[Snyk] Upgrade @sentry/node from 9.43.0 to 10.12.0 #565

Merged
mergify[bot] merged 3 commits into main from snyk-upgrade-3720534fe9b8e2fc7e0e843bbb7bdb11
Oct 13, 2025

Conversation

snyk-io Bot commented Oct 9, 2025

Snyk has created this PR to upgrade @sentry/node from 9.43.0 to 10.12.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 22 versions ahead of your current version.

  • The recommended version was released 23 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
| --- | --- | --- |
| low severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-BRACEEXPANSION-9789073 | 57 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-BRACEEXPANSION-9789073 | 57 | Proof of Concept |

Release notes
Package name: @sentry/node
  • 10.12.0 - 2025-09-16

    Important Changes

    • ref: Add and Adjust error event mechanism values

      This release includes a variety of changes aimed at setting the mechanism field on errors captured automatically by the Sentry SDKs. The intention is to clearly mark which instrumentation captured an error. In addition, some instrumentations previously did not yet annotate the error as handled or unhandled which this series of PRs corrects as well.

      Relevant PRs

      Released in 10.12.0:

      • ref(angular): Adjust ErrorHandler event mechanism (#17608)
      • ref(astro): Adjust mechanism on error events captured by astro middleware (#17613)
      • ref(aws-severless): Slightly adjust aws-serverless mechanism type (#17614)
      • ref(bun): Adjust mechanism of errors captured in Bun.serve (#17616)
      • ref(cloudflare): Adjust event mechanisms and durable object origin (#17618)
      • ref(core): Adjust mechanism in captureConsoleIntegration (#17633)
      • ref(core): Adjust MCP server error event mechanism (#17622)
      • ref(core): Simplify linkedErrors mechanism logic (#17600)
      • ref(deno): Adjust mechanism of errors caught by globalHandlersIntegration (#17635)
      • ref(nextjs): Set more specific event mechanisms (#17543)
      • ref(node): Adjust mechanism of express, hapi and fastify error handlers (#17623)
      • ref(node-core): Add mechanism to cron instrumentations (#17544)
      • ref(node-core): Add more specific mechanism.type to worker thread errors from childProcessIntegration (#17578)
      • ref(node-core): Adjust mechanism of onUnhandledRejection and onUnhandledException integrations (#17636)
      • ref(node): Add mechanism to errors captured via connect and koa integrations (#17579)
      • ref(nuxt): Add and adjust mechanism.type in error events (#17599)
      • ref(react): Add mechanism to reactErrorHandler and adjust mechanism in ErrorBoundary (#17602)
      • ref(remix): Adjust event mechanism of captureRemixServerException (#17629)
      • ref(replay-internal): Add mechanism to error caught by replayIntegration in debug mode (#17606)
      • ref(solid): Add mechanism to error captured by withSentryErrorBoundary (#17607)
      • ref(solidstart): Adjust event mechanism in withServerActionInstrumentation (#17637)
      • ref(sveltekit): Adjust mechanism of error events (#17646)
      • ref(vue): Adjust mechanism in Vue error handler (#17647)

      Released in 10.11.0:

      • ref(browser): Add more specific mechanism.type to errors captured by httpClientIntegration (#17254)
      • ref(browser): Set more descriptive mechanism.type in browserApiErrorsIntergation (#17251)
      • ref(core): Add mechanism.type to trpcMiddleware errors (#17287)
      • ref(core): Add more specific event mechanisms and span origins to openAiIntegration (#17288)
      • ref(nestjs): Add mechanism to captured errors (#17312)
    • feat(node) Ensure prismaIntegration works with Prisma 5 (#17595)

    We used to require you to pass the v5 version of @ prisma/instrumentation into prismaIntegration({ prismaInstrumentation: new PrismaInstrumentation() }) if you wanted to get full instrumentation for Prisma v5. However, it turns out this does not work on v10 of the SDK anymore, because @ prisma/instrumentation@5 requires OTEL v1.

    With this release, we dropped the requirement to configure anything to get v5 support of Prisma. You do not need to configure anything in the integration anymore, and can remove the dependency on @ prisma/instrumentation@5 if you had it in your application. You only need to configure the tracing preview feature according to our docs.

