getsentry
diff --git a/‎.claude/skills/add-cdn-bundle/SKILL.md‎
Lines changed: 56 additions & 0 deletions b/‎.claude/skills/add-cdn-bundle/SKILL.md‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎.claude/skills/fix-security-vulnerability/SKILL.md‎
Lines changed: 232 additions & 0 deletions b/‎.claude/skills/fix-security-vulnerability/SKILL.md‎
Lines changed: 232 additions & 0 deletions
diff --git a/‎.cursor/BUGBOT.md‎
Lines changed: 5 additions & 0 deletions b/‎.cursor/BUGBOT.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.cursor/commands/add_cdn_bundle.md‎
Lines changed: 35 additions & 0 deletions b/‎.cursor/commands/add_cdn_bundle.md‎
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,56 @@
+---
+name: add-cdn-bundle
+description: Create a new CDN bundle for the browser package with specified features
+argument-hint: <feature-combo> (e.g., replay.logs.metrics, tracing.logs, tracing.replay.feedback.logs.metrics)
+---
+
+# Add CDN Bundle Skill
+
+This skill creates a new CDN bundle for the browser package that includes a specific combination of features.
+
+## Input
+
+The user provides a feature combination using dot notation:
+
+- `logs.metrics` - Bundle with logs and metrics
+- `replay.logs.metrics` - Bundle with replay, logs, and metrics
+- `tracing.replay.logs` - Bundle with tracing, replay, and logs
+- `tracing.replay.feedback.logs.metrics` - Full featured bundle
+
+**Feature order in bundle names:** `tracing` → `replay` → `feedback` → `logs` → `metrics`
+
+## Instructions
+
+Follow the detailed guide at [docs/adding-cdn-bundle.md](../../../docs/adding-cdn-bundle.md) to create the bundle.
+
+### Quick Reference - Naming Conventions
+
+Given a feature combination, derive these variants:
+
+| Placeholder                     | Example (`replay.logs.metrics`) |
+| ------------------------------- | ------------------------------- |
+| `{FEATURE_COMBO}`               | `replay.logs.metrics`           |
+| `{feature_combo}`               | `replay_logs_metrics`           |
+| `{featureCombo}`                | `replayLogsMetrics`             |
+| `{Human Readable Features}`     | `Replay, Logs, Metrics`         |
+| `{Human Readable Feature List}` | `Replay, Logs, and Metrics`     |
+
+### Quick Reference - Files to Create/Modify
+
+1. **Create** `packages/browser/src/index.bundle.{FEATURE_COMBO}.ts`
+2. **Create** `packages/browser/test/index.bundle.{FEATURE_COMBO}.test.ts`
+3. **Modify** `packages/browser/rollup.bundle.config.mjs`
+4. **Modify** `.size-limit.js`
+5. **Modify** `dev-packages/browser-integration-tests/package.json`
+6. **Modify** `dev-packages/browser-integration-tests/utils/generatePlugin.ts`
+7. **Modify** `.github/workflows/build.yml`
+
+### Verification Steps
+
+After making changes:
+
+```bash
+yarn lint
+cd packages/browser && yarn build:dev
+cd packages/browser && yarn test
+```
@@ -0,0 +1,232 @@
+---
+name: fix-security-vulnerability
+description: Analyze and propose fixes for Dependabot security alerts
+argument-hint: <dependabot-alert-url>
+---
+
+# Fix Security Vulnerability Skill
+
+Analyze Dependabot security alerts and propose fixes. **Does NOT auto-commit** - always presents analysis first and waits for user approval.
+
+## Input
+
+- Dependabot URL: `https://github.com/getsentry/sentry-javascript/security/dependabot/1046`
+- Or just the alert number: `1046`
+
+## Workflow
+
+### Step 1: Fetch Vulnerability Details
+
+```bash
+gh api repos/getsentry/sentry-javascript/dependabot/alerts/<alert-number>
+```
+
+Extract: package name, vulnerable/patched versions, CVE ID, severity, description.
+
+### Step 2: Analyze Dependency Tree
+
+```bash
+yarn why <package-name>
+```
+
+Determine if it's a direct or transitive dependency, and whether it's production or dev.
+
+### Step 3: Determine Fix Strategy
+
+#### Check for version-specific test packages
+
+Many packages in `dev-packages/e2e-tests/test-applications/` intentionally pin specific versions:
+
+- `nextjs-13` - Tests Next.js 13.x, should NOT bump to 14
+- `remix-2` - Tests Remix 2.x specifically
+
+**Do NOT bump these.** Recommend dismissing the alert with an explanation.
