Merge branch 'develop' into sig/nuxt-cloudflare

Author: s1gr1d

.cursor/rules/publishing_release.mdc

@@ -3,6 +3,7 @@ description: Use this rule if you are looking to publish a release for the Sentr
 globs:
 alwaysApply: false
 ---
+
 # Publishing a Release
 
 Use these guidelines when publishing a new Sentry JavaScript SDK release.

.cursor/rules/sdk_dependency_upgrades.mdc

@@ -0,0 +1,163 @@
+---
+description: Use this rule if you are looking to upgrade a dependency in the Sentry JavaScript SDKs
+globs:
+alwaysApply: false
+---
+# Yarn v1 Dependency Upgrades
+
+## Upgrade Process
+
+### Dependency Analysis
+
+```bash
+# Check dependency tree
+yarn list --depth=0
+
+# Find why package is installed
+yarn why [package-name]
+```
+
+### Root Workspace vs. Package Dependencies
+
+**CRITICAL**: Understand the difference between dependency types:
+
+- **Root Workspace dependencies**: Shared dev tools, build tools, testing frameworks
+- **Package dependencies**: Package-specific runtime and dev dependencies
+- Always check if dependency should be in root workspace or package level
+
+### Upgrade Dependencies
+
+**MANDATORY**: Only ever upgrade a single package at a time.
+
+**CRITICAL RULE**: If a dependency is not defined in `package.json` anywhere, the upgrade must be run in the root workspace as the `yarn.lock` file is contained there.
+
+```bash
+# Upgrade specific package to latest compatible version
+npx yarn-update-dependency@latest [package-name]
+```
+
+Avoid upgrading top-level dependencies (defined in `package.json`), especially if they are used for tests. If you are going to upgrade them, ask the user before proceeding.
+
+**REQUIREMENT**: If a `package.json` file is updated, make sure it has a new line at the end.
+
+#### CRITICAL: OpenTelemetry Dependency Constraint
+
+**STOP UPGRADE IMMEDIATELY** if upgrading any dependency with `opentelemetry` in the name and the new version or any of its dependencies uses forbidden OpenTelemetry versions.
+
+**FORBIDDEN VERSION PATTERNS:**
+- `2.x.x` versions (e.g., `2.0.0`, `2.1.0`)
+- `0.2xx.x` versions (e.g., `0.200.0`, `0.201.0`)
+
+When upgrading OpenTelemetry dependencies:
+1. Check the dependency's `package.json` after upgrade
+2. Verify the package itself doesn't use forbidden version patterns
+3. Verify none of its dependencies use `@opentelemetry/*` packages with forbidden version patterns
+4. **Example**: `@opentelemetry/instrumentation-pg@0.52.0` is forbidden because it bumped to core `2.0.0` and instrumentation `0.200.0`
+5. If forbidden OpenTelemetry versions are detected, **ABORT the upgrade** and notify the user that this upgrade cannot proceed due to OpenTelemetry v2+ compatibility constraints
+
+#### CRITICAL: E2E Test Dependencies
+
+**DO NOT UPGRADE** the major version of dependencies in test applications where the test name explicitly mentions a dependency version.
+
+**RULE**: For `dev-packages/e2e-tests/test-applications/*`, if the test directory name mentions a specific version (e.g., `nestjs-8`), do not upgrade that dependency beyond the mentioned major version.
+
+**Example**: Do not upgrade the nestjs version of `dev-packages/e2e-tests/test-applications/nestjs-8` to nestjs 9 or above because the test name mentions nestjs 8.
+
+## Safety Protocols
+
+### Pre-Upgrade Checklist
+
+**COMPLETE ALL STEPS** before proceeding with any upgrade:
+
+1. **Backup**: Ensure clean git state or create backup branch
+2. **CI Status**: Verify all tests are passing
+3. **Lockfile works**: Confirm `yarn.lock` is in a good state (no merge conflicts)
+4. **OpenTelemetry Check**: For OpenTelemetry dependencies, verify no forbidden version patterns (`2.x.x` or `0.2xx.x`) will be introduced
+
+### Post-Upgrade Verification
+
+```bash
+# rebuild everything
+yarn install
+
+# Build the project
+yarn build:dev
+
+# Make sure dependencies are deduplicated
+yarn dedupe-deps:fix
+
+# Fix any linting issues
+yarn fix
+
+# Check circular dependencies
+yarn circularDepCheck
+```
+
+## Version Management
+
+### Pinning Strategies
+
+- **Exact versions** (`1.2.3`): Use for critical dependencies
+- **Caret versions** (`^1.2.3`): Allow minor updates only
+- **Latest tag**: Avoid as much as possible other than in certain testing and development scenarios
+
+## Troubleshooting
+
+- **Yarn Version**: Run `yarn --version` - must be yarn v1 (not v2/v3/v4)
+- **Lockfile Issues**: Verify yarn.lock exists and is properly maintained. Fix merge conflicts by running `yarn install`
+
+## Best Practices
+
+### Security Audits
+
+```bash
+# Check for security vulnerabilities
+yarn audit
+
+# Fix automatically fixable vulnerabilities
+yarn audit fix
+
+# Install security patches only
+yarn upgrade --security-only
+```
+
+### Check for Outdated Dependencies
+
+```bash
+# Check all outdated dependencies
+yarn outdated
+
+# Check specific package
+yarn outdated [package-name]
+
+# Check dependencies in specific workspace
+yarn workspace [workspace-name] outdated
+```
+
+### Using yarn info for Dependency Inspection
+
+Use `yarn info` to inspect package dependencies before and after upgrades:
+
+```bash
+# Check current version and dependencies
+yarn info <package-name>
+
+# Check specific version dependencies
+yarn info <package-name>@<version>
+
+# Check dependencies field specifically
+yarn info <package-name>@<version> dependencies
+
+# Check all available versions
+yarn info <package-name> versions
+```
+
+The `yarn info` command provides detailed dependency information without requiring installation, making it particularly useful for:
+- Verifying OpenTelemetry packages don't introduce forbidden version patterns (`2.x.x` or `0.2xx.x`)
+- Checking what dependencies a package will bring in before upgrading
+- Understanding package version history and compatibility
+
+### Documentation
+
+- Update README or code comments if dependency change affects usage of the SDK or its integrations
+- Notify team of significant changes