    • feat(deps): Update OpenTelemetry dependencies (#17558)
      • @ opentelemetry/core bumped to ^2.1.0
      • @ opentelemetry/context-async-hooks bumped to ^2.1.0
      • @ opentelemetry/resources bumped to ^2.1.0
      • @ opentelemetry/sdk-trace-base bumped to ^2.1.0
      • @ opentelemetry/semantic-conventions bumped to ^1.37.0
      • @ opentelemetry/instrumentation bumped to ^0.204.0
      • @ opentelemetry/instrumentation-http bumped to ^0.204.0
      • @ opentelemetry/instrumentation-amqplib bumped to ^0.51.0
      • @ opentelemetry/instrumentation-aws-sdk bumped to ^0.59.0
      • @ opentelemetry/instrumentation-connect bumped to ^0.48.0
      • @ opentelemetry/instrumentation-dataloader bumped to ^0.22.0
      • @ opentelemetry/instrumentation-express bumped to ^0.53.0
      • @ opentelemetry/instrumentation-fs bumped from to ^0.24.0
      • @ opentelemetry/instrumentation-generic-pool bumped to ^0.48.0
      • @ opentelemetry/instrumentation-graphql bumped to ^0.52.0
      • @ opentelemetry/instrumentation-hapi bumped to ^0.51.0
      • @ opentelemetry/instrumentation-ioredis bumped to ^0.52.0
      • @ opentelemetry/instrumentation-kafkajs bumped to ^0.14.0
      • @ opentelemetry/instrumentation-knex bumped to ^0.49.0
      • @ opentelemetry/instrumentation-koa bumped to ^0.52.0
      • @ opentelemetry/instrumentation-lru-memoizer bumped to ^0.49.0
      • @ opentelemetry/instrumentation-mongodb bumped from to ^0.57.0
      • @ opentelemetry/instrumentation-mongoose bumped from to ^0.51.0
      • @ opentelemetry/instrumentation-mysql bumped to ^0.50.0
      • @ opentelemetry/instrumentation-mysql2 bumped to ^0.51.0
      • @ opentelemetry/instrumentation-nestjs-core bumped to ^0.50.0
      • @ opentelemetry/instrumentation-pg bumped to ^0.57.0
      • @ opentelemetry/instrumentation-redis bumped to ^0.53.0
      • @ opentelemetry/instrumentation-undici bumped to ^0.15.0
      • @ prisma/instrumentation bumped to 6.15.0

    Other Changes

    • feat(browser): Add timing and status attributes to resource spans (#17562)
    • feat(cloudflare,vercel-edge): Add support for Anthropic AI instrumentation (#17571)
    • feat(core): Add Consola integration (#17435)
    • feat(deps): Update OpenTelemetry dependencies (#17569)
    • feat(core): Export TracesSamplerSamplingContext type (#17523)
    • feat(deno): Add OpenTelemetry support and vercelAI integration (#17445)
    • feat(node-core): Remove experimental note from winston api (#17626)
    • feat(node): Ensure prismaIntegration works with Prisma v5 (#17595)
    • feat(node): Tidy existing ESM loader hook (#17566)
    • feat(sveltekit): Align build time options with shared type (#17413)
    • fix(core): Fix error handling when sending envelopes (#17662)
    • fix(browser): Always start navigation as root span (#17648)
    • fix(browser): Ensure propagated parentSpanId stays consistent during trace in TwP mode (#17526)
    • fix(cloudflare): Initialize once per workflow run and preserve scope for step.do (#17582)
    • fix(nextjs): Add edge polyfills for nextjs-13 in dev mode (#17488)
    • fix(nitro): Support nested _platform properties in Nitro 2.11.7+ (#17596)
    • fix(node): Preserve synchronous return behavior for streamText and other methods for AI (#17580)
    • ref(node): Inline types imported from shimmer (#17597)
    • ref(nuxt): Add and adjust mechanism.type in error events (#17599)
    • ref(browser): Improve fetchTransport error handling (#17661)
    Internal Changes
    • chore: Add changelog note about mechanism changes (#17632)
    • chore(aws): Update README.md (#17601)
    • chore(deps): bump hono from 4.7.10 to 4.9.7 in /dev-packages/e2e-tests/test-applications/cloudflare-hono (#17630)
    • chore(deps): bump next from 14.2.25 to 14.2.32 in /dev-packages/e2e-tests/test-applications/nextjs-app-dir (#17627)
    • chore(deps): bump next from 14.2.25 to 14.2.32 in /dev-packages/e2e-tests/test-applications/nextjs-pages-dir (#17620)
    • chore(deps): bump next from 14.2.29 to 14.2.32 in /dev-packages/e2e-tests/test-applications/nextjs-orpc (#17494)
    • chore(deps): bump next from 14.2.30 to 14.2.32 in /dev-packages/e2e-tests/test-applications/nextjs-14 (#17628)
    • chore(repo): Rename .claude/settings.local.json to .claude/settings.json (#17591)
    • docs(issue-template): Add note about prioritization (#17590)
    • ref(core): Streamline event processor handling (#17634)
    • test(angular): Bump TS version to 5.9.0 in Angular 20 e2e test (#17605)
    • test(nextjs): Remove Next 13 and pin Next 14 canary and latest tests (#17577)
    • test(react-router): Unflake flushIfServerless test (#17610)

