
[Security] Bump @sentry/node and @sentry/nextjs

Bumps @sentry/node to 8.55.0 and updates ancestor dependency @sentry/nextjs. These dependencies need to be updated together.

Updates @sentry/node from 8.47.0 to 8.55.0. This update includes a security fix.

Vulnerabilities fixed

Potential DoS when using ContextLines integration

Impact

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events.

The stream was not explicitly closed after use. This could leave an excessive number of file handles open on the system and potentially lead to a Denial of Service (DoS).

The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs that run in Node.js environments (@sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/nuxt, @sentry/remix, @sentry/solidstart, @sentry/sveltekit).

Patches

Users should upgrade to version 8.49.0 or higher.

Workarounds

To remediate this issue in affected versions without upgrading to version 8.49.0 or above, you can disable the ContextLines integration. See the docs for more details.

Sentry.init({
  // ...
  integrations: function (integrations) {
    // integrations will be all default integrations

... (truncated)

Patched versions: 8.49.0
Affected versions: >= 8.10.0, < 8.49.0

Release notes

Sourced from @​sentry/node's releases.

8.55.0

Important Changes

  • chore(ci/v8): Switch lambda layer name to SentryNodeServerlessSDKv8 (#15351)

The SentryNodeServerlessSDK AWS Lambda Layer will stop receiving updates. If you intend to stay on v8 and receive updates use SentryNodeServerlessSDKv8 instead.

Other Changes

  • feat(flags/v8): add Statsig browser integration (#15347)
  • feat(v8/node): Add missing vercelAIIntegration export (#15339)
  • feat(v8/nuxt): Add enabled to disable Sentry module (#15337) (#15381)
  • feat(v8/vue): Support Pinia v3 (#15384)
  • fix(astro): Add vue to registerEsmLoaderHooks (#15352)
  • fix(react/v8): Support lazy-loaded routes and components (#15281)
  • fix(v8/nuxt): Detect Azure Function runtime for flushing with timeout (#15297)
  • fix(v8/solidstart): Do not copy release-injection map file (#15304)
  • fix(v8/svelte): Guard component tracking beforeUpdate call (#15262)

Work in this release was contributed by @​aryanvdesh. Thank you for your contribution!

Bundle size 📦

Path Size
@​sentry/browser 23.3 KB
@​sentry/browser - with treeshaking flags 23.17 KB
@​sentry/browser (incl. Tracing) 35.9 KB
@​sentry/browser (incl. Tracing, Replay) 73.27 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.71 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 77.57 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.5 KB
@​sentry/browser (incl. Feedback) 39.51 KB
@​sentry/browser (incl. sendFeedback) 27.91 KB
@​sentry/browser (incl. FeedbackAsync) 32.71 KB
@​sentry/react 25.98 KB
@​sentry/react (incl. Tracing) 38.71 KB
@​sentry/vue 27.58 KB
@​sentry/vue (incl. Tracing) 37.75 KB
@​sentry/svelte 23.46 KB
CDN Bundle 24.49 KB
CDN Bundle (incl. Tracing) 37.6 KB
CDN Bundle (incl. Tracing, Replay) 72.9 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 78.23 KB
CDN Bundle - uncompressed 71.92 KB
CDN Bundle (incl. Tracing) - uncompressed 111.52 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 225.78 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 238.88 KB
@​sentry/nextjs (client) 38.96 KB

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

8.55.0

Important Changes

  • chore(ci/v8): Switch lambda layer name to SentryNodeServerlessSDKv8 (#15351)

The SentryNodeServerlessSDK AWS Lambda Layer will stop receiving updates. If you intend to stay on v8 and receive updates use SentryNodeServerlessSDKv8 instead.

Other Changes

  • feat(flags/v8): add Statsig browser integration (#15347)
  • feat(v8/node): Add missing vercelAIIntegration export (#15339)
  • feat(v8/nuxt): Add enabled to disable Sentry module (#15337) (#15381)
  • feat(v8/vue): Support Pinia v3 (#15384)
  • fix(astro): Add vue to registerEsmLoaderHooks (#15352)
  • fix(react/v8): Support lazy-loaded routes and components (#15281)
  • fix(v8/nuxt): Detect Azure Function runtime for flushing with timeout (#15297)
  • fix(v8/solidstart): Do not copy release-injection map file (#15304)
  • fix(v8/svelte): Guard component tracking beforeUpdate call (#15262)

Work in this release was contributed by @​aryanvdesh. Thank you for your contribution!

8.54.0

  • feat(v8/deps): Upgrade all OpenTelemetry dependencies (#15098)
  • fix(node/v8): Add compatibility layer for Prisma v5 (#15210)

Work in this release was contributed by @​nwalters512. Thank you for your contribution!

8.53.0

  • feat(v8/nuxt): Add url to SourcemapsUploadOptions (#15202)
  • fix(v8/react): fromLocation can be undefined in Tanstack Router Instrumentation (#15237)

Work in this release was contributed by @​tannerlinsley. Thank you for your contribution!

8.52.1

  • fix(v8/nextjs): Fix nextjs build warning (#15226)
  • ref(v8/browser): Add protocol attributes to resource spans #15224
  • ref(v8/core): Don't set this.name to new.target.prototype.constructor.name (#15222)

Work in this release was contributed by @​Zen-cronic. Thank you for your contribution!

8.52.0

Important Changes

  • feat(solidstart): Add withSentry wrapper for SolidStart config (#15135)

... (truncated)


Updates @sentry/nextjs from 8.47.0 to 8.55.0

