meta(changelog): Update changelog for 10.48.0#20172
Merged
Conversation
…en_ai` attributes in sentry conventions (#20011) In the openai and anthropic integrations we send multiple provider specific attributes. None of these are part of our sentry conventions and should therefore be emitted. These fall into two categories: - Exact duplicates of attributes in our `gen_ai` namespace: - `openai.response.id`, `openai.response.model`, `openai.usage.prompt_tokens`, `openai.usage.completion_tokens` - These are strictly redundant and therefore provide no value. - No `gen_ai` equivalent: - `openai.response.timestamp`, `anthropic.response.timestamp` - These have no `gen_ai` equivalent so we would no longer send this data at all, but since they are not in the semantic conventions we probably shouldn't send them either. According to Hex, none of these attributes are used in any stored queries, dashboards or alerts. We will still call this out in the changelog in case any users rely on this in hooks. Closes #20015 (added automatically)
chore(gitflow): Sync master with develop
This extracts the functionality from the OTel Express
intstrumentation, replacing it with a portable standalone integration
in `@sentry/core`, which can be extended and applied to patch any
Express module import in whatever way makes sense for the platform in
question.
Currently in node, that is still an OpenTelemetry intstrumentation,
but just handling the automatic module load instrumentation, not the
entire tracing integration.
This is somewhat a proof of concept, to see what it takes to port
a fairly invovled OTel integration into a state where it can support
all of the platforms that we care about, but it does impose a bit
less of a translation layer between OTel and Sentry semantics (for
example, no need to use the no-op `span.recordException()`).
User-visible changes (beyond the added export in `@sentry/core`):
* Express router spans have an origin of `auto.http.express` rather
than `auto.http.otel.express`, since it's no longer technically an
otel integration.
* The empty `measurements: {}` object is no longer attached to
span data, as that was an artifact of otel's `span.recordError`,
which is a no-op anyway, and no longer executed.
Obviously this is not a full clean-room reimplementation, and relies
on the fact that the opentelemetry-js-contrib project is Apache
2.0 licensed. I included the link to the upstream license in the
index file for the Express integration, but there may be a more
appropriate way to ensure that the license is respected properly. It
was arguably a derivative work already, but simple redistribution is
somewhat different than re-implementation with subtly different
context.
This reduces the node overhead and makes the Express
instrumentation portable to other SDKs, but it of course *increases*
the bundle size of `@sentry/core` considerably. It would be a good
idea to explore splitting out integrations from core, so that they're
bundled and analyzed separately, rather than shipping to all SDKs
that extend core.
Closes
[JS-1982](https://linear.app/getsentry/issue/JS-1982/featcore-node-portable-express-integration)
Extracts duplicated stream finalization logic (setting response attributes + ending the span) into a shared `endStreamSpan` function in `packages/core/src/tracing/ai/utils.ts`, used by OpenAI, Anthropic, and Google GenAI streaming.
Adds `denoRuntimeMetricsIntegration` to `@sentry/deno` that collects runtime health metrics on a configurable interval (default: 30s). --- **Default metrics** (`deno.runtime.*` prefix): - `mem.rss` — Resident Set Size - `mem.heap_used` — V8 heap in use - `mem.heap_total` — total V8 heap - `process.uptime` — process uptime **Opt-in:** `memExternal` enables `mem.external` --- **vs. `nodeRuntimeMetricsIntegration`:** No CPU or event loop metrics — Deno does not expose `process.cpuUsage()`, `performance.eventLoopUtilization()`, or `monitorEventLoopDelay`. Note: Deno's [loadavg()](https://docs.deno.com/api/deno/~/Deno.loadavg) reflects system-wide load across all processes rather than the Deno process itself, which is why we did not include it. closes https://linear.app/getsentry/issue/JS-1957/runtime-metrics-deno-support --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.3 to 0.8.12. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/xmldom/xmldom/releases"><code>@xmldom/xmldom</code>'s releases</a>.</em></p> <blockquote> <h2>0.8.12</h2> <p><a href="https://github.com/xmldom/xmldom/compare/0.8.11...0.8.12">Commits</a></p> <h3>Fixed</h3> <ul> <li>preserve trailing whitespace in ProcessingInstruction data <a href="https://redirect.github.com/xmldom/xmldom/pull/962"><code>[#962](https://github.com/xmldom/xmldom/issues/962)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/42"><code>[#42](https://github.com/xmldom/xmldom/issues/42)</code></a></li> <li>Security: <code>createCDATASection</code> now throws <code>InvalidCharacterError</code> when <code>data</code> contains <code>"]]>"</code>, as required by the <a href="https://dom.spec.whatwg.org/#dom-document-createcdatasection">WHATWG DOM spec</a>. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"><code>GHSA-wh4c-j3r5-mjhp</code></a></li> <li>Security: <code>XMLSerializer</code> now splits CDATASection nodes whose data contains <code>"]]>"</code> into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (<code>appendData</code>, <code>replaceData</code>, <code>.data =</code>, <code>.textContent =</code>). <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"><code>GHSA-wh4c-j3r5-mjhp</code></a></li> </ul> <p>Code that passes a string containing <code>"]]>"</code> to <code>createCDATASection</code> and relied on the previously unsafe behavior will now receive <code>InvalidCharacterError</code>. Use a mutation method such as <code>appendData</code> if you intentionally need <code>"]]>"</code> in a CDATASection node's data.</p> <p>Thank you, <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>, <a href="https://github.com/stevenobiajulu"><code>@stevenobiajulu</code></a>, for your contributions</p> <p><a href="https://github.com/xmldom/xmldom/discussions/357">https://github.com/xmldom/xmldom/discussions/357</a></p> <h2>0.8.11</h2> <h2><a href="https://github.com/xmldom/xmldom/compare/0.8.10...0.8.11">0.8.11</a></h2> <h3>Fixed</h3> <ul> <li>update <code>ownerDocument</code> when moving nodes between documents <a href="https://redirect.github.com/xmldom/xmldom/pull/933"><code>[#933](https://github.com/xmldom/xmldom/issues/933)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/932"><code>[#932](https://github.com/xmldom/xmldom/issues/932)</code></a></li> </ul> <p>Thank you, <a href="https://github.com/shunkica"><code>@shunkica</code></a>, for your contributions</p> <h2>0.8.10</h2> <p><a href="https://github.com/xmldom/xmldom/compare/0.8.9...0.8.10">Commits</a></p> <h3>Fixed</h3> <ul> <li>dom: prevent iteration over deleted items <a href="https://redirect.github.com/xmldom/xmldom/pull/514"><code>[#514](https://github.com/xmldom/xmldom/issues/514)</code></a>/ <a href="https://redirect.github.com/xmldom/xmldom/issues/499"><code>[#499](https://github.com/xmldom/xmldom/issues/499)</code></a></li> </ul> <p>Thank you, <a href="https://github.com/qtow"><code>@qtow</code></a>, for your contributions</p> <h2>0.8.9</h2> <p><a href="https://github.com/xmldom/xmldom/compare/0.8.8...0.8.9">Commits</a></p> <h3>Fixed</h3> <ul> <li>Set nodeName property in ProcessingInstruction <a href="https://redirect.github.com/xmldom/xmldom/pull/509"><code>[#509](https://github.com/xmldom/xmldom/issues/509)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/505"><code>[#505](https://github.com/xmldom/xmldom/issues/505)</code></a></li> </ul> <p>Thank you, <a href="https://github.com/cjbarth"><code>@cjbarth</code></a>, for your contributions</p> <h2>0.8.8</h2> <p><a