meta(changelog): Update changelog for 10.49.0 by JPeer264 · Pull Request #20348 · getsentry/sentry-javascript

JPeer264 · 2026-04-16T11:48:29Z

JFYI there are 4 commit in there which are not verified. This is due to this: #20195 (comment)

This PR is an extraction of #19991 It basically exports `getTracingHeadersForFetchRequest`, which was previously only exported for testing, but offers a great functionality if you want to add tracing headers to a request. I renamed it as `addTracingHeadersToFetchRequest` sounded a little misleading, as it didn't really add headers to the request, as it returned the extracted headers from the request (or init, if there are any). ### Open question I added `@hidden` and `@internal` to it, not sure if this is an approach we follow. I'm ok to remove it from the jsdoc

[Gitflow] Merge master into develop

This PR adds an `enableTruncation` option to the OpenAI integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Closes: #20135

Bumps [defu](https://github.com/unjs/defu) from 6.1.4 to 6.1.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/unjs/defu/releases">defu's releases</a>.</em></p> <blockquote> <h2>v6.1.6</h2> <p><a href="https://github.com/unjs/defu/compare/v6.1.5...v6.1.6">compare changes</a></p> <h3>📦 Build</h3> <ul> <li>Fix mixed types (<a href="https://github.com/unjs/defu/commit/407b516">407b516</a>)</li> </ul> <h2>v6.1.5</h2> <p><a href="https://github.com/unjs/defu/compare/v6.1.4...v6.1.5">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Prevent prototype pollution via <code>__proto__</code> in defaults (<a href="https://redirect.github.com/unjs/defu/pull/156">#156</a>)</li> <li>Ignore inherited enumerable properties (<a href="https://github.com/unjs/defu/commit/11ba022">11ba022</a>)</li> </ul> <h3>✅ Tests</h3> <ul> <li>Add more tests for plain objects (<a href="https://github.com/unjs/defu/commit/b65f603">b65f603</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@pi0</code></a>)</li> <li>Kricsleo (<a href="https://github.com/kricsleo"><code>@kricsleo</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/unjs/defu/blob/main/CHANGELOG.md">defu's changelog</a>.</em></p> <blockquote> <h2>v6.1.6</h2> <p><a href="https://github.com/unjs/defu/compare/v6.1.5...v6.1.6">compare changes</a></p> <h3>📦 Build</h3> <ul> <li>Fix mixed types (<a href="https://github.com/unjs/defu/commit/407b516">407b516</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@pi0</code></a>)</li> </ul> <h2>v6.1.5</h2> <p><a href="https://github.com/unjs/defu/compare/v6.1.4...v6.1.5">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Prevent prototype pollution via <code>__proto__</code> in defaults (<a href="https://redirect.github.com/unjs/defu/pull/156">#156</a>)</li> <li>Ignore inherited enumerable properties (<a href="https://github.com/unjs/defu/commit/11ba022">11ba022</a>)</li> </ul> <h3>🏡 Chore</h3> <ul> <li>Add tea.yaml (<a href="https://github.com/unjs/defu/commit/70cffe5">70cffe5</a>)</li> <li>Update repo (<a href="https://github.com/unjs/defu/commit/23cc432">23cc432</a>)</li> <li>Fix typecheck (<a href="https://github.com/unjs/defu/commit/89df6bb">89df6bb</a>)</li> </ul> <h3>✅ Tests</h3> <ul> <li>Add more tests for plain objects (<a href="https://github.com/unjs/defu/commit/b65f603">b65f603</a>)</li> </ul> <h3>🤖 CI</h3> <ul> <li>Bump node (<a href="https://github.com/unjs/defu/commit/9237d9c">9237d9c</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@pi0</code></a>)</li> <li>Kricsleo (<a href="https://github.com/kricsleo"><code>@kricsleo</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/unjs/defu/commit/001c2906010eb65c1bb13ccd1f4abea09e10405b"><code>001c290</code></a> chore(release): v6.1.6</li> <li><a href="https://github.com/unjs/defu/commit/407b51645c41a57da6efac5b40967f2c60ce4f12"><code>407b516</code></a> build: fix mixed types</li> <li><a href="https://github.com/unjs/defu/commit/23e59e684cb6a432aad13f308d142247e31b6315"><code>23e59e6</code></a> chore(release): v6.1.5</li> <li><a href="https://github.com/unjs/defu/commit/11ba02213d4b1c6b02dd686041f75edc479c98e9"><code>11ba022</code></a> fix: ignore inherited enumerable properties</li> <li><a href="https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29"><code>3942bfb</code></a> fix: prevent prototype pollution via <code>__proto__</code> in defaults (<a href="https://redirect.github.com/unjs/defu/issues/156">#156</a>)</li> <li><a href="https://github.com/unjs/defu/commit/d3ef16dabe861713192ba8679c5db8e0ac143f9b"><code>d3ef16d</code></a> chore(deps): update actions/checkout action to v6 (<a href="https://redirect.github.com/unjs/defu/issues/151">#151</a>)</li> <li><a href="https://github.com/unjs/defu/commit/869a053effb7b1bf49a1635e1bb211840daa589e"><code>869a053</code></a> chore(deps): update actions/setup-node action to v6 (<a href="https://redirect.github.com/unjs/defu/issues/149">#149</a>)</li> <li><a href="https://github.com/unjs/defu/commit/a97310c6a52bd33b3bb1bb0f7d94df5a1461e732"><code>a97310c</code></a> chore(deps): update codecov/codecov-action action to v6 (<a href="https://redirect.github.com/unjs/defu/issues/154">#154</a>)</li> <li><a href="https://github.com/unjs/defu/commit/89df6bb1dfb4161b9d285f96e0b4ad1a993a647c"><code>89df6bb</code></a> chore: fix typecheck</li> <li><a href="https://github.com/unjs/defu/commit/9237d9c92059317142b30d7385f0e7bbb0ee82b4"><code>9237d9c</code></a> ci: bump node</li> <li>Additional commits viewable in <a href="https://github.com/unjs/defu/compare/v6.1.4...v6.1.6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=defu&package-manager=npm_and_yarn&previous-version=6.1.4&new-version=6.1.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Please feel free to merge as soon as CI passes

We need to get a grip on our test flake situation again. Currently, CI flakes on almost every initial run, which is especially painful when cutting releases. This PR adds a few rules for bug bot to look out for anti patterns that are likely to introduce new test flakes.

