fix(deps): update dependency @sentry/node to v10.27.0 [security]#4017
fix(deps): update dependency @sentry/node to v10.27.0 [security]#4017renovate[bot] wants to merge 1 commit into
Conversation
|
Finished running flow.
|
||||||||||||
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
Check changeset necessityStatus:
Reason:
Changeset (copy & paste):---
"@liam-hq/package-a": patch
"@liam-hq/package-b": patch
---
- 🧩 No changeset needed for this PR
- Dependency bump to @sentry/node in ignored package only; no user-facing changes in target packages |
🤖 Agent Deep Modeling ExecutionStarted at: 2026-07-12 13:16:24 UTC View DetailsCommand Output
RUN v3.2.4 /home/runner/work/liam/liam/frontend/internal-packages/agent (node:7938) ExperimentalWarning: WASI is an experimental feature and might change at any time ✅ [INFO] 2026-07-12T13:16:27.056Z Context: trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=8dec22d6-867f-4fb5-9caf-6a28af5820ce; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=99b5ec64-5d52-41e8-8030-a02f5b2338c8; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=7c93820b-00ff-4072-85bc-a39698a3bdf3; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=97c46f45-5dc2-4261-8314-8d4b4ff176c6; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=b3dee1d7-2d75-4c81-bdc8-22caa2a85c9e; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=ae6d8d42-91d3-4f7d-ab21-c14ba15227bd; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=18610d2a-9132-4f2b-8f73-ff74ff63b52b; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=96e4ac31-8f54-4f47-a80a-1e38bb877f67; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=61449cb6-e42a-42b2-b83c-8ccbc1ac5cec; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=7fb9e652-72fa-4133-b069-002a7f913bac; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=9d09abd1-0c00-437a-9c08-66a581c8421b; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=1646a8b3-fb7b-4ee8-9628-947c9ffc46f9; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=5778d883-c461-4caa-bc3b-3d1d3e2ce17e; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=8653da10-bdf9-44b8-8a32-02ea41e254f8; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=8e6c96eb-37e8-4bd8-b6a2-bfceb62bfb58; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=7c5a1871-22cb-4c07-9ba7-e0a640ef777a; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=706a5349-3765-4ad7-b758-06e912ce7396; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=43ed3bd1-de2c-42fa-915f-ebd30f2dad06; trace=34a1df4d-4afe-4ce3-a3e8-c369dd88fcda,id=194151ba-6682-447d-bc59-c94af66c1019 x ⎯⎯⎯⎯⎯⎯⎯ Failed Tests 1 ⎯⎯⎯⎯⎯⎯⎯ FAIL src/createGraph.integration.test.ts > createGraph Integration > should execute complete workflow Troubleshooting URL: https://js.langchain.com/docs/troubleshooting/errors/MODEL_AUTHENTICATION/ ❯ RunnableCallable.analyzeRequirementsNode [as func] src/pm-agent/nodes/analyzeRequirementsNode.ts:38:11 ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[1/1]⎯ Test Files 1 failed (1) ELIFECYCLE Command failed with exit code 1. |
82019e6 to
bc42d1c
Compare
bc42d1c to
afec3bc
Compare
afec3bc to
4a91df4
Compare
ff4ac7e to
c59010c
Compare
c59010c to
df02d2c
Compare
df02d2c to
86b9944
Compare
86b9944 to
7720ba7
Compare
7720ba7 to
87bcc74
Compare
This PR contains the following updates:
10.19.0→10.27.0Sentry's sensitive headers are leaked when
sendDefaultPiiis set totrueCVE-2025-65944 / GHSA-6465-jgvq-jhgp
More information
Details
Impact
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When
sendDefaultPii: truewas set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.Sentry’s server-side scrubbing (handled by Sentry's Relay edge proxy) normally serves as a second layer of protection. However, because it relied on the same matching logic as the SDK, it also failed to catch these headers in this case.
Users may be impacted if:
sendDefaultPiiset totrue10.11.0to10.26.0inclusively:Users can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to users' applications and configurations.
Patches
The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.
Workarounds
Sentry strongly encourage customers to upgrade the SDK to the latest available version, 10.27.0 or later.