href="https://github.com/xmldom/xmldom/compare/0.8.7...0.8.8">Commits</a></p> <h3>Fixed</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md"><code>@xmldom/xmldom</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/xmldom/xmldom/compare/0.8.11...0.8.12">0.8.12</a></h2> <h3>Fixed</h3> <ul> <li>preserve trailing whitespace in ProcessingInstruction data <a href="https://redirect.github.com/xmldom/xmldom/pull/962"><code>[#962](https://github.com/xmldom/xmldom/issues/962)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/42"><code>[#42](https://github.com/xmldom/xmldom/issues/42)</code></a></li> <li>Security: <code>createCDATASection</code> now throws <code>InvalidCharacterError</code> when <code>data</code> contains <code>"]]>"</code>, as required by the <a href="https://dom.spec.whatwg.org/#dom-document-createcdatasection">WHATWG DOM spec</a>. <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"><code>GHSA-wh4c-j3r5-mjhp</code></a></li> <li>Security: <code>XMLSerializer</code> now splits CDATASection nodes whose data contains <code>"]]>"</code> into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (<code>appendData</code>, <code>replaceData</code>, <code>.data =</code>, <code>.textContent =</code>). <a href="https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"><code>GHSA-wh4c-j3r5-mjhp</code></a></li> </ul> <p>Code that passes a string containing <code>"]]>"</code> to <code>createCDATASection</code> and relied on the previously unsafe behavior will now receive <code>InvalidCharacterError</code>. Use a mutation method such as <code>appendData</code> if you intentionally need <code>"]]>"</code> in a CDATASection node's data.</p> <p>Thank you, <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>, <a href="https://github.com/stevenobiajulu"><code>@stevenobiajulu</code></a>, for your contributions</p> <h2><a href="https://github.com/xmldom/xmldom/compare/0.8.10...0.8.11">0.8.11</a></h2> <h3>Fixed</h3> <ul> <li>update <code>ownerDocument</code> when moving nodes between documents <a href="https://redirect.github.com/xmldom/xmldom/pull/933"><code>[#933](https://github.com/xmldom/xmldom/issues/933)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/932"><code>[#932](https://github.com/xmldom/xmldom/issues/932)</code></a></li> </ul> <p>Thank you, <a href="https://github.com/shunkica"><code>@shunkica</code></a>, for your contributions</p> <h2><a href="https://github.com/xmldom/xmldom/compare/0.9.8...0.9.7">0.9.8</a></h2> <h3>Fixed</h3> <ul> <li>fix: replace \u2029 as part of normalizeLineEndings <a href="https://redirect.github.com/xmldom/xmldom/pull/839"><code>[#839](https://github.com/xmldom/xmldom/issues/839)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/838"><code>[#838](https://github.com/xmldom/xmldom/issues/838)</code></a></li> <li>perf: speed up line detection <a href="https://redirect.github.com/xmldom/xmldom/pull/847"><code>[#847](https://github.com/xmldom/xmldom/issues/847)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/issues/838"><code>[#838](https://github.com/xmldom/xmldom/issues/838)</code></a></li> </ul> <h3>Chore</h3> <ul> <li>updated dependencies</li> <li>drop jazzer and rxjs devDependencies <a href="https://redirect.github.com/xmldom/xmldom/pull/845"><code>[#845](https://github.com/xmldom/xmldom/issues/845)</code></a></li> </ul> <p>Thank you, <a href="https://github.com/kboshold"><code>@kboshold</code></a>, <a href="https://github.com/Ponynjaa"><code>@Ponynjaa</code></a>, for your contributions.</p> <h2><a href="https://github.com/xmldom/xmldom/compare/0.9.6...0.9.7">0.9.7</a></h2> <h3>Added</h3> <ul> <li>Implementation of <code>hasAttributes</code> <a href="https://redirect.github.com/xmldom/xmldom/pull/804"><code>[#804](https://github.com/xmldom/xmldom/issues/804)</code></a></li> </ul> <h3>Fixed</h3> <ul> <li>locator is now true even when other options are being used for the DOMParser <a href="https://redirect.github.com/xmldom/xmldom/issues/802"><code>[#802](https://github.com/xmldom/xmldom/issues/802)</code></a> / <a href="https://redirect.github.com/xmldom/xmldom/pull/803"><code>[#803](https://github.com/xmldom/xmldom/issues/803)</code></a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/xmldom/xmldom/commit/189cb78a83e81e1515880988a399e863a8be85ac"><code>189cb78</code></a> 0.8.12</li> <li><a href="https://github.com/xmldom/xmldom/commit/ed08df7572f4236d4fd88d16063c3fd8f59c7884"><code>ed08df7</code></a> fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp) (<a href="https://redirect.github.com/xmldom/xmldom/issues/968">#968</a>)</li> <li><a href="https://github.com/xmldom/xmldom/commit/a5b929ba008f067eeabb427c38de008e36a92796"><code>a5b929b</code></a> chore: clean up generated test artefacts before running ci-local</li> <li><a href="https://github.com/xmldom/xmldom/commit/4e37a205627a08eb64365b13c4e4cce5e86278cb"><code>4e37a20</code></a> ci: run format:check in lint job</li> <li><a href="https://github.com/xmldom/xmldom/commit/ac0ac7714f0e5a7bd7aff5c30f7733666cf03982"><code>ac0ac77</code></a> chore: ignore generated files when checking formatting</li> <li><a href="https://github.com/xmldom/xmldom/commit/968c8939438eec2eca1d003b333cd0fc4595c72d"><code>968c893</code></a> chore: add local CI script and format:check script</li> <li><a href="https://github.com/xmldom/xmldom/commit/ac40424adfa49429811095bcdaf6598255a81a39"><code>ac40424</code></a> fix: preserve trailing whitespace in ProcessingInstruction data (<a href="https://redirect.github.com/xmldom/xmldom/issues/962">#962</a>)</li> <li><a href="https://github.com/xmldom/xmldom/commit/cece7521a3c77da7a10f3fc66521e3e077c9974c"><code>cece752</code></a> chore: add .nvmrc pointing to node version 18</li> <li><a href="https://github.com/xmldom/xmldom/commit/cbf44d90a40703237d217598fa0bcd88770bfa0b"><code>cbf44d9</code></a> docs: improve links to changes in most recent release</li> <li><a href="https://github.com/xmldom/xmldom/commit/c0f14011c7cf93af60b2541898065b7136594f6b"><code>c0f1401</code></a> 0.8.11</li> <li>Additional commits viewable in <a href="https://github.com/xmldom/xmldom/compare/0.8.3...0.8.12">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~karfau">karfau</a>, a new releaser for <code>@xmldom/xmldom</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
I noticed this folder and have never used it, and as far as I am aware others have neither - usually folks just copy these files from another existing package.
closes #20030 closes [JS-2020](https://linear.app/getsentry/issue/JS-2020/sentrycloudflare-child-spans-inside-transactions-from-durable-objects) Important: This issue is not reproducible locally, so it can only be done on production. I still added an integration test (which would also pass on `develop` now), just in case this would be added to miniflare. The problem is that when we instrument the requests we mark them on the object with `__SENTRY_INSTRUMENTED__`. This would work the very first time and for other requests. Sometimes, however, the worker kind of restarts its state, without resetting `__SENTRY_INSTRUMENTED__` - which means that at this point we do not instrument the new set `fetch` requests (and other requests). To remove this issue we set a global `WeakMap` and cache the instrumented function in there. So whenever this scenario happens, we do not check via the `__SENTRY_INSTRUMENTED__` on the object itself, but on the global `WeakMap`. The benefit of this is, that even when the `WeakMap` would removes its reference, we just instrument again. In the worst case if the `WeakMap` loses its reference, and for some reason in the future `fetch` requests keep its instrumentation in the given scenario, then we just overwrite `fetch` with a fresh instrumentation. This is being achieved by wrapping all functions in `ensureInstrumented`: before: ```js if (isInstrumented(handler.fetch)) return; handler.fetch = new Proxy(handler.fetch, ...); markAsInstrumented(handler.fetch); ``` after: ```js handler.fetch = ensureInstrumented(handler.fetch, (original) => new Proxy(original, ...))