+
+#### For other dependencies
+
+| Type                  | Action                              |
+| --------------------- | ----------------------------------- |
+| Patch bump available  | Preferred - lowest risk             |
+| Minor bump needed     | Usually safe                        |
+| Major bump needed     | Analyze breaking changes first      |
+| Transitive dependency | Bump the parent package (see below) |
+
+### Step 3a: Transitive Dependencies
+
+If the vulnerable package is pulled in by another package:
+
+**1. Identify and check the parent:**
+
+```bash
+yarn why <vulnerable-package>
+npm view <parent-package>@latest dependencies.<vulnerable-package>
+```
+
+**2. Fix approach:**
+
+| Scenario                          | Action                          |
+| --------------------------------- | ------------------------------- |
+| Parent has newer version with fix | **Bump the parent**             |
+| Parent hasn't released fix        | Wait, or open an issue upstream |
+| We control the parent             | Fix in parent package first     |
+
+**AVOID RESOLUTIONS.** Using `resolutions` to force a transitive dependency version is risky - it can break the parent package silently. Only consider resolutions if:
+
+- No upstream fix exists AND it's a production-critical vulnerability
+- The forced version is a patch/minor bump (not major)
+- You've manually verified compatibility
+
+In most cases, it's better to wait for an upstream fix or accept the risk for dev-only dependencies than to use resolutions.
+
+### Step 4: Present Analysis
+
+Present findings and **wait for user approval** before making changes:
+
+```
+## Security Vulnerability Analysis
+
+**Package:** <name> | **Severity:** <severity> | **CVE:** <id>
+**Vulnerable:** <range> | **Patched:** <version>
+
+### Dependency Chain
+<yarn why output>
+
+### Recommendation
+<One of: Safe to bump / Version-specific test - do not bump / Bump parent package>
+
+### Proposed Fix
+1. Update <file>: "<package>": "<new-version>"
+2. yarn install && yarn dedupe-deps:fix
+3. Verify with: yarn why <package>
+
+Proceed?
+```
+
+### Step 5: Apply Fix (After Approval)
+
+```bash
+# 1. Edit package.json
+# 2. Update lockfile
+yarn install
+# 3. Deduplicate
+yarn dedupe-deps:fix
+# 4. Verify
+yarn dedupe-deps:check
+yarn why <package>
+# 5. Show changes
+git diff
+```
+
+**Do NOT commit** - let the user review first.
+
+### Step 5 (Alternative): Dismiss Alert
+
+For alerts that should not be fixed (e.g., version-specific test packages), offer to dismiss instead.
+
+**Always get user approval first.** Present the dismissal option:
+
+```
+This alert should be dismissed rather than fixed because:
+- <reason: version-specific test / dev-only acceptable risk / etc.>
+
+Dismiss with reason: <suggested reason>
+Comment: "<suggested comment>"
+
+Proceed with dismissal?
+```
+
+**After user approval**, dismiss via GitHub API:
+
+```bash
+gh api --method PATCH repos/getsentry/sentry-javascript/dependabot/alerts/<number> \
+  -f state=dismissed \
+  -f dismissed_reason=<reason> \
+  -f dismissed_comment="<comment>"
+```
+
+**Dismissal reasons:**
+
+| Reason           | When to use                                  |
+| ---------------- | -------------------------------------------- |
+| `tolerable_risk` | Dev-only dependency, risk accepted           |
+| `no_bandwidth`   | Will fix later, not urgent                   |
+| `inaccurate`     | False positive, not actually vulnerable      |
+| `not_used`       | Vulnerable code path is not used in our code |
+
+## Commands Reference
+
+| Command                                                                                           | Purpose                      |
+| ------------------------------------------------------------------------------------------------- | ---------------------------- |
+| `yarn why <pkg>`                                                                                  | Show dependency tree         |
+| `yarn dedupe-deps:fix`                                                                            | Fix duplicates in yarn.lock  |
+| `yarn dedupe-deps:check`                                                                          | Verify no duplicate issues   |
+| `gh api repos/getsentry/sentry-javascript/dependabot/alerts/<n>`                                  | Fetch alert                  |
+| `gh api --method PATCH .../dependabot/alerts/<n> -f state=dismissed -f dismissed_reason=<reason>` | Dismiss alert                |
+| `npm view <pkg>@latest dependencies.<dep>`                                                        | Check transitive dep version |
+
+## Examples
+
+### Dev dependency - safe to bump
+
+```
+Package: mongoose
+Location: dev-packages/node-integration-tests/package.json
+Type: Dev dependency (tests OTel instrumentation)
+
+Recommendation: Safe to bump 5.x → 6.x
+- Not version-specific, just tests instrumentation works
+- OTel instrumentation supports mongoose 5.x-8.x
+```
+
+### Version-specific test - dismiss instead
+
+```
+Package: next
+Location: dev-packages/e2e-tests/test-applications/nextjs-13/package.json
+
+Recommendation: DISMISS (do not bump)
+This app specifically tests Next.js 13 compatibility.