Bumps [hono](https://github.com/honojs/hono) from 4.12.7 to 4.12.12. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.12</h2> <h2>Security fixes</h2> <p>This release includes fixes for the following security issues:</p> <h3>Middleware bypass via repeated slashes in serveStatic</h3> <p>Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (<code>//</code>) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c</p> <h3>Path traversal in toSSG() allows writing files outside the output directory</h3> <p>Affects: <code>toSSG()</code> for Static Site Generation. Fixes a path traversal issue where crafted <code>ssgParams</code> values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx</p> <h3>Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses</h3> <p>Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. <code>::ffff:127.0.0.1</code>) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g</p> <h3>Missing validation of cookie name on write path in setCookie()</h3> <p>Affects: <code>setCookie()</code>, <code>serialize()</code>, and <code>serializeSigned()</code> from <code>hono/cookie</code>. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm</p> <h3>Non-breaking space prefix bypass in cookie name handling in getCookie()</h3> <p>Affects: <code>getCookie()</code> from <code>hono/cookie</code>. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4</p> <hr /> <p>Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.</p> <h2>v4.12.11</h2> <h2>What's Changed</h2> <ul> <li>feat(css): add classNameSlug option to createCssContext by <a href="https://github.com/flow-pie"><code>@flow-pie</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4834">honojs/hono#4834</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/flow-pie"><code>@flow-pie</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4834">honojs/hono#4834</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.10...v4.12.11">https://github.com/honojs/hono/compare/v4.12.10...v4.12.11</a></p> <h2>v4.12.10</h2> <h2>What's Changed</h2> <ul> <li>test(router): fix <code>Simple capturing group</code> test by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4838">honojs/hono#4838</a></li> <li>docs: fix impaired -> inspired typo in benchmark READMEs by <a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4843">honojs/hono#4843</a></li> <li>fix(jsx/dom): apply select value after children are rendered by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4847">honojs/hono#4847</a></li> <li>fix(compress): convert strong ETag to weak ETag when compressing by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4848">honojs/hono#4848</a></li> <li>docs(ip-restriction): add clear JSDoc examples and param types by <a href="https://github.com/VISHNU7KASIREDDY"><code>@VISHNU7KASIREDDY</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4851">honojs/hono#4851</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4843">honojs/hono#4843</a></li> <li><a href="https://github.com/VISHNU7KASIREDDY"><code>@VISHNU7KASIREDDY</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4851">honojs/hono#4851</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/c37ba26da9709ad03b803d1972773ed864b7e60d"><code>c37ba26</code></a> 4.12.12</li> <li><a href="https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"><code>cc067c8</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec"><code>a586cd7</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39"><code>48fa223</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679"><code>b470278</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c"><code>9aff14b</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/2c403c67eb3d7be15aaa9e74ec74d2dcb4b4b4d2"><code>2c403c6</code></a> 4.12.11</li> <li><a href="https://github.com/honojs/hono/commit/f82aba8e8ea45d56199e751cee6ea7c067bcd176"><code>f82aba8</code></a> feat(css): add classNameSlug option to createCssContext (<a href="https://redirect.github.com/honojs/hono/issues/4834">#4834</a>)</li> <li><a href="https://github.com/honojs/hono/commit/9f374a55b25c5c644c293bd4ed6ffce016eb3b44"><code>9f374a5</code></a> 4.12.10</li> <li><a href="https://github.com/honojs/hono/commit/a8c56a6620597084e97792f7de3ffbd257c004cc"><code>a8c56a6</code></a> docs(ip-restriction): add clear JSDoc examples and param types (<a href="https://redirect.github.com/honojs/hono/issues/4851">#4851</a>)</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.12.7...v4.12.12">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#20193) - [x] Analyze the flaky test issue: `waitForTransaction` in pageload tests only checks `transactionEvent.transaction === '/performance'` without verifying `op === 'pageload'`, so it can match navigation transactions in race conditions - [x] Fix `react-router-7-framework-spa/tests/performance/pageload.client.test.ts` - add `op === 'pageload'` check to all `waitForTransaction` callbacks - [x] Fix `react-router-7-framework-spa-node-20-18/tests/performance/pageload.client.test.ts` - same fix - [x] Fix `react-router-7-framework/tests/performance/pageload.client.test.ts` - same fix - [x] Fix `react-router-7-framework-custom/tests/performance/pageload.client.test.ts` - same fix - [x] Fix `react-router-7-framework-node-20-18/tests/performance/pageload.client.test.ts` - same fix - [x] Fix navigation tests in the same apps to add `op === 'navigation'` check where missing (prevents symmetric confusion) - [x] Run validation (Code Review ✅, CodeQL ✅) - [x] Fix formatting issues with `yarn format` --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Lms24 <8420481+Lms24@users.noreply.github.com>

fix(deno): Avoid inferring invalid span op from Deno tracer

…20182) This PR adds an `enableTruncation` option to the LangChain integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Also fixes missing truncation for LLM string prompts in extractLLMRequestAttributes and refactors to use the shared getTruncatedJsonString/getJsonString utilities. Closes: #20138 --------- Co-authored-by: Nicolas Hrubec <nicolas.hrubec@outlook.com>