…API (#20048) closes #20043 closes [JS-2024](https://linear.app/getsentry/issue/JS-2024/sentrygatsby-build-can-fail-with-typeerror-invokeerr-is-not-a-function) The `@sentry/bundler-plugin-core` was updated to call `errorHandler` with only a single `Error` argument, but the Gatsby plugin's `errorHandler` still expected two arguments `(err, invokeErr)`. This caused builds to fail with "TypeError: invokeErr is not a function" when a Sentry error occurred during source map upload. It was originally added in #4064, where we still had v1 of the `@senrty/webpack-plugin` (where the type still existed: https://github.com/getsentry/sentry-webpack-plugin/blob/cb854281eb409c5c14f6a0d1042429240644a48d/index.d.ts#L112). With v2, and the move to [our new repo](https://github.com/getsentry/sentry-javascript-bundler-plugins), this option got removed and is no longer part of it. So `invokeErr` is safe to remove, and should have been already with this PR #11292 Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Update validate-pr action to getsentry/github-workflows@71588dd. Changes included: - Skip all checks when a maintainer reopens a PR (getsentry/github-workflows#161) - Skip checks for users with write access (getsentry/github-workflows#162) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…mbda hanging (#20064) The vendored `AwsLambdaInstrumentation._endSpan` calls `tracerProvider.forceFlush()` without any timeout. Because `_endSpan` blocks the promise chain before `wrapHandler`'s `flush(2000)` can run, a hung `forceFlush()` prevents the Lambda from ever returning, causing it to sit idle until the runtime kills it at its configured timeout. This was [reported by a user](https://discord.com/channels/621778831602221064/1488407219035701358) whose AppSync authorizer Lambda consistently timed out at 15s despite the handler completing in ~178ms. The fix wraps the flush in a `Promise.race` with a 2s timeout, matching `wrapHandler`'s existing flush timeout. closes #20063 Co-authored-by: Claude <noreply@anthropic.com>
`addResponseAttributes` in the openai integration had a lot of convoluted special handling for setting attributes across different OpenAI APIs (chat completions, responses API, embeddings, conversations). To reduce complexity, this inlines everything into one helper that simply sets attributes if they are present on the response, rather than branching by API type.
The Vercel AI integration had 4 distinct span op values for inner `.do*`
spans (`gen_ai.generate_text`, `gen_ai.stream_text`,
`gen_ai.generate_object`, `gen_ai.stream_object`), even though all of
them share `generate_content` as operation name. Every other AI
integration derives the span op as `gen_ai.${operationName}`, so these
should all be `gen_ai.generate_content`.
We currently emit spans for the google-genai `chats.create()` API. I think this is basically useless because `chats.create()` doesn't represent an actual interaction with an LLM model, instead it just constructs a local chat object as a result that then further exposes methods like `sendMessage()` that represent actual LLM interactions. This PR removes the spans for `chats.create()`. Since this API is a special case where we actually need to proxy the return object instead of the method call itself we had some surrounding logic hardcoded to this method. To make this a bit more future proof and also more explicit we now add a `proxyResultPath` field to the method registry that allows to define this behavior in the method registry without needing any hardcoded logic. Another benefit this has is that the full logic in the `createDeepProxy` methods in all our client-proxy based AI integrations (google-genai, openai, anthropic) is now essentially the same so could potentially in the future be easily merged into a shared abstraction. Limitation: We do"loose" some data by not emitting this create span anymore, because the way this API works is that the user defines certain parameters only on the `chats.create()` call and these are then subsequently used for each `chat.sendMessage()` call. The correct way would be to send this data as part of each `chat.sendMessage()` chat span. We can think about doing this as part of this PR or doing a follow up.
Bumps [lodash.template](https://github.com/lodash/lodash) from 4.5.0 to 4.18.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lodash/lodash/releases">lodash.template's releases</a>.</em></p> <blockquote> <h2>4.18.1</h2> <h2>Bugs</h2> <p>Fixes a <code>ReferenceError</code> issue in <code>lodash</code> <code>lodash-es</code> <code>lodash-amd</code> and <code>lodash.template</code> when using the <code>template</code> and <code>fromPairs</code> functions from the modular builds. See <a href="https://redirect.github.com/lodash/lodash/issues/6167#issuecomment-4165269769">lodash/lodash#6167</a></p> <p>These defects were related to how lodash distributions are built from the main branch using <a href="https://github.com/lodash-archive/lodash-cli">https://github.com/lodash-archive/lodash-cli</a>. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.</p> <p>There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:</p> <ul> <li><code>lodash</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm">https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm</a></li> <li><code>lodash-es</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es">https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es</a></li> <li><code>lodash-amd</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd">https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd</a></li> <li><code>lodash.template</code><a href="https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages">https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages</a></li> </ul> <h2>4.18.0</h2> <h2>v4.18.0</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/lodash/lodash/compare/4.17.23...4.18.0">https://github.com/lodash/lodash/compare/4.17.23...4.18.0</a></p> <h3>Security</h3> <p><strong><code>_.unset</code> / <code>_.omit</code></strong>: Fixed prototype pollution via <code>constructor</code>/<code>prototype</code> path traversal (<a href="https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh">GHSA-f23m-r3pf-42rh</a>, <a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b">fe8d32e</a>). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now <code>constructor</code> and <code>prototype</code> are blocked unconditionally as non-terminal path keys, matching <code>baseSet</code>. Calls that previously returned <code>true</code> and deleted the property now return <code>false</code> and leave the target untouched.</p> <p><strong><code>_.template</code></strong>: Fixed code injection via <code>imports</code> keys (<a href="https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc">GHSA-r5fr-rjxr-66jc</a>, CVE-2026-4800, <a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6">879aaa9</a>). Fixes an incomplete patch for CVE-2021-23337. The <code>variable</code> option was validated against <code>reForbiddenIdentifierChars</code> but <code>importsKeys</code> was left unguarded, allowing code injection via the same <code>Function()</code> constructor sink. <code>imports</code> keys containing forbidden identifier characters now throw <code>"Invalid imports option passed into _.template"</code>.</p> <h3>Docs</h3> <ul> <li>Add security notice for <code>_.template</code> in threat model and API docs (<a href="https://redirect.github.com/lodash/lodash/pull/6099">#6099</a>)</li> <li>Document <code>lower > upper</code> behavior in <code>_.random</code> (<a href="https://redirect.github.com/lodash/lodash/pull/6115">#6115</a>)</li> <li>Fix quotes in <code>_.compact</code> jsdoc (<a href="https://redirect.github.com/lodash/lodash/pull/6090">#6090</a>)</li> </ul> <h3><code>lodash.*</code> modular packages</h3> <p><a href="https://redirect.github.com/lodash/lodash/pull/6157">Diff</a></p> <p>We have also regenerated and published a select number of the <code>lodash.*</code> modular packages.</p> <p>These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:</p> <ul> <li><a href="https://www.npmjs.com/package/lodash.orderby">lodash.orderby</a></li> <li><a href="https://www.npmjs.com/package/lodash.tonumber">lodash.tonumber</a></li> <li><a href="https://www.npmjs.com/package/lodash.trim">lodash.trim</a></li> <li><a href="https://www.npmjs.com/package/lodash.trimend">lodash.trimend</a></li> <li><a href="https://www.npmjs.com/package/lodash.sortedindexby">lodash.sortedindexby</a></li> <li><a href="https://www.npmjs.com/package/lodash.zipobjectdeep">lodash.zipobjectdeep</a></li> <li><a href="https://www.npmjs.com/package/lodash.unset">lodash.unset</a></li> <li><a href="https://www.npmjs.com/package/lodash.omit">lodash.omit</a></li> <li><a href="https://www.npmjs.com/package/lodash.template">lodash.template</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/lodash/lodash/commit/cb0b9b9212521c08e3eafe7c8cb0af1b42b6649e"><code>cb0b9b9</code></a> release(patch): bump main to 4.18.1 (<a href="https://redirect.github.com/lodash/lodash/issues/6177">#6177</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/75535f57883b7225adb96de1cfc1cd4169cfcb51"><code>75535f5</code></a> chore: prune stale advisory refs (<a href="https://redirect.github.com/lodash/lodash/issues/6170">#6170</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/62e91bc6a39c98d85b9ada8c44d40593deaf82a4"><code>62e91bc</code></a> docs: remove n_ Node.js < 6 REPL note from README (<a href="https://redirect.github.com/lodash/lodash/issues/6165">#6165</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/59be2de61f8aa9461c7856533b51d31b7d8babc4"><code>59be2de</code></a> release(minor): bump to 4.18.0 (<a href="https://redirect.github.com/lodash/lodash/issues/6161">#6161</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/af634573030f979194871da7c68f79420992f53d"><code>af63457</code></a> fix: broken tests for _.template 879aaa9</li> <li><a href="https://github.com/lodash/lodash/commit/1073a7693e1727e0cf3641e5f71f75ddcf8de7c0"><code>1073a76</code></a> fix: linting issues</li> <li><a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6"><code>879aaa9</code></a> fix: validate imports keys in _.template</li> <li><a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b"><code>fe8d32e</code></a> fix: block prototype pollution in baseUnset via constructor/prototype traversal</li> <li><a href="https://github.com/lodash/lodash/commit/18ba0a32f42fd02117f096b032f89c984173462d"><code>18ba0a3</code></a> refactor(fromPairs): use baseAssignValue for consistent assignment (<a href="https://redirect.github.com/lodash/lodash/issues/6153">#6153</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/b8190803d48d60b8c80ad45d39125f32fa618cb2"><code>b819080</code></a> ci: add dist sync validation workflow (<a href="https://redirect.github.com/lodash/lodash/issues/6137">#6137</a>)</li> <li>Additional commits viewable in <a href="https://github.com/lodash/lodash/compare/4.5.0...4.18.