+Vulnerability only affects CI, not shipped code.
+
+Proposed dismissal:
+  Reason: tolerable_risk
+  Comment: "Version-specific E2E test for Next.js 13 - intentionally pinned"
+
+Proceed with dismissal?
+```
+
+### Transitive dependency - bump parent
+
+```
+Package: vulnerable-lib@1.9.0 (needs >=2.0.1)
+Chain: @sentry/node → @otel/instrumentation-foo@0.45.0 → vulnerable-lib
+
+Check: npm view @otel/instrumentation-foo@latest dependencies.vulnerable-lib
+Result: "^2.0.1" ✓
+
+Recommendation: Bump @otel/instrumentation-foo 0.45.0 → 0.47.0
+This pulls in the patched vulnerable-lib automatically.
+```
+
+### Transitive dependency - no fix available
+
+```
+Package: deep-lib@2.9.0 (needs >=3.0.0)
+Chain: @sentry/node → parent-pkg → middleware → deep-lib
+
+No upstream fix available yet. Options:
+1. Wait for upstream fix (preferred)
+2. Accept risk if dev-only
+3. Consider alternative package if production-critical
+
+AVOID using resolutions unless absolutely necessary.
+```
+
+## Important Notes
+
+- **Never auto-commit** - Always wait for user review
+- **Version-specific tests should not be bumped** - They exist to test specific versions
+- **Dev vs Prod matters** - Dev-only vulnerabilities are lower priority
+- **Bump parents, not transitive deps** - If A depends on vulnerable B, bump A
+- **Avoid resolutions** - They bypass the parent's dependency constraints and can cause subtle breakage
+- **Always verify** - Run `yarn why <pkg>` after fixing to confirm the patched version is installed
@@ -58,3 +58,8 @@ Do not flag the issues below if they appear in tests.
 - Flag usage of `expect.objectContaining` and other relaxed assertions, when a test expects something NOT to be included in a payload but there's no respective assertion.
 - Flag usage of conditionals in one test and recommend splitting up the test for the different paths.
 - Flag usage of loops testing multiple scenarios in one test and recommend using `(it)|(test).each` instead.
+
+## Platform-safe code
+
+- When any `setTimeout` or `setInterval` timers are started in a code path that can end up in server runtime packages (e.g. `@sentry/core` or `@sentry/node`), flag if neither `timeout.unref()` nor `safeUnref()` are called.
+  Not unref'ing a timer can keep CLI-like applications or node scripts from exiting immediately, due to the process waiting on timers started by the SDK.
@@ -0,0 +1,35 @@
+# Add CDN Bundle for `{FEATURE_COMBO}`
+
+Create a new CDN bundle for the browser package that includes `{FEATURE_COMBO}` (e.g., `replay.logs.metrics`, `tracing.logs`, etc.).
+
+## Instructions
+
+Follow the detailed guide at [docs/adding-cdn-bundle.md](../../docs/adding-cdn-bundle.md) to create the bundle.
+
+## Quick Reference - Naming Conventions
+
+| Placeholder                     | Example (`replay.logs.metrics`) |
+| ------------------------------- | ------------------------------- |
+| `{FEATURE_COMBO}`               | `replay.logs.metrics`           |
+| `{feature_combo}`               | `replay_logs_metrics`           |
+| `{featureCombo}`                | `replayLogsMetrics`             |
+| `{Human Readable Features}`     | `Replay, Logs, Metrics`         |
+| `{Human Readable Feature List}` | `Replay, Logs, and Metrics`     |
+
+## Quick Reference - Files to Create/Modify
+
+1. **Create** `packages/browser/src/index.bundle.{FEATURE_COMBO}.ts`
+2. **Create** `packages/browser/test/index.bundle.{FEATURE_COMBO}.test.ts`
+3. **Modify** `packages/browser/rollup.bundle.config.mjs`
+4. **Modify** `.size-limit.js`
+5. **Modify** `dev-packages/browser-integration-tests/package.json`
+6. **Modify** `dev-packages/browser-integration-tests/utils/generatePlugin.ts`
+7. **Modify** `.github/workflows/build.yml`
+
+## Verification Steps
+
+After making changes:
+
+1. Run `yarn lint` to check for linting issues
+2. Run `cd packages/browser && yarn build:dev` to verify TypeScript compilation
+3. Run `cd packages/browser && yarn test` to run the unit tests