meta(changelog): Update changelog for 10.47.0 #20050

Merged
chargome merged 41 commits into master from prepare-release/10.47.0
Mar 31, 2026
chargome and others added 30 commits March 25, 2026 15:50
Adds 8 new E2E tests to the Deno test application (5 → 13 total),
covering breadcrumbs, user/tag/extra context, scope isolation, outbound
fetch, metrics, logs, and Vercel AI SDK integration (generateText spans
+ error-trace linking).

 Changes:
 - 8 new test files in tests/
 - 8 new route handlers in src/app.ts
 - Added ai, zod dependencies + Deno import maps
 - Enabled sendDefaultPii and enableLogs in Sentry.init()

AI tests follow the same MockLanguageModelV1 pattern used in the
`nextjs-15/nextjs-16` E2E tests.

Adds `nodeRuntimeMetricsIntegration` to `@sentry/node` and
`@sentry/node-core`. When enabled, the integration periodically collects
Node.js runtime health metrics and emits them to Sentry via the metrics
pipeline.

### Usage

```ts
import * as Sentry from '@sentry/node';

Sentry.init({
  dsn: '...',
  integrations: [
    Sentry.nodeRuntimeMetricsIntegration(),
  ],
});
```

### Default metrics (8)

Emitted every 30 seconds out of the box:

| Metric | Type | Unit | Description |
|---|---|---|---|
| `node.runtime.mem.rss` | gauge | byte | Resident Set Size — actual process memory footprint |
| `node.runtime.mem.heap_used` | gauge | byte | V8 heap currently in use — tracks GC pressure and leaks |
| `node.runtime.mem.heap_total` | gauge | byte | Total V8 heap allocated — paired with `heap_used` to see headroom |
| `node.runtime.cpu.utilization` | gauge | — | CPU time / wall-clock time ratio (can exceed 1.0 on multi-core) |
| `node.runtime.event_loop.delay.p50` | gauge | second | Median event loop delay — baseline latency |
| `node.runtime.event_loop.delay.p99` | gauge | second | 99th percentile event loop delay — tail latency / spikes |
| `node.runtime.event_loop.utilization` | gauge | — | Fraction of time the event loop was active |
| `node.runtime.process.uptime` | counter | second | Cumulative uptime — useful for detecting restarts / crashes |

### Opt-in metrics (off by default)

```ts
Sentry.nodeRuntimeMetricsIntegration({
  collect: {
    cpuTime: true,           // node.runtime.cpu.user + node.runtime.cpu.system (raw seconds)
    memExternal: true,       // node.runtime.mem.external + node.runtime.mem.array_buffers
    eventLoopDelayMin: true,
    eventLoopDelayMax: true,
    eventLoopDelayMean: true,
    eventLoopDelayP90: true,
  },
})
```

Any default metric can also be turned off:

```ts
Sentry.nodeRuntimeMetricsIntegration({
  collect: {
    uptime: false,
    eventLoopDelayP50: false,
  },
})
```

### Collection interval

```ts
Sentry.nodeRuntimeMetricsIntegration({
  collectionIntervalMs: 60_000, // default: 30_000
})
```

### Serverless (Next.js on Vercel, AWS Lambda, etc.)

Works out of the box — no special configuration needed. Metrics are sent
by the periodic collection interval and flushed by the existing SDK
flush infrastructure (framework wrappers like SvelteKit, TanStack Start,
and `@sentry/aws-serverless` already call `flushIfServerless` after each
request handler). The interval is `unref()`-ed so it never prevents the
process from exiting.

### Runtime compatibility

This integration is Node.js only. Bun and Deno will be addressed in
separate integrations that use their respective native APIs.

Closes #19967 (added automatically)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
[Gitflow] Merge master into develop
Docs here seem slightly out of sync


Closes #19983 (added automatically)
…seconds (#19958)

## Summary

- Patches OTel span's `end()` method to run numeric timestamps through
`ensureTimestampInMilliseconds()` before reaching OTel's native
implementation
- `startTime` already had this conversion, but `span.end(timestamp)`
passed values directly to OTel which expects milliseconds — passing
seconds (the Sentry convention) produced garbage timestamps
- Applied in all three span creation paths: both code paths in
`_startSpan()` and `startInactiveSpan()`

Closes #18697

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
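
The unit mismatch described in the commit message above, as an added example that is not code from the Sentry SDK or OpenTelemetry. `toMilliseconds`, `createMsSpan`, `patchSpanEnd` and the seconds cutoff are assumptions of this sketch, and the timestamps are constructed.

```javascript
// Added illustration; not code from the Sentry SDK or OpenTelemetry.

// Assumption of this sketch: an epoch value below this cutoff is in seconds.
// 9_999_999_999 s is the year 2286, while the same number read as
// milliseconds is April 1970, so real "now" values never collide.
const SECONDS_CUTOFF = 9_999_999_999;

// Hypothetical stand-in for the SDK's ensureTimestampInMilliseconds().
function toMilliseconds(timestamp) {
  return timestamp < SECONDS_CUTOFF ? timestamp * 1000 : timestamp;
}

// Stand-in for a span implementation that stores milliseconds and trusts
// whatever number end() receives.
function createMsSpan(startMs) {
  return {
    startMs,
    endMs: undefined,
    end(endTime) {
      if (endTime instanceof Date) {
        this.endMs = endTime.getTime();
      } else {
        this.endMs = endTime === undefined ? Date.now() : endTime;
      }
    },
    durationMs() {
      return this.endMs - this.startMs;
    },
  };
}

// Wrap end() so numeric timestamps are normalised before the native
// implementation sees them. Date objects and undefined pass through untouched.
function patchSpanEnd(span) {
  const originalEnd = span.end.bind(span);
  span.end = endTime =>
    originalEnd(typeof endTime === 'number' ? toMilliseconds(endTime) : endTime);
  return span;
}

// End a span and report the duration it recorded.
function endAndMeasure(span, endTime) {
  span.end(endTime);
  return span.durationMs();
}

// Constructed sample values: a span that starts at START_MS and is ended
// half a second later with a timestamp expressed in seconds.
const START_MS = 1774958400000;
const END_SECONDS = 1774958400.5;

const unpatched = endAndMeasure(createMsSpan(START_MS), END_SECONDS);
const patched = endAndMeasure(patchSpanEnd(createMsSpan(START_MS)), END_SECONDS);
console.log({ unpatched, patched });
```
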
Nuxt 5 uses Nitro's `response` hook and changes the callback signature,
while Nuxt 4 uses `beforeResponse`.

This change keeps Sentry's server-side route naming working across both
versions by separating the logic into two different plugins.

Closes #19976
We have this function in both the shared utilities (used by
`google-genai` and `anthropic`) and in `openai` with slightly different
names for no apparent reason. We also had a separate helper that just
prepends `gen_ai` to the operation name in both cases, which seems
unnecessary. Doing some cleanup here

Closes #19978 (added automatically)
## Summary

- `@opentelemetry/api@1.9.1` was released on Mar 25 and introduced
`export { Foo, type Bar }` syntax (inline type modifiers) in its `.d.ts`
files, which requires TypeScript 4.5+
- The `generic-ts3.8` E2E test runs with `skipLibCheck: false` and
TypeScript 3.8, so it tries to parse OTel's types and fails
- This pins `@opentelemetry/api` to `1.9.0` in the ts3.8 test app via
`pnpm.overrides`
- We can't pin repo-wide in published packages because OTel uses a
global singleton pattern — version mismatches with
`@opentelemetry/sdk-trace-base` cause the tracer to become a no-op
- Our published `.d.ts` files are unaffected — only OTel's own types use
the incompatible syntax

## Test plan

- [x] Verified locally: `yarn test:run generic-ts3.8` passes with the
pin
- [ ] CI `E2E generic-ts3.8 Test` should go green

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Closes #19998 (added automatically)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removes element timing span creation from `browserTracingIntegration`
(deprecates `enableElementTiming` option), introduces a new standalone
`elementTimingIntegration` that emits Element Timing API data as
**Sentry distribution metrics** instead of spans.

Emits `element_timing.render_time` and `element_timing.load_time`
metrics with `element.identifier` and `element.paint_type` attributes. I
believe users can query by the element identifier if they are interested
in metrics for a specific element.

Lukas and I think this is a safe change because it was never
documented; even then, I made sure to export NO-OP replacement functions
to stub them out.

## Reasoning for the change

Element Timing values (`renderTime`, `loadTime`) are point-in-time
timestamps, not durations. Modeling them as spans required awkward
workarounds (zero-duration spans, arbitrary start times) that didn't
produce meaningful trace data. Metrics are the correct abstraction here.

See discussion in #19261 for full context.

## Usage

```js
Sentry.init({
  integrations: [
    Sentry.browserTracingIntegration(),
    Sentry.elementTimingIntegration(),
  ],
});
```

closes #19260

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…#19981)

Replace the shared `getOperationName()` function with per-provider
method registries that map API paths to their operation name and
streaming behavior. This explicitly couples the instrumented methods and
necessary metadata in one place instead of having convoluted substring
matching in multiple places that can be quite hard to reason about.

Closes #19987 (added automatically)
…ts (#19963)

## Summary

- Add OTel-aware `startNewTrace` implementation that injects the new
traceId as a remote span context into the OTel context
- Add `startNewTrace` to the `AsyncContextStrategy` interface so OTel
can override the default behavior
- Register the new implementation in the OTel async context strategy

### Root Cause

`startNewTrace` set a new `traceId` on the Sentry scope's propagation
context but only called `withActiveSpan(null, callback)`, which in OTel
translates to `trace.deleteSpan(context.active())`. This removed the
active span but did **not** inject the new traceId into the OTel
context. Each subsequent `startInactiveSpan` call created a root span
with a fresh random traceId from OTel's tracer.

The fix follows the same pattern as `continueTrace` — injecting the
traceId as a remote span context via `trace.setSpanContext()` so all
spans in the callback inherit it.

Closes #19952

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add instrumentation support for the Google GenAI embeddings API
(`models.embedContent`).

Docs: https://ai.google.dev/gemini-api/docs/embeddings

Closes #19535

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js)
from 4.7.7 to 4.7.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/handlebars-lang/handlebars.js/releases">handlebars's
releases</a>.</em></p>
<blockquote>
<h2>v4.7.9</h2>
<ul>
<li>fix: enable shell mode for spawn to resolve Windows EINVAL issue -
e0137c2</li>
<li>fix type &quot;RuntimeOptions&quot; also accepting string partials -
eab1d14</li>
<li>feat(types): set <code>hash</code> to be a <code>Record&lt;string,
any&gt;</code> - de4414d</li>
<li>fix non-contiguous program indices - 4512766</li>
<li>refactor: rename i to startPartIndex - e497a35</li>
<li>security: fix security issues - 68d8df5
<ul>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh</a></li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2</a></li>
</ul>
</li>
</ul>
<p><a
href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9">Commits</a></p>
<h2>v4.7.8</h2>
<ul>
<li>Make library compatible with workers (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1894">#1894</a>)
- 3d3796c</li>
<li>Don't rely on Node.js global object (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1776">#1776</a>)
- 2954e7e</li>
<li>Fix compiling of each block params in strict mode (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1855">#1855</a>)
- 30dbf04</li>
<li>Fix rollup warning when importing Handlebars as ESM - 03d387b</li>
<li>Fix bundler issue with webpack 5 (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1862">#1862</a>)
- c6c6bbb</li>
<li>Use https instead of git for mustache submodule - 88ac068</li>
</ul>
<p><a
href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.7...v4.7.8">Commits</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md">handlebars's
changelog</a>.</em></p>
<blockquote>
<h2>v4.7.9 - March 26th, 2026</h2>
<ul>
<li>fix: enable shell mode for spawn to resolve Windows EINVAL issue -
e0137c2</li>
<li>fix type &quot;RuntimeOptions&quot; also accepting string partials -
eab1d14</li>
<li>feat(types): set <code>hash</code> to be a <code>Record&lt;string,
any&gt;</code> - de4414d</li>
<li>fix non-contiguous program indices - 4512766</li>
<li>refactor: rename i to startPartIndex - e497a35</li>
<li>security: fix security issues - 68d8df5</li>
</ul>
<p><a
href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9">Commits</a></p>
<h2>v4.7.8 - July 27th, 2023</h2>
<ul>
<li>Make library compatible with workers (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1894">#1894</a>)
- 3d3796c</li>
<li>Don't rely on Node.js global object (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1776">#1776</a>)
- 2954e7e</li>
<li>Fix compiling of each block params in strict mode (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1855">#1855</a>)
- 30dbf04</li>
<li>Fix rollup warning when importing Handlebars as ESM - 03d387b</li>
<li>Fix bundler issue with webpack 5 (<a
href="https://redirect.github.com/handlebars-lang/handlebars.js/issues/1862">#1862</a>)
- c6c6bbb</li>
<li>Use https instead of git for mustache submodule - 88ac068</li>
</ul>
<p><a
href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.7...v4.7.8">Commits</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/dce542c9a660048d31f0981ac8a45c08b919bddb"><code>dce542c</code></a>
v4.7.9</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/8a41389ba5b2624b6f43a5463d8e2533b843a562"><code>8a41389</code></a>
Update release notes</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"><code>68d8df5</code></a>
Fix security issues</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/b2a083136b11e1da9f0f47a11f749a9830a49328"><code>b2a0831</code></a>
Fix browser tests</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/9f98c1629834abf8de5a127caff8a2eab03d2c12"><code>9f98c16</code></a>
Fix release script</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/45443b4290475dfb7cec32a85d344f12ab345eb9"><code>45443b4</code></a>
Revert &quot;Improve partial indenting performance&quot;</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/8841a5f6d35096aee95d68e1e49636a4cb5c661e"><code>8841a5f</code></a>
Fix CI errors with linting</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/e0137c26f2202593bca7cc25184e733e87d54709"><code>e0137c2</code></a>
fix: enable shell mode for spawn to resolve Windows EINVAL issue</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/e914d6037ffb0dd371f7e4823cdb019732ae66d7"><code>e914d60</code></a>
Improve rendering performance</li>
<li><a
href="https://github.com/handlebars-lang/handlebars.js/commit/7de4b41c344a5d702edca93d1841b59642fa32bd"><code>7de4b41</code></a>
Upgrade GitHub Actions checkout and setup-node on 4.x branch</li>
<li>Additional commits viewable in <a
href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.7...v4.7.9">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~jaylinski">jaylinski</a>, a new releaser
for handlebars since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=handlebars&package-manager=npm_and_yarn&previous-version=4.7.7&new-version=4.7.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server)
from 5.4.0 to 5.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/apollographql/apollo-server/releases"><code>@​apollo/server</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​apollo/server-integration-testsuite</code><a
href="https://github.com/5"><code>@​5</code></a>.5.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/apollographql/apollo-server/pull/8191">#8191</a>
<a
href="https://github.com/apollographql/apollo-server/commit/ada12001c4e95b5c779d80314a5a32e33087b5cf"><code>ada1200</code></a>
- ⚠️ SECURITY <code>@apollo/server/standalone</code>:</p>
<p>Apollo Server now rejects GraphQL <code>GET</code> requests which
contain a <code>Content-Type</code> header other than
<code>application/json</code> (with optional parameters such as <code>;
charset=utf-8</code>). Any other value is now rejected with a 415 status
code.</p>
<p>(GraphQL <code>GET</code> requests without a
<code>Content-Type</code> header are still allowed, though they do still
need to contain a non-empty <code>X-Apollo-Operation-Name</code> or
<code>Apollo-Require-Preflight</code> header to be processed if the
default CSRF prevention feature is enabled.)</p>
<p>This improvement makes Apollo Server's CSRF more resistant to
browsers which implement CORS in non-spec-compliant ways. Apollo is
aware of one browser which as of March 2026 has a bug which allows an
attacker to circumvent Apollo Server's CSRF prevention feature to carry
out read-only XS-Search-style CSRF attacks. The browser vendor is in the
process of patching this vulnerability; upgrading Apollo Server to
v5.5.0 mitigates this vulnerability.</p>
<p><strong>If your server uses cookies (or HTTP Basic Auth) for
authentication, Apollo encourages you to upgrade to v5.5.0.</strong></p>
<p>This is technically a backwards-incompatible change. Apollo is not
aware of any GraphQL clients which provide non-empty
<code>Content-Type</code> headers with <code>GET</code> requests with
types other than <code>application/json</code>. If your use case
requires such requests, please <a
href="https://github.com/apollographql/apollo-server/issues">file an
issue</a> and we may add more configurability in a follow-up
release.</p>
<p>See <a
href="https://github.com/apollographql/apollo-server/security/advisories/GHSA-9q82-xgwf-vj6h">advisory
GHSA-9q82-xgwf-vj6h</a> for more details.</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>Updated dependencies [<a
href="https://github.com/apollographql/apollo-server/commit/ada12001c4e95b5c779d80314a5a32e33087b5cf"><code>ada1200</code></a>]:
<ul>
<li><code>@​apollo/server</code><a
href="https://github.com/5"><code>@​5</code></a>.5.0</li>
</ul>
</li>
</ul>
<h2><code>@​apollo/server</code><a
href="https://github.com/5"><code>@​5</code></a>.5.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/apollographql/apollo-server/pull/8191">#8191</a>
<a
href="https://github.com/apollographql/apollo-server/commit/ada12001c4e95b5c779d80314a5a32e33087b5cf"><code>ada1200</code></a>
Thanks <a href="https://github.com/glasser"><code>@​glasser</code></a>!
- ⚠️ SECURITY <code>@apollo/server/standalone</code>:</p>
<p>Apollo Server now rejects GraphQL <code>GET</code> requests which
contain a <code>Content-Type</code> header other than
<code>application/json</code> (with optional parameters such as <code>;
charset=utf-8</code>). Any other value is now rejected with a 415 status
code.</p>
<p>(GraphQL <code>GET</code> requests without a
<code>Content-Type</code> header are still allowed, though they do still
need to contain a non-empty <code>X-Apollo-Operation-Name</code> or
<code>Apollo-Require-Preflight</code> header to be processed if the
default CSRF prevention feature is enabled.)</p>
<p>This improvement makes Apollo Server's CSRF more resistant to
browsers which implement CORS in non-spec-compliant ways. Apollo is
aware of one browser which as of March 2026 has a bug which allows an
attacker to circumvent Apollo Server's CSRF prevention feature to carry
out read-only XS-Search-style CSRF attacks. The browser vendor is in the
process of patching this vulnerability; upgrading Apollo Server to
v5.5.0 mitigates this vulnerability.</p>
<p><strong>If your server uses cookies (or HTTP Basic Auth) for
authentication, Apollo encourages you to upgrade to v5.5.0.</strong></p>
<p>This is technically a backwards-incompatible change. Apollo is not
aware of any GraphQL clients which provide non-empty
<code>Content-Type</code> headers with <code>GET</code> requests with
types other than <code>application/json</code>. If your use case
requires such requests, please <a
href="https://github.com/apollographql/apollo-server/issues">file an
issue</a> and we may add more configurability in a follow-up
release.</p>
<p>See <a
href="https://github.com/apollographql/apollo-server/security/advisories/GHSA-9q82-xgwf-vj6h">advisory
GHSA-9q82-xgwf-vj6h</a> for more details.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/apollographql/apollo-server/commit/64c0e1bb5d79d571bf448c35aea0b31097e6ce9d"><code>64c0e1b</code></a>
Version Packages (<a
href="https://github.com/apollographql/apollo-server/tree/HEAD/packages/server/issues/8192">#8192</a>)</li>
<li><a
href="https://github.com/apollographql/apollo-server/commit/ada12001c4e95b5c779d80314a5a32e33087b5cf"><code>ada1200</code></a>
Reject GET requests with a Content-Type other than application/json (<a
href="https://github.com/apollographql/apollo-server/tree/HEAD/packages/server/issues/8191">#8191</a>)</li>
<li>See full diff in <a
href="https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.0/packages/server">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
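
The GET request rule quoted in the `@apollo/server` 5.5.0 release notes above, as an added example that is not Apollo Server source code. `checkGraphqlGet`, its return shape and the 400 status for a missing marker header are assumptions of this sketch; the page specifies only the 415 for the Content-Type case.

```javascript
// Added illustration; not Apollo Server source code.

// Header names are case-insensitive, so index them by lower-case name.
function normalizeHeaders(rawHeaders) {
  const headers = new Map();
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers.set(name.toLowerCase(), Array.isArray(value) ? value.join(', ') : String(value));
  }
  return headers;
}

// Media type without parameters: "Application/JSON; charset=utf-8" -> "application/json".
function mediaType(contentType) {
  return contentType.split(';', 1)[0].trim().toLowerCase();
}

// A non-empty value in either header marks the request as one a browser
// could only have sent after a CORS preflight.
const MARKER_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

function checkGraphqlGet(rawHeaders, { csrfPrevention = true } = {}) {
  const headers = normalizeHeaders(rawHeaders);

  // Rule from the release notes: a Content-Type on a GET must be
  // application/json (parameters allowed). This runs before, and
  // independently of, the marker-header check.
  if (headers.has('content-type')) {
    if (mediaType(headers.get('content-type')) !== 'application/json') {
      return { allowed: false, status: 415, reason: 'Content-Type on GET is not application/json' };
    }
    // application/json is not a CORS-safelisted Content-Type, so a
    // browser sending it cross-origin has to preflight first.
    return { allowed: true, status: 200, reason: 'application/json Content-Type' };
  }

  // No Content-Type: still allowed, but with CSRF prevention on the
  // request needs a non-empty marker header.
  if (csrfPrevention) {
    const hasMarker = MARKER_HEADERS.some(name => (headers.get(name) || '').trim() !== '');
    if (!hasMarker) {
      // 400 is this sketch's choice of status, not taken from the page.
      return { allowed: false, status: 400, reason: 'missing non-empty marker header' };
    }
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed sample requests (headers only).
const samples = [
  { 'Content-Type': 'text/plain', 'Apollo-Require-Preflight': 'true' },
  { 'content-type': 'Application/JSON; charset=utf-8' },
  { 'X-Apollo-Operation-Name': 'GetUser' },
  { 'Apollo-Require-Preflight': '' },
  {},
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), '->', checkGraphqlGet(headers).status);
}
```

The first sample is the case the release notes add: a `text/plain` GET is rejected with 415 even when a marker header is present.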
Bumps [srvx](https://github.com/h3js/srvx) from 0.11.12 to 0.11.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/h3js/srvx/releases">srvx's
releases</a>.</em></p>
<blockquote>
<h2>v0.11.13</h2>
<p><a
href="https://github.com/h3js/srvx/compare/v0.11.12...v0.11.13">compare
changes</a></p>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>url:</strong> Deopt absolute URIs in FastURL (<a
href="https://github.com/h3js/srvx/commit/de0d699">de0d699</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/h3js/srvx/blob/main/CHANGELOG.md">srvx's
changelog</a>.</em></p>
<blockquote>
<h2>v0.11.13</h2>
<p><a
href="https://github.com/h3js/srvx/compare/v0.11.12...v0.11.13">compare
changes</a></p>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>url:</strong> Deopt absolute URIs in FastURL (<a
href="https://github.com/h3js/srvx/commit/de0d699">de0d699</a>)</li>
</ul>
<h3>🏡 Chore</h3>
<ul>
<li>Update deps (<a
href="https://github.com/h3js/srvx/commit/4e6ace6">4e6ace6</a>)</li>
<li>Update deps (<a
href="https://github.com/h3js/srvx/commit/6a72a00">6a72a00</a>)</li>
<li>Fix type issue (<a
href="https://github.com/h3js/srvx/commit/ed8cc2b">ed8cc2b</a>)</li>
<li>Apply automated updates (<a
href="https://github.com/h3js/srvx/commit/7375fed">7375fed</a>)</li>
<li>Update deps (<a
href="https://github.com/h3js/srvx/commit/8f4bc4f">8f4bc4f</a>)</li>
</ul>
<h3>❤️ Contributors</h3>
<ul>
<li>Pooya Parsa (<a
href="https://github.com/pi0"><code>@​pi0</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/h3js/srvx/commit/e19649a96a33012be5f5c201c11fb388940ade68"><code>e19649a</code></a>
chore(release): v0.11.13</li>
<li><a
href="https://github.com/h3js/srvx/commit/8f4bc4f2d00622d980f31b4ab205c6e5ad80c02f"><code>8f4bc4f</code></a>
chore: update deps</li>
<li><a
href="https://github.com/h3js/srvx/commit/7375fed4a2bf9fb4b64896ce868937eda7cf686f"><code>7375fed</code></a>
chore: apply automated updates</li>
<li><a
href="https://github.com/h3js/srvx/commit/ed8cc2b900e25da2f0ec1505da1e2edad867b4b6"><code>ed8cc2b</code></a>
chore: fix type issue</li>
<li><a
href="https://github.com/h3js/srvx/commit/6a72a0031063669d6f8320ad6c9a7cac3254fb41"><code>6a72a00</code></a>
chore: update deps</li>
<li><a
href="https://github.com/h3js/srvx/commit/de0d69901c357f36a39b7e13eebef6c930652baa"><code>de0d699</code></a>
fix(url): deopt absolute URIs in FastURL</li>
<li><a
href="https://github.com/h3js/srvx/commit/4e6ace6b55686acd6125f608ef6ab3ab1efb057f"><code>4e6ace6</code></a>
chore: update deps</li>
<li>See full diff in <a
href="https://github.com/h3js/srvx/compare/v0.11.12...v0.11.13">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [babel-loader](https://github.com/babel/babel-loader) from 10.0.0
to 10.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/babel/babel-loader/releases">babel-loader's
releases</a>.</em></p>
<blockquote>
<h2>v10.1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Revert <a
href="https://redirect.github.com/babel/babel-loader/issues/1055">#1055</a>
(&quot;use <code>module.findPackageJSON</code> API&quot;) by <a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a> in <a
href="https://redirect.github.com/babel/babel-loader/pull/1066">babel/babel-loader#1066</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/babel/babel-loader/compare/v10.1.0...v10.1.1">https://github.com/babel/babel-loader/compare/v10.1.0...v10.1.1</a></p>
<h2>v10.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>refactor: use <code>module.findPackageJSON</code> API by <a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a> in <a
href="https://redirect.github.com/babel/babel-loader/pull/1055">babel/babel-loader#1055</a></li>
<li>Enable type checking and support Babel 8 by <a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a> in <a
href="https://redirect.github.com/babel/babel-loader/pull/1056">babel/babel-loader#1056</a></li>
<li>Bump js-yaml from 4.1.0 to 4.1.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/babel/babel-loader/pull/1059">babel/babel-loader#1059</a></li>
<li>fix: mark webpack as optional peer dependency by <a
href="https://github.com/chenjiahan"><code>@​chenjiahan</code></a> in <a
href="https://redirect.github.com/babel/babel-loader/pull/1061">babel/babel-loader#1061</a></li>
<li>Bump webpack from 5.101.0 to 5.104.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/babel/babel-loader/pull/1062">babel/babel-loader#1062</a></li>
<li>Bump glob from 10.4.5 to 10.5.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/babel/babel-loader/pull/1060">babel/babel-loader#1060</a></li>
<li>Bump minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/babel/babel-loader/pull/1063">babel/babel-loader#1063</a></li>
<li>Pin Node.js on CI by <a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>
in <a
href="https://redirect.github.com/babel/babel-loader/pull/1064">babel/babel-loader#1064</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/chenjiahan"><code>@​chenjiahan</code></a> made
their first contribution in <a
href="https://redirect.github.com/babel/babel-loader/pull/1061">babel/babel-loader#1061</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/babel/babel-loader/compare/v10.0.0...v10.1.0">https://github.com/babel/babel-loader/compare/v10.0.0...v10.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/babel/babel-loader/commit/da602105664458752dca3578856ee8d0d6ac80e6"><code>da60210</code></a>
10.1.1</li>
<li><a
href="https://github.com/babel/babel-loader/commit/a0a2617e10b39f35b8d1e2893a87f4ee4fe7ebdc"><code>a0a2617</code></a>
Revert <a
href="https://redirect.github.com/babel/babel-loader/issues/1055">#1055</a>
(&quot;use <code>module.findPackageJSON</code> API&quot;) (<a
href="https://redirect.github.com/babel/babel-loader/issues/1066">#1066</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/de09ee1426c781987674690be02aca2f2ea61efc"><code>de09ee1</code></a>
10.1.0</li>
<li><a
href="https://github.com/babel/babel-loader/commit/e34c360a7b86740fca62158eb1bef89b9fef4507"><code>e34c360</code></a>
Pin Node.js on CI (<a
href="https://redirect.github.com/babel/babel-loader/issues/1064">#1064</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/3c1e1805511592e7e9f9fe7f60de5439370c4740"><code>3c1e180</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/babel/babel-loader/issues/1063">#1063</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/e0d4add38856fceeca1a633bb49927e4334999a7"><code>e0d4add</code></a>
Bump glob from 10.4.5 to 10.5.0 (<a
href="https://redirect.github.com/babel/babel-loader/issues/1060">#1060</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/77e2a66869cf84ddb6444d9b7b9951beb44b68b2"><code>77e2a66</code></a>
Bump webpack from 5.101.0 to 5.104.1 (<a
href="https://redirect.github.com/babel/babel-loader/issues/1062">#1062</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/faa5dbb4134e4d0c2659ed9bc55cc2e53b82d7e6"><code>faa5dbb</code></a>
fix: mark webpack as optional peer dependency (<a
href="https://redirect.github.com/babel/babel-loader/issues/1061">#1061</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/146dad2461ca5ba12fd202b33f6aa39be8218295"><code>146dad2</code></a>
Bump js-yaml from 4.1.0 to 4.1.1 (<a
href="https://redirect.github.com/babel/babel-loader/issues/1059">#1059</a>)</li>
<li><a
href="https://github.com/babel/babel-loader/commit/2479ed223262f9ce45f9f7a9b8363a8666d9b41f"><code>2479ed2</code></a>
Enable type checking and support Babel 8 (<a
href="https://redirect.github.com/babel/babel-loader/issues/1056">#1056</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/babel/babel-loader/compare/v10.0.0...v10.1.1">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 6 to 7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>v7 What's new</h2>
<h3>Direct Uploads</h3>
<p>Adds support for uploading single files directly (unzipped). Callers
can set the new <code>archive</code> parameter to <code>false</code> to
skip zipping the file during upload. Right now, we only support single
files. The action will fail if the glob passed resolves to multiple
files. The <code>name</code> parameter is also ignored with this
setting. Instead, the name of the artifact will be the name of the
uploaded file.</p>
<h3>ESM</h3>
<p>To support new versions of the <code>@actions/*</code> packages,
we've upgraded the package to ESM.</p>
<h2>What's Changed</h2>
<ul>
<li>Add proxy integration test by <a
href="https://github.com/Link"><code>@​Link</code></a>- in <a
href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
<li>Upgrade the module to ESM and bump dependencies by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li>
<li>Support direct file uploads by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Link"><code>@​Link</code></a>- made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a>
Support direct file uploads (<a
href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a>
Upgrade the module to ESM and bump dependencies (<a
href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a>
from actions/Link-/add-proxy-integration-tests</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a>
Add proxy integration test</li>
<li>See full diff in <a
href="https://github.com/actions/upload-artifact/compare/v6...v7">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/eemeli/yaml/releases">yaml's
releases</a>.</em></p>
<blockquote>
<h2>v2.8.3</h2>
<ul>
<li>Add <code>trailingComma</code> ToString option for multiline flow
formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li>Catch stack overflow during node composition (1e84ebb)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/ce14587484822bffb0f7d31aefedcaf2dc0d0387"><code>ce14587</code></a>
2.8.3</li>
<li><a
href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"><code>1e84ebb</code></a>
fix: Catch stack overflow during node composition</li>
<li><a
href="https://github.com/eemeli/yaml/commit/6b24090280eaaab5040112bba41ccef57f39c2d5"><code>6b24090</code></a>
ci: Include Prettier check in lint action</li>
<li><a
href="https://github.com/eemeli/yaml/commit/9424dee38c85163fad53ac27533c7c4bdaf7495d"><code>9424dee</code></a>
chore: Refresh lockfile</li>
<li><a
href="https://github.com/eemeli/yaml/commit/d1aca82bc15a4c261bdc58561d32189a5d3a45ef"><code>d1aca82</code></a>
Add trailingComma ToString option for multiline flow formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/43215099f7fcdac422d778c15e70d83c691b0e41"><code>4321509</code></a>
ci: Drop the branch filter from GitHub PR actions</li>
<li><a
href="https://github.com/eemeli/yaml/commit/47207d0fc7d4f863cd5fbdcff1378637bd93e847"><code>47207d0</code></a>
chore: Update docs-slate</li>
<li><a
href="https://github.com/eemeli/yaml/commit/5212faeed5936d1fa291d2f28672e4a96e2c2c5d"><code>5212fae</code></a>
chore: Update docs-slate</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [amqplib](https://github.com/amqp-node/amqplib) from 0.10.7 to
0.10.9.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/amqp-node/amqplib/blob/main/CHANGELOG.md">amqplib's
changelog</a>.</em></p>
<blockquote>
<h2>v0.10.9</h2>
<ul>
<li>Add support for IPv6 urls</li>
</ul>
<h2>v0.10.8</h2>
<ul>
<li>Updated README</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/amqp-node/amqplib/commit/00b0034d2670c79ccd085b171856c5473fa32be5"><code>00b0034</code></a>
0.10.9</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/d151a4255955984c548341c51c1ffaaf701697e4"><code>d151a42</code></a>
Update changelog</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/09c571973d60be8f4b5480a27c7978065a07ca53"><code>09c5719</code></a>
Merge pull request <a
href="https://redirect.github.com/amqp-node/amqplib/issues/795">#795</a>
from amqp-node/support-ipv6-urls</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/15c834e115ad44a92433ff0c4b3d07a0a2b3e6b4"><code>15c834e</code></a>
Update lib/connect.js</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/6f7160f6517dfe4d1935b4c4314849433f5b97ad"><code>6f7160f</code></a>
Update lib/connect.js</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/7b27e6aa3bee87ba4ceb72043411f5ae3da6fe9f"><code>7b27e6a</code></a>
Add support for ipv6 urls</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/28f1fd02170cc981dd69666dcc9f901c47a54ef2"><code>28f1fd0</code></a>
Update changelog</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/02b4379b6a68a5234829f5a3445919eb3ba0f203"><code>02b4379</code></a>
0.10.8</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/1bdfda76301133a99e6fbc67637c259e8d43baa1"><code>1bdfda7</code></a>
Update README.md</li>
<li><a
href="https://github.com/amqp-node/amqplib/commit/1a3ebfefd21062a799158790dfbdc96974911481"><code>1a3ebfe</code></a>
README: a note on RabbitMQ 4.1.0 compatibility (<a
href="https://redirect.github.com/amqp-node/amqplib/issues/790">#790</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/amqp-node/amqplib/compare/v0.10.7...v0.10.9">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.2 to
1.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's
changelog</a>.</em></p>
<blockquote>
<h2>1.4.0 - 2026-03-24</h2>
<h3>Security</h3>
<ul>
<li><strong>HIGH</strong>: Denial of Service in
<code>BigInteger.modInverse()</code>
<ul>
<li>A Denial of Service (DoS) vulnerability exists due to an infinite
loop in
the <code>BigInteger.modInverse()</code> function (inherited from the
bundled jsbn
library). When <code>modInverse()</code> is called with a zero value as
input, the
internal Extended Euclidean Algorithm enters an unreachable exit
condition,
causing the process to hang indefinitely and consume 100% CPU.</li>
<li>Reported by Kr0emer.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33891">CVE-2026-33891</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx">GHSA-5gfm-wpxj-wjgq</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in RSA-PKCS due to ASN.1
extra field.
<ul>
<li>RSASSA PKCS#1 v1.5 signature verification accepts forged signatures
for low
public exponent keys (e=3). Attackers can forge signatures by stuffing
&quot;garbage&quot; bytes within the ASN.1 structure in order to
construct a
signature that passes verification, enabling Bleichenbacher style
forgery.
This issue is similar to CVE-2022-24771, but adds bytes in an additional
field within the ASN.1 structure, rather than outside of it.</li>
<li>Additionally, forge does not validate that signatures include a
minimum of
8 bytes of padding as defined by the specification, providing attackers
additional space to construct Bleichenbacher forgeries.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33894">CVE-2026-33894</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp">GHSA-ppp5-5v6c-4jwp</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in Ed25519 due to missing S
&lt; L check.
<ul>
<li>Ed25519 signature verification accepts forged non-canonical
signatures
where the scalar S is not reduced modulo the group order (S &gt;= L). A
valid
signature and its S + L variant both verify in forge, while Node.js
crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by
the
specification. This class of signature malleability has been exploited
in
practice to bypass authentication and authorization logic (see
CVE-2026-25793, CVE-2022-35961). Applications relying on signature
uniqueness (i.e., dedup by signature bytes, replay tracking,
signed-object
canonicalization checks) may be bypassed.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33895">CVE-2026-33895</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw">GHSA-q67f-28xg-22rw</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: <code>basicConstraints</code> bypass in
certificate chain verification.
<ul>
<li><code>pki.verifyCertificateChain()</code> does not enforce RFC 5280
<code>basicConstraints</code>
requirements when an intermediate certificate lacks both the
<code>basicConstraints</code> and <code>keyUsage</code> extensions. This
allows any leaf
certificate (without these extensions) to act as a CA and sign other
certificates, which node-forge will accept as valid.</li>
<li>Reported by Doruk Tan Ozturk (<a
href="https://github.com/peaktwilight"><code>@​peaktwilight</code></a>)
- doruk.ch</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33896">CVE-2026-33896</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25">GHSA-2328-f5f3-gj25</a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/digitalbazaar/forge/commit/fa385f92440879601240020f158bed68e444e83a"><code>fa385f9</code></a>
Release 1.4.0.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/07d4e162762ed4fdab5caca9ebf78237fcf85339"><code>07d4e16</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/cb90fd92091ee34e4abab3ad0c835eeea3d06c3e"><code>cb90fd9</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/963e7c5c7b0f03de1b28a1e5a42a6bafda4cf711"><code>963e7c5</code></a>
Add unit test for &quot;pseudonym&quot;</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/f0b6f5b7c5d1c918240e975e0cade4f47d005446"><code>f0b6f5b</code></a>
Add pseudonym OID</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/3df48a311d4b53dc6493b7a47a8d07f3669957d9"><code>3df48a3</code></a>
Fix missing CVE ID.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"><code>2e49283</code></a>
Add x509 <code>basicConstraints</code> check.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"><code>bdecf11</code></a>
Add canonical signature scaler check for S &lt; L.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/af094e69c60ac5f7b29f2b1957c53ae5e12fd4a0"><code>af094e6</code></a>
Add RSA padding and DigestInfo length checks.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/796eeb1673f6ec636fda02dfc295047d9f7aefe0"><code>796eeb1</code></a>
Improve jsbn fix.</li>
<li>Additional commits viewable in <a
href="https://github.com/digitalbazaar/forge/compare/v1.3.2...v1.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=node-forge&package-manager=npm_and_yarn&previous-version=1.3.2&new-version=1.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>
Add E2E tests for `nodeRuntimeMetricsIntegration` (#19923) in two test
applications:

- **node-express-v5**: Enables the integration in the Express app's
Sentry init and adds 4 tests verifying all 8 default runtime metrics are
emitted with correct shape
- **nextjs-16**: Enables the integration in the server config and adds
the same 4 tests, verifying metrics flow through the Next.js server
runtime

Both test suites use `waitForMetric` from `@sentry-internal/test-utils`
and validate metric type, unit, value, and attributes (including
`sentry.origin: 'auto.node.runtime_metrics'`). The collection interval
is set to 1 second to keep tests fast.

Refs #19923

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a new `bunRuntimeMetricsIntegration` that collects runtime metrics
on a configurable interval using `process.memoryUsage()`,
`process.cpuUsage()`, `performance.eventLoopUtilization()`, and
`process.uptime()`.

**Default metrics** (`bun.runtime.*` prefix):
- `mem.rss`, `mem.heap_used`, `mem.heap_total`
- `cpu.utilization`
- `event_loop.utilization`
- `process.uptime`

**Opt-in:** `cpuTime` (`cpu.user`, `cpu.system`), `memExternal`
(`mem.external`, `mem.array_buffers`)

**vs. `nodeRuntimeMetricsIntegration`:** No event loop delay histogram
metrics (`monitorEventLoopDelay` is unavailable in Bun). ELU is guarded
with try/catch for older Bun versions. Uses `bun.runtime.*` prefix and
`auto.bun.runtime_metrics` origin.

Includes unit tests (`bun:test`) and integration tests.

closes
https://linear.app/getsentry/issue/JS-1956/runtime-metrics-bun-support

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Add the PR validation workflow using the shared composite action from
getsentry/github-workflows#153.

Validates non-maintainer PRs against contribution guidelines and
enforces
draft status on all new PRs.

#skip-changelog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ization) (#20020)

Creates a virtual module with Vite when using Nuxt 4+ instead of
creating a template. `useServerTemplate()` cannot be used here as it's
not Nitro-only but the SSR-space (server) within Nuxt.


Closes #20010
…19968)

Nitro v3 (used by Nuxt 5) ships with h3 v2, which restructures the
`EventHandlerObject` type
([old](https://github.com/h3js/h3/blob/b72bb57060cf68e627575e0c350742f4fa8206fa/src/types/index.ts#L81-L92)
/
[new](https://github.com/h3js/h3/blob/7c2bc9b96ab9bc25f5ca02b0c15a81b8d079e159/src/types/handler.ts#L20-L28)).
The previous `onRequest`/`onBeforeResponse` lifecycle hooks are replaced
by a single middleware array, and `handler` is now optional.

This PR updates the Nuxt SDK's middleware instrumentation to handle both
shapes transparently: h3 v1 (`onRequest`, `onBeforeResponse`, required
`handler`) for Nuxt 4 / Nitro v2, and h3 v2 (`middleware[]`, optional
`handler`) for Nuxt 5 / Nitro v3.

The Nuxt 5 test app middleware files are updated to match the new h3 v2
API, and unit/E2E test assertions are adjusted accordingly.

Closes #19954
Updates the pinned SHA for the validate-pr composite action from
getsentry/github-workflows to pick up the bot allowlist fix
(getsentry/github-workflows#155).

Trusted bots (dependabot, renovate, github-actions, etc.) are now
exempt from issue reference validation and draft enforcement.

#skip-changelog

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This PR adds route parametrization for the
solidRouterBrowserTracingIntegration. It replaces raw URLs (e.g.
/users/5) with parametrized routes (e.g. /users/:id) in transaction
names.

Closes: #16685
The validate-pr composite action's draft enforcement step was failing
with:

```
API call failed: GraphQL: Resource not accessible by integration (convertPullRequestToDraft)
```

The SDK Maintainer Bot app lacks the permissions needed for the
`convertPullRequestToDraft` GraphQL mutation. Rather than expanding the
app's permissions, draft enforcement has been removed from the shared
action in getsentry/github-workflows#159.

This bumps the pinned SHA to pick up that fix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Added `otlpIntegration` at `@sentry/node-core/light/otlp` for users who
manage their own OpenTelemetry setup and want to send trace data to
Sentry without adopting the full `@sentry/node` SDK.

```js
import { NodeTracerProvider } from '@opentelemetry/sdk-trace-node';
import * as Sentry from '@sentry/node-core/light';
import { otlpIntegration } from '@sentry/node-core/light/otlp';

const provider = new NodeTracerProvider();
provider.register();

Sentry.init({
  dsn: '__DSN__',
  integrations: [
    otlpIntegration({
      // Export OTel spans to Sentry via OTLP (default: true)
      setupOtlpTracesExporter: true,
      // Send traces to a custom collector instead of the DSN-derived endpoint (default: undefined)
      collectorUrl: 'https://my-collector.example.com/v1/traces',
    }),
  ],
});
```

The integration links Sentry errors to OTel traces and exports spans to
Sentry via OTLP.

<hr>

Split up for easier reviewing:

External propagation context support:
1ec99378b5
OTLP integration:
70d58adff4
E2E test app:
19904655a2
CHANGELOG entry:
b43c9de861

---------

Co-authored-by: Claude claude-opus-4-6 <noreply@anthropic.com>
stephanie-anderson and others added 10 commits March 30, 2026 10:19
The validate-pr action's draft enforcement step was failing with:

`API call failed: GraphQL: Resource not accessible by integration
(convertPullRequestToDraft)`

Draft enforcement has been removed from the shared action in
getsentry/github-workflows#159. This bumps the
pinned SHA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Closes #20032

### Context:
In the `supabaseIntegration`'s PostgREST instrumentation, the `.then()`
success handler accesses `res.error` without checking if `res` is
nullish first. This causes crashes in environments like React Native
where the response can be `undefined`.
A related error recently trended on the React Native SDK (see Linear
comment)

### Summary:
- Added a null guard on `res` before accessing `res.error` in
`instrumentPostgRESTFilterBuilder`, changing `if (res.error)` to `if
(res && res.error)` — matching the existing pattern used in
`instrumentAuthOperation`
- The existing `setHttpStatus` block already had a proper guard (`if
(res && typeof res === 'object' && 'status' in res)`), so only the
error-handling path was affected
- Span `.end()` and breadcrumb creation continue to work correctly
regardless of whether `res` is nullish
- Added a new test file for the supabase integration covering the
nullish response scenario and existing utility functions

Before submitting a pull request, please take a look at our

[Contributing](https://github.com/getsentry/sentry-javascript/blob/master/CONTRIBUTING.md)
guidelines and verify:

- [x] If you've added code that should be tested, please add tests.
- [x] Ensure your code lints and the test suite passes (`yarn lint`) &
(`yarn test`).
- [x] Link an issue if there is one related to your pull request. If no
issue is linked, one will be auto-generated and linked.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary

A collection of small, safe optimizations across the browser package.
Combined saves **~60 bytes gzipped**.

## Changes

UPDATE (@Lms24): Removed some initial changes, leaving them here for
posterity

| File | Change | Impact |
|------|--------|--------|
| ~`helpers.ts` + `stacktrace.ts`~ | ~Rename internal `sentryWrapped` →
`sW` in wrap(). Update frame stripping regex to match both names.~ |
~10B gzip~ |
| `breadcrumbs.ts` | Remove unused `breadcrumbData` variable from fetch
handler | dead code |
| `browserapierrors.ts` | Encode `DEFAULT_EVENT_TARGET` as
`string.split(",")` instead of array literal | 51B raw |
| `globalhandlers.ts` | Remove redundant intermediate variable aliases
in `_enhanceEventWithInitialFrame` | cleaner code |
| `detectBrowserExtension.ts` | Replace `array.some(startsWith)` with
single regex test | ~3B gzip |
| `eventbuilder.ts` | Simplify `getErrorPropertyFromObject` to
`Object.values().find()` | ~9B gzip |
| `lazyLoadIntegration.ts` | Derive CDN bundle filenames from
~integration names~ list of integration names instead of storing
duplicate key-value pairs | ~30B gzip |

### lazyLoadIntegration detail

The `LazyLoadableIntegrations` object stored 21 key-value pairs where
values were mostly derivable from keys (strip `"Integration"`,
lowercase). Replaced with:
- An array of integration names (encoded as `string.split(",")`)  
- A derivation function
- A 3-entry exceptions map for hyphenated names (`replay-canvas`,
`feedback-modal`, `feedback-screenshot`)

All changes are behavior-preserving. No public API modifications.

Part of #19833.

Co-Authored-By: Claude claude@anthropic.com

---------

Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>
…ng requests (#19960)

This patch fixes a bunch of closely related issues with our node fetch and
http integrations for outgoing request header propagation.

### Summary: 
- We now dedupe sentry-trace and baggage headers more aggressively,
resolving multiple scenarios where duplicated sentry headers were
attached to outgoing requests
- We now always prefer the first sentry tracing headers pair set onto a
request. This allows users to set custom sentry headers (for whatever
reason) and ensures our instrumentation doesn't overwrite itself.
- We no longer mix individual `sentry-` baggage entries when merging two
headers where both contain `sentry-` entries. We only take one of the
two and delete the other.

See PR for further details!

closes #19158
## Summary
- Adds a shared `waitForMetricRequest` helper to browser integration
test utils, following the same `page.waitForRequest` pattern as
`waitForErrorRequest`, `waitForTransactionRequest`, etc.
- Refactors element timing tests to use `waitForMetricRequest` instead
of a custom `createMetricCollector` with polling-based
`waitForIdentifiers`
- The new helper accumulates `SerializedMetric[]` across envelope
requests and resolves when the callback returns `true` for the full
collected set


Closes #20005 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…nt double injection (##19890)

Set sourcemaps.disable to true (boolean) instead of 'disable-upload' (string)
in makeCustomSentryVitePlugins. The Rollup plugin checks disable !== true, so
the string value was not disabling debug ID injection. This caused double
injection with two different UUIDs per file when sentryOnBuildEnd also ran
sentry-cli sourcemaps inject, breaking source map resolution.

Fixes GH-19874
Co-Authored-By: Claude <noreply@anthropic.com>
…uble-injection

fix(react-router): Disable debug ID injection in Vite plugin to prevent double injection
The native CPU profiler's sampling thread can race with V8's GC in
worker threads, causing heap corruption and ~40-60% crash rate under
allocation pressure. This PR adds a JS-side guard while a long-term
native addon should be added separately.

- Adds isMainThread guard in ContinuousProfiler.initialize() to skip profiler startup in worker threads
- Adds isMainThread guard in maybeProfileSpan() to prevent legacy span profiling in worker threads
- Updates worker thread tests to verify profiling is a no-op across all profiling modes

closes #20029
repro https://github.com/chargome/repro.JS-2019
…20047)

axios 1.14.1 contains a supply chain attack via the plain-crypto-js
dependency.

This PR pins to 1.13.5 to prevent accidental upgrades.

See: https://x.com/feross/status/2038807290422370479

Co-authored-by: Claude claude-opus-4-6 <noreply@anthropic.com>
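
A lockfile and manifest check for the pin described in the commit message above, as an added example that is not part of the commit or of the Sentry repository. It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3; the function names and the sample data (including the `0.0.0` version) are constructed for illustration.

```javascript
// Added example: package name and versions come from the commit message; sample data is constructed.
const BAD_PKG = 'axios';
const BAD_VERSION = '1.14.1';
const BAD_DEP = 'plain-crypto-js';
// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested and scoped installs)
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Only a bare x.y.z spec is an exact pin; ^, ~, ranges, tags and "*" can float.
const isExactPin = (spec) => /^\d+\.\d+\.\d+$/.test(spec);

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = nameFromLockPath(path);
    if (name === BAD_PKG && entry.version === BAD_VERSION) {
      findings.push(`${path}: ${BAD_PKG}@${BAD_VERSION} is locked`);
    }
    if (name === BAD_DEP) findings.push(`${path}: ${BAD_DEP} is in the tree`);
  }
  return findings;
}

// Scan a parsed package.json for specs that name the bad version or can float to it.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = (manifest[field] || {})[BAD_PKG];
    if (spec === undefined) continue;
    if (spec === BAD_VERSION) findings.push(`${field}: pinned to ${BAD_VERSION}`);
    else if (!isExactPin(spec)) findings.push(`${field}: "${spec}" is not an exact pin`);
  }
  return findings;
}

// Constructed sample inputs (not taken from the repository).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/axios/node_modules/plain-crypto-js': { version: '0.0.0' },
  'node_modules/@demo/http/node_modules/axios': { version: '1.13.5' },
} };
const sampleManifest = { dependencies: { axios: '^1.13.5' }, devDependencies: { axios: '1.13.5' } };
console.log(auditLock(sampleLock), auditManifest(sampleManifest));
```

The manifest check flags `^1.13.5` because a caret range lets a fresh install resolve to a later 1.x release; the exact `1.13.5` spec passes.
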
This PR bumps all OpenTelemetry instrumentation packages and core
dependencies:

- @opentelemetry/api: ^1.9.0 -> ^1.9.1
- @opentelemetry/core: ^2.6.0 -> ^2.6.1
- @opentelemetry/context-async-hooks: ^2.6.0 -> ^2.6.1
- @opentelemetry/resources: ^2.6.0 -> ^2.6.1
- @opentelemetry/sdk-trace-base: ^2.6.0 -> ^2.6.1
- @opentelemetry/exporter-trace-otlp-http: ^0.213.0 -> ^0.214.0
- @opentelemetry/instrumentation: ^0.213.0 -> ^0.214.0
- @opentelemetry/instrumentation-http: 0.213.0 -> 0.214.0
- @opentelemetry/instrumentation-amqplib: 0.60.0 -> 0.61.0
- @opentelemetry/instrumentation-aws-sdk: 0.68.0 -> 0.69.0
- @opentelemetry/instrumentation-connect: 0.56.0 -> 0.57.0
- @opentelemetry/instrumentation-dataloader: 0.30.0 -> 0.31.0
- @opentelemetry/instrumentation-express: 0.62.0 -> 0.62.0
- @opentelemetry/instrumentation-fs: 0.32.0 -> 0.33.0
- @opentelemetry/instrumentation-generic-pool: 0.56.0 -> 0.57.0
- @opentelemetry/instrumentation-graphql: 0.61.0 -> 0.62.0
- @opentelemetry/instrumentation-hapi: 0.59.0 -> 0.60.0
- @opentelemetry/instrumentation-ioredis: 0.61.0 -> 0.62.0
- @opentelemetry/instrumentation-kafkajs: 0.22.0 -> 0.23.0
- @opentelemetry/instrumentation-knex: 0.57.0 -> 0.58.0
- @opentelemetry/instrumentation-koa: 0.61.0 -> 0.62.0
- @opentelemetry/instrumentation-lru-memoizer: 0.57.0 -> 0.58.0
- @opentelemetry/instrumentation-mongodb: 0.66.0 -> 0.67.0
- @opentelemetry/instrumentation-mongoose: 0.59.0 -> 0.60.0
- @opentelemetry/instrumentation-mysql: 0.59.0 -> 0.60.0
- @opentelemetry/instrumentation-mysql2: 0.59.0 -> 0.60.0
- @opentelemetry/instrumentation-nestjs-core: 0.59.0 -> 0.60.0
- @opentelemetry/instrumentation-pg: 0.65.0 -> 0.66.0
- @opentelemetry/instrumentation-redis: 0.61.0 -> 0.62.0
- @opentelemetry/instrumentation-tedious: 0.32.0 -> 0.33.0
- @opentelemetry/instrumentation-undici: 0.23.0 -> 0.24.0
- @prisma/instrumentation: 7.4.2 -> 7.6.0
- @fastify/otel: 0.17.1 -> 0.18.0

Closes: #20036
@chargome chargome self-assigned this Mar 31, 2026

github-actions bot commented Mar 31, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Internal Changes 🔧

  • (changelog) Update changelog for 10.47.0 by chargome in #20050

🤖 This preview updates automatically when you update the PR.

@nicohrubec nicohrubec left a comment

🚀

CHANGELOG.md Outdated

### Other Changes

- feat(browser): Replace element timing spans with metrics ([#19869](https://github.com/getsentry/sentry-javascript/pull/19869))

l: could be called out as a feature but logaf-l

github-actions bot commented Mar 31, 2026

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.64 kB | added | added |
| @sentry/browser - with treeshaking flags | 24.13 kB | added | added |
| @sentry/browser (incl. Tracing) | 42.15 kB | added | added |
| @sentry/browser (incl. Tracing, Profiling) | 46.76 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) | 80.94 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.56 kB | added | added |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.65 kB | added | added |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 97.91 kB | added | added |
| @sentry/browser (incl. Feedback) | 42.42 kB | added | added |
| @sentry/browser (incl. sendFeedback) | 30.3 kB | added | added |
| @sentry/browser (incl. FeedbackAsync) | 35.28 kB | added | added |
| @sentry/browser (incl. Metrics) | 26.95 kB | added | added |
| @sentry/browser (incl. Logs) | 27.1 kB | added | added |
| @sentry/browser (incl. Metrics & Logs) | 27.77 kB | added | added |
| @sentry/react | 27.41 kB | added | added |
| @sentry/react (incl. Tracing) | 44.48 kB | added | added |
| @sentry/vue | 30.08 kB | added | added |
| @sentry/vue (incl. Tracing) | 44.05 kB | added | added |
| @sentry/svelte | 25.66 kB | added | added |
| CDN Bundle | 28.31 kB | added | added |
| CDN Bundle (incl. Tracing) | 43.1 kB | added | added |
| CDN Bundle (incl. Logs, Metrics) | 29.68 kB | added | added |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.16 kB | added | added |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.48 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) | 80 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.04 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.54 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.58 kB | added | added |
| CDN Bundle - uncompressed | 82.66 kB | added | added |
| CDN Bundle (incl. Tracing) - uncompressed | 127.81 kB | added | added |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 86.81 kB | added | added |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 131.22 kB | added | added |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 209.79 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.68 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 248.08 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.59 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.98 kB | added | added |
| @sentry/nextjs (client) | 46.89 kB | added | added |
| @sentry/sveltekit (client) | 42.62 kB | added | added |
| @sentry/node-core | 55.76 kB | added | added |
| @sentry/node | 172.99 kB | added | added |
| @sentry/node - without tracing | 96.02 kB | added | added |
| @sentry/aws-serverless | 112.78 kB | added | added |

github-actions bot commented Mar 31, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 11,203 | - | - | added |
| GET With Sentry | 1,927 | 17% | - | added |
| GET With Sentry (error only) | 7,538 | 67% | - | added |
| POST Baseline | 1,155 | - | - | added |
| POST With Sentry | 595 | 52% | - | added |
| POST With Sentry (error only) | 1,035 | 90% | - | added |
| MYSQL Baseline | 3,937 | - | - | added |
| MYSQL With Sentry | 532 | 14% | - | added |
| MYSQL With Sentry (error only) | 3,136 | 80% | - | added |

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@chargome chargome force-pushed the prepare-release/10.47.0 branch from 92130a8 to 3d4e38d Compare March 31, 2026 09:23
@chargome chargome merged commit c7477bb into master Mar 31, 2026
237 checks passed
@chargome chargome deleted the prepare-release/10.47.0 branch March 31, 2026 09:55