If it is not possible, consider setting
sendDefaultPii: falseto avoid unintentionally sending sensitive headers. See here for documentation.Resources
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
getsentry/sentry-javascript (@sentry/node)
v10.27.0Compare Source
Important Changes
feat(deps): Bump OpenTelemetry (#18239)
feat(browserprofiling): Add
manualmode and deprecate old profiling (#18189)Adds the
manuallifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually withSentry.uiProfiler.startProfiler()andSentry.uiProfiler.stopProfiler().The previous transaction-based profiling is with
profilesSampleRateis now deprecated in favor of the new UI Profiling withprofileSessionSampleRate.Other Changes
gibibyteandpebibytetoInformationUnittype (#18241)_experiments.enableLogsoption (#18299)maxValueLengthon error messages (#18301)sendDefaultPii(#18311)beforeSendMetric(#18261)Internal Changes
- build(deps): bump hono from 4.9.7 to 4.10.3 in /dev-packages/e2e-tests/test-applications/cloudflare-hono ([#18038](https://redirect.github.com/getsentry/sentry-javascript/pull/18038)) - chore: Add `bump_otel_instrumentations` cursor command ([#18253](https://redirect.github.com/getsentry/sentry-javascript/pull/18253)) - chore: Add external contributor to CHANGELOG.md ([#18297](https://redirect.github.com/getsentry/sentry-javascript/pull/18297)) - chore: Add external contributor to CHANGELOG.md ([#18300](https://redirect.github.com/getsentry/sentry-javascript/pull/18300)) - chore: Do not update opentelemetry ([#18254](https://redirect.github.com/getsentry/sentry-javascript/pull/18254)) - chore(angular): Add Angular 21 Support ([#18274](https://redirect.github.com/getsentry/sentry-javascript/pull/18274)) - chore(deps): bump astro from 4.16.18 to 5.15.9 in /dev-packages/e2e-tests/test-applications/cloudflare-astro ([#18259](https://redirect.github.com/getsentry/sentry-javascript/pull/18259)) - chore(dev-deps): Update some dev dependencies ([#17816](https://redirect.github.com/getsentry/sentry-javascript/pull/17816)) - ci(deps): Bump actions/create-github-app-token from 2.1.1 to 2.1.4 ([#17825](https://redirect.github.com/getsentry/sentry-javascript/pull/17825)) - ci(deps): bump actions/setup-node from 4 to 6 ([#18077](https://redirect.github.com/getsentry/sentry-javascript/pull/18077)) - ci(deps): bump actions/upload-artifact from 4 to 5 ([#18075](https://redirect.github.com/getsentry/sentry-javascript/pull/18075)) - ci(deps): bump github/codeql-action from 3 to 4 ([#18076](https://redirect.github.com/getsentry/sentry-javascript/pull/18076)) - doc(sveltekit): Update documentation link for SvelteKit guide ([#18298](https://redirect.github.com/getsentry/sentry-javascript/pull/18298)) - test(e2e): Fix astro config in test app ([#18282](https://redirect.github.com/getsentry/sentry-javascript/pull/18282)) - test(nextjs): Remove debug logs from e2e test ([#18250](https://redirect.github.com/getsentry/sentry-javascript/pull/18250))Work in this release was contributed by @bignoncedric and @adam-kov. Thank you for your contributions!
Bundle size 📦
v10.26.0Compare Source
Important Changes
Adds support for instrumenting LangGraph StateGraph operations in Node. The LangGraph integration can be configured as follows:
Instrumentation for LangGraph in Cloudflare Workers and Vercel Edge environments is supported by manually calling
instrumentLangGraph:Other Changes
server.addressattribute on server runtimes (#18242)okstatus to successfulidleSpans (#18139)fetchsupport with data URL (#18225)captureConsoleIntegration(#18096)MAX_LOG_BUFFER_SIZEare not swallowed (#18207)MAX_METRIC_BUFFER_SIZEare not swallowed (#18212)VNodeobjects with highnormalizeDepth(#18206)tracingChannelexport missing in older node versions (#18191)Internal Changes
@embroider/addon-shimto 1.10.0 for the e2e ember-embroider (#18173)testTimeoutfield in bundler-tests vitest config@embroider/addon-shimoverride (#18180)Scope.setTagbundle size and adjust test (#18182)v10.25.0Compare Source
v10.24.0Compare Source
Important Changes
feat(metrics): Add top level option
enableMetricsandbeforeSendMetric(#18088)This PR moves
enableMetricsandbeforeSendMetricout of the_experimentsoptions.The metrics feature will now be enabled by default (none of our integrations will auto-emit metrics as of now), but you can disable sending metrics via
enableMetrics: false.Metric options within
_experimentsgot deprecated but will still work as of now, they will be removed with the next major version of our SDKs.Other Changes
SENTRY_LAYER_EXTENSIONto configure using the lambda layer extension via env variables (#18101)background-imagewhenblockAllMediais enabled (#18019)Internal Changes
Bundle size 📦
v10.23.0Compare Source
user-agentheader with envelope requests in server SDKs (#17929)maxValueLength: 250(#18043)optionsparameter optional onattachErrorHandler(#18072)internal_errorinstead ofunknown_error(#17909)Internal Changes
Work in this release was contributed by @hanseo0507. Thank you for your contribution!
Bundle size 📦
v10.22.0Compare Source
Important Changes
feat(node): Instrument cloud functions for firebase v2 (#17952)
We added instrumentation for Cloud Functions for Firebase v2, enabling automatic performance tracking and error monitoring. This will be added automatically if you have enabled tracing.
feat(core): Instrument LangChain AI (#17955)
Instrumentation was added for LangChain AI operations. You can configure what is recorded like this:
Other Changes
err(#17999)/when getting pathname (#17985)spanEndfor potentially cancelled lazy-route transactions (#17962)Internal Changes
getMetaTagTransformertests for Vitest compatibility (#18013)createHashRouter(#17789)Bundle size 📦
v10.21.0Compare Source
Important Changes
feat(browserProfiling): Add
tracelifecycle mode for UI profiling (#17619)Adds a new
tracelifecycle mode for UI profiling, allowing profiles to be captured for the duration of a trace. Amanualmode will be added in a future release.feat(nuxt): Instrument Database (#17899)
Adds instrumentation for Nuxt database operations, enabling better performance tracking of database queries.
feat(nuxt): Instrument server cache API (#17886)
Adds instrumentation for Nuxt's server cache API, providing visibility into cache operations.
feat(nuxt): Instrument storage API (#17858)
Adds instrumentation for Nuxt's storage API, enabling tracking of storage operations.
Other Changes
onRequestSpanEndhook to browser tracing integration (#17884)clean-css(#17979)Internal Changes
Work in this release was contributed by @0xbad0c0d3. Thank you for your contribution!
Bundle size 📦
v10.20.0Compare Source
Important Changes
feat(flags): Add Growthbook integration (#17440)
Adds a new Growthbook integration for feature flag support.
**feat(solid): Add
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.