    Bundle size 📦

    Path Size
    @ sentry/browser 23.59 KB
    @ sentry/browser - with treeshaking flags 22.19 KB
    @ sentry/browser (incl. Tracing) 39.21 KB
    @ sentry/browser (incl. Tracing, Replay) 76.69 KB
    @ sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.64 KB
    @ sentry/browser (incl. Tracing, Replay with Canvas) 81.24 KB
    @ sentry/browser (incl. Tracing, Replay, Feedback) 93.16 KB
    @ sentry/browser (incl. Feedback) 39.92 KB
    @ sentry/browser (incl. sendFeedback) 28.13 KB
    @ sentry/browser (incl. FeedbackAsync) 32.96 KB
    @ sentry/react 25.27 KB
    @ sentry/react (incl. Tracing) 41.18 KB
    @ sentry/vue 27.97 KB
    @ sentry/vue (incl. Tracing) 40.99 KB
    @ sentry/svelte 23.62 KB
    CDN Bundle 25.13 KB
    CDN Bundle (incl. Tracing) 39.11 KB
    CDN Bundle (incl. Tracing, Replay) 74.48 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) 79.86 KB
    CDN Bundle - uncompressed 73.41 KB
    CDN Bundle (incl. Tracing) - uncompressed 115.73 KB
    CDN Bundle (incl. Tracing, Replay) - uncompressed 228.13 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 240.59 KB
    @ sentry/nextjs (client) 43.12 KB
    @ sentry/sveltekit (client) 39.64 KB
    @ sentry/node-core 48.69 KB
    @ sentry/node 147.6 KB
    @ sentry/node - without tracing 89.6 KB
    @ sentry/aws-serverless 102.73 KB
  • 10.11.0 - 2025-09-09

    Important Changes

    • feat(aws): Add experimental AWS Lambda extension for tunnelling events (#17525)

      This release adds an experimental Sentry Lambda extension to the existing Sentry Lambda layer. Sentry events are now tunneled through the extension and then forwarded to Sentry. This has the benefit of reducing the request processing time.

      To enable it, set _experiments.enableLambdaExtension in your Sentry config like this:

      Sentry.init({
        dsn: '<YOUR_DSN>',
        _experiments: {
          enableLambdaExtension: true,
        },
      });

    Other Changes

    • feat(core): Add replay id to logs (#17563)
    • feat(core): Improve error handling for Anthropic AI instrumentation (#17535)
    • feat(deps): bump @ opentelemetry/instrumentation-ioredis from 0.51.0 to 0.52.0 (#17557)
    • feat(node): Add incoming request headers as OTel span attributes (#17475)
    • fix(astro): Ensure traces are correctly propagated for static routes (#17536)
    • fix(react): Remove handleExistingNavigation (#17534)
    • ref(browser): Add more specific mechanism.type to errors captured by httpClientIntegration (#17254)
    • ref(browser): Set more descriptive mechanism.type in browserApiErrorsIntergation (#17251)
    • ref(core): Add mechanism.type to trpcMiddleware errors (#17287)
    • ref(core): Add more specific event mechanisms and span origins to openAiIntegration (#17288)
    • ref(nestjs): Add mechanism to captured errors (#17312)
    Internal Changes
    • chore: Use proper test-utils dependency in workspace (#17538)
    • chore(test): Remove geist font (#17541)
    • ci: Check for stable lockfile (#17552)
    • ci: Fix running of only changed E2E tests (#17551)
    • ci: Remove project automation workflow (#17508)
    • test(node-integration-tests): pin ai@5.0.30 to fix test fails (#17542)