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…l from 2.24.1 to 2.25.2 (#20081) Bumps [getsentry/craft/.github/workflows/changelog-preview.yml](https://github.com/getsentry/craft) from 2.24.1 to 2.25.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/craft/releases">getsentry/craft/.github/workflows/changelog-preview.yml's releases</a>.</em></p> <blockquote> <h2>2.25.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>Preserve HTML blocks (e.g., <code><img></code> tags from GitHub image uploads) in custom <code>## Changelog Entry</code> PR sections instead of silently dropping them. by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/786">#786</a></li> <li>(deps) Bump brace-expansion from 5.0.4 to 5.0.5 by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/787">#787</a></li> <li>Upgrade GitHub Actions to Node.js 24 compatible versions by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/784">#784</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>(deps) Bump astro from 5.16.11 to 5.18.1 in /docs by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/785">#785</a></li> </ul> <h2>2.25.1</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address smol-toml DoS vulnerability (GHSA-v3rj-xjv7-4jmq) by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/783">#783</a></li> <li>Commit changelog even when preReleaseCommand returns false by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/781">#781</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>Reformat codebase with Prettier and add CI enforcement by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/782">#782</a></li> </ul> <h2>2.25.0</h2> <h3>New Features ✨</h3> <ul> <li>(registry) Require and validate registry metadata on first publish by <a href="https://github.com/s1gr1d"><code>@s1gr1d</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/777">#777</a></li> </ul> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address security advisories for fast-xml-parser, h3, and flatted by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/780">#780</a></li> <li>(publish) Make post-publish merge failure non-fatal with resolve strategy retry by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/778">#778</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>(deps-dev) Bump fast-xml-parser from 5.3.8 to 5.5.7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/779">#779</a></li> </ul> <h2>2.24.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address security advisories for flatted and devalue by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/775">#775</a></li> <li>(prepare) Handle scoped tag prefixes in auto version resolution by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/773">#773</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>Update CI actions from Node.js 20 SHA pins to latest by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/774">#774</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/craft/blob/master/CHANGELOG.md">getsentry/craft/.github/workflows/changelog-preview.yml's changelog</a>.</em></p> <blockquote> <h2>2.25.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>Preserve HTML blocks (e.g., <code><img></code> tags from GitHub image uploads) in custom <code>## Changelog Entry</code> PR sections instead of silently dropping them. by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/786">#786</a></li> <li>(deps) Bump brace-expansion from 5.0.4 to 5.0.5 by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/787">#787</a></li> <li>Upgrade GitHub Actions to Node.js 24 compatible versions by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/784">#784</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>(deps) Bump astro from 5.16.11 to 5.18.1 in /docs by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/785">#785</a></li> </ul> <h2>2.25.1</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address smol-toml DoS vulnerability (GHSA-v3rj-xjv7-4jmq) by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/783">#783</a></li> <li>Commit changelog even when preReleaseCommand returns false by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/781">#781</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>Reformat codebase with Prettier and add CI enforcement by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/782">#782</a></li> </ul> <h2>2.25.0</h2> <h3>New Features ✨</h3> <ul> <li>(registry) Require and validate registry metadata on first publish by <a href="https://github.com/s1gr1d"><code>@s1gr1d</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/777">#777</a></li> </ul> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address security advisories for fast-xml-parser, h3, and flatted by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/780">#780</a></li> <li>(publish) Make post-publish merge failure non-fatal with resolve strategy retry by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/778">#778</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>(deps-dev) Bump fast-xml-parser from 5.3.8 to 5.5.7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/779">#779</a></li> </ul> <h2>2.24.2</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>(deps) Address security advisories for flatted and devalue by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/775">#775</a></li> <li>(prepare) Handle scoped tag prefixes in auto version resolution by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/773">#773</a></li> </ul> <h3>Internal Changes 🔧</h3> <ul> <li>Update CI actions from Node.js 20 SHA pins to latest by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/craft/pull/774">#774</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/getsentry/craft/commit/ba01e596c4a4c07692f0de10b0d4fe05f3dd0292"><code>ba01e59</code></a> release: 2.25.2</li> <li><a href="https://github.com/getsentry/craft/commit/507962acac92471452229b89fec259a4ca653ca3"><code>507962a</code></a> fix(deps): bump brace-expansion from 5.0.4 to 5.0.5 (<a href="https://redirect.github.com/getsentry/craft/issues/787">#787</a>)</li> <li><a href="https://github.com/getsentry/craft/commit/b811104f3055861eb15da872b8815fd743ceace9"><code>b811104</code></a> build(deps): bump astro from 5.16.11 to 5.18.1 in /docs (<a href="https://redirect.github.com/getsentry/craft/issues/785">#785</a>)</li> <li><a href="https://github.com/getsentry/craft/commit/a3ad8d359bd980a9618ba505031407bb98ba9af2"><code>a3ad8d3</code></a> fix(changelog): preserve HTML blocks in custom changelog entry sections (<a href="https://redirect.github.com/getsentry/craft/issues/786">#786</a>)</li> <li><a href="https://github.com/getsentry/craft/commit/d80bdf5838fc61ebf98313f6a20f698b5700a4cd"><code>d80bdf5</code></a> fix: upgrade GitHub Actions to Node.js 24 compatible versions (<a href="https://redirect.github.com/getsentry/craft/issues/784">#784</a>)</li> <li><a href="https://github.com/getsentry/craft/commit/390ea43f4f980826b8b4d69a70e43dbcb4bf6401"><code>390ea43</code></a> meta: Bump new development version</li> <li><a href="https://github.com/getsentry/craft/commit/724f9ff5547e18da11439853a05210f15c9540e7"><code>724f9ff</code></a> Merge branch 'release/2.25.1'</li> <li><a href="https://github.com/getsentry/craft/commit/14aca37e23aa6d8239a4013cae86d3bae4b4e0cd"><code>14aca37</code></a> release: 2.25.1</li> <li><a href="https://github.com/getsentry/craft/commit/7223a48b850b70701693c40177eb96ad0649a6a4"><code>7223a48</code></a> fix(deps): address smol-toml DoS vulnerability (GHSA-v3rj-xjv7-4jmq) (<a href="https://redirect.github.com/getsentry/craft/issues/783">#783</a>)</li> <li><a href="https://github.com/getsentry/craft/commit/63ed0bf871983d6b02a9d10d9d8f1ddb9105b332"><code>63ed0bf</code></a> chore: reformat codebase with Prettier and add CI enforcement (<a href="https://redirect.github.com/getsentry/craft/issues/782">#782</a>)</li> <li>Additional commits viewable in <a href="https://github.com/getsentry/craft/compare/2.24.1...2.25.