meta(changelog): Update changelog for 10.35.0 #18886
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Gitflow] Merge master into develop
This PR adds `ignored` as a new allowed client report discard reason. The new reason can already be used (see [ticket](https://linear.app/getsentry/issue/FE-678/add-new-ignore-discard-reason-for-client-reports) for details). Technically, we only need it right now for span-first to record `ignoreSpans` hits. But this reason also meant for more telemetry types, so we can merge it into develop already.
This is only a temporary solution for LangChain v1 tests. LangChain changed the way they handle internal API errors occurring during gen_ai spans. For now, we’ll comment this out to unblock CI, then circle back with a proper solution. Ticket (TBD): https://linear.app/getsentry/issue/JS-1477/fix-internal-error-tests-for-langchain-v1
…18829) Before submitting a pull request, please take a look at our [Contributing](https://github.com/getsentry/sentry-javascript/blob/master/CONTRIBUTING.md) guidelines and verify: - [ ] If you've added code that should be tested, please add tests. - [ ] Ensure your code lints and the test suite passes (`yarn lint`) & (`yarn test`). - [ ] Link an issue if there is one related to your pull request. If no issue is linked, one will be auto-generated and linked. Closes #issue_link_here Closes #18830 (added automatically)
Bumps our dev dependency sveltekit version to the latest version in light of GHSA-j2f3-wq62-6q46. To be clear, this package is only used a dev dependency, so it wasn't shipped in our SvelteKit SDK NPM package. Closes #18849 (added automatically)
Bumps affected sveltekit and node adapter versions in our e2e test apps. Also took the opportunity to pin two `^` version ranges to the specific latest version | File | Package | Old Version | New Version | | ----------------------------------------- | ------------------------ | ----------- | ----------- | | `sveltekit-2-kit-tracing/package.json` | `@sveltejs/kit` | `2.31.0` | `2.49.5` | | `sveltekit-2-kit-tracing/package.json` | `@sveltejs/adapter-node` | `^5.3.1` | `5.5.1` | | `sveltekit-2-svelte-5/package.json` | `@sveltejs/kit` | `2.41.0` | `2.49.5` | | `sveltekit-2/package.json` | `@sveltejs/kit` | `2.21.3` | `2.49.5` | | `sveltekit-cloudflare-pages/package.json` | `@sveltejs/kit` | `^2.21.3` | `2.49.5` | Closes #18851 (added automatically)
This PR adds the external contributor to the CHANGELOG.md file, so that they are credited for their contribution. See #18858 Co-authored-by: andreiborza <168741329+andreiborza@users.noreply.github.com>
…age automatic source map uploads (#18712) Adds sentryTanstackStart Vite plugin to enable automatic source map uploads in TanStack Start applications. **What it does** I tried to align with what we do in other SDKs (e.g. SvelteKit). On a high-level it: - Uploads source maps to Sentry using @sentry/vite-plugin if configured, passing through all options set by the user (including release, sourcemaps, headers, etc.) - If the source maps option is not defined and also the files to delete option is not defined, we enable cleaning up all .map files after the source map upload - If the source map configuration is undefined, we additionally enable hidden source map generation **Usage** ``` // vite.config.ts import { defineConfig } from 'vite'; import { sentryTanstackStart } from '@sentry/tanstackstart-react'; import { tanstackStart } from '@tanstack/react-start/plugin/vite'; export default defineConfig({ plugins: [ sentryTanstackStart({ authToken: process.env.SENTRY_AUTH_TOKEN, org: 'my-org', project: 'my-project', }), tanstackStart(), ], }); ``` **Tests** - Added unit tests for sourceMaps.ts and sentryTanstackStart.ts covering plugin composition, options passing, and source map settings logic - Updated the E2E test to use the new plugin pattern Closes #18664
Adds a shim for the `logger` namespace since we'll soon ship the logs bundle in the loader and want to avoid breaking user apps when they switch back to a bundle that does not include logs closes #18826
When injecting tracing headers into fetch requests, the SDK was mutating the user's original options object. This caused issues when users reused config objects across requests or when the object was frozen (e.g., from Immer's `produce()`), leading to silent failures. This change shallow clones the options object before modifying it, ensuring the original remains unchanged while still properly injecting the `sentry-trace` and `baggage` headers. Closes #18828
…ts/test-applications/cloudflare-hono (#18806) Bumps [hono](https://github.com/honojs/hono) from 4.10.3 to 4.11.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/honojs/hono/releases">hono's releases</a>.</em></p> <blockquote> <h2>v4.11.4</h2> <h2>Security</h2> <p>Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.</p> <p>Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.</p> <p>If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.</p> <h3>JWT middleware</h3> <pre lang="ts"><code>import { jwt } from 'hono/jwt' <p>app.use( '/auth/*', jwt({ secret: 'it-is-very-secret', alg: 'HS256', // required }) ) </code></pre></p> <h3>JWK/JWKS middleware</h3> <pre lang="ts"><code>import { jwk } from 'hono/jwk' <p>app.use( '/auth/*', jwk({ jwks_uri: '<a href="https://example.com/.well-known/jwks.json">https://example.com/.well-known/jwks.json</a>', alg: ['RS256'], // required (asymmetric algorithms only) }) ) </code></pre></p> <p>For more details, see the Security Advisory.