Update dependency @sentry/browser to v7 [SECURITY] #5451

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-sentry-browser-vulnerability

renovate bot commented Jan 15, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change
@sentry/browser (source) ^6.4.1 → ^7.0.0

GitHub Vulnerability Alerts

GHSA-593m-55hh-j8gv

Impact

In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.

Note

This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.

Patches

The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version.
Also, the fix was backported to SDK v7 in 7.119.1.

Severity
  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Sentry SDK Prototype Pollution gadget in JavaScript SDKs

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

getsentry/sentry-javascript (@​sentry/browser)

v7.119.1

  • fix(browser/v7): Ensure wrap() only returns functions (#​13838 backport)

Work in this release contributed by @​legobeat. Thank you for your contribution!

v7.119.0

  • backport(tracing): Report dropped spans for transactions (#​13343)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.96 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.89 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 76.14 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.52 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.77 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.66 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.71 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.72 KB
@​sentry/browser - Webpack (gzipped) 22.91 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 79.17 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.49 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.17 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.41 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.92 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.52 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 76.24 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.45 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.4 KB
@​sentry/react - Webpack (gzipped) 22.94 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90.16 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.27 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.34 KB

v7.118.0

  • fix(v7/bundle): Ensure CDN bundles do not overwrite window.Sentry (#​12579)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.83 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.77 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 76.02 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.38 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.64 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.53 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.6 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.61 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 79.05 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.38 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.06 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.29 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.51 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.1 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.83 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.34 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.27 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90.03 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.15 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.34 KB

v7.117.0

  • feat(browser/v7): Publish browserprofling CDN bundle (#​12224)
  • fix(v7/publish): Add v7 tag to @sentry/replay (#​12304)

v7.116.0

This release publishes a new AWS Lambda layer under the name SentryNodeServerlessSDKv7 that users still running v7 can
use instead of pinning themselves to SentryNodeServerlessSDK:235.

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.83 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.77 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 76.02 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.38 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.64 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.53 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.6 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.61 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 79.04 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.37 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.05 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.28 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.49 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.08 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.81 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.33 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.27 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90.03 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.15 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.34 KB

v7.115.0

  • feat(v7): Add support for global onUnhandled Error/Promise for Bun (#​11959)
  • fix(replay/v7): Fix user activity not being updated in start() (#​12003)
  • ref(api): Remove lastEventId deprecation warnings (#​12042)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.83 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.77 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 76.02 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.38 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.64 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.53 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.6 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.61 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 79.04 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.37 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.05 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.28 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.49 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.08 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.81 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.33 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.27 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90.03 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.15 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.34 KB

v7.114.0

Important Changes
  • fix(browser/v7): Continuously record CLS (#​11935)

This release fixes a bug that caused the cumulative layout shift (CLS) web vital not to be reported in a majority of the
cases where it should have been reported. With this change, the CLS web vital should now always be reported for
pageloads with layout shift. If a pageload did not have layout shift, no CLS web vital should be reported.

Please note that upgrading the SDK to this version may cause data in your dashboards to drastically change.

Other Changes
  • build(aws-lambda/v7): Turn off lambda layer publishing (#​11875)
  • feat(v7): Add tunnel support to multiplexed transport (#​11851)
  • fix(opentelemetry-node): support HTTP_REQUEST_METHOD attribute (#​11929)
  • fix(react/v7): Fix react router v4/v5 span names (#​11940)

v7.113.0

Important Changes

This release adds support for Node 22! 🎉

It also adds prebuilt-binaries for Node 22 to @sentry/profiling-node.

Other Changes
  • feat(feedback): [v7] New feedback button design (#​11841)
  • feat(replay/v7): Upgrade rrweb packages to 2.15.0 (#​11752)
  • fix(ember/v7): Ensure unnecessary spans are avoided (#​11848)

v7.112.2

  • fix(nextjs|sveltekit): Ensure we can pass browserTracingIntegration (#​11765)

v7.112.1

  • fix(ember/v7): Do not create rendering spans without transaction (#​11750)

v7.112.0

Important Changes
  • feat: Export pluggable integrations from SDK packages (#​11723)

Instead of installing @sentry/integrations, you can now import the pluggable integrations directly from your SDK
package:

// Before
import * as Sentry from '@sentry/browser';
import { dedupeIntegration } from '@sentry/integrations';

Sentry.init({
  integrations: [dedupeIntegration()],
});

// After
import * as Sentry from '@sentry/browser';

Sentry.init({
  integrations: [Sentry.dedupeIntegration()],
});

Note that only the functional integrations (e.g. xxxIntegration()) are re-exported.

Other Changes
  • feat(replay): Add "maxCanvasSize" option for replay canvases (#​11732)
  • fix(serverless): [v7] Check if cloud event callback is a function (#​11734)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.72 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.69 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.91 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.32 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.62 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.5 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.57 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.58 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.9 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.27 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.02 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.28 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.25 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.01 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.79 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.3 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.18 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90.01 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.15 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.32 KB

v7.111.0

  • feat(core): Add server.address to browser http.client spans (#​11663)
  • fix: Ensure next & sveltekit correctly handle browserTracingIntegration (#​11647)
  • fix(browser): Don't assume window.document is available (#​11598)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.71 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.68 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.7 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.31 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.62 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.5 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.57 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.58 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.89 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.25 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 36.02 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.27 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 221.21 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 109.01 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.79 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.3 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.17 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 90 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.15 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.32 KB

v7.110.1

  • fix(nextjs): Fix tunnelRoute matching logic for hybrid cloud (#​11577)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.58 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.55 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.57 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.18 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.49 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.37 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.57 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.58 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.76 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.12 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 35.9 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.27 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 220.72 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 108.53 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.79 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.17 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.03 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 89.87 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.01 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.32 KB

v7.110.0

Important Changes
  • feat(tracing): Add interactions sample rate to browser tracing integrations (#​11382)

You can now use an interactionsSampleRate to control the sample rate of INP spans. interactionsSampleRate is applied
on top of the global tracesSampleRate. Therefore if interactionsSampleRate is 0.5 and tracesSampleRate is 0.1,
then the actual sample rate for interactions is 0.05.

Sentry.init({
  tracesSampleRate: 0.1,
  integrations: [
    Sentry.browserTracingIntegration({
      interactionsSampleRate: 0.5,
    }),
  ],
});

  • Deprecations

This release deprecates the Hub class, as well as the addRequestDataToTransaction method. The trpcMiddleware
method is no longer on the Handlers export, but instead is a standalone export.

Please see the detailed Migration docs on how to migrate to the new APIs.

  • feat: Deprecate and relocate trpcMiddleware (#​11389)
  • feat(core): Deprecate Hub class (#​11528)
  • feat(types): Deprecate Hub interface (#​11530)
  • ref: Deprecate addRequestDataToTransaction (#​11368)

Other Changes
  • feat(core): Update metric normalization (#​11519)
  • feat(feedback): Customize feedback placeholder text color (#​11521)
  • feat(remix): Skip span creation for OPTIONS and HEAD request. (#​11485)
  • feat(utils): Add metric buckets rate limit (#​11506)
  • fix(core): unref timer to not block node exit (#​11483)
  • fix(metrics): Map statsd to metric_bucket (#​11505)
  • fix(spans): Allow zero exclusive time for INP spans (#​11408)
  • ref(feedback): Configure feedback fonts (#​11520)

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.58 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.55 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.57 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.18 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.49 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.37 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.57 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.58 KB
@​sentry/browser - Webpack (gzipped) 22.78 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.76 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 70.12 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 35.9 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.27 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 220.72 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 108.53 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.79 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39.17 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 72.03 KB
@​sentry/react - Webpack (gzipped) 22.81 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 89.87 KB
@​sentry/nextjs Client - Webpack (gzipped) 54.01 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.32 KB

v7.109.0

This release deprecates some exports from the @sentry/replay package. These exports have been moved to the browser SDK
(or related framework SDKs like @sentry/react).

  • feat(feedback): Make "required" text for input elements configurable (#​11287)
  • feat(node): Add scope to ANR events (#​11267)
  • feat(replay): Bump rrweb to 2.12.0 (#​11317)
  • fix(node): Local variables skipped after Promise (#​11248)
  • fix(node): Skip capturing Hapi Boom error responses (#​11324)
  • fix(web-vitals): Check for undefined navigation entry (#​11312)
  • ref(replay): Deprecate @sentry/replay exports (#​11242)

Work in this release contributed by @​soerface. Thank you for your contribution!

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.48 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.47 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.49 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.11 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.41 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.29 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.52 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.53 KB
@​sentry/browser - Webpack (gzipped) 22.74 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.59 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 69.97 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 35.77 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.17 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 220.31 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 108.12 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.48 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 39 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 71.97 KB
@​sentry/react - Webpack (gzipped) 22.77 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 89.81 KB
@​sentry/nextjs Client - Webpack (gzipped) 53.95 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.3 KB

v7.108.0

This release fixes issues with Time to First Byte (TTFB) calculation in the SDK that was introduced with 7.95.0. It
also fixes some bugs with Interaction to First Paint (INP) instrumentation. This may impact your Sentry Performance
Score calculation.

  • feat(serverless): Add Node.js 20 to compatible runtimes (#​11104)
  • feat(core): Backport ResizeObserver and googletag default filters (#​11210)
  • feat(webvitals): Adds event entry names for INP handler. Also guard against empty metric value
  • fix(metrics): use correct statsd data category (#​11187)
  • fix(node): Record local variables with falsy values (v7) (#​11190)
  • fix(node): Use unique variable for ANR context transfer (v7) (#​11162)
  • fix(node): Time zone handling for cron (#​11225)
  • fix(tracing): use web-vitals ttfb calculation (#​11231)
  • fix(types): Fix incorrect sampled type on Transaction (#​11146)
  • fix(webvitals): Fix mapping not being maintained properly and sometimes not sending INP spans (#​11183)

Work in this release contributed by @​quisido and @​joshkel. Thank you for your contributions!

Bundle size 📦

Path Size
@​sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 80.45 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 71.47 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 75.47 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 65.1 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped) 35.4 KB
@​sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 35.29 KB
@​sentry/browser (incl. Feedback) - Webpack (gzipped) 31.49 KB
@​sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.5 KB
@​sentry/browser - Webpack (gzipped) 22.74 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 78.55 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 69.97 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 35.77 KB
@​sentry/browser - ES6 CDN Bundle (gzipped) 25.17 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 220.29 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 108.1 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed) 75.48 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 38.99 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 71.96 KB
@​sentry/react - Webpack (gzipped) 22.77 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 89.81 KB
@​sentry/nextjs Client - Webpack (gzipped) 53.95 KB
@​sentry-internal/feedback - Webpack (gzipped) 17.28 KB

v7.107.0

This release fixes issues with INP instrumentation with the Next.js SDK and adds support for the enableInp option in
the deprecated BrowserTracing integration for backwards compatibility.

  • feat(performance): Port INP span instrumentation to old browser tracing (#​11085)
  • fix(ember): Ensure browser tracing is correctly lazy loaded (#​11027)
  • fix(node): Do not assert in vendored proxy code (v7 backport) (#​11009)
  • fix(react): Set handled value in ErrorBoundary depending on fallback [v7] (#​11037)

Bundle size 📦

| Path


Configuration

📅 Schedule: (in timezone US/Eastern)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
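
What "gadget" means in the advisory quoted in the PR description above, shown on a generic helper: this is an added illustration, not Sentry SDK code, and `CACHE_KEY`, `makeWrapper`, `wrapUnsafe`, `wrapSafe` and `withPollutedPrototype` are hypothetical names. The hardened variant gives the same kind of guarantee the 7.119.1 release note names, a wrap helper that only returns functions.

```javascript
// Added illustration, not Sentry SDK code. All names here are hypothetical:
// a generic helper that caches a wrapper on the function it wraps.
const CACHE_KEY = '__cachedWrapper__';

function makeWrapper(fn) {
  const wrapper = function (...args) {
    return fn.apply(this, args);
  };
  // Own, non-enumerable slot so later calls can reuse the same wrapper.
  Object.defineProperty(fn, CACHE_KEY, {
    value: wrapper,
    enumerable: false,
    configurable: true,
  });
  return wrapper;
}

// Gadget-prone: a plain property read walks the prototype chain, so a value
// that a pollution bug elsewhere placed on Object.prototype is returned as if
// it were the cached wrapper.
function wrapUnsafe(fn) {
  const cached = fn[CACHE_KEY];
  return cached ? cached : makeWrapper(fn);
}

// Hardened: trust the slot only if it is an own property and holds a function.
function wrapSafe(fn) {
  if (typeof fn !== 'function') return fn;
  if (Object.prototype.hasOwnProperty.call(fn, CACHE_KEY)) {
    const cached = fn[CACHE_KEY];
    if (typeof cached === 'function') return cached;
  }
  return makeWrapper(fn);
}

// Simulates the precondition the advisory names (a prototype pollution bug
// somewhere else in the application) and always restores the prototype.
function withPollutedPrototype(key, value, run) {
  Object.defineProperty(Object.prototype, key, {
    value,
    configurable: true,
    writable: true,
    enumerable: false,
  });
  try {
    return run();
  } finally {
    delete Object.prototype[key];
  }
}

function demo() {
  const handler = () => 'handled';
  return withPollutedPrototype(CACHE_KEY, 'planted-string', () => ({
    unsafeReturns: typeof wrapUnsafe(handler), // inherited value leaks through
    safeReturns: typeof wrapSafe(handler),     // inherited value is ignored
    safeStillWorks: wrapSafe(handler)(),       // cached wrapper is reused and callable
  }));
}

console.log(demo());
```

The helper on its own has no pollution bug; it only becomes dangerous once some other code has polluted `Object.prototype`, which is why the advisory tells users to fix the underlying pollution first.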

renovate bot commented Jan 15, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
/opt/containerbase/tools/corepack/0.34.6/14.18.2/node_modules/corepack/dist/yarn.js:2
process.env.COREPACK_ENABLE_DOWNLOAD_PROMPT??='1'
                                           ^^^

SyntaxError: Unexpected token '??='
    at wrapSafe (internal/modules/cjs/loader.js:1001:16)
    at Module._compile (internal/modules/cjs/loader.js:1049:27)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
    at internal/main/run_main_module.js:17:47

@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 3 times, most recently from 91ff8cd to 387b76b Compare January 23, 2026 11:51
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch from 387b76b to ea989dd Compare February 3, 2026 15:03
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 6 times, most recently from aaa9844 to c03ddec Compare February 28, 2026 10:07
Comment thread package.json
"@material-ui/core": "^4.2.1",
"@mitodl/iso-3166-2": "^1.0.1",
"@sentry/browser": "^6.4.1",
"@sentry/browser": "^7.0.0",
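
Review bot: The new range on the "@sentry/browser": "^7.0.0" line still admits every 7.x release below 7.119.1, which the advisory quoted in this PR names as the v7 release that carries the backported fix for GHSA-593m-55hh-j8gv. Raise the floor to ^7.119.1 so that no resolution can land on an unpatched 7.x, and regenerate yarn.lock in the same commit, since the artifact update for this branch failed and the lockfile decides which version is actually installed.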

Bug: Upgrading @sentry/browser to v7.0.0 will ship untranspiled ES6 code to IE11 users because the Babel loader configuration does not process the @sentry/browser package.
Severity: CRITICAL

Suggested Fix

Update the babelSharedLoader configuration in your webpack settings to include the path to the @sentry/browser package. This will ensure its code is transpiled to ES5, making it compatible with older browsers like IE11. For example, add path.resolve(__dirname, "node_modules/@sentry/browser") to the include array.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: Upgrading `@sentry/browser` to v7.0.0 introduces ES6 code. The
project's webpack configuration for the Babel loader explicitly specifies an `include`
path that only transpiles application code and the `@material-ui` library, but not other
`node_modules` like `@sentry/browser`. The application actively supports Internet
Explorer 11, which does not understand ES6 syntax. As a result, any IE11 user loading
the site will encounter a JavaScript syntax error when the untranspiled Sentry package
is loaded. This will prevent Sentry from initializing and is likely to break other
critical page functionality, preventing the page from loading correctly for those users.

@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 4 times, most recently from a4fd6cc to e05c6c3 Compare March 1, 2026 09:02
Comment thread package.json
"@material-ui/core": "^4.2.1",
"@mitodl/iso-3166-2": "^1.0.1",
"@sentry/browser": "^6.4.1",
"@sentry/browser": "^7.0.0",

Bug: Upgrading @sentry/browser to v7 will break the application for IE11 users because its ES6 code is not being transpiled to ES5 by the current webpack configuration.
Severity: HIGH

Suggested Fix

Update the webpack configuration in webpack.config.shared.js to include @sentry/browser in the babelSharedLoader's include array. This will ensure the Sentry SDK is transpiled to ES5, maintaining compatibility with older browsers like IE11.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: The upgrade to `@sentry/browser` v7 introduces untranspiled ES6 code.
The project's webpack configuration in `webpack.config.shared.js` does not include
`@sentry/browser` in its Babel transpilation process. The application has historically
supported Internet Explorer 11, which does not support modern ES6 syntax. Because the
Sentry client bundle is loaded early in the page's `<head>`, users on IE11 will
encounter JavaScript syntax errors during initialization, causing the application to
fail to load.

@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 2 times, most recently from 4fb9a0f to d397cba Compare March 2, 2026 02:40
Comment thread package.json
"@material-ui/core": "^4.2.1",
"@mitodl/iso-3166-2": "^1.0.1",
"@sentry/browser": "^6.4.1",
"@sentry/browser": "^7.0.0",

Bug: The yarn.lock file was not updated after changing the @sentry/browser version in package.json. This results in the old, vulnerable version being installed.
Severity: CRITICAL

Suggested Fix

Regenerate the yarn.lock file to reflect the version change in package.json. This can be done by running yarn install or yarn upgrade @sentry/browser, which will update the lockfile to resolve to a secure version of @sentry/browser.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: The pull request updates `package.json` to use `@sentry/browser:
^7.0.0` to patch a security vulnerability (GHSA-593m-55hh-j8gv). However, the
`yarn.lock` file was not regenerated. As a result, `yarn install` will continue to
install the old, vulnerable version (`6.7.1`) specified in the lockfile, instead of the
intended secure version. This leaves the application exposed to the Prototype Pollution
gadget attack that the upgrade was meant to fix.
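
The lockfile drift described in the review comment above can be checked mechanically. The following is an added example, not code from this repository or from Renovate: it parses a yarn.lock (v1 format) and reports whether the manifest range has a lock entry and whether any pinned `@sentry/browser` version falls outside the patched releases named in the advisory. The function names and both sample lockfiles are constructed for illustration.

```javascript
// Constructed sample: yarn.lock (v1) left unchanged after package.json moved to "^7.0.0".
const STALE_LOCK = `
"@sentry/browser@^6.4.1":
  version "6.7.1"
`;
// Constructed sample: lockfile regenerated and resolving to the v7 backport.
const FRESH_LOCK = `
"@sentry/browser@^7.0.0":
  version "7.119.1"
`;

const parse = (v) => v.split(".").map(Number);
const gte = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
};

// Patched per GHSA-593m-55hh-j8gv: 8.33.0 and later, or 7.119.1 and later on v7.
function isPatched(version) {
  const major = parse(version)[0];
  return major >= 8 ? gte(version, "8.33.0") : major === 7 && gte(version, "7.119.1");
}

// Collect { specs, version } for every lock entry that belongs to `pkg`.
function lockedEntries(lockText, pkg) {
  const entries = [];
  let specs = null;
  for (const line of lockText.split("\n")) {
    const m = /^  version "([^"]+)"$/.exec(line);
    if (/^[^\s#].*:$/.test(line)) {
      // Entry header, e.g. "@sentry/browser@^6.4.1", "@sentry/browser@^6.7.0":
      specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/"/g, ""));
    } else if (specs && m) {
      const mine = specs.filter((s) => s.startsWith(pkg + "@"));
      if (mine.length) entries.push({ specs: mine, version: m[1] });
      specs = null;
    }
  }
  return entries;
}

// lockInSync: the manifest range has a lock entry; unpatched: pins outside the patched releases.
function auditLock(manifestRange, lockText, pkg = "@sentry/browser") {
  const entries = lockedEntries(lockText, pkg);
  return {
    lockInSync: entries.some((e) => e.specs.includes(`${pkg}@${manifestRange}`)),
    unpatched: entries.filter((e) => !isPatched(e.version)).map((e) => e.version),
  };
}
```

A lockfile that is in sync with `^7.0.0` but pinned below 7.119.1 still appears in `unpatched`, so the two fields should be read together.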

@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 2 times, most recently from 29baf1a to a7a1655 Compare March 5, 2026 19:40
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch from a7a1655 to 4c8686f Compare March 9, 2026 15:04
Comment thread package.json
@@ -10,7 +10,7 @@
"@fancyapps/fancybox": "^3.5.7",
"@material-ui/core": "^4.2.1",
"@mitodl/iso-3166-2": "^1.0.1",

Bug: The Sentry v7 upgrade introduces ES6 syntax that is not being transpiled by Babel, which will break the application on older browsers like IE11.
Severity: HIGH

Suggested Fix

Update the include array for the babelSharedLoader in webpack.config.shared.js to also process the @sentry/browser package. This will ensure its ES6 syntax is correctly transpiled to ES5 for compatibility with older browsers.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L12

Potential issue: The upgrade to `@sentry/browser` v7 introduces untranspiled ES6 syntax
into the production bundle. The project's Babel configuration in
`webpack.config.shared.js` explicitly includes only `static/js` and `@material-ui` for
transpilation, excluding all other `node_modules` packages. Because `@sentry/browser` is
not included, its ES6 code will not be converted to ES5. This will cause JavaScript
parsing and execution errors for users on older browsers that do not support ES6, such
as Internet Explorer 11, potentially breaking the application for them.

@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 3 times, most recently from c2679c3 to b5ec281 Compare March 19, 2026 19:14
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 2 times, most recently from 2c8bd80 to 6c9c26b Compare March 26, 2026 14:13
@renovate renovate bot changed the title fix(deps): update dependency @sentry/browser to v7 [security] fix(deps): update dependency @sentry/browser to v7 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-sentry-browser-vulnerability branch March 27, 2026 02:51
@renovate renovate bot changed the title fix(deps): update dependency @sentry/browser to v7 [security] - autoclosed fix(deps): update dependency @sentry/browser to v7 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 6 times, most recently from 9cb9134 to e3f0dc4 Compare April 1, 2026 15:15
@renovate renovate bot changed the title fix(deps): update dependency @sentry/browser to v7 [security] Update dependency @sentry/browser to v7 [SECURITY] Apr 8, 2026
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch 5 times, most recently from 0de7713 to 82bdab3 Compare April 15, 2026 15:02
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch from 82bdab3 to 251f2c9 Compare April 16, 2026 14:57
@renovate renovate bot force-pushed the renovate/npm-sentry-browser-vulnerability branch from 251f2c9 to 7d4a602 Compare April 16, 2026 15:54