@andreiborza
Member

No description provided.

github-actions bot and others added 19 commits December 16, 2025 16:04
[Gitflow] Merge master into develop
This PR updates the Sentry Next.js integration to improve tree-shaking
configuration and add new options for finer control over what SDK code
is included in the final bundle.

The most significant changes are:

- Added several new tree-shaking flags for better user DX.


Closes #18417

---------

Co-authored-by: Copilot <[email protected]>
…es/e2e-tests/test-applications/node-express-incorrect-instrumentation (#18530)

Bumps
[@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server)
from 10.45.2 to 10.45.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/trpc/trpc/commits/HEAD/packages/server">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@trpc/server&package-manager=npm_and_yarn&previous-version=10.45.2&new-version=10.45.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Undo #18524 as the issue has been resolved and `1.25.1` has been
released
…#18501)

Previously, we only got the body from the `fetch` options. However, some
people use the `Request` object which can also contain a body. As this
body is a `ReadableStream`, we could only read that async.

With `attachRawBodyFromRequest`, the `Request` object is patched to
include the raw body as a `Symbol` so it can be read synchronously.

Linear ticket (internal):
https://linear.app/getsentry/issue/JS-1255/investigate-sdk-issues-causing-all-requests-to-default-to-get
…d` (#18536)

This comes strictly from OTel and we don't really need to assert on it,
it's unreliable and flaky.

Closes #18537 (added automatically)
This PR adds tracing for tss server functions. To achieve this I added a
new `wrapFetchWithSentry` wrapper that can be used to instrument the tss
server entry point:

```ts
import { wrapFetchWithSentry } from '@sentry/tanstackstart-react';

import handler, { createServerEntry } from '@tanstack/react-start/server-entry';

const requestHandler = wrapFetchWithSentry({
  fetch(request: Request) {
    return handler.fetch(request);
  },
});

export default createServerEntry(requestHandler);
```

With this we get spans for server functions executed via `fetch` calls
to the server. A limitation of this approach is that out-of-the-box this
will only start a single span for the initial request made to the
server. So for instance if a server function calls another server
function, we will still only get a single span for the outer server
function and users would need to wrap the inner call manually.

Tests added:
- E2E: Basic transaction test to verify that we get spans if a server
function is executed.
- E2E: Another transaction test documenting that users need to manually
wrap "nested" server functions.
- Unit: Tests to verify the sha256 extraction.

Closes #18287
With this PR we get these attributes from the initialization request and
response into the `initialize` span:

- `mcp.client.name`, `mcp.client.version`, `mcp.client.title` (from
request)
- `mcp.server.name`, `mcp.server.version`, `mcp.server.title` (from
response)
- `mcp.protocol.version` (from both request and response)

Changes:
- Extract client info and protocol version from the `initialize` request
and set them on the span after creation in `transport.ts`
- Extract server info and protocol version from the `initialize`
response in `completeSpanWithResults` and add them to the span
- Add two new helper functions `buildClientAttributesFromInfo` and
`buildServerAttributesFromInfo` to build attributes directly from
`PartyInfo` objects

Closes #18532 (added automatically)
…8544)

closes #18396

also removed some remaining debug logs in other tests, because why not
…8542)

Adjusted the condition for reporting web vitals; previously it would
short-circuit and prevent them from being reported. I included a test.

similar to what we did in #18463

closes #18540
The newly released [React Router
7.11.0](remix-run/react-router#14507) introduced
vite preview support
(remix-run/react-router#14507). This
change has a bug that affects SPA mode (`ssr: false`).

When building in SPA mode, React Router correctly builds the server
bundle (`build/server/index.js`) and then removes it with the message
`Removing the server build... due to ssr:false`.

The new vite preview implementation doesn't account for this removal and
attempts to import the deleted `build/server/index.js` file when
starting the preview server, causing:

 > Cannot find module '/build/server/index.js'


Closes #18549 (added automatically)
Add support for scope attributes on logs. For now, only
primitive attribute values are supported despite type declarations of
`Scope.setAttribute(s)` also allowing array attribute values. The reason
for this limited support is that Relay still discards array attribute
values. Therefore, our serialization strategy for now is:

- **As previously**: We continue to stringify non-primitive values for
log/metric attributes
- **New:** We apply only primitive scope attributes on logs/metrics and
discard any non-primitive values
- **Future:** We'll uniformly handle arrays (properly) in v11 (i.e. no
longer stringify them), i.e. treat all attributes equally.


### Usage Example

```ts
Sentry.getCurrentScope().setAttribute('user_is_admin', true);

Sentry.logger.info(`user ${user.id} logged in`, { activeSince: 100 });
Sentry.logger.warn('unsupported version');

// `user_is_admin` attribute is applied to both logs
```

Some behavior notes:
- Scope attributes are merged from all active scopes (current,
isolation, global scopes) when the log is captured
- Log attributes have precedence over scope attributes

closes #18159
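
The serialization rules from the scope-attributes change above, as an added sketch that is not the SDK's implementation. All function names are hypothetical, `JSON.stringify` stands in for the SDK's stringification, and the precedence order among scopes (global, then isolation, then current) is an assumption the commit message does not state.

```typescript
// Added illustration, not Sentry SDK code; every name below is hypothetical.
type PrimitiveValue = string | number | boolean;
type AttrBag = Record<string, unknown>;

function isPrimitive(value: unknown): value is PrimitiveValue {
  return typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean';
}

// "New": only primitive scope attributes are applied; the rest are discarded.
function applyScopeAttributes(target: Record<string, PrimitiveValue>, scopeAttributes: AttrBag): void {
  for (const key of Object.keys(scopeAttributes)) {
    const value = scopeAttributes[key];
    if (isPrimitive(value)) target[key] = value;
  }
}

// "As previously": non-primitive log attributes are stringified, not dropped.
// Assumption: JSON.stringify stands in for the SDK's own stringification.
function applyLogAttributes(target: Record<string, PrimitiveValue>, logAttributes: AttrBag): void {
  for (const key of Object.keys(logAttributes)) {
    const value = logAttributes[key];
    target[key] = isPrimitive(value) ? value : JSON.stringify(value);
  }
}

// Scopes are passed lowest precedence first (assumed order: global, isolation, current).
function buildLogAttributes(scopesLowToHigh: AttrBag[], logAttributes: AttrBag): Record<string, PrimitiveValue> {
  const merged: Record<string, PrimitiveValue> = {};
  for (const scopeAttributes of scopesLowToHigh) {
    applyScopeAttributes(merged, scopeAttributes);
  }
  // Log attributes have precedence over scope attributes, so they are written last.
  applyLogAttributes(merged, logAttributes);
  return merged;
}

// Constructed sample data.
const globalAttrs: AttrBag = { release: '1.0.0', region: 'eu' };
const isolationAttrs: AttrBag = { user_is_admin: true, roles: ['admin', 'ops'] };
const currentAttrs: AttrBag = { region: 'us', activeSince: 5 };

function exampleLogAttributes(): Record<string, PrimitiveValue> {
  return buildLogAttributes([globalAttrs, isolationAttrs, currentAttrs], { activeSince: 100, tags: ['login'] });
}
```

The array-valued `roles` scope attribute is dropped, while the array-valued `tags` log attribute survives as a string, which is the asymmetry the commit message describes.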
Forgot to add a changelog entry in
#18184 and didn't
want to rerun CI again because I was fighting it since yesterday.

This PR also reformats the existing entries so that the paragraphs about
the important changes are indented correctly.

Closes #18557 (added automatically)
…es/e2e-tests/test-applications/node-express-v5 (#18550)

Bumps
[@trpc/server](https://github.com/trpc/trpc/tree/HEAD/packages/server)
from 10.45.2 to 10.45.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/trpc/trpc/commits/HEAD/packages/server">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…18558)

Forgot to add a changelog entry for the server function tracing PR.


Closes #18559 (added automatically)
@andreiborza andreiborza requested a review from a team as a code owner December 18, 2025 10:53
Comment on lines 21 to 31
context: ServerComponentContext,
): F {
const { componentRoute, componentType } = context;
// Even though users may define server components as async functions, for the client bundles
// Next.js will turn them into synchronous functions and it will transform any `await`s into instances of the `use`
// hook. 🤯
return new Proxy(appDirComponent, {
apply: (originalFunction, thisArg, args) => {
const requestTraceId = getActiveSpan()?.spanContext().traceId;
const isolationScope = commonObjectToIsolationScope(context.headers);

const activeSpan = getActiveSpan();
if (activeSpan) {
const rootSpan = getRootSpan(activeSpan);
const { scope } = getCapturedScopesOnSpan(rootSpan);
setCapturedScopesOnSpan(rootSpan, scope ?? new Scope(), isolationScope);
}
const isolationScope = getIsolationScope();

const headersDict = context.headers ? winterCGHeadersToDict(context.headers) : undefined;
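
Review bot: The comment above `new Proxy(appDirComponent, ...)` should state which isolation scope the wrapper uses, because this excerpt binds `isolationScope` both from `commonObjectToIsolationScope(context.headers)` and from `getIsolationScope()` and the rendered view no longer shows which of the two lines is added and which is removed. If both `getActiveSpan()` lines remain after the change, reuse `activeSpan` when computing `requestTraceId` instead of looking the span up twice.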

Bug: The removal of withIsolationScope in wrapServerComponentWithSentry prevents the transaction name and other scope data from being correctly propagated in the async context for server components.
Severity: HIGH | Confidence: High

🔍 Detailed Analysis

The refactored wrapServerComponentWithSentry function no longer uses the withIsolationScope context manager. This is critical for propagating scope changes, such as the transaction name set via isolationScope.setTransactionName(), to the async context. Without this wrapper, scope modifications are only applied to a local variable and are not reflected in child operations, breaking trace continuity and transaction naming for server components. Other similar functions like wrapGenerationFunctionWithSentry and wrapRouteHandlerWithSentry retain this wrapper, indicating its removal was likely an oversight. This change also removes explicit propagation context initialization from headers, further degrading tracing capabilities, especially in edge runtime environments.

💡 Suggested Fix

Reinstate the withIsolationScope wrapper around the component's execution logic in wrapServerComponentWithSentry. This will ensure that the isolation scope is correctly set in the async context, allowing transaction names and other context data to propagate correctly to child spans and operations. The implementation should be similar to the pattern used in wrapGenerationFunctionWithSentry.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: packages/nextjs/src/common/wrapServerComponentWithSentry.ts#L20-L31

Potential issue: The refactored `wrapServerComponentWithSentry` function no longer uses
the `withIsolationScope` context manager. This is critical for propagating scope
changes, such as the transaction name set via `isolationScope.setTransactionName()`, to
the async context. Without this wrapper, scope modifications are only applied to a local
variable and are not reflected in child operations, breaking trace continuity and
transaction naming for server components. Other similar functions like
`wrapGenerationFunctionWithSentry` and `wrapRouteHandlerWithSentry` retain this wrapper,
indicating its removal was likely an oversight. This change also removes explicit
propagation context initialization from headers, further degrading tracing capabilities,
especially in edge runtime environments.

Reference ID: 7697270

@github-actions
Contributor

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 24.82 kB | added | added |
| @sentry/browser - with treeshaking flags | 23.32 kB | added | added |
| @sentry/browser (incl. Tracing) | 41.59 kB | added | added |
| @sentry/browser (incl. Tracing, Profiling) | 46.2 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) | 80.18 kB | added | added |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 69.91 kB | added | added |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 84.87 kB | added | added |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 97.1 kB | added | added |
| @sentry/browser (incl. Feedback) | 41.54 kB | added | added |
| @sentry/browser (incl. sendFeedback) | 29.51 kB | added | added |
| @sentry/browser (incl. FeedbackAsync) | 34.5 kB | added | added |
| @sentry/react | 26.54 kB | added | added |
| @sentry/react (incl. Tracing) | 43.79 kB | added | added |
| @sentry/vue | 29.29 kB | added | added |
| @sentry/vue (incl. Tracing) | 43.41 kB | added | added |
| @sentry/svelte | 24.84 kB | added | added |
| CDN Bundle | 27.25 kB | added | added |
| CDN Bundle (incl. Tracing) | 42.24 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) | 78.95 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 84.42 kB | added | added |
| CDN Bundle - uncompressed | 80.06 kB | added | added |
| CDN Bundle (incl. Tracing) - uncompressed | 125.41 kB | added | added |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 241.94 kB | added | added |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 254.71 kB | added | added |
| @sentry/nextjs (client) | 46.01 kB | added | added |
| @sentry/sveltekit (client) | 41.97 kB | added | added |
| @sentry/node-core | 51.61 kB | added | added |
| @sentry/node | 161.5 kB | added | added |
| @sentry/node - without tracing | 93.05 kB | added | added |
| @sentry/aws-serverless | 108.56 kB | added | added |

@github-actions
Contributor

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,430 | - | - | added |
| GET With Sentry | 1,801 | 19% | - | added |
| GET With Sentry (error only) | 6,137 | 65% | - | added |
| POST Baseline | 1,190 | - | - | added |
| POST With Sentry | 604 | 51% | - | added |
| POST With Sentry (error only) | 1,054 | 89% | - | added |
| MYSQL Baseline | 3,294 | - | - | added |
| MYSQL With Sentry | 445 | 14% | - | added |
| MYSQL With Sentry (error only) | 2,689 | 82% | - | added |

@andreiborza andreiborza merged commit 445b682 into master Dec 18, 2025
397 of 402 checks passed
@andreiborza andreiborza deleted the prepare-release/10.32.0 branch December 18, 2025 11:19