    Bundle size 📦

    Path Size
    @ sentry/browser 23.61 KB
    @ sentry/browser - with treeshaking flags 22.22 KB
    @ sentry/browser (incl. Tracing) 39.2 KB
    @ sentry/browser (incl. Tracing, Replay) 76.66 KB
    @ sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.66 KB
    @ sentry/browser (incl. Tracing, Replay with Canvas) 81.23 KB
    @ sentry/browser (incl. Tracing, Replay, Feedback) 93.15 KB
    @ sentry/browser (incl. Feedback) 39.95 KB
    @ sentry/browser (incl. sendFeedback) 28.15 KB
    @ sentry/browser (incl. FeedbackAsync) 32.98 KB
    @ sentry/react 25.29 KB
    @ sentry/react (incl. Tracing) 41.12 KB
    @ sentry/vue 27.99 KB
    @ sentry/vue (incl. Tracing) 40.97 KB
    @ sentry/svelte 23.63 KB
    CDN Bundle 25.16 KB
    CDN Bundle (incl. Tracing) 39.07 KB
    CDN Bundle (incl. Tracing, Replay) 74.5 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) 79.83 KB
    CDN Bundle - uncompressed 73.44 KB
    CDN Bundle (incl. Tracing) - uncompressed 115.53 KB
    CDN Bundle (incl. Tracing, Replay) - uncompressed 227.93 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 240.39 KB
    @ sentry/nextjs (client) 43.11 KB
    @ sentry/sveltekit (client) 39.63 KB
    @ sentry/node-core 48.66 KB
    @ sentry/node 148.65 KB
    @ sentry/node - without tracing 90.07 KB
    @ sentry/aws-serverless 103.24 KB
  • 10.10.0 - 2025-09-04

    Important Changes

    • feat(browser): Add support for propagateTraceparent SDK option (#17509)

    Adds support for a new browser SDK init option, propagateTraceparent for attaching a W3C compliant traceparent header to outgoing fetch and XHR requests, in addition to sentry-trace and baggage headers. More details can be found here.

    • feat(core): Add tool calls attributes for Anthropic AI (#17478)

    Adds missing tool call attributes: we add the gen_ai.response.tool_calls attribute for Anthropic AI, supporting both streaming and non-streaming requests.

    • feat(nextjs): Use compiler hook for uploading turbopack sourcemaps (#17352)

    Adds a new experimental flag _experimental.useRunAfterProductionCompileHook to withSentryConfig for automatic source maps uploads when building a Next.js app with next build --turbopack.
    When set we:

    • Automatically enable source map generation for turbopack client files (if not explicitly disabled)
    • Upload generated source maps to Sentry at the end of the build by leveraging a Next.js compiler hook.

    Other Changes

    • feat(feedback): Add more labels so people can configure Highlight and Hide labels (#17513)
    • fix(node): Add origin for OpenAI spans & test auto instrumentation (#17519)

    Bundle size 📦

    Path Size
    @ sentry/browser 23.59 KB
    @ sentry/browser - with treeshaking flags 22.2 KB
    @ sentry/browser (incl. Tracing) 39.19 KB
    @ sentry/browser (incl. Tracing, Replay) 76.63 KB
    @ sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.64 KB
    @ sentry/browser (incl. Tracing, Replay with Canvas) 81.2 KB
    @ sentry/browser (incl. Tracing, Replay, Feedback) 93.13 KB
    @ sentry/browser (incl. Feedback) 39.93 KB
    @ sentry/browser (incl. sendFeedback) 28.13 KB
    @ sentry/browser (incl. FeedbackAsync) 32.96 KB
    @ sentry/react 25.27 KB
    @ sentry/react (incl. Tracing) 41.11 KB
    @ sentry/vue 27.97 KB
    @ sentry/vue (incl. Tracing) 40.95 KB
    @ sentry/svelte 23.62 KB
    CDN Bundle 25.14 KB
    CDN Bundle (incl. Tracing) 39.05 KB
    CDN Bundle (incl. Tracing, Replay) 74.48 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) 79.82 KB
    CDN Bundle - uncompressed 73.4 KB
    CDN Bundle (incl. Tracing) - uncompressed 115.49 KB
    CDN Bundle (incl. Tracing, Replay) - uncompressed 227.88 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 240.35 KB
    @ sentry/nextjs (client) 43.08 KB
    @ sentry/sveltekit (client) 39.62 KB
    @ sentry/node-core 48.49 KB
    @ sentry/node 147.1 KB
    @ sentry/node - without tracing 90.07 KB
    @ sentry/aws-serverless 103.06 KB
  • 10.9.0 - 2025-09-03

    Important Changes

    • feat(node): Update httpIntegration handling of incoming requests (#17371)

    This version updates the Node SDK's handling of incoming requests. Instead of relying on @ opentelemetry/instrumentation-http, we now handle incoming request instrumentation internally, ensuring that we can optimize performance as much as possible and avoid interop problems.