…20183) This PR adds an `enableTruncation` option to the LangGraph integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Also refactors to use the shared getTruncatedJsonString/getJsonString utilities. Closes: #20139 --------- Co-authored-by: Nicolas Hrubec <nicolas.hrubec@outlook.com>

…#20181) This PR adds an `enableTruncation` option to the Anthropic AI integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Closes: #20136 --------- Co-authored-by: Nicolas Hrubec <nico.hrubec@sentry.io> Co-authored-by: Nicolas Hrubec <nicolas.hrubec@outlook.com>

…20184) This PR adds an `enableTruncation` option to the Google GenAI integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Also refactors the truncation to use the shared `getTruncatedJsonString`/`getJsonString` utilities instead of calling `truncateGenAiMessages` directly. Closes: #20137 --------- Co-authored-by: Nicolas Hrubec <nico.hrubec@sentry.io> Co-authored-by: Nicolas Hrubec <nicolas.hrubec@outlook.com>

…sts/test-applications/cloudflare-hono (#20119) Bumps [hono](https://github.com/honojs/hono) from 4.12.7 to 4.12.12. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.12.12</h2> <h2>Security fixes</h2> <p>This release includes fixes for the following security issues:</p> <h3>Middleware bypass via repeated slashes in serveStatic</h3> <p>Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (<code>//</code>) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c</p> <h3>Path traversal in toSSG() allows writing files outside the output directory</h3> <p>Affects: <code>toSSG()</code> for Static Site Generation. Fixes a path traversal issue where crafted <code>ssgParams</code> values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx</p> <h3>Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses</h3> <p>Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. <code>::ffff:127.0.0.1</code>) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g</p> <h3>Missing validation of cookie name on write path in setCookie()</h3> <p>Affects: <code>setCookie()</code>, <code>serialize()</code>, and <code>serializeSigned()</code> from <code>hono/cookie</code>. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm</p> <h3>Non-breaking space prefix bypass in cookie name handling in getCookie()</h3> <p>Affects: <code>getCookie()</code> from <code>hono/cookie</code>. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4</p> <hr /> <p>Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.</p> <h2>v4.12.11</h2> <h2>What's Changed</h2> <ul> <li>feat(css): add classNameSlug option to createCssContext by <a href="https://github.com/flow-pie"><code>@flow-pie</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4834">honojs/hono#4834</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/flow-pie"><code>@flow-pie</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4834">honojs/hono#4834</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/honojs/hono/compare/v4.12.10...v4.12.11">https://github.com/honojs/hono/compare/v4.12.10...v4.12.11</a></p> <h2>v4.12.10</h2> <h2>What's Changed</h2> <ul> <li>test(router): fix <code>Simple capturing group</code> test by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4838">honojs/hono#4838</a></li> <li>docs: fix impaired -> inspired typo in benchmark READMEs by <a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4843">honojs/hono#4843</a></li> <li>fix(jsx/dom): apply select value after children are rendered by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4847">honojs/hono#4847</a></li> <li>fix(compress): convert strong ETag to weak ETag when compressing by <a href="https://github.com/usualoma"><code>@usualoma</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4848">honojs/hono#4848</a></li> <li>docs(ip-restriction): add clear JSDoc examples and param types by <a href="https://github.com/VISHNU7KASIREDDY"><code>@VISHNU7KASIREDDY</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4851">honojs/hono#4851</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4843">honojs/hono#4843</a></li> <li><a href="https://github.com/VISHNU7KASIREDDY"><code>@VISHNU7KASIREDDY</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4851">honojs/hono#4851</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/c37ba26da9709ad03b803d1972773ed864b7e60d"><code>c37ba26</code></a> 4.12.12</li> <li><a href="https://github.com/honojs/hono/commit/cc067c85592415cb1880ad3c61ed923472452ec0"><code>cc067c8</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/a586cd72e3f6122792e631ecf1817e5cabb803ec"><code>a586cd7</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/48fa2233bc092f650119f42df043050737cabf39"><code>48fa223</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/b470278920fffcfd6d76002755d6db53db827679"><code>b470278</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/9aff14bd727f8b0435c963363fd803260e7b8e3c"><code>9aff14b</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/2c403c67eb3d7be15aaa9e74ec74d2dcb4b4b4d2"><code>2c403c6</code></a> 4.12.11</li> <li><a href="https://github.com/honojs/hono/commit/f82aba8e8ea45d56199e751cee6ea7c067bcd176"><code>f82aba8</code></a> feat(css): add classNameSlug option to createCssContext (<a href="https://redirect.github.com/honojs/hono/issues/4834">#4834</a>)</li> <li><a href="https://github.com/honojs/hono/commit/9f374a55b25c5c644c293bd4ed6ffce016eb3b44"><code>9f374a5</code></a> 4.12.10</li> <li><a href="https://github.com/honojs/hono/commit/a8c56a6620597084e97792f7de3ffbd257c004cc"><code>a8c56a6</code></a> docs(ip-restriction): add clear JSDoc examples and param types (<a href="https://redirect.github.com/honojs/hono/issues/4851">#4851</a>)</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.12.7...v4.12.12">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

