fix(deps): update dependency @sentry/node to v10.27.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sentry/node (source)	10.25.0 -> 10.27.0

GitHub Vulnerability Alerts

CVE-2025-65944

Impact

When a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application.

Users may be impacted if:

1. The Sentry SDK configuration has sendDefaultPii set to true
2. The application uses one of the Node.js Sentry SDKs with version from 10.11.0 to 10.26.0 inclusively:

• @​sentry/astro
• @​sentry/aws-serverless
• @​sentry/bun
• @​sentry/google-cloud-serverless
• @​sentry/nestjs
• @​sentry/nextjs
• @​sentry/node
• @​sentry/node-core
• @​sentry/nuxt
• @​sentry/remix
• @​sentry/solidstart
• @​sentry/sveltekit

Users can check if their project was affected, by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users' applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later.
If it is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See here for documentation.

Resources

• https://develop.sentry.dev/sdk/expected-features/data-handling/#sensitive-data
• https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0
• https://github.com/getsentry/sentry-javascript/pull/17475
• https://docs.sentry.io/platforms/javascript/guides/node/data-management/data-collected/#cookies

---

Release Notes

getsentry/sentry-javascript (@​sentry/node)

v10.27.0

Compare Source

Important Changes

• feat(deps): Bump OpenTelemetry (#​18239)

  • Bump @​opentelemetry/context-async-hooks from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/core from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/resources from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-base from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-node from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/instrumentation from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-amqplib from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-aws-sdk from 0.59.0 to 0.64.0
  • Bump @​opentelemetry/instrumentation-connect from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-dataloader from 0.22.0 to 0.26.0
  • Bump @​opentelemetry/instrumentation-express from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-fs from 0.24.0 to 0.28.0
  • Bump @​opentelemetry/instrumentation-generic-pool from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-graphql from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-hapi from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-http from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-ioredis from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-kafkajs from 0.14.0 to 0.18.0
  • Bump @​opentelemetry/instrumentation-knex from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-koa from 0.52.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-lru-memoizer from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-mongodb from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-mongoose from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-mysql from 0.50.0 to 0.54.0
  • Bump @​opentelemetry/instrumentation-mysql2 from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-nestjs-core from 0.50.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-pg from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-redis from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-tedious from 0.23.0 to 0.27.0
  • Bump @​opentelemetry/instrumentation-undici from 0.15.0 to 0.19.0
  • Bump @​prisma/instrumentation from 6.15.0 to 6.19.0

• feat(browserprofiling): Add manual mode and deprecate old profiling (#​18189)

  Adds the manual lifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually with Sentry.uiProfiler.startProfiler() and Sentry.uiProfiler.stopProfiler().
  The previous transaction-based profiling is with profilesSampleRate is now deprecated in favor of the new UI Profiling with profileSessionSampleRate.

Other Changes

• feat(core): Add gibibyte and pebibyte to InformationUnit type (#​18241)
• feat(core): Add scope attribute APIs (#​18165)
• feat(core): Re-add _experiments.enableLogs option (#​18299)
• feat(core): Use maxValueLength on error messages (#​18301)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#​18273)
• feat(deps): bump @​sentry/cli from 2.56.0 to 2.58.2 (#​18271)
• feat(node): Add tracing support for AzureOpenAI (#​18281)
• feat(node): Fix local variables capturing for out-of-app frames (#​18245)
• fix(core): Add a PromiseBuffer for incoming events on the client (#​18120)
• fix(core): Always redact content of sensitive headers regardless of sendDefaultPii (#​18311)
• fix(metrics): Update return type of beforeSendMetric (#​18261)
• fix(nextjs): universal random tunnel path support (#​18257)
• ref(react): Add more guarding against wildcards in lazy route transactions (#​18155)
• chore(deps): bump glob from 11.0.1 to 11.1.0 in /packages/react-router (#​18243)