    This change should not affect you, unless you're relying on very in-depth implementation details. Importantly, this also drops the _experimentalConfig option of the integration - this will no longer do anything.
    Finally, you can still pass instrumentation.{requestHook,responseHook,applyCustomAttributesOnSpan} options, but they are deprecated and will be removed in v11. Instead, you can use the new incomingRequestSpanHook configuration option if you want to adjust the incoming request span.

    Other Changes

    • feat(browser): Add replay.feedback CDN bundle (#17496)
    • feat(browser): Export sendFeedback from CDN bundles (#17495)
    • fix(astro): Ensure span name from beforeStartSpan isn't overwritten (#17500)
    • fix(browser): Ensure source is set correctly when updating span name in-place in beforeStartSpan (#17501)
    • fix(core): Only set template attributes on logs if parameters exist (#17480)
    • fix(nextjs): Fix parameterization for root catchall routes (#17489)
    • fix(node-core): Shut down OTel TraceProvider when calling Sentry.close() (#17499)
    Internal Changes
    • chore: Add changelog script back to package.json (#17517)
    • chore: Ensure prettier is run on all files (#17497)
    • chore: Ignore prettier commit for git blame (#17498)
    • chore: Remove experimental from Nuxt SDK package description (#17483)
    • ci: Capture overhead in node app (#17420)
    • ci: Ensure we fail on cancelled jobs (#17506)
    • ci(deps): bump actions/checkout from 4 to 5 (#17505)
    • ci(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.1 (#17504)
    • test(aws): Improve reliability on CI (#17502)

    Bundle size 📦

    Path Size
    @ sentry/browser 23.59 KB
    @ sentry/browser - with treeshaking flags 22.2 KB
    @ sentry/browser (incl. Tracing) 38.93 KB
    @ sentry/browser (incl. Tracing, Replay) 76.4 KB
    @ sentry/browser (incl. Tracing, Replay) - with treeshaking flags 66.43 KB
    @ sentry/browser (incl. Tracing, Replay with Canvas) 80.97 KB
    @ sentry/browser (incl. Tracing, Replay, Feedback) 92.81 KB
    @ sentry/browser (incl. Feedback) 39.88 KB
    @ sentry/browser (incl. sendFeedback) 28.13 KB
    @ sentry/browser (incl. FeedbackAsync) 32.92 KB
    @ sentry/react 25.27 KB
    @ sentry/react (incl. Tracing) 40.91 KB
    @ sentry/vue 27.97 KB
    @ sentry/vue (incl. Tracing) 40.72 KB
    @ sentry/svelte 23.62 KB
    CDN Bundle 25.06 KB
    CDN Bundle (incl. Tracing) 38.82 KB
    CDN Bundle (incl. Tracing, Replay) 74.25 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) 79.56 KB
    CDN Bundle - uncompressed 73.2 KB
    CDN Bundle (incl. Tracing) - uncompressed 114.83 KB
    CDN Bundle (incl. Tracing, Replay) - uncompressed 227.23 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 239.56 KB
    @ sentry/nextjs (client) 42.86 KB
    @ sentry/sveltekit (client) 39.38 KB
    @ sentry/node-core 48.45 KB
    @ sentry/node 146.74 KB
    @ sentry/node - without tracing 90.02 KB
    @ sentry/aws-serverless 103.01 KB
  • 10.8.0 - 2025-08-29
  • 10.7.0 - 2025-08-27
  • 10.6.0 - 2025-08-26
  • 10.5.0 - 2025-08-12
  • 10.4.0 - 2025-08-11
  • 10.3.0 - 2025-08-08
  • 10.2.0 - 2025-08-06
  • 10.1.0 - 2025-08-04
  • 10.0.0 - 2025-07-31
  • 10.0.0-beta.0 - 2025-07-30
  • 10.0.0-alpha.2 - 2025-07-24
  • 10.0.0-alpha.1 - 2025-07-21
  • 10.0.0-alpha.0 - 2025-07-21
  • 9.46.0 - 2025-08-13
  • 9.45.0 - 2025-08-08
  • 9.44.2 - 2025-08-04
  • 9.44.1 - 2025-08-04
  • 9.44.0 - 2025-07-31
  • 9.43.0 - 2025-07-29
from @sentry/node GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade @sentry/node from 9.43.0 to 10.12.0.