) relates to #19327 related to #16898 (it is not really closing it as we just add context propagation without adding spans for individual calls. It needs to be defined if we need it) It is important to know that these RPC calls do only work with the `.fetch` call: ```js const id = env.MY_DURABLE_OBJECT.idFromName('workflow-test'); const stub = env.MY_DURABLE_OBJECT.get(id); await stub.fetch(new Request('http://my-worker/my-do-call')); ``` This adds RPC fetch calls between: - Workers -> Workers ([Service bindings](https://developers.cloudflare.com/workers/runtime-apis/bindings/service-bindings/rpc/)) - Workers -> DurableObjects (via [standard RPC](https://developers.cloudflare.com/workers/runtime-apis/rpc/)) - Workflows -> DurableObjects (also via standard RPC) This works by instrumenting `env` (via `instrumentEnv`), which then goes over the bindings and see if there is a DurableObject or a normal Fetcher (full list of current bindings: https://developers.cloudflare.com/workers/runtime-apis/bindings/). This got inspired by how `otel-cf-workers` instruments their env: https://github.com/evanderkoogh/otel-cf-workers/blob/effeb549f0a4ed1c55ea0c4f0d8e8e37e5494fb3/src/instrumentation/env.ts With this PR I added a lot of tests to check if trace propagation works (so this PR might look like it added a lot of LoC, but it is mostly tests). So I added it for `schedule` and `queue`, but it is not possible for `email` and `tail` with `wrangler dev`. ## Potential things to change ### Trace propagagtion I added the `addTraceHeaders.ts` helper, as there is currently no way to reuse the existing logic (it is baked-in into the fetch instrumentations). It would be nice once #19960 lands that we can reuse it in Cloudflare to reuse existing code. I tried to write couple of tests so we don't have duplicated headers. ### Adding extra spans So there is actually a guide by OTel to [add RPC spans](https://opentelemetry.io/docs/specs/semconv/rpc/rpc-spans/), but was talking with someone from the OTel maintainers and they meant that this wouldn't be necessary as we already have an `http.server` span from out instrumented DurableObjects (and other resources) - so it wouldn't add much of information. Without RPC span: <img width="451" height="130" alt="Screenshot 2026-03-25 at 10 59 01" src="https://github.com/user-attachments/assets/dc280b38-0879-4306-8d61-7fcc5e9cacc0" /> With RPC span: <img width="433" height="170" alt="Screenshot 2026-03-25 at 10 55 48" src="https://github.com/user-attachments/assets/e30fa84b-068a-4eca-aa06-5668f3f0081c" />

The `getActiveSpan` mock calls `actual.getActiveSpan()` and immediately assigns to the returned span without guarding against `undefined`. When the router subscriber fires outside an active span context, `span` is `undefined` and the property assignment throws a TypeError. Additionally, there are two `vi.mock('@sentry/core')` declarations for the same module; the first (lines 66-73) is dead code since the second one overrides it. Closes #20199

## Summary This PR fixes a high-severity security vulnerability where GitHub context data was being directly interpolated into a shell script, potentially allowing command injection attacks. ## Changes - Moved `github.event.pull_request.head.sha` and related GitHub context expressions into an environment variable `COMMIT_SHA_EXPR` - Updated the shell script to reference the environment variable with proper quoting (`"$COMMIT_SHA_EXPR"`) - This prevents untrusted input from being directly executed in the shell ## Security Impact Before this fix, an attacker could potentially inject malicious code through pull request metadata, which would be executed in the GitHub Actions runner with access to secrets and code. After this fix, the GitHub context data is safely passed through an environment variable, preventing command injection. ## References - Parent ticket: https://linear.app/getsentry/issue/VULN-1328 - Child ticket: https://linear.app/getsentry/issue/JS-1972 - [GitHub Actions Security Hardening](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) - [GitHub Security Lab: Untrusted Input](https://securitylab.github.com/research/github-actions-untrusted-input/) - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection) --------- Co-authored-by: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>

…20189) The kafkajs integration test asserted producer and consumer transactions in a fixed order, but they can arrive in either order due to Kafka's async nature. To fix the flake, we collect both transactions via callbacks, then assert after both have arrived using `find()` by transaction name instead of relying on arrival order closes #20121 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>

Manually checking for flakes and opening issues is a bit annoying. I was thinking we could add a ci workflow to automate this. The action only runs when merging to develop. Could also be done on PRs but seems unnecessarily complicated. My thinking is that for a push to develop to happen, all the test must first have passed in the original PR. Therefore if the test then fails on develop we know it's a flake. Open for ideas/improvements/cleanups or let me know if there might be any cases I am missing that could lead to false positives. Example issue created with this: #18693 It doesn't get all the details but I think basically the most important is a link to the run so we can then investigate further. Also the logic for creating the issues is a bit ugly, but not sure if we can make it cleaner given that I want to create one issue per failed test not dump it all into one issue.

…treaming (#20187) This PR replaces `reader.closed.finally(() => onDone())` with `reader.closed.then(() => onDone(), () => onDone())` in `monitorStream`. Per the WHATWG Streams spec, `reader.releaseLock()` rejects `reader.closed` when the promise is still pending. `.finally()` propagates that rejection as an unhandled promise rejection, while `.then(f, f)` suppresses it by handling both the fulfilled and rejected cases. I was not able to reproduce the error directly on my deno version but this should prevent the issue. Closes: #20177

…grations

…nabled in OpenAI integration (#20227) When span streaming is enabled, the `enableTruncation` option now defaults to `false` unless the user has explicitly set it. Closes: #20221

…nabled in Vercel AI integration (#20232) When span streaming is enabled, the `enableTruncation` option now defaults to `false` unless the user has explicitly set it. Should be merged after: #20195 Closes: #20226

…nabled in Anthropic AI integration (#20228) When span streaming is enabled, the `enableTruncation` option now defaults to `false` unless the user has explicitly set it. Closes: #20222

Fixes replay element attributes grabbing a potentially stale version of the attributes, we basically now prefer the live element if available, otherwise we keep the old behavior. closes #20238 --------- Co-authored-by: GPT-5 <noreply@anthropic.com>