</p> <ul> <li><a href="https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4">https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4</a></li> <li><a href="https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4">https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4</a></li> </ul> <h2>What's Changed</h2> <ul> <li>test(utils/jwt): add missing algorithm types in jwa.test.ts by <a href="https://github.com/flathill404"><code>@flathill404</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4607">honojs/hono#4607</a></li> <li>chore: bump <code>@hono/eslint-config</code> and enable curly rule by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4620">honojs/hono#4620</a></li> <li>docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated test. by <a href="https://github.com/Itsnotaka"><code>@Itsnotaka</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4618">honojs/hono#4618</a></li> <li>test: support <code>alg</code> option for JWT middleware by <a href="https://github.com/yusukebe"><code>@yusukebe</code></a> in <a href="https://redirect.github.com/honojs/hono/pull/4624">honojs/hono#4624</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/flathill404"><code>@flathill404</code></a> made their first contribution in <a href="https://redirect.github.com/honojs/hono/pull/4607">honojs/hono#4607</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/honojs/hono/commit/28452f06319ef12df94b826450f36486e286565d"><code>28452f0</code></a> 4.11.4</li> <li><a href="https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134"><code>190f6e2</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/a48ef183d46c95053003dba4f107f95b5c637ffd"><code>a48ef18</code></a> test: support <code>alg</code> option for JWT middleware (<a href="https://redirect.github.com/honojs/hono/issues/4624">#4624</a>)</li> <li><a href="https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f"><code>cc0aa7a</code></a> Merge commit from fork</li> <li><a href="https://github.com/honojs/hono/commit/ef2a4b8d77711c9308a6ddca9e35d4ff321f97fe"><code>ef2a4b8</code></a> docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated...</li> <li><a href="https://github.com/honojs/hono/commit/8139399f68e3f3f60adffee0c49630d34310a361"><code>8139399</code></a> chore: bump <code>@hono/eslint-config</code> and enable curly rule (<a href="https://redirect.github.com/honojs/hono/issues/4620">#4620</a>)</li> <li><a href="https://github.com/honojs/hono/commit/4e872759b092e34458aeecb8b72e3e0c4d4f1784"><code>4e87275</code></a> test(utils/jwt): add missing algorithm types in jwa.test.ts (<a href="https://redirect.github.com/honojs/hono/issues/4606">#4606</a>) (<a href="https://redirect.github.com/honojs/hono/issues/4607">#4607</a>)</li> <li><a href="https://github.com/honojs/hono/commit/79977401a0c97122999464f47bd383a2959532fd"><code>7997740</code></a> 4.11.3</li> <li><a href="https://github.com/honojs/hono/commit/489af0b0825fa85e8b15f4659204bf622e0573b9"><code>489af0b</code></a> fix(types): fix middleware union type merging in MergeMiddlewareResponse (<a href="https://redirect.github.com/honojs/hono/issues/4602">#4602</a>)</li> <li><a href="https://github.com/honojs/hono/commit/6ca01ec69b17c56f84fccd866702f7f999332030"><code>6ca01ec</code></a> 4.11.2</li> <li>Additional commits viewable in <a href="https://github.com/honojs/hono/compare/v4.10.3...v4.11.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/getsentry/sentry-javascript/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…18838) closes #18418 closes [JS-1260](https://linear.app/getsentry/issue/JS-1260/fastify-5-integration-replystatuscode-is-always-200-in) A test that verifies that the upstream issue got fixed. There was also [one tiny config for playwright](https://github.com/getsentry/sentry-javascript/pull/16845/files#diff-b3f13ce31676390f5b27a03da28c135f8412f211e90735bf6c2cf25c287a202c) which was missed, so the wrong application was running.
…TADATA is enabled (#18855) The `CF_VERSION_METADATA` only has one reason - to add the release id. Since we already set the release when `SENTRY_RELEASE` is enabled automatically, we can do the same for `CF_VERSION_METADATA`. The docs will then also be updated to state how the release id can be set in different ways: getsentry/sentry-docs#16006 Closes #18856 (added automatically) Closes [JS-1489](https://linear.app/getsentry/issue/JS-1489/featcloudflare-automatically-set-the-release-id-when-cf-version)
closes [FE-681](https://linear.app/getsentry/issue/FE-681/senddefaultpii-sets-cloudflare-worker-ip-instead-of-the-one-from-the) It seems that in some cases the headers do have a different casing. E.g. in Cloudflare Workers the `[CF-Connecting-IP](https://developers.cloudflare.com/fundamentals/reference/http-headers/#cf-connecting-ip)` is actually send as `Cf-Connecting-Ip`. <img width="635" height="223" alt="Screenshot 2026-01-19 at 13 15 27" src="https://github.com/user-attachments/assets/e427e10d-35b7-4743-980c-3ff0d5cc1d51" /> According to [RFC7540 8.1.2](https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2) the headers are case-insensitive, but for HTTP2 they must be lowercase. So theoretically this would fix also HTTP2 lower case headers
Align with PR Closes #18884 (added automatically)
andreiborza
reviewed
Jan 19, 2026
andreiborza
reviewed
Jan 19, 2026
JPeer264
force-pushed
the
prepare-release/10.35.0
branch
from
5c9ab95 to
8160ada
Compare
Contributor
size-limit report 📦
|
Contributor
node-overhead report 🧳Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.