See this package in npm:
@sentry/node

See this project in Snyk:
https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr

aviator-app Bot commented Oct 9, 2025

Aviator Changeset actions:

semanticdiff-com Bot commented Oct 9, 2025

Review changes with SemanticDiff

Changed Files

| File | Status |
| --- | --- |
| package.json | 51% smaller |
| package-lock.json | 26% smaller |

aviator-app Bot commented Oct 9, 2025

Current Aviator status

Aviator will automatically update this comment as the status of the PR changes.
Comment /aviator refresh to force Aviator to re-examine your PR (or learn about other /aviator commands).

This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.


See the real-time status of this PR on the Aviator webapp.
Use the Aviator Chrome Extension to see the status of your PR within GitHub.

@naming-conventions-bot

Please follow naming conventions! 😿

snyk-io Bot commented Oct 9, 2025

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

github-actions Bot commented Oct 9, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| npm/@apm-js-collab/code-transformer | 0.8.2 | Unknown | Unknown |
| npm/@apm-js-collab/tracing-hooks | 0.3.1 | Unknown | Unknown |

npm/@sentry/core 10.18.0 🟢 5.2
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all changesets reviewed |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | ⚠️ 0 | 77 existing vulnerabilities detected |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |

npm/@sentry/node 10.18.0 🟢 5.2
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all changesets reviewed |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | ⚠️ 0 | 77 existing vulnerabilities detected |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |

npm/@sentry/node-core 10.18.0 🟢 5.2
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all changesets reviewed |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | ⚠️ 0 | 77 existing vulnerabilities detected |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |

npm/@sentry/opentelemetry 10.18.0 🟢 5.2
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all changesets reviewed |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | ⚠️ 0 | 77 existing vulnerabilities detected |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |

npm/module-details-from-path 1.0.4 🟢 3.4
Details

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 0 | Found 2/23 approved changesets -- score normalized to 0 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

npm/semver 7.7.3 🟢 6.8
Details

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 10 | all changesets reviewed |
| Security-Policy | 🟢 10 | security policy file detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Maintained | 🟢 7 | 4 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 7 |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

npm/@sentry/node ^10.12.0 🟢 5.2
Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 10 | all changesets reviewed |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | ⚠️ 0 | 77 existing vulnerabilities detected |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |

Scanned Files

  • package-lock.json
  • package.json


deepsource-io Bot commented Oct 9, 2025

Here's the code health analysis summary for commits 601dab1..25abf45. View details on DeepSource ↗.

Analysis Summary

| Analyzer | Status | Summary | Link |
| --- | --- | --- | --- |
| JavaScript | ✅ Success | | View Check ↗ |
| PHP | ✅ Success | | View Check ↗ |
| Test coverage | ⚠️ Artifact not reported | Timed out: Artifact was never reported | View Check ↗ |

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

mergify Bot commented Oct 9, 2025

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are almost up to date before merging

  • #commits-behind <= 10

coderabbitai Bot commented Oct 9, 2025

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot left a comment

LGTM 👍

aviator-app Bot commented Oct 9, 2025

Skipping bot pull request creation because the queue is empty and this pull request is up to date with main.

@aviator-app aviator-app Bot added the blocked label Oct 13, 2025

aviator-app Bot commented Oct 13, 2025

This pull request failed to merge: new commit introduced for a queued PR, invalidating the status. After you have resolved the problem, you should remove the blocked pull request label from this PR and then try to re-queue the PR. Note that the pull request will be automatically re-queued if it has the mergequeue label.

@github-actions github-actions Bot left a comment

LGTM 👍

@mergify mergify Bot merged commit de38b0d into main Oct 13, 2025
23 of 42 checks passed
@mergify mergify Bot deleted the snyk-upgrade-3720534fe9b8e2fc7e0e843bbb7bdb11 branch October 13, 2025 11:53