…20289) Bumps [next](https://github.com/vercel/next.js) from 16.1.7 to 16.2.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.2.3</h2> <blockquote> <p>[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see <a href="https://vercel.com/changelog/summary-of-cve-2026-23869">https://vercel.com/changelog/summary-of-cve-2026-23869</a>. The release does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Ensure app-page reports stale ISR revalidation errors via onRequestError (<a href="https://redirect.github.com/vercel/next.js/issues/92282">#92282</a>)</li> <li>Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (<a href="https://redirect.github.com/vercel/next.js/issues/91981">#91981</a> through <a href="https://redirect.github.com/vercel/next.js/issues/92273">#92273</a>)</li> <li>Deduplicate output assets and detect content conflicts on emit (<a href="https://redirect.github.com/vercel/next.js/issues/92292">#92292</a>)</li> <li>Fix styled-jsx race condition: styles lost due to concurrent rendering (<a href="https://redirect.github.com/vercel/next.js/issues/92459">#92459</a>)</li> <li>turbo-tasks-backend: stability fixes for task cancellation and error handling (<a href="https://redirect.github.com/vercel/next.js/issues/92254">#92254</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/sokra"><code>@sokra</code></a>, <a href="https://github.com/wbinnssmith"><code>@wbinnssmith</code></a>, <a href="https://github.com/eps1lon"><code>@eps1lon</code></a> and <a href="https://github.com/ztanner"><code>@ztanner</code></a> for helping!</p> <h2>v16.2.2</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>backport: Move expanded adapters docs to API reference (<a href="https://redirect.github.com/vercel/next.js/issues/92115">#92115</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/92129">#92129</a>)</li> <li>Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (<a href="https://redirect.github.com/vercel/next.js/issues/92130">#92130</a>)</li> <li>[create-next-app] Skip interactive prompts when CLI flags are provided (<a href="https://redirect.github.com/vercel/next.js/issues/91840">#91840</a>)</li> <li>next.config.js: Accept an option for serverFastRefresh (<a href="https://redirect.github.com/vercel/next.js/issues/91968">#91968</a>)</li> <li>Turbopack: enable server HMR for app route handlers (<a href="https://redirect.github.com/vercel/next.js/issues/91466">#91466</a>)</li> <li>Turbopack: exclude metadata routes from server HMR (<a href="https://redirect.github.com/vercel/next.js/issues/92034">#92034</a>)</li> <li>Fix CI for glibc linux builds</li> <li>Backport: disable bmi2 in qfilter <a href="https://redirect.github.com/vercel/next.js/issues/92177">#92177</a></li> <li>[backport] Fix CSS HMR on Safari (<a href="https://redirect.github.com/vercel/next.js/issues/92174">#92174</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/nextjs-bot"><code>@nextjs-bot</code></a>, <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/ijjk"><code>@ijjk</code></a>, <a href="https://github.com/gaojude"><code>@gaojude</code></a>, <a href="https://github.com/wbinnssmith"><code>@wbinnssmith</code></a>, <a href="https://github.com/lukesandberg"><code>@lukesandberg</code></a>, and <a href="https://github.com/bgw"><code>@bgw</code></a> for helping!</p> <h2>v16.2.1</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>docs: post release amends (<a href="https://redirect.github.com/vercel/next.js/issues/91715">#91715</a>)</li> <li>docs: fix broken Activity Patterns demo link in preserving UI state guide (<a href="https://redirect.github.com/vercel/next.js/issues/91698">#91698</a>)</li> <li>Fix adapter outputs for dynamic metadata routes (<a href="https://redirect.github.com/vercel/next.js/issues/91680">#91680</a>)</li> <li>Turbopack: fix webpack loader runner layer (<a href="https://redirect.github.com/vercel/next.js/issues/91727">#91727</a>)</li> <li>Fix server actions in standalone mode with <code>cacheComponents</code> (<a href="https://redirect.github.com/vercel/next.js/issues/91711">#91711</a>)</li> <li>turbo-persistence: remove Unmergeable mmap advice (<a href="https://redirect.github.com/vercel/next.js/issues/91713">#91713</a>)</li> <li>Fix layout segment optimization: move app-page imports to server-utility transition (<a href="https://redirect.github.com/vercel/next.js/issues/91701">#91701</a>)</li> <li>Turbopack: lazy require metadata and handle TLA (<a href="https://redirect.github.com/vercel/next.js/issues/91705">#91705</a>)</li> <li>[turbopack] Respect <code>{eval:true}</code> in worker_threads constructors (<a href="https://redirect.github.com/vercel/next.js/issues/91666">#91666</a>)</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/d5f649b2f4affdad1009cb178c1e3b37f4f1ad3f"><code>d5f649b</code></a> v16.2.3</li> <li><a href="https://github.com/vercel/next.js/commit/28739286a88a83ab2d4e1899bdb4eb4ee7bee9a9"><code>2873928</code></a> [16.x] Avoid consuming cyclic models multiple times (<a href="https://redirect.github.com/vercel/next.js/issues/75">#75</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/d7c77653602ae2009595cc71eb10f1b8828cc789"><code>d7c7765</code></a> [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...</li> <li><a href="https://github.com/vercel/next.js/commit/c573e8c4f3208711f52bf3b64f5db238c9164762"><code>c573e8c</code></a> fix(server-hmr): metadata routes overwrite page runtime HMR handler (<a href="https://redirect.github.com/vercel/next.js/issues/92273">#92273</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/57b8f659060e1d0f202273a9ed9e56d40f1d1a9c"><code>57b8f65</code></a> next-core: deduplicate output assets and detect content conflicts on emit (<a href="https://redirect.github.com/vercel/next.js/issues/9">#9</a>...</li> <li><a href="https://github.com/vercel/next.js/commit/f158df18bd926d0c2165ad309bbb561d7e73e74a"><code>f158df1</code></a> Fix styled-jsx race condition: styles lost due to concurrent rendering (<a href="https://redirect.github.com/vercel/next.js/issues/92459">#92459</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/356d605b5831ffbe12ce9c9641e5e2e55d203523"><code>356d605</code></a> turbo-tasks-backend: stability fixes for task cancellation and error handling...</li> <li><a href="https://github.com/vercel/next.js/commit/3b77a6e2670ce81d686111b8e466eec612fa1867"><code>3b77a6e</code></a> Fix DashMap read-write self-deadlock in task_cache causing hangs (<a href="https://redirect.github.com/vercel/next.js/issues/92210">#92210</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/b2f208ae98645d119a7e3388ab8a407005619dd8"><code>b2f208a</code></a> Backport: new view-transitions guide, update and fixes (<a href="https://redirect.github.com/vercel/next.js/issues/92264">#92264</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/52faae3d94641584e13691238df5be158d0f00fb"><code>52faae3</code></a> v16.2.2</li> <li>Additional commits viewable in <a href="https://github.com/vercel/next.js/compare/v16.1.7...v16.2.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=16.1.7&new-version=16.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…readability (#20310) Builds on top of this PR: #20103 Adds some explaining comments and refactors the directive-scanning logic in the value injection loader from 4 functions down to 3 by inlining whitespace and comment skipping into the main loop. The previous implementation split the scanning into a separate `skipWhitespaceAndComments` function. The new version handles whitespace, line comments, and block comments as continue branches directly in the main while loop, which: - Eliminates one level of function calls - Unterminated block comments are handled inline with an early return - Makes the control flow easier to follow. Each iteration of the loop either skips something inert (whitespace/comments), successfully parses a directive and advances, or exits

