
fix(deps): update dependency @sentry/nextjs to v7.77.0 [security] #628

Open: wants to merge 1 commit into base: main
Conversation

renovate[bot] (Contributor) commented Aug 6, 2024

This PR contains the following updates:

Package: @sentry/nextjs (source)
Change: 7.74.1 -> 7.77.0

GitHub Vulnerability Alerts

CVE-2023-46729

Impact

An unsanitized input of the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door for other attack vectors:

  • client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
  • interaction with internal network;
  • read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
  • local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in sentry/[email protected]

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

Release Notes

getsentry/sentry-javascript (@sentry/nextjs)

v7.77.0

  • feat: Move LinkedErrors integration to @sentry/core (#9404)
  • feat(remix): Update sentry-cli version to ^2.21.2 (#9401)
  • feat(replay): Allow to treeshake & configure compression worker URL (#9409)
  • fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#9412)
  • fix(feedback): Fixing feedback import (#9403)
  • fix(nextjs): Match only numbers as orgid in tunnelRoute (#9416)
  • fix(nextjs): Strictly validate tunnel target parameters (#9415)
  • fix(utils): Avoid keeping a reference of last used event (#9387)

v7.76.0

Important Changes
  • feat(core): Add cron monitor wrapper helper (#9395)

This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures:

import * as Sentry from '@sentry/node';

// withMonitor() will send checkin when callback is started/finished
// works with async and sync callbacks.
const result = Sentry.withMonitor(
  'dailyEmail',
  () => {
    // withCheckIn return value is same return value here
    return sendEmail();
  },
  // Optional upsert options
  {
    schedule: {
      type: 'crontab',
      value: '0 * * * *',
    },
    // 🇨🇦🫡
    timezone: 'Canada/Eastern',
  },
);

Other Changes
  • chore(angular-ivy): Allow Angular 17 in peer dependencies (#9386)
  • feat(nextjs): Instrument SSR page components (#9346)
  • feat(nextjs): Trace errors in page component SSR (#9388)
  • fix(nextjs): Instrument route handlers with jsx and tsx file extensions (#9362)
  • fix(nextjs): Trace with performance disabled (#9389)
  • fix(replay): Ensure replay_id is not added to DSC if session expired (#9359)
  • fix(replay): Remove unused parts of pako from build (#9369)
  • fix(serverless): Don't mark all errors as unhandled (#9368)
  • fix(tracing-internal): Fix case when middleware contain array of routes with special chars as @ (#9375)
  • meta(nextjs): Bump peer deps for Next.js 14 (#9390)

Work in this release contributed by @LubomirIgonda1. Thank you for your contribution!

v7.75.1

  • feat(browser): Allow collecting of pageload profiles (#9317)
  • fix(browser): Correct timestamp on pageload profiles (#9350)
  • fix(nextjs): Use webpack plugin release value to inject release (#9348)

v7.75.0

Important Changes
  • feat(opentelemetry): Add new @sentry/opentelemetry package (#9238)

This release publishes a new package, @sentry/opentelemetry. This is a runtime agnostic replacement for @sentry/opentelemetry-node and exports a couple of useful utilities which can be used to use Sentry together with OpenTelemetry.

You can read more about @sentry/opentelemetry in the Readme.

  • feat(replay): Allow to treeshake rrweb features (#9274)

Starting with this release, you can configure the following build-time flags in order to reduce the SDK bundle size:

  • __RRWEB_EXCLUDE_CANVAS__
  • __RRWEB_EXCLUDE_IFRAME__
  • __RRWEB_EXCLUDE_SHADOW_DOM__

You can read more about tree shaking in our docs.

Other Changes
  • build(deno): Prepare Deno SDK for release on npm (#9281)
  • feat: Remove tslib (#9299)
  • feat(node): Add abnormal session support for ANR (#9268)
  • feat(node): Remove lru_map dependency (#9300)
  • feat(node): Vendor cookie module (#9308)
  • feat(replay): Share performance instrumentation with tracing (#9296)
  • feat(types): Add missing Profiling types (macho debug image, profile measurements, stack frame properties) (#9277)
  • feat(types): Add statsd envelope types (#9304)
  • fix(astro): Add integration default export to types entry point (#9337)
  • fix(astro): Convert SDK init file import paths to POSIX paths (#9336)
  • fix(astro): Make Replay and BrowserTracing integrations tree-shakeable (#9287)
  • fix(integrations): Fix transaction integration (#9334)
  • fix(nextjs): Restore autoInstrumentMiddleware functionality (#9323)
  • fix(nextjs): Guard for case where getInitialProps may return undefined (#9342)
  • fix(node-experimental): Make node-fetch support optional (#9321)
  • fix(node): Check buffer length when attempting to parse ANR frame (#9314)
  • fix(replay): Fix xhr start timestamps (#9341)
  • fix(tracing-internal): Remove query params from urls with a trailing slash (#9328)
  • fix(types): Remove typo with CheckInEnvelope (#9303)

Bundle size 📦

Path: Size
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped): 82.66 KB
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped): 71.77 KB
@sentry/browser (incl. Tracing) - Webpack (gzipped): 30.94 KB
@sentry/browser - Webpack (gzipped): 21.26 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped): 73.03 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped): 28.93 KB
@sentry/browser - ES6 CDN Bundle (gzipped): 21.09 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed): 233.81 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed): 87.77 KB
@sentry/browser - ES6 CDN Bundle (minified & uncompressed): 62.76 KB
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped): 31.71 KB
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped): 83.05 KB
@sentry/react - Webpack (gzipped): 21.29 KB
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped): 99.43 KB
@sentry/nextjs Client - Webpack (gzipped): 47.83 KB

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
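The advisory above describes a tunnel endpoint that forwarded requests to whatever host the client supplied, and the 7.77.0 notes list the fix as matching only numbers as the orgid and strictly validating the tunnel target. The following is an added example, not Sentry's own code, of what that allowlist validation looks like on the forwarding side: the upstream URL is rebuilt only from validated pieces of the DSN in the envelope header, so internal hosts, metadata endpoints and lookalike domains are refused. It assumes the public DSN shape https://key@o<orgid>.ingest[.region].sentry.io/<projectid> and the /api/<projectid>/envelope/ ingest path from Sentry's tunnel documentation; the sample envelopes are constructed.

```javascript
// Added example, not Sentry's code: allowlist validation of a tunnel target.
// A Sentry tunnel forwards browser envelopes through the app's own origin to
// Sentry's ingest API. The first line of an envelope is a JSON header carrying
// the DSN. The forwarder below rebuilds the upstream URL from validated parts
// of that DSN only; nothing from the request reaches the outbound URL verbatim.
//
// Assumed (public) DSN shape: https://<key>@o<orgid>.ingest[.<region>].sentry.io/<projectid>
// Assumed ingest path shape, from Sentry's tunnel docs: /api/<projectid>/envelope/

const INGEST_HOST_RE = /^o(\d+)\.ingest(\.[a-z]{2})?\.sentry\.io$/; // orgid: digits only
const PROJECT_ID_RE = /^\d+$/;

/**
 * Returns the upstream envelope URL for a valid tunnel request, or null when
 * the request must be rejected (4xx) instead of forwarded.
 */
function tunnelTarget(envelope) {
  if (typeof envelope !== 'string') return null;
  let header;
  try {
    header = JSON.parse(envelope.split('\n')[0]);
  } catch {
    return null; // malformed envelope header
  }
  if (!header || typeof header.dsn !== 'string') return null;

  let dsn;
  try {
    dsn = new URL(header.dsn);
  } catch {
    return null; // not a URL at all
  }
  if (dsn.protocol !== 'https:') return null;

  // Host must be Sentry's ingest domain; the anchored regex rejects lookalike
  // suffixes, bare IPs, cloud metadata endpoints and internal hostnames.
  const host = INGEST_HOST_RE.exec(dsn.hostname);
  if (!host) return null;
  const orgId = host[1];
  const region = host[2] || '';

  // Project id is the whole path; URL parsing has already normalised "..".
  const projectId = dsn.pathname.replace(/^\//, '');
  if (!PROJECT_ID_RE.test(projectId)) return null;

  return `https://o${orgId}.ingest${region}.sentry.io/api/${projectId}/envelope/`;
}

// Constructed sample envelopes (not captured traffic).
const VALID_ENVELOPE =
  '{"dsn":"https://examplepublickey@o123456.ingest.sentry.io/7890"}\n{"type":"event"}\n{}';
const METADATA_ENVELOPE =
  '{"dsn":"https://k@169.254.169.254/latest/meta-data/"}\n{"type":"event"}\n{}';
```

A tunnel route handler would call tunnelTarget() on the request body and respond 400 on null rather than forwarding; the same check also covers the region-suffixed ingest hosts, which the advisory text does not mention.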

socket-security bot commented Aug 6, 2024

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert: Critical CVE
Package: npm/[email protected] ⚠︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from e2a8f88 to 96cca22 on September 1, 2024 23:29

sonarqubecloud bot commented Sep 1, 2024

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 96cca22 to 2ef6b76 on October 9, 2024 10:28

sonarqubecloud bot commented Oct 9, 2024

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 2ef6b76 to 9b492c5 on December 2, 2024 10:13

sonarqubecloud bot commented Dec 2, 2024

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 9b492c5 to f7da420 on January 23, 2025 19:12
@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from f7da420 to 475338c on February 9, 2025 15:08

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎


sonarqubecloud bot commented Feb 9, 2025