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mshick/add-pr-comment](https://github.com/mshick/add-pr-comment) from dd126dd8c253650d181ad9538d8b4fa218fc31e8 to e7516d74559b5514092f5b096ed29a629a1237c6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mshick/add-pr-comment/blob/main/CHANGELOG.md">mshick/add-pr-comment's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.9.0...v3.9.1">3.9.1</a> (2026-03-31)</h2> <h3>Bug Fixes</h3> <ul> <li>input <code>delete-on-status</code> not declared (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/175">#175</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/108eeca085f6dfe103fbe745a5b402fa225cfdbe">108eeca</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.8.0...v3.9.0">3.9.0</a> (2026-03-14)</h2> <h3>Features</h3> <ul> <li>add library exports for programmatic usage (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/169">#169</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/277cebd817f74153d8c88986b77f0e75976e00af">277cebd</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.7.0...v3.8.0">3.8.0</a> (2026-03-14)</h2> <h3>Features</h3> <ul> <li>automatic message truncation for oversized comments (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/167">#167</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/38989f396057a576bf9584d56295f40c6e4bd1df">38989f3</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.6.0...v3.7.0">3.7.0</a> (2026-03-14)</h2> <h3>Features</h3> <ul> <li>add file attachments via artifacts (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/165">#165</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/678e3402d584de30a0fd466ffaf959f48b20cedc">678e340</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.5.0...v3.6.0">3.6.0</a> (2026-03-13)</h2> <h3>Features</h3> <ul> <li>add commit comment support (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/163">#163</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/5906ed7b9e50927d804b34b4e43ace2ac43dfca7">5906ed7</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.4.0...v3.5.0">3.5.0</a> (2026-03-13)</h2> <h3>Features</h3> <ul> <li>add "delete on status" option (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/126">#126</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/adbd10702a827c95a3e3fcdaba88eb56c36b3075">adbd107</a>)</li> </ul> <h2><a href="https://github.com/mshick/add-pr-comment/compare/v3.3.0...v3.4.0">3.4.0</a> (2026-03-13)</h2> <h3>Features</h3> <ul> <li>enable immutable releases (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/158">#158</a>) (<a href="https://github.com/mshick/add-pr-comment/commit/e9cf45c7dafb15ef94edf29cfb27e8b08d5e8f2e">e9cf45c</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/mshick/add-pr-comment/commit/e7516d74559b5514092f5b096ed29a629a1237c6"><code>e7516d7</code></a> ci: publish to npm (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/182">#182</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/ab9a11d46c61ddfd4cb9888476f39151869639fa"><code>ab9a11d</code></a> ci: improve OpenSSF Scorecard compliance (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/180">#180</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/15c9cfd78012c86df2eaad0cf4837d34f92ee44d"><code>15c9cfd</code></a> docs: add OpenSSF Baseline badge (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/181">#181</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/f102bb3ebc97eedd4e2a98a9e71e462cc257fe80"><code>f102bb3</code></a> chore(main): release 3.9.1 (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/176">#176</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/b3e3690c6ace01aa326c1f4319bfd6b64e2ea27a"><code>b3e3690</code></a> docs: note that commit comments must be enabled on the repo (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/179">#179</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/c9d8f2441385c16019a77d9b012c22cb58e9e5bf"><code>c9d8f24</code></a> chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates (#...</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/f8c62839f7aebc25d985a78d624e44e8935e0735"><code>f8c6283</code></a> docs: add anne-pc as a contributor for code (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/177">#177</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/108eeca085f6dfe103fbe745a5b402fa225cfdbe"><code>108eeca</code></a> fix: input <code>delete-on-status</code> not declared (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/175">#175</a>)</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/e5991cdd976b9aaf9d547c5786d72363d832012e"><code>e5991cd</code></a> docs: add missing documentation for commit comments, library exports, and new...</li> <li><a href="https://github.com/mshick/add-pr-comment/commit/ffd016c7e151d97d69d21a843022fd4cd5b96fe5"><code>ffd016c</code></a> chore(main): release 3.9.0 (<a href="https://redirect.github.com/mshick/add-pr-comment/issues/170">#170</a>)</li> <li>Additional commits viewable in <a href="https://github.com/mshick/add-pr-comment/compare/dd126dd8c253650d181ad9538d8b4fa218fc31e8...e7516d74559b5514092f5b096ed29a629a1237c6">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds embeddings instrumentation for LangChain (`embedQuery`,
`embedDocuments`). LangChain's `Embeddings` base class doesn't use the
callback system that we rely on for chat models, so this uses direct
prototype patching instead.
In Node.js, embedding classes from provider packages are
auto-instrumented. For other runtimes:
```js
const embeddings = Sentry.instrumentLangChainEmbeddings(
new OpenAIEmbeddings({ model: 'text-embedding-3-small' })
);
await embeddings.embedQuery('Hello world');
```
Creates `gen_ai.embeddings` spans. Token usage is not available since LangChain's embedding methods only return raw vectors.
Closes #19774
…cs integrations (#20068) - Values below 1000ms are normalized to 1000ms with a `console.warn` - Non-finite values (e.g. `NaN`) are also caught and fall back to 1000ms - Shared `_INTERNAL_normalizeCollectionInterval` helper extracted to `@sentry/node-core` and re-exported through `@sentry/node` for use in `@sentry/bun` - Each runtime retains ownership of its own `DEFAULT_INTERVAL_MS` - Also adapted deno logging to be in sync with the other runtimes --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…ror response (#20082) When an MCP tool returns a JSON-RPC error response (i.e. the response has an `error` field instead of `result`), the span was being ended with `status=ok`. This meant `failure_rate()` read 0% in the MCP insights dashboard even when tools were consistently failing. ## Root cause `completeSpanWithResults` always ended the span without checking whether the response was an error. The `captureError` path uses `getActiveSpan()`, which returns `null` outside a `withActiveSpan()` context — so errors were never reflected in span status. ## Fix Pass `!!message.error` as a `hasError` flag to `completeSpanWithResults`. When `true`, set `SPAN_STATUS_ERROR` with `message: 'internal_error'` directly on the stored span before ending it. ## Changes - `correlation.ts` — `completeSpanWithResults` accepts optional `hasError` param; sets error status when true - `transport.ts` — passes `!!message.error` when completing spans on outgoing send - `transportInstrumentation.test.ts` — two new tests: error response sets error status; success response does not Closes #20083 --------- Co-authored-by: claude-sonnet-4-6 <noreply@anthropic.com>
Nuxt 5 is still in development and currently in a nightly version. The E2E tests might fail due to changes but this should not block CI as long as v5 is in nightly. This adds the `optional` label to the test. E.g. unblocking this PR: #20071
…CP integration (#20071) The `@modelcontextprotocol/sdk` introduced `registerTool`, `registerResource`, and `registerPrompt` as a new API in 1.x, and in 2.x these are the *only* methods available — the old `tool`/`resource`/`prompt` names are gone. Before this change, servers using the new API would silently get no instrumentation: `validateMcpServerInstance` would reject them (it only checked for the old names), so `wrapMcpServerWithSentry` would return the unwrapped instance. The cloudflare-mcp e2e app already used `registerTool` and was affected by this. ## Changes - `MCPServerInstance` type now includes optional `registerTool?`, `registerResource?`, `registerPrompt?` alongside the legacy methods (also made legacy ones optional with `@deprecated` tags since 2.x removed them) - `validateMcpServerInstance` now accepts instances with either `tool+resource+prompt+connect` or `registerTool+registerResource+registerPrompt+connect` - `wrapAllMCPHandlers` conditionally wraps whichever set of methods exists on the instance - `captureHandlerError` maps `registerTool` → `tool_execution`, `registerResource` → `resource_execution`, `registerPrompt` → `prompt_execution` - Unit tests added for validation and wrapping of the new method names - `registerTool` handlers added to the node-express, node-express-v5, and tsx-express e2e apps The existing `wrapMethodHandler` logic (intercepts the last argument as the callback) works identically for both old and new signatures, so no changes were needed there. - [ ] Tests added - [ ] Lints and test suite passes Closes #16666 --------- Co-authored-by: claude-sonnet-4-6 <noreply@anthropic.com>
part of #15942 This is a basic instrumentation for `WorkerEntrypoint`. There is no extra `instrumentWorkerEntrypoint` exported, and should work directly with `withSentry` OOTB: ```js class MyWorker extends WorkerEntrypoint {} export default Sentry.withSentry(() => ({}), MyWorker) ``` To support the full `WorkerEntrypoint` there is the need to instrument [RPC methods](#16898). Without that we can't fully support `WorkerEntrypoint`s but just the basics of it. This can be added once #19991 lands (it is safe to review now and instrument the env in a separate PR) --- If you look at the instrumentations themselves, there is no `isInstrumented` or `markAsInstrumented`. The reason is that on the one hand this is not required, as every request is spawning a new instance of the `WorkerEntrypoint` and on the other hand it wouldn't work as it would mark it as instrumented, but on the request the `fetch` is overridden and not instrumented.