smol cleanup, three constants when there should be one

All of these are constants that are never used anywhere, so let's get rid of that

We have mappings for essentially the same thing in 3 places instead of one map to encode what we need

Adds a Bun integration test suite (`dev-packages/bun-integration-tests`) modeled after the Cloudflare and Node integration tests. The runner spawns Bun child processes, points them at a mock Sentry server, and asserts on the collected envelopes. Includes a test for basic error capture. More test suites will be added while working on the Hono SDK. A CI job (`job_bun_integration_tests`) is added to `build.yml` that only runs when relevant code changes.

let's expand the no-truncation scenario here to use multiple input messages to ensure no message popping is applied to align this with other scenarios Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…20252) ## Summary - Replace the custom fork `mydea/pr-labels-action@fn/bump-node20` with built-in GitHub Actions expressions - Zero external dependencies needed — uses `github.event.pull_request.labels.*.name` directly ### Before ```yaml - name: Get PR labels id: pr-labels uses: mydea/pr-labels-action@fn/bump-node20 # ... contains(steps.pr-labels.outputs.labels, ' Gitflow ') contains(steps.pr-labels.outputs.labels, ' ci-skip-cache ') ``` ### After ```yaml # No action step needed # ... contains(toJSON(github.event.pull_request.labels.*.name), 'Gitflow') contains(toJSON(github.event.pull_request.labels.*.name), 'ci-skip-cache') ``` Both usages already gate on `github.event_name == 'pull_request'`, so the labels context is always available when needed. This also eliminates the Node.js 20 deprecation warning that `mydea/pr-labels-action` was causing. ## Test plan - [ ] CI metadata job runs successfully - [ ] Gitflow label detection still works on PRs with the `Gitflow` label - [ ] `ci-skip-cache` label detection still works 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…rations (#20326) Openai span streaming tests (with truncation enabled) were failing. This fixes that. Anthropic and google-genai were using separate scenario files for these tests, which seems like the better pattern in this case. So this aligns the integration tests for the remaining gen_ai integrations. Closes #20322 Closes #20321 Closes #20323 Closes #20320

…v7 (#20249) ## Summary - Upgrade `actions/cache/restore` and `actions/cache/save` from v4 to v5 in `install-playwright` and `restore-cache` composite actions - Upgrade `actions/download-artifact` from v4 to **v7** in `restore-cache` composite action (v5 still ran on Node 20; v7 runs on Node 24 and matches `actions/upload-artifact@v7` elsewhere) - This should fix warnings about Node 20 runner usage in CI ## Changelog ### `actions/cache` v4 → v5 - Only change is upgrading the Node.js runtime from 20 to 24 - No input/output parameter changes - No behavioral differences - Requires Actions Runner ≥ 2.327.1 (already satisfied by GitHub-hosted runners) ### `actions/download-artifact` v4 → v7 - **v7** updates the action runtime to Node.js 24 (`runs.using: node24`); v5 remained on Node 20, so it did not clear deprecation warnings for this step - Requires Actions Runner ≥ 2.327.1 (same as cache v5; satisfied by GitHub-hosted runners) - We download artifacts **by name** only; v5’s breaking changes around downloads **by ID** do not apply - Aligns with `actions/upload-artifact@v7` already used in workflows ## Affected files - `.github/actions/install-playwright/action.yml` — `cache/restore@v4` → `v5`, `cache/save@v4` → `v5` - `.github/actions/restore-cache/action.yml` — `cache/restore@v4` → `v5`, `download-artifact@v4` → `v7` ## Test plan - CI workflows pass (cache restore/save and artifact download work as before) - No changes to action inputs/outputs for our usage, so downstream step references remain valid --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Extract the exact failing test name from GitHub check annotations (via Vitest github-actions and Playwright github reporters) and include it in the issue title. This allows us to change issue deduplication from per job to per test. Previously, if test A flaked and created an issue for "Node 18 Integration Tests", a later flake of test B for the same job would be skipped; now each failing test gets its own issue. [Example issue](#20315)