Internal Changes

- build(deps): bump hono from 4.9.7 to 4.10.3 in /dev-packages/e2e-tests/test-applications/cloudflare-hono ([#​18038](https://redirect.github.com/getsentry/sentry-javascript/pull/18038)) - chore: Add `bump_otel_instrumentations` cursor command ([#​18253](https://redirect.github.com/getsentry/sentry-javascript/pull/18253)) - chore: Add external contributor to CHANGELOG.md ([#​18297](https://redirect.github.com/getsentry/sentry-javascript/pull/18297)) - chore: Add external contributor to CHANGELOG.md ([#​18300](https://redirect.github.com/getsentry/sentry-javascript/pull/18300)) - chore: Do not update opentelemetry ([#​18254](https://redirect.github.com/getsentry/sentry-javascript/pull/18254)) - chore(angular): Add Angular 21 Support ([#​18274](https://redirect.github.com/getsentry/sentry-javascript/pull/18274)) - chore(deps): bump astro from 4.16.18 to 5.15.9 in /dev-packages/e2e-tests/test-applications/cloudflare-astro ([#​18259](https://redirect.github.com/getsentry/sentry-javascript/pull/18259)) - chore(dev-deps): Update some dev dependencies ([#​17816](https://redirect.github.com/getsentry/sentry-javascript/pull/17816)) - ci(deps): Bump actions/create-github-app-token from 2.1.1 to 2.1.4 ([#​17825](https://redirect.github.com/getsentry/sentry-javascript/pull/17825)) - ci(deps): bump actions/setup-node from 4 to 6 ([#​18077](https://redirect.github.com/getsentry/sentry-javascript/pull/18077)) - ci(deps): bump actions/upload-artifact from 4 to 5 ([#​18075](https://redirect.github.com/getsentry/sentry-javascript/pull/18075)) - ci(deps): bump github/codeql-action from 3 to 4 ([#​18076](https://redirect.github.com/getsentry/sentry-javascript/pull/18076)) - doc(sveltekit): Update documentation link for SvelteKit guide ([#​18298](https://redirect.github.com/getsentry/sentry-javascript/pull/18298)) - test(e2e): Fix astro config in test app ([#​18282](https://redirect.github.com/getsentry/sentry-javascript/pull/18282)) - test(nextjs): Remove debug logs from e2e test ([#​18250](https://redirect.github.com/getsentry/sentry-javascript/pull/18250))

Work in this release was contributed by @​bignoncedric and @​adam-kov. Thank you for your contributions!

Bundle size 📦

Path	Size
@​sentry/browser	24.22 KB
@​sentry/browser - with treeshaking flags	22.76 KB
@​sentry/browser (incl. Tracing)	40.57 KB
@​sentry/browser (incl. Tracing, Profiling)	45.05 KB
@​sentry/browser (incl. Tracing, Replay)	78.08 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	68.05 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	82.65 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	94.61 KB
@​sentry/browser (incl. Feedback)	40.51 KB
@​sentry/browser (incl. sendFeedback)	28.8 KB
@​sentry/browser (incl. FeedbackAsync)	33.62 KB
@​sentry/react	25.9 KB
@​sentry/react (incl. Tracing)	42.71 KB
@​sentry/vue	28.56 KB
@​sentry/vue (incl. Tracing)	42.32 KB
@​sentry/svelte	24.24 KB
CDN Bundle	26.53 KB
CDN Bundle (incl. Tracing)	41.18 KB
CDN Bundle (incl. Tracing, Replay)	76.85 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	82.18 KB
CDN Bundle - uncompressed	77.97 KB
CDN Bundle (incl. Tracing) - uncompressed	122.28 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	235.6 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	248.06 KB
@​sentry/nextjs (client)	44.88 KB
@​sentry/sveltekit (client)	40.92 KB
@​sentry/node-core	49.99 KB
@​sentry/node	155.51 KB
@​sentry/node - without tracing	90.65 KB
@​sentry/aws-serverless	105.54 KB

v10.26.0

Compare Source

Important Changes

• feat(core): Instrument LangGraph Agent (#​18114)

Adds support for instrumenting LangGraph StateGraph operations in Node. The LangGraph integration can be configured as follows:

Sentry.init({
  dsn: '__DSN__',
  sendDefaultPii: false, // Even with PII disabled globally
  integrations: [
    Sentry.langGraphIntegration({
      recordInputs: true, // Force recording input messages
      recordOutputs: true, // Force recording response text
    }),
  ],
});

