun/cacheComponents/cf-workers/trailing-slash/tunnel: 16.1.5 → 16.1.7
- nextjs-sourcemaps: 16.1.6 → 16.1.7
- nextjs-15, nextjs-15-intl: 15.5.10 → 15.5.13
- nextjs-15-t3: ^15.5.9 → ^15.5.13

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary

Small, safe simplifications across core utilities. Combined saves **~80 bytes gzipped**.

## Changes

- **envelope.ts**: Slim `ITEM_TYPE_TO_DATA_CATEGORY_MAP` by removing 7 self-mapping entries (e.g. `session: "session"`). Falls back to the type name itself.
- **object.ts**: Replace `getOwnProperties` manual `for...in` + `hasOwnProperty` loop with `Object.fromEntries(Object.entries(obj))`. Use shorthand `value` in `addNonEnumerableProperty`.
- **baggage.ts**: Use `.startsWith()` instead of `.match(regex)` for sentry prefix check.
- **browser.ts**: Inline `allowedAttrs` array literal directly in the `for...of` loop.
- **eventFilters.ts**: Convert verbose `DEFAULT_IGNORE_ERRORS` string literals to shorter regex patterns with equivalent matching behavior (vv().getRestrictions, simulateEvent, solana, _AutofillCallbackHandler).

All changes are behavior-preserving. Part of #19833.

Co-Authored-By: Claude claude@anthropic.com

---------

Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>
Fix Next.js tunnel route span filtering by extending `dropMiddlewareTunnelRequests` to also drop `BaseServer.handleRequest` spans that match the tunnel path, replacing a fragile transaction-name string comparison in the event processor with the early, attribute-based `TRANSACTION_ATTR_SHOULD_DROP_TRANSACTION` mechanism already used for middleware and fetch spans. closes https://linear.app/getsentry/issue/JS-1952/nextjs-automatically-filter-tunnel-route-spans closes #19840
Co-Authored-By: claude-4.6-opus-high-thinking <noreply@anthropic.com> Made-with: Cursor
Semver Impact of This PR: 🟢 Patch (bug fixes)

📋 Changelog Preview: This is how your changes will appear in the changelog.

Internal Changes 🔧

🤖 This preview updates automatically when you update the PR.
size-limit report 📦

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
chargome
approved these changes
Mar 19, 2026
Smaller release to get out #19835 but also includes #18653 (making this a minor release) and some other fixes