This PR removes some custom stuff we still had around for our E2E tests that, as far as I can tell, weren't even needed anymore. We used to spin up a minimal docker image just to publish packages to NPM, which AFAIk should not really be necessary. ## Summary - Removes `Dockerfile.publish-packages` and the Docker build+run steps for publishing packages to the local Verdaccio registry during E2E tests - Extracts the tarball publishing logic into `lib/publishPackages.ts` as an importable function and calls it directly from `registrySetup()` — no subprocess needed - Removes the old `publish-packages.ts` standalone script - Removes the `E2E_TEST_PUBLISH_SCRIPT_NODE_VERSION` env var and `Get node version` steps from `build.yml` and `canary.yml` - Removes the `PUBLISH_PACKAGES_DOCKER_IMAGE_NAME` constant The Docker container only existed to pin a Node.js version for `npm publish` of pre-built tarballs. Since the host already has the correct Node.js version via Volta, the container adds overhead (image build + volume mounts + `--network host`) without meaningful benefit. ## Test plan - [ ] E2E tests pass in CI (the Verdaccio publish step needs to work without Docker) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…etSentryResource()` (#20327) ## Summary - Adds a minimal `SentryResource` class in `@sentry/opentelemetry` that structurally satisfies the OTel `Resource` interface (`attributes`, `merge()`, `getRawAttributes()`) - Exports `getSentryResource(serviceName)` which produces the same 6-attribute resource previously built via `defaultResource().merge(resourceFromAttributes({...}))` - Removes direct `@opentelemetry/resources` imports from `@sentry/node`, `@sentry/vercel-edge`, and test helpers - Drops `@opentelemetry/resources` from `@sentry/node` dependencies and `@sentry/node-core` peer/dev dependencies ## Test plan - [x] `yarn test` passes for `@sentry/opentelemetry`, `@sentry/node`, `@sentry/vercel-edge`, `@sentry/node-core` - [x] `yarn build:dev` succeeds for all affected packages - [x] No lint or format errors introduced 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…t memory leak (#20328)

@Lms24

## Summary (Updated from @Lms24) Closes #17931 When span streaming is enabled (`traceLifecycle: 'stream'`), emit web vital values as non-standalone spans that flow through the v2 pipeline (`afterSpanEnd` → `captureSpan()` → `SpanBuffer`). - Emit LCP, CLS, INP as streamed spans when `hasSpanStreamingEnabled(client)` is `true` - LCP, CLS, INP v2 spans exclusively send new `browser.web_vital.<vitalName>.*` attributes - Disable standalone CLS/LCP spans when span streaming is enabled (`!spanStreamingEnabled && enableStandaloneClsSpans`) - Add `MAX_PLAUSIBLE_INP_DURATION` (60s) sanity check to streamed INP path, matching the existing standalone handler - TTFB, FCP, FP are **not** emitted as spans — they stay as pageload span attributes but get sent with the new `browser.web_vital.(ttfb|fcp|fp).value` attributes - Performance meta attributes are sent with better names (getsentry/sentry-conventions#321) - Added integration tests - LCP v2 spans now have a duration and are no longer point in time --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Lukas Stracke <lukas.stracke@sentry.io>

…pagation (#20345) follow up to #19991 It is better to release it first with an option to be enabled, that would then also be in line with #20343, otherwise `.fetch()` RPC calls would work without any option and the actual Cap'n'Proto RPC calls wouldn't work without. That would be an odd experience. ### New option: `enableRpcTracePropagation` > `instrumentPrototypeMethods` has been deprecated in favor of `enableRpcTracePropagation` Replaces the deprecated `instrumentPrototypeMethods` option with a clearer name that describes what it actually does. This option must be enabled on **both** the caller (Worker) and receiver (Durable Object) sides for trace propagation to work. It is also worth to mention that the implementation of "instrumenting prototype methods" has changed to a Proxy. ```ts // Worker side export default Sentry.withSentry( (env) => ({ dsn: env.SENTRY_DSN, enableRpcTracePropagation: true, }), handler, ); // Durable Object side export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry( (env) => ({ dsn: env.SENTRY_DSN, enableRpcTracePropagation: true, }), MyDurableObjectBase, ); ```

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

cursor

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit bf4e188. Configure here.}

cursor · 2026-04-16T11:53:09Z

      has_gitflow_label:
-        ${{ github.event_name == 'pull_request' && contains(steps.pr-labels.outputs.labels, ' Gitflow ') }}
+        ${{ github.event_name == 'pull_request' && contains(toJSON(github.event.pull_request.labels.*.name), 'Gitflow')
+        }}


Label matching uses substring instead of exact comparison

Low Severity

Using contains(toJSON(github.event.pull_request.labels.*.name), 'Gitflow') performs string substring matching on the serialized JSON array (e.g., ["NotGitflow"] would match Gitflow). The previous approach used space-padded exact matching. Dropping toJSON() and using contains(github.event.pull_request.labels.*.name, 'Gitflow') directly performs exact array element matching, which is the recommended pattern per GitHub's documentation. Same issue applies to the ci-skip-cache label check.

Additional Locations (1)

.github/workflows/ci-metadata.yml#L87-L89

^{Reviewed by Cursor Bugbot for commit bf4e188. Configure here.}

cursor · 2026-04-16T11:53:09Z

+      {},
+      req => envelopeParser(req)?.[4] as ViewHierarchyData,
+    ),
+  ]);


Test uses deprecated unreliable envelope request helper

Low Severity

The new view hierarchy test imports and uses getMultipleSentryEnvelopeRequests, which the project rules explicitly flag as unreliable. The rules state that getFirstEnvelope*, getMultipleEnvelope*, and related test helpers are NOT reliable anymore and recommend using helpers like waitForTransaction, waitForError, waitForSpans, etc. instead. This was flagged because it was mentioned in the rules file.