.github/ISSUE_TEMPLATE/bug.yml

@@ -37,6 +37,7 @@ body:
         - '@sentry/node - koa'
         - '@sentry/node - hapi'
         - '@sentry/node - connect'
+        - '@sentry/node-native'
         - '@sentry/angular'
         - '@sentry/astro'
         - '@sentry/aws-serverless'

CHANGELOG.md

@@ -4,6 +4,63 @@
 
 - "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott
 
+## 9.32.0
+
+### Important Changes
+
+- feat(browser): Add CLS sources to span attributes ([#16710](https://github.com/getsentry/sentry-javascript/pull/16710))
+
+Enhances CLS (Cumulative Layout Shift) spans by adding attributes detailing the elements that caused layout shifts.
+
+- feat(cloudflare): Add `instrumentWorkflowWithSentry` to instrument workflows ([#16672](https://github.com/getsentry/sentry-javascript/pull/16672))
+
+We've added support for Cloudflare Workflows, enabling comprehensive tracing for your workflow runs. This integration uses the workflow's instanceId as the Sentry trace_id and for sampling, linking all steps together. You'll now be able to see full traces, including retries with exponential backoff.
+
+- feat(pino-transport): Add functionality to send logs to sentry ([#16667](https://github.com/getsentry/sentry-javascript/pull/16667))
+
+Adds the ability to send logs to Sentry via a pino transport.
+
+### Other Changes
+
+- feat(nextjs): Expose top level buildTime `errorHandler` option ([#16718](https://github.com/getsentry/sentry-javascript/pull/16718))
+- feat(node): update pipeline spans to use agent naming ([#16712](https://github.com/getsentry/sentry-javascript/pull/16712))
+- feat(deps): bump @prisma/instrumentation from 6.9.0 to 6.10.1 ([#16698](https://github.com/getsentry/sentry-javascript/pull/16698))
+- fix(sveltekit): Export logger from sveltekit worker ([#16716](https://github.com/getsentry/sentry-javascript/pull/16716))
+- fix(google-cloud-serverless): Make `CloudEventsContext` compatible with `CloudEvent` ([#16705](https://github.com/getsentry/sentry-javascript/pull/16705))
+- fix(nextjs): Stop injecting release value when create release options is set to `false` ([#16695](https://github.com/getsentry/sentry-javascript/pull/16695))
+- fix(node): account for Object. syntax with local variables matching ([#16702](https://github.com/getsentry/sentry-javascript/pull/16702))
+- fix(nuxt): Add alias for `@opentelemetry/resources` ([#16727](https://github.com/getsentry/sentry-javascript/pull/16727))
+
+Work in this release was contributed by @flaeppe. Thank you for your contribution!
+
+## 9.31.0
+
+### Important Changes
+
+- feat(nextjs): Add option for auto-generated random tunnel route ([#16626](https://github.com/getsentry/sentry-javascript/pull/16626))
+
+Adds an option to automatically generate a random tunnel route for the Next.js SDK. This helps prevent ad blockers and other tools from blocking Sentry requests by using a randomized path instead of the predictable `/monitoring` endpoint.
+
+- feat(core): Allow to pass `scope` & `client` to `getTraceData` ([#16633](https://github.com/getsentry/sentry-javascript/pull/16633))
+
+Adds the ability to pass custom `scope` and `client` parameters to the `getTraceData` function, providing more flexibility when generating trace data for distributed tracing.
+
+### Other Changes
+
+- feat(core): Add support for `x-forwarded-host` and `x-forwarded-proto` headers ([#16687](https://github.com/getsentry/sentry-javascript/pull/16687))
+- deps: Remove unused `@sentry/opentelemetry` dependency ([#16677](https://github.com/getsentry/sentry-javascript/pull/16677))
+- deps: Update all bundler plugin instances to latest & allow caret ranges ([#16641](https://github.com/getsentry/sentry-javascript/pull/16641))
+- feat(deps): Bump @prisma/instrumentation from 6.8.2 to 6.9.0 ([#16608](https://github.com/getsentry/sentry-javascript/pull/16608))
+- feat(flags): add node support for generic featureFlagsIntegration and move utils to core ([#16585](https://github.com/getsentry/sentry-javascript/pull/16585))
+- feat(flags): capture feature flag evaluations on spans ([#16485](https://github.com/getsentry/sentry-javascript/pull/16485))
+- feat(pino): Add initial package for `@sentry/pino-transport` ([#16652](https://github.com/getsentry/sentry-javascript/pull/16652))
+- fix: Wait for the correct clientWidth/clientHeight when showing Feedback Screenshot previews ([#16648](https://github.com/getsentry/sentry-javascript/pull/16648))
+- fix(browser): Remove usage of Array.at() method ([#16647](https://github.com/getsentry/sentry-javascript/pull/16647))
+- fix(core): Improve `safeJoin` usage in console logging integration ([#16658](https://github.com/getsentry/sentry-javascript/pull/16658))
+- fix(google-cloud-serverless): Make `CloudEvent` type compatible ([#16661](https://github.com/getsentry/sentry-javascript/pull/16661))
+- fix(nextjs): Fix lookup of `instrumentation-client.js` file ([#16637](https://github.com/getsentry/sentry-javascript/pull/16637))
+- fix(node): Ensure graphql errors result in errored spans ([#16678](https://github.com/getsentry/sentry-javascript/pull/16678))
+
 ## 9.30.0
 
