chore(deps): update dependency @sentry/nestjs to v10.27.0 [security]#99

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-sentry-nestjs-vulnerability

Conversation


@renovate renovate bot commented Nov 25, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| @sentry/nestjs (source) | 10.26.0 → 10.27.0 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-65944

Impact

In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When sendDefaultPii: true was set, a few headers that were previously redacted - including Authorization and Cookie - were unintentionally allowed through.

Sentry’s server-side scrubbing (handled by Sentry's Relay edge proxy) normally serves as a second layer of protection. However, because it relied on the same matching logic as the SDK, it also failed to catch these headers in this case.

Users may be impacted if:

  1. Their Sentry SDK configuration has sendDefaultPii set to true
  2. Their application uses one of the Node.js Sentry SDKs with a version from 10.11.0 to 10.26.0 inclusive:
  • @sentry/astro
  • @sentry/aws-serverless
  • @sentry/bun
  • @sentry/google-cloud-serverless
  • @sentry/nestjs
  • @sentry/nextjs
  • @sentry/node
  • @sentry/node-core
  • @sentry/nuxt
  • @sentry/remix
  • @sentry/solidstart
  • @sentry/sveltekit

Users can check whether their project was affected by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to users' applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later.
If it is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See here for documentation.

Release Notes

getsentry/sentry-javascript (@sentry/nestjs)

v10.27.0


Important Changes
Other Changes
  • feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
  • feat(core): Add scope attribute APIs (#18165)
  • feat(core): Re-add _experiments.enableLogs option (#18299)
  • feat(core): Use maxValueLength on error messages (#18301)
  • feat(deps): bump @sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
  • feat(deps): bump @sentry/cli from 2.56.0 to 2.58.2 (#18271)
  • feat(node): Add tracing support for AzureOpenAI (#18281)
  • feat(node): Fix local variables capturing for out-of-app frames (#18245)
  • fix(core): Add a PromiseBuffer for incoming events on the client (#18120)
  • fix(core): Always redact content of sensitive headers regardless of sendDefaultPii (#18311)
  • fix(metrics): Update return type of beforeSendMetric (#18261)
  • fix(nextjs): universal random tunnel path support (#18257)
  • ref(react): Add more guarding against wildcards in lazy route transactions (#18155)
  • chore(deps): bump glob from 11.0.1 to 11.1.0 in /packages/react-router (#18243)
Internal Changes
  • build(deps): bump hono from 4.9.7 to 4.10.3 in /dev-packages/e2e-tests/test-applications/cloudflare-hono ([#18038](https://redirect.github.com/getsentry/sentry-javascript/pull/18038))
  • chore: Add `bump_otel_instrumentations` cursor command ([#18253](https://redirect.github.com/getsentry/sentry-javascript/pull/18253))
  • chore: Add external contributor to CHANGELOG.md ([#18297](https://redirect.github.com/getsentry/sentry-javascript/pull/18297))
  • chore: Add external contributor to CHANGELOG.md ([#18300](https://redirect.github.com/getsentry/sentry-javascript/pull/18300))
  • chore: Do not update opentelemetry ([#18254](https://redirect.github.com/getsentry/sentry-javascript/pull/18254))
  • chore(angular): Add Angular 21 Support ([#18274](https://redirect.github.com/getsentry/sentry-javascript/pull/18274))
  • chore(deps): bump astro from 4.16.18 to 5.15.9 in /dev-packages/e2e-tests/test-applications/cloudflare-astro ([#18259](https://redirect.github.com/getsentry/sentry-javascript/pull/18259))
  • chore(dev-deps): Update some dev dependencies ([#17816](https://redirect.github.com/getsentry/sentry-javascript/pull/17816))
  • ci(deps): Bump actions/create-github-app-token from 2.1.1 to 2.1.4 ([#17825](https://redirect.github.com/getsentry/sentry-javascript/pull/17825))
  • ci(deps): bump actions/setup-node from 4 to 6 ([#18077](https://redirect.github.com/getsentry/sentry-javascript/pull/18077))
  • ci(deps): bump actions/upload-artifact from 4 to 5 ([#18075](https://redirect.github.com/getsentry/sentry-javascript/pull/18075))
  • ci(deps): bump github/codeql-action from 3 to 4 ([#18076](https://redirect.github.com/getsentry/sentry-javascript/pull/18076))
  • doc(sveltekit): Update documentation link for SvelteKit guide ([#18298](https://redirect.github.com/getsentry/sentry-javascript/pull/18298))
  • test(e2e): Fix astro config in test app ([#18282](https://redirect.github.com/getsentry/sentry-javascript/pull/18282))
  • test(nextjs): Remove debug logs from e2e test ([#18250](https://redirect.github.com/getsentry/sentry-javascript/pull/18250))

Work in this release was contributed by @bignoncedric and @adam-kov. Thank you for your contributions!

Bundle size 📦

| Path | Size |
| --- | --- |
| @sentry/browser | 24.22 KB |
| @sentry/browser - with treeshaking flags | 22.76 KB |
| @sentry/browser (incl. Tracing) | 40.57 KB |
| @sentry/browser (incl. Tracing, Profiling) | 45.05 KB |
| @sentry/browser (incl. Tracing, Replay) | 78.08 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 68.05 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 82.65 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 94.61 KB |
| @sentry/browser (incl. Feedback) | 40.51 KB |
| @sentry/browser (incl. sendFeedback) | 28.8 KB |
| @sentry/browser (incl. FeedbackAsync) | 33.62 KB |
| @sentry/react | 25.9 KB |
| @sentry/react (incl. Tracing) | 42.71 KB |
| @sentry/vue | 28.56 KB |
| @sentry/vue (incl. Tracing) | 42.32 KB |
| @sentry/svelte | 24.24 KB |
| CDN Bundle | 26.53 KB |
| CDN Bundle (incl. Tracing) | 41.18 KB |
| CDN Bundle (incl. Tracing, Replay) | 76.85 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 82.18 KB |
| CDN Bundle - uncompressed | 77.97 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 122.28 KB |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 235.6 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 248.06 KB |
| @sentry/nextjs (client) | 44.88 KB |
| @sentry/sveltekit (client) | 40.92 KB |
| @sentry/node-core | 49.99 KB |
| @sentry/node | 155.51 KB |
| @sentry/node - without tracing | 90.65 KB |
| @sentry/aws-serverless | 105.54 KB |

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
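The advisory quoted in the PR body above names two span attributes, `http.request.header.authorization` and `http.request.header.cookie`, that the affected SDK versions let through when `sendDefaultPii: true`. As an added example (not code from this PR or from the Sentry SDK), here is a detector that reports where those attributes occur on a transaction event, mirroring the manual Explore → Traces search, plus a scrubbing hook an application could register while it is unable to upgrade. The event shape (`contexts.trace.data`, `spans[].data`) and the `beforeSendTransaction` option name are assumptions about the Sentry JavaScript SDK, not stated on the page.

```javascript
// Added example, not part of this PR or of the Sentry SDK. Assumed event shape:
// the root span's attributes live in event.contexts.trace.data and each child
// span's attributes in event.spans[i].data (Sentry JS SDK transaction events).

// The two attribute keys the advisory tells users to search their traces for.
const SENSITIVE_HEADER_ATTRS = new Set([
  'http.request.header.authorization',
  'http.request.header.cookie',
]);

// Gather every attribute object on the event together with a label for where it sits.
function attributeBags(event) {
  const bags = [];
  const trace = event.contexts && event.contexts.trace;
  if (trace && trace.data) bags.push({ where: 'root span', data: trace.data });
  for (const span of event.spans || []) {
    if (span.data) bags.push({ where: span.op || 'span', data: span.data });
  }
  return bags;
}

// Detection: list sensitive header attributes and their location on the event.
function findLeakedHeaders(event) {
  const hits = [];
  for (const { where, data } of attributeBags(event)) {
    for (const key of Object.keys(data)) {
      if (SENSITIVE_HEADER_ATTRS.has(key.toLowerCase())) hits.push({ where, key });
    }
  }
  return hits;
}

// Mitigation: overwrite the values in place before the event leaves the process.
// Assumed wiring: Sentry.init({ ..., beforeSendTransaction: scrubHeaderAttributes }).
function scrubHeaderAttributes(event) {
  for (const { data } of attributeBags(event)) {
    for (const key of Object.keys(data)) {
      if (SENSITIVE_HEADER_ATTRS.has(key.toLowerCase())) data[key] = '[Filtered]';
    }
  }
  return event;
}

// Constructed sample resembling what an affected SDK with sendDefaultPii: true
// would have emitted; the token and cookie values are made up for this example.
const SAMPLE_EVENT = {
  type: 'transaction',
  contexts: { trace: { op: 'http.server', data: {
    'http.method': 'GET', 'http.request.header.authorization': 'Bearer example-token' } } },
  spans: [{ op: 'db.query', data: { 'db.system': 'postgresql' } },
          { op: 'http.client', data: { 'http.request.header.cookie': 'session=abc123' } }],
};
```

Upgrading to 10.27.0 remains the fix the advisory prescribes; the hook only covers the window until that upgrade ships.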

@renovate renovate bot force-pushed the renovate/npm-sentry-nestjs-vulnerability branch from 49cc7c5 to afca6c9 on December 3, 2025 19:42
@renovate renovate bot force-pushed the renovate/npm-sentry-nestjs-vulnerability branch from afca6c9 to 515ba52 on December 31, 2025 16:56
@renovate renovate bot force-pushed the renovate/npm-sentry-nestjs-vulnerability branch from 515ba52 to edd24f4 on January 8, 2026 18:29
@renovate renovate bot force-pushed the renovate/npm-sentry-nestjs-vulnerability branch 2 times, most recently from 46f6a0b to b0f6b6c on January 23, 2026 19:01
@renovate renovate bot force-pushed the renovate/npm-sentry-nestjs-vulnerability branch from b0f6b6c to fc08b57 on February 2, 2026 15:16