… main thread blocking (#20089) The stack parser used the regex `/\S*Error: / to skip error description lines (e.g. "TypeError: foo")` when parsing stack traces. The `\S*` quantifier causes O(n²) backtracking on long lines without whitespace, which are common in minified bundle stack traces. In apps using `thirdPartyErrorFilterIntegration`, the stack parser is invoked on every `_sentryModuleMetadata` entry on the first error event. In large Next.js apps with many bundled chunks, this caused 1s+ main thread blocking. Replacing ` .match(/\S*Error: /)` with `.includes('Error: ')` which is O(n) and semantically equivalent — the `\S*` prefix could match zero characters, so it never affected which lines were matched. Fixes #20052
This option solves the issue that my Cursor/VSCode is not showing type errors. @logaretm could you check if you still have type errors, as you mentioned that you didn't had issues - wondering if it stays the same
- Adds a `sentryOnError` helper to the client bundle for leveraging React Router's [onError hook](https://reactrouter.com/how-to/error-reporting#framework-mode) on `HydratedRouter` - Migrates E2E test apps to the new helper
Bumps all bundler plugins to the [latest release](https://github.com/getsentry/sentry-javascript-bundler-plugins/releases/tag/5.2.0).
This patch ensures that the event processor adding the feature `flags` context to events is scoped to error events only. See PR for more details.
This PR adds the Lambda Extension as a build output to the npm package.
It was previously only available through our Lambda layer but is useful
for users that do not use the layer but would still like to use our
extension.
To use the extension with container image lambdas, copy the extension
files to your Docker image and set the `tunnel` option in your
application. This requires the installation of `@sentry/aws-serverless`,
regardless of which other Sentry SDK is used in your application.
```dockerfile
RUN mkdir -p /opt/sentry-extension
COPY node_modules/@sentry/aws-serverless/build/lambda-extension/sentry-extension
/opt/extensions/sentry-extension
COPY node_modules/@sentry/aws-serverless/build/lambda-extension/index.mjs
/opt/sentry-extension/index.mjs
RUN chmod +x /opt/extensions/sentry-extension /opt/sentry-extension/index.mjs
```
```js
Sentry.init({
dsn: '__DSN__',
tunnel: 'http://localhost:9000/envelope',
});
```
Closes: #20114
This PR introduces span v2 types as defined in our [develop spec](https://develop.sentry.dev/sdk/telemetry/spans/span-protocol/): * Envelope types: * `SpanV2Envelope`, `SpanV2EnvelopeHeaders`, `SpanContainerItem`, `SpanContainerItemHeaders` * Span v2 types: * `SpanV2JSON` the equivalent to today's `SpanJSON`. Users will interact with spans in this format in `beforeSendSpan`. SDK integrations will use this format in `processSpan` (and related) hooks. * `SerializedSpan` the final, serialized format for v2 spans, sent in the envelope container item. Closes #19101 (added automatically) ref #17836
…ility utilities (#19120) This adds the foundation for user-facing span streaming configuration: - **`traceLifecycle` option**: New option in `ClientOptions` that controls whether spans are sent statically (when the entire local span tree is complete) or streamed (in batches following interval- and action-based triggers). Because the span JSON will look different for streamed spans vs. static spans (i.e. our current ones, we also need some helpers for `beforeSendSpan` where users consume and interact with `StreamedSpanJSON`: - **`withStreamedSpan()` utility**: Wrapper function that marks a `beforeSendSpan` callback as compatible with the streamed span format (`StreamedSpanJSON`) - **`isStreamedBeforeSendSpanCallback()` type guard**: Internal utility to check if a callback was wrapped with `withStreamedSpan`
Adds a utility to create a span v2 envelope from a `SerializedSpan` array + tests. Note: I think here, the "v2" naming makes more sense than the `StreamSpan` patter we use for user-facing functionality. This function should never be called by users, and the envelope is type `span` with content type `span.v2+json` ref #17836
This PR adds span JSON conversion and serialization helpers for span streaming: * `spanToStreamedSpanJSON`: Converts a `Span` instance to a JSON object used as intermediate representation as outlined in #19100 * Adds `SentrySpan::getStreamedSpanJSON` method to convert our own spans * Directly converts any OTel spans * This is analogous to how `spanToJSON` works today. * `spanJsonToSerializedSpan`: Converts a `StreamedSpanJSON` into the final `SerializedSpan` to be sent to Sentry. This PR also adds unit tests for both helpers. ref #17836 --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
This PR adds the `captureSpan` pipeline, which takes a `Span` instance, processes it and ultimately returns a `SerializedStreamedSpan` which can then be enqueued into the span buffer. ref #17836
This PR adds a simple span buffer implementation to be used for buffering streamed spans. Behaviour: - buckets incoming spans by `traceId`, as we must not mix up spans of different traces in one envelope - flushes the entire buffer every 5s by default - flushes the specific trace bucket if the max span limit (1000) is reached. Relay accepts at max. 1000 spans per envelope - computes the DSC when flushing the first span of a trace. This is the latest time we can do it as once we flushed we have to freeze the DSC for Dynamic Sampling consistency - debounces the flush interval whenever we flush - flushes the entire buffer if `Sentry.flush()` is called - shuts down the interval-based flushing when `Sentry.close()` is called - [implicit] Client report generation for dropped envelopes is handled in the transport Methods: - `add` accepts a new span to be enqueued into the buffer - `drain` flushes the entire buffer - `flush(traceId)` flushes a specific traceId bucket. This can be used by e.g. the browser span streaming implementation to flush out the trace of a segment span directly once it ends. Options: - `maxSpanLimit` - allows to configure a 0 < maxSpanLimit < 1000 custom span limit. Useful for testing but we could also expose this to users if we see a need - `flushInterval`- allows to configure a >0 flush interval Limitations/edge cases: - No maximum limit of concurrently buffered traces. I'd tend to accept this for now and see where this leads us in terms of memory pressure but at the end of the day, the interval based flushing, in combination with our promise buffer _should_ avoid an ever-growing map of trace buckets. Happy to change this if reviewers have strong opinions or I'm missing something important! - There's no priority based scheduling relative to other telemetry items. Just like with our other log and metric buffers. - since `Map` is [insertion order preserving](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map#description), we apply a FIFO strategy when`drain`ing the trace buckets. This is in line with our [develop spec](https://develop.sentry.dev/sdk/telemetry/telemetry-processor/backend-telemetry-processor/#:~:text=The%20span%20buffer,in%20the%20buffer.) for the telemetry processor but might lead to cases where new traces are dropped by the promise buffer if a lof of concurrently running traces are flushed. I think that's a fine trade off. ref #19119
This PR adds the final big building block for span streaming functionality in the browser SDK: `spanStreamingIntegation`. This integration: - enables `traceLifecycle: 'stream'` if not already set by users. This allows us to avoid the double-opt-in problem we usually have in browser SDKs because we want to keep integration tree-shakeable but also support the runtime-agnostic `traceLifecycle` option. - to do this properly, I decided to introduce a new integration hook: `beforeSetup`. This is allows us to safely modify client options before other integrations read it. We'll need this because `browserTracingIntegration` needs to check for span streaming later on. Let me know what you think! - validates that `beforeSendSpan` is compatible with span streaming. If not, it falls back to static tracing (transactions). - listens to a new `afterSpanEnd` hook. Once called, it will capture the span and hand it off to the span buffer. - listens to a new `afterSegmentSpanEnd` hook. Once called it will flush the trace from the buffer to ensure we flush out the trace as soon as possible. In browser, it's more likely that users refresh or close the tab/window before our buffer's internal flush interval triggers. We don't _have_ to do this but I figured it would be a good trigger point. While "final building block" sounds nice, there's still a lot of stuff to take care of in the browser. But with this in place we can also start integration-testing the browser SDKs. ref #17836 --------- Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
Adds weight-based flushing and span size estimation to the span buffer. Behaviour: - tracks weight independently per trace - weight estimation follows the same strategy we use for logs and metrics. I optimized the calculation, adding fixed sizes for as many fields as possible. Only span name, attributes and links are computed dynamically, with the same assumptions and considerations as in logs and metrics. - My tests show that the size estimation roughly compares to factor 0.8 to 1.2 to the real sizes, depending on data on spans (no, few, many, primitive, array attributes and links, etc.) - For now, the limit is set to 5MB which is half of the 10MB Relay accepts for span envelopes.