^{Triggered by project rule: PR Review Guidelines for Cursor Bot}

^{Reviewed by Cursor Bugbot for commit bf4e188. Configure here.}

github-actions · 2026-04-16T11:58:36Z

size-limit report 📦

Path	Size	% Change	Change
@sentry/browser	25.78 kB	added	added
@sentry/browser - with treeshaking flags	24.27 kB	added	added
@sentry/browser (incl. Tracing)	43.61 kB	added	added
@sentry/browser (incl. Tracing + Span Streaming)	45.32 kB	added	added
@sentry/browser (incl. Tracing, Profiling)	48.51 kB	added	added
@sentry/browser (incl. Tracing, Replay)	82.74 kB	added	added
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	72.25 kB	added	added
@sentry/browser (incl. Tracing, Replay with Canvas)	87.43 kB	added	added
@sentry/browser (incl. Tracing, Replay, Feedback)	99.67 kB	added	added
@sentry/browser (incl. Feedback)	42.59 kB	added	added
@sentry/browser (incl. sendFeedback)	30.45 kB	added	added
@sentry/browser (incl. FeedbackAsync)	35.45 kB	added	added
@sentry/browser (incl. Metrics)	27.07 kB	added	added
@sentry/browser (incl. Logs)	27.2 kB	added	added
@sentry/browser (incl. Metrics & Logs)	27.89 kB	added	added
@sentry/react	27.53 kB	added	added
@sentry/react (incl. Tracing)	45.88 kB	added	added
@sentry/vue	30.61 kB	added	added
@sentry/vue (incl. Tracing)	45.45 kB	added	added
@sentry/svelte	25.8 kB	added	added
CDN Bundle	28.46 kB	added	added
CDN Bundle (incl. Tracing)	44.69 kB	added	added
CDN Bundle (incl. Logs, Metrics)	29.83 kB	added	added
CDN Bundle (incl. Tracing, Logs, Metrics)	45.78 kB	added	added
CDN Bundle (incl. Replay, Logs, Metrics)	68.73 kB	added	added
CDN Bundle (incl. Tracing, Replay)	81.65 kB	added	added
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	82.73 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback)	87.17 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	88.23 kB	added	added
CDN Bundle - uncompressed	83.12 kB	added	added
CDN Bundle (incl. Tracing) - uncompressed	133.64 kB	added	added
CDN Bundle (incl. Logs, Metrics) - uncompressed	87.27 kB	added	added
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	137.05 kB	added	added
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	210.63 kB	added	added
CDN Bundle (incl. Tracing, Replay) - uncompressed	250.87 kB	added	added
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	254.27 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	263.78 kB	added	added
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	267.17 kB	added	added
@sentry/nextjs (client)	48.42 kB	added	added
@sentry/sveltekit (client)	44.06 kB	added	added
@sentry/node-core	57.94 kB	added	added
@sentry/node	174.78 kB	added	added
@sentry/node - without tracing	97.89 kB	added	added
@sentry/aws-serverless	115.12 kB	added	added

JPeer264 and others added 30 commits April 9, 2026 20:24

Merge pull request #20176 from getsentry/master

7a59841

[Gitflow] Merge master into develop

feat(core): Add enableTruncation option to OpenAI integration (#20167)

86dc30a

This PR adds an `enableTruncation` option to the OpenAI integration that allows users to disable input message truncation. It defaults to `true` to preserve existing behavior. Closes: #20135

chore(size-limit): Bump failing size limit scenario (#20186)

499f042

Please feel free to merge as soon as CI passes

enableTruncation for vercel

5a85b6c

fix(deno): Avoid inferring invalid span op from Deno tracer (#20128)

01a04ab

fix(deno): Avoid inferring invalid span op from Deno tracer

.

b9de893

.

d176053

Add enableTruncation option to Cloudflare, Deno, and Vercel Edge inte…

88a4c3e

…grations

feat(core): Automatically disable truncation when span streaming is e…

2b3cfae

…nabled in OpenAI integration (#20227) When span streaming is enabled, the `enableTruncation` option now defaults to `false` unless the user has explicitly set it. Closes: #20221

feat(core): Automatically disable truncation when span streaming is e…

506d0bc

…nabled in Anthropic AI integration (#20228) When span streaming is enabled, the `enableTruncation` option now defaults to `false` unless the user has explicitly set it. Closes: #20222

logaretm and others added 18 commits April 14, 2026 20:12

ref(core): Merge embeddings operations constants (#20095)

42c4da2

smol cleanup, three constants when there should be one

ref(core): Remove unused constants from vercel-ai-attributes.ts (#20096)

608023a

All of these are constants that are never used anywhere, so let's get rid of that

ref(core): Add registry in Vercel ai integration (#20098)

49fb4df

We have mappings for essentially the same thing in 3 places instead of one map to encode what we need

fix(opentelemetry): Use WeakRef for context stored on scope to preven…

3332fec

…t memory leak (#20328)

meta(changelog): Update changelog for 10.49.0

bf4e188

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

JPeer264 requested review from Lms24, chargome and nicohrubec April 16, 2026 11:48

JPeer264 self-assigned this Apr 16, 2026

JPeer264 requested a review from a team as a code owner April 16, 2026 11:48

nicohrubec approved these changes Apr 16, 2026

View reviewed changes

Lms24 approved these changes Apr 16, 2026

View reviewed changes

chargome approved these changes Apr 16, 2026

View reviewed changes

cursor bot reviewed Apr 16, 2026

View reviewed changes

JPeer264 merged commit 46dcef1 into master Apr 16, 2026
471 of 474 checks passed

JPeer264 deleted the prepare-release/10.49.0 branch April 16, 2026 12:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

meta(changelog): Update changelog for 10.49.0#20348

meta(changelog): Update changelog for 10.49.0#20348
JPeer264 merged 75 commits intomasterfrom
prepare-release/10.49.0

JPeer264 commented Apr 16, 2026 •

edited

Loading

Uh oh!

cursor bot left a comment

Uh oh!

cursor bot Apr 16, 2026

Uh oh!

cursor bot Apr 16, 2026

Uh oh!

github-actions bot commented Apr 16, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

Uh oh!

Conversation

JPeer264 commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cursor bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor bot Apr 16, 2026

Choose a reason for hiding this comment

Label matching uses substring instead of exact comparison

Uh oh!

cursor bot Apr 16, 2026

Choose a reason for hiding this comment

Test uses deprecated unreliable envelope request helper

Uh oh!

github-actions bot commented Apr 16, 2026

size-limit report 📦

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

12 participants

JPeer264 commented Apr 16, 2026 •

edited

Loading