 - feat(nextjs): Add URL to tags of server components and generation functions issues ([#16500](https://github.com/getsentry/sentry-javascript/pull/16500))

README.md

@@ -112,8 +112,6 @@ below:
   Provides the integration for Session Replay.
 - [`@sentry/core`](https://github.com/getsentry/sentry-javascript/tree/master/packages/core): The base for all
   JavaScript SDKs with interfaces, type definitions and base classes.
-- [`@sentry/pino-transport`](https://github.com/getsentry/sentry-javascript/tree/master/packages/pino-transport): Pino
-  transport for automatically sending log messages to Sentry.
 
 ## Bug Bounty Program
 

dev-packages/browser-integration-tests/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry-internal/browser-integration-tests",
-  "version": "9.30.0",
+  "version": "9.32.0",
   "main": "index.js",
   "license": "MIT",
   "engines": {
@@ -42,7 +42,7 @@
     "@babel/preset-typescript": "^7.16.7",
     "@playwright/test": "~1.50.0",
     "@sentry-internal/rrweb": "2.34.0",
-    "@sentry/browser": "9.30.0",
+    "@sentry/browser": "9.32.0",
     "@supabase/supabase-js": "2.49.3",
     "axios": "1.8.2",
     "babel-loader": "^8.2.2",

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-cls-standalone-spans/test.ts

@@ -68,6 +68,7 @@ sentryTest('captures a "GOOD" CLS vital with its source as a standalone span', a
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
+      'cls.source.1': expect.stringContaining('body > div#content > p'),
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,
@@ -136,6 +137,7 @@ sentryTest('captures a "MEH" CLS vital with its source as a standalone span', as
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
+      'cls.source.1': expect.stringContaining('body > div#content > p'),
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,
@@ -202,6 +204,7 @@ sentryTest('captures a "POOR" CLS vital with its source as a standalone span.',
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
+      'cls.source.1': expect.stringContaining('body > div#content > p'),
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,

dev-packages/browser-integration-tests/suites/tracing/trace-lifetime/startNewTraceSampling/init.js

@@ -0,0 +1,19 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+// Force this so that the initial sampleRand is consistent
+Math.random = () => 0.45;
+
+Sentry.init({
+  dsn: 'https://public@dsn.ingest.sentry.io/1337',
+  integrations: [Sentry.browserTracingIntegration()],
+  tracePropagationTargets: ['http://sentry-test-site.example'],
+  tracesSampler: ({ name }) => {
+    if (name === 'new-trace') {
+      return 0.9;
+    }
+
+    return 0.5;
+  },
+});

dev-packages/browser-integration-tests/suites/tracing/trace-lifetime/startNewTraceSampling/subject.js

@@ -0,0 +1,13 @@
+const newTraceBtn = document.getElementById('newTrace');
+newTraceBtn.addEventListener('click', async () => {
+  Sentry.startNewTrace(() => {
+    // We want to ensure the new trace is sampled, so we force the sample_rand to a value above 0.9
+    Sentry.getCurrentScope().setPropagationContext({
+      ...Sentry.getCurrentScope().getPropagationContext(),
+      sampleRand: 0.85,
+    });
+    Sentry.startSpan({ op: 'ui.interaction.click', name: 'new-trace' }, async () => {
+      await fetch('http://sentry-test-site.example');
+    });
+  });
+});

dev-packages/browser-integration-tests/suites/tracing/trace-lifetime/startNewTraceSampling/template.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+  </head>
+  <body>
+    <button id="newTrace">new Trace</button>
+  </body>
+</html>