This PR adds browser integration to test testing span streaming: - Added test helpers: - `waitForStreamedSpan`: Returns a promise of a single matching span - `waitForStreamedSpans`: Returns a promise of all spans in an array whenever the callback returns true - `waitForStreamedSpanEnvelope`: Returns an entire streamed span (v2) envelope (including headers) - `observeStreamedSpan`: Can be used to observe sent span envelopes without blocking the test if no envelopes are sent (good for testing that spans are _not_ sent) - `getSpanOp`: Small helper to easily get the op of a span which we almost always need for the `waitFor*` function callbacks Added 50+ tests, mostly converted from transaction integration tests around spans from `browserTracingIntegration`: - tests asserting the entire span v2 envelope payloads of manually started, pageload and navigation span trees - tests for trace linking and trace lifetime - tests for spans coming from browserTracingIntegration (fetch, xhr, long animation frame, long tasks) Also, this PR fixes two bugs discovered through tests: - negatively sampled spans were still sent (because non-recording spans go through the same span life cycle) - cancelled spans received status `error` instead of `ok`. We want them to have status `ok` but an attribute detailing the cancellation reason. Lastly, I discovered a problem with timing data on fetch and XHR spans. Will try to fix as a follow-up. Tracked in #19613 ref #17836
…spans (#19643) This PR fixes a temporary bug in span streaming where we didn't add Http timing attributes (see #19613). We can fix this by following OTels approach: - delay the ending of `http.client` spans until either 300ms pass by or we receive the PerformanceResourceTiming entry with the respective timing information. Of course we end the span with the original timestamp then. - Unfortunately, we can only do this for streamed span because transaction-based spans cannot stay open longer than their parent (e.g. a pageload or navigation). Otherwise they'd get dropped. So we have to differentiate between the two modes here (RIP bundle size 😢) - To ensure we don't flush unnecessarily often, we also now delay flushing the span buffer for 500ms after a segment span ends. This slightly changed test semantics in a few integration tests because manually consecutively segments are now also sent in one envelope. This is completely fine (actually preferred) because we flush less often (i.e. fewer requests). closes #19613
…19741) This PR adds a server-side span streaming implementation, for now scoped to POtel SDKs. However we can reuse some stuff from this PR to very easily enable span streaming on Cloudflare, Vercel Edge and other OTel-less platforms. Main changes: - added `spanStreamingIntegration` to `@sentry/core`: This orchestrates the span streaming life cycle via the client and the span buffer. It's very similar to the already existing `spanStreamingIntegration` in browser but doesn't expose some of the behaviour that we need only in browser. - adjusted `SentrySpanProcessor` to emit the right client hooks instead of passing the span to the `SpanExporter`. - adjusted the SDKs' default integrations to include `spanStreamingIntegration` when users set `traceLifecycle: 'stream'` in their SDK init. Rest are tests and small refactors. I'll follow up with Node integration tests once this is merged to avoid bloating this PR further. ref #17836
Extends our Node (core) integration test runner API to expect `span` envelopes with both an API to test against span envelope headers as well as the container. In addition, this adds a couple of integration tests testing manually started spans, span name updates and span relationships. Luckily, all of the span relationship logic is independent from span streaming so the tests all pass. I still believe it's valuable to have a `span` version of them.
This PR Implements applying the `ignoreSpans` option to streamed spans (previously this option had no effect). It covers both, our core/browser- as well as the OTel/Node-based implementation. See PR for details
…20124) This PR makes some changes to the span streaming `beforeSendSpan` implementation: Previously `beforeSendSpan` was typed via discriminated union. While I initially thought this would work, it would break type checking for user-provided static `beforeSendSpan` callbacks because TS couldn't infer if the callback received a `SpanJSON` or a `StreamedSpanJSON`. So it defaulted to `unknown`. Now, we "pretend" that every `beforeSendSpan` callback receives and returns a `SpanJSON`. Since we instruct users for span streaming to use the `withStreamedSpan` helper anyway, they will get correct typing within the wrapper function (i.e. a callback receiving and returning `StreamedSpanJSON`. Other changes: - added missing exports for the `withStreamedSpan` helper from every SDK - added integration tests to demonstrate it being used - downleveled the debug log from `warn` to `log` that the browser `spanStreamingIntegration` automatically sets `traceLifecycle: 'stream'`. This is expected behaviour and we'll instruct users to only set `spanStreamingIntegration` to avoid a double-opt-in situation.