• feat(cloudflare/vercel-edge): Add manual instrumentation for LangGraph (#​18112)

Instrumentation for LangGraph in Cloudflare Workers and Vercel Edge environments is supported by manually calling instrumentLangGraph:

import * as Sentry from '@​sentry/cloudflare'; // or '@​sentry/vercel-edge'
import { StateGraph, START, END, MessagesAnnotation } from '@​langchain/langgraph';

// Create and instrument the graph
const graph = new StateGraph(MessagesAnnotation)
  .addNode('agent', agentFn)
  .addEdge(START, 'agent')
  .addEdge('agent', END);

Sentry.instrumentLangGraph(graph, {
  recordInputs: true,
  recordOutputs: true,
});

const compiled = graph.compile({ name: 'weather_assistant' });

await compiled.invoke({
  messages: [{ role: 'user', content: 'What is the weather in SF?' }],
});

• feat(node): Add OpenAI SDK v6 support (#​18244)

Other Changes

• feat(core): Support OpenAI embeddings API (#​18224)
• feat(browser-utils): bump web-vitals to 5.1.0 (#​18091)
• feat(core): Support truncation for LangChain integration request messages (#​18157)
• feat(metrics): Add default server.address attribute on server runtimes (#​18242)
• feat(nextjs): Add URL to server-side transaction events (#​18230)
• feat(node-core): Add mechanism to prevent wrapping ai providers multiple times(#​17972)
• feat(replay): Bump limit for minReplayDuration (#​18190)
• fix(browser): Add ok status to successful idleSpans (#​18139)
• fix(core): Check fetch support with data URL (#​18225)
• fix(core): Decrease number of Sentry stack frames for messages from captureConsoleIntegration (#​18096)
• fix(core): Emit processed metric (#​18222)
• fix(core): Ensure logs past MAX_LOG_BUFFER_SIZE are not swallowed (#​18207)
• fix(core): Ensure metrics past MAX_METRIC_BUFFER_SIZE are not swallowed (#​18212)
• fix(core): Fix logs and metrics flush timeout starvation with continuous logging (#​18211)
• fix(core): Flatten gen_ai.request.available_tools in google-genai (#​18194)
• fix(core): Stringify available tools sent from vercelai (#​18197)
• fix(core/vue): Detect and skip normalizing Vue VNode objects with high normalizeDepth (#​18206)
• fix(nextjs): Avoid wrapping middleware files when in standalone mode (#​18172)
• fix(nextjs): Drop meta trace tags if rendered page is ISR (#​18192)
• fix(nextjs): Respect PORT variable for dev error symbolication (#​18227)
• fix(nextjs): use LRU map instead of map for ISR route cache (#​18234)
• fix(node): tracingChannel export missing in older node versions (#​18191)
• fix(node): Fix Spotlight configuration precedence to match specification (#​18195)
• fix(react): Prevent navigation span leaks for consecutive navigations (#​18098)
• ref(react-router): Deprecate ErrorBoundary exports (#​18208)

Internal Changes

• chore: Fix missing changelog quote we use for attribution placement (#​18237)
• chore: move tip about prioritizing issues (#​18071)
• chore(e2e): Pin @embroider/addon-shim to 1.10.0 for the e2e ember-embroider (#​18173)
• chore(react-router): Fix casing on deprecation notices (#​18221)
• chore(test): Use correct testTimeout field in bundler-tests vitest config
• chore(e2e): Bump zod in e2e tests (#​18251)
• test(browser-integration): Fix incorrect tag value assertions (#​18162)
• test(profiling): Add test utils to validate Profile Chunk envelope (#​18170)
• ref(e2e-ember): Remove @embroider/addon-shim override (#​18180)
• ref(browser): Move trace lifecycle listeners to class function (#​18231)
• ref(browserprofiling): Move and rename profiler class to UIProfiler (#​18187)
• ref(core): Move ai integrations from utils to tracing (#​18185)
• ref(core): Optimize Scope.setTag bundle size and adjust test (#​18182)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.