Bumps [effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect) from 3.20.0 to 3.21.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Effect-TS/effect/releases">effect's releases</a>.</em></p> <blockquote> <h2>effect@3.21.0</h2> <h3>Minor Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/f7bb09b022f195d1f2b3c23d49e74b011ec5d109"><code>f7bb09b</code></a> Thanks <a href="https://github.com/kitlangton"><code>@kitlangton</code></a>! - Add <code>Cron.prev</code> and reverse iteration support, aligning next/prev lookup tables, fixing DST handling symmetry, and expanding cron backward/forward test coverage.</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/bd7552a19cc0ed575507ac6cc0879a57e24ebd31"><code>bd7552a</code></a> Thanks <a href="https://github.com/mattiamanzati"><code>@mattiamanzati</code></a>! - Add type-level utils to asserting layer types</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/ad1a7eb7f6bebaf91c80be2443ac0439226d0098"><code>ad1a7eb</code></a> Thanks <a href="https://github.com/schickling"><code>@schickling</code></a>! - RcMap: support dynamic <code>idleTimeToLive</code> values per key</p> <p>The <code>idleTimeToLive</code> option can now be a function that receives the key and returns a duration, allowing different TTL values for different resources.</p> <pre lang="ts"><code>const map = yield * RcMap.make({ lookup: (key: string) => acquireResource(key), idleTimeToLive: (key: string) => { if (key.startsWith("premium:")) return Duration.minutes(10) return Duration.minutes(1) } }) </code></pre> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/0d32048f9836e2b23a6ba3ec5f43f0a000bb92fb"><code>0d32048</code></a> Thanks <a href="https://github.com/mikearnaldi"><code>@mikearnaldi</code></a>! - Fix annotateCurrentSpan, add Effect.currentPropagatedSpan</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/0d32048f9836e2b23a6ba3ec5f43f0a000bb92fb"><code>0d32048</code></a> Thanks <a href="https://github.com/mikearnaldi"><code>@mikearnaldi</code></a>! - Add logs to first propagated span, in the following case before this fix the log would not be added to the <code>p</code> span because <code>Effect.fn</code> adds a fake span for the purpose of adding a stack frame.</p> <pre lang="ts"><code>import { Effect } from "effect" <p>const f = Effect.fn(function* () {<br /> yield* Effect.logWarning("FooBar")<br /> return yield* Effect.fail("Oops")<br /> })</p> <p>const p = f().pipe(Effect.withSpan("p"))<br /> </code></pre></p> </li> </ul> <h2>effect@3.20.1</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/6133">#6133</a> <a href="https://github.com/Effect-TS/effect/commit/add06f4521403cbf4b9a692f9b59fb9d3d48293c"><code>add06f4</code></a> Thanks <a href="https://github.com/aniravi24"><code>@aniravi24</code></a>! - Fix <code>Equal.equals</code> crash when comparing <code>null</code> values inside <code>structuralRegion</code>. Added null guard before <code>Object.getPrototypeOf</code> calls to prevent <code>TypeError: Cannot convert undefined or null to object</code>.</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/6093">#6093</a> <a href="https://github.com/Effect-TS/effect/commit/a03b6a29ed0b983b0440b8ef4be47f47c57d73d7"><code>a03b6a2</code></a> Thanks <a href="https://github.com/luchersou"><code>@luchersou</code></a>! - avoid class for PrettyError to preserve error.name</p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md">effect's changelog</a>.</em></p> <blockquote> <h2>3.21.0</h2> <h3>Minor Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/f7bb09b022f195d1f2b3c23d49e74b011ec5d109"><code>f7bb09b</code></a> Thanks <a href="https://github.com/kitlangton"><code>@kitlangton</code></a>! - Add <code>Cron.prev</code> and reverse iteration support, aligning next/prev lookup tables, fixing DST handling symmetry, and expanding cron backward/forward test coverage.</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/bd7552a19cc0ed575507ac6cc0879a57e24ebd31"><code>bd7552a</code></a> Thanks <a href="https://github.com/mattiamanzati"><code>@mattiamanzati</code></a>! - Add type-level utils to asserting layer types</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/ad1a7eb7f6bebaf91c80be2443ac0439226d0098"><code>ad1a7eb</code></a> Thanks <a href="https://github.com/schickling"><code>@schickling</code></a>! - RcMap: support dynamic <code>idleTimeToLive</code> values per key</p> <p>The <code>idleTimeToLive</code> option can now be a function that receives the key and returns a duration, allowing different TTL values for different resources.</p> <pre lang="ts"><code>const map = yield * RcMap.make({ lookup: (key: string) => acquireResource(key), idleTimeToLive: (key: string) => { if (key.startsWith("premium:")) return Duration.minutes(10) return Duration.minutes(1) } }) </code></pre> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/0d32048f9836e2b23a6ba3ec5f43f0a000bb92fb"><code>0d32048</code></a> Thanks <a href="https://github.com/mikearnaldi"><code>@mikearnaldi</code></a>! - Fix annotateCurrentSpan, add Effect.currentPropagatedSpan</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/5780">#5780</a> <a href="https://github.com/Effect-TS/effect/commit/0d32048f9836e2b23a6ba3ec5f43f0a000bb92fb"><code>0d32048</code></a> Thanks <a href="https://github.com/mikearnaldi"><code>@mikearnaldi</code></a>! - Add logs to first propagated span, in the following case before this fix the log would not be added to the <code>p</code> span because <code>Effect.fn</code> adds a fake span for the purpose of adding a stack frame.</p> <pre lang="ts"><code>import { Effect } from "effect" <p>const f = Effect.fn(function* () {<br /> yield* Effect.logWarning("FooBar")<br /> return yield* Effect.fail("Oops")<br /> })</p> <p>const p = f().pipe(Effect.withSpan("p"))<br /> </code></pre></p> </li> </ul> <h2>3.20.1</h2> <h3>Patch Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/6133">#6133</a> <a href="https://github.com/Effect-TS/effect/commit/add06f4521403cbf4b9a692f9b59fb9d3d48293c"><code>add06f4</code></a> Thanks <a href="https://github.com/aniravi24"><code>@aniravi24</code></a>! - Fix <code>Equal.equals</code> crash when comparing <code>null</code> values inside <code>structuralRegion</code>. Added null guard before <code>Object.getPrototypeOf</code> calls to prevent <code>TypeError: Cannot convert undefined or null to object</code>.</p> </li> <li> <p><a href="https://redirect.github.com/Effect-TS/effect/pull/6093">#6093</a> <a href="https://github.com/Effect-TS/effect/commit/a03b6a29ed0b983b0440b8ef4be47f47c57d73d7"><code>a03b6a2</code></a> Thanks <a href="https://github.com/luchersou"><code>@luchersou</code></a>! - avoid class for PrettyError to preserve error.name</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Effect-TS/effect/commit/6e3782af7ad047bc006e543f2285fc35bcf798d9"><code>6e3782a</code></a> Version Packages (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/6135">#6135</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/f7bb09b022f195d1f2b3c23d49e74b011ec5d109"><code>f7bb09b</code></a> Add Cron.prev reverse iteration support (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/5786">#5786</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/bd7552a19cc0ed575507ac6cc0879a57e24ebd31"><code>bd7552a</code></a> Add type-level utils to asserting layer types (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/5920">#5920</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/ad1a7eb7f6bebaf91c80be2443ac0439226d0098"><code>ad1a7eb</code></a> RcMap: support dynamic idleTimeToLive values per key (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/5859">#5859</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/0d32048f9836e2b23a6ba3ec5f43f0a000bb92fb"><code>0d32048</code></a> Add logs to first propagated span (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/5710">#5710</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/37a8af53e32eb88e3c2d499a2659b0ff9405b4f4"><code>37a8af5</code></a> Version Packages (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/6134">#6134</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/a03b6a29ed0b983b0440b8ef4be47f47c57d73d7"><code>a03b6a2</code></a> fix(logger): use source maps for error stack traces in browser pretty logger ...</li> <li><a href="https://github.com/Effect-TS/effect/commit/7d8fc1ef2e79e0539a34278dce054b3c814b2529"><code>7d8fc1e</code></a> docs(Layer): clarify scopedDiscard JSDoc to match effectDiscard (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/5790">#5790</a>)</li> <li><a href="https://github.com/Effect-TS/effect/commit/add06f4521403cbf4b9a692f9b59fb9d3d48293c"><code>add06f4</code></a> fix(Equal): guard against null in structuralRegion comparison (<a href="https://github.com/Effect-TS/effect/tree/HEAD/packages/effect/issues/6133">#6133</a>)</li> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/effect@3.21.0/packages/effect">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
To know whether a page is SWR cached, can now be found in `event.context.routeRules.swr` (Nitro v3) instead of `event.context.cache.options.swr` (Nitro v2). closes #20169
Co-Authored-By: Claude <noreply@anthropic.com> Made-with: Cursor
Contributor
Semver Impact of This PR🟢 Patch (bug fixes) 📋 Changelog PreviewThis is how your changes will appear in the changelog. Internal Changes 🔧
🤖 This preview updates automatically when you update the PR. |
Lms24
requested review from
a team,
JPeer264 and
chargome
and removed request for
a team
JPeer264
approved these changes
Apr 9, 2026
chargome
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog for 10.48.0