fix: re-patch all random API calls

Author: logaretm

packages/core/src/client.ts

@@ -1,4 +1,5 @@
 /* eslint-disable max-lines */
+import { _INTERNAL_safeMathRandom } from '.';
 import { getEnvelopeEndpointWithUrlEncodedAuth } from './api';
 import { DEFAULT_ENVIRONMENT } from './constants';
 import { getCurrentScope, getIsolationScope, getTraceContextFromScope } from './currentScopes';
@@ -1288,7 +1289,7 @@ export abstract class Client<O extends ClientOptions = ClientOptions> {
     // 0.0 === 0% events are sent
     // Sampling for transaction happens somewhere else
     const parsedSampleRate = typeof sampleRate === 'undefined' ? undefined : parseSampleRate(sampleRate);
-    if (isError && typeof parsedSampleRate === 'number' && Math.random() > parsedSampleRate) {
+    if (isError && typeof parsedSampleRate === 'number' && _INTERNAL_safeMathRandom() > parsedSampleRate) {
       this.recordDroppedEvent('sample_rate', 'error');
       return rejectedSyncPromise(
         _makeDoNotSendEventError(

packages/core/src/index.ts

@@ -516,4 +516,6 @@ export type {
 export {
   withRandomSafeContext as _INTERNAL_withRandomSafeContext,
   type RandomSafeContextRunner as _INTERNAL_RandomSafeContextRunner,
+  safeMathRandom as _INTERNAL_safeMathRandom,
+  safeDateNow as _INTERNAL_safeDateNow,
 } from './utils/randomSafeContext';

packages/core/src/integrations/mcp-server/correlation.ts

@@ -46,6 +46,7 @@ export function storeSpanForRequest(transport: MCPTransport, requestId: RequestI
   spanMap.set(requestId, {
     span,
     method,
+    // eslint-disable-next-line @sentry-internal/sdk/no-unsafe-random-apis
     startTime: Date.now(),
   });
 }

packages/core/src/scope.ts

@@ -22,7 +22,7 @@ import { isPlainObject } from './utils/is';
 import { merge } from './utils/merge';
 import { uuid4 } from './utils/misc';
 import { generateTraceId } from './utils/propagationContext';
-import { withRandomSafeContext } from './utils/randomSafeContext';
+import { safeMathRandom } from './utils/randomSafeContext';
 import { _getSpanForScope, _setSpanForScope } from './utils/spanOnScope';
 import { truncate } from './utils/string';
 import { dateTimestampInSeconds } from './utils/time';
@@ -168,8 +168,8 @@ export class Scope {
     this._contexts = {};
     this._sdkProcessingMetadata = {};
     this._propagationContext = {
-      traceId: withRandomSafeContext(generateTraceId),
-      sampleRand: withRandomSafeContext(() => Math.random()),
+      traceId: generateTraceId(),
+      sampleRand: safeMathRandom(),
     };
   }
 
@@ -552,8 +552,8 @@ export class Scope {
     _setSpanForScope(this, undefined);
     this._attachments = [];
     this.setPropagationContext({
-      traceId: withRandomSafeContext(generateTraceId),
-      sampleRand: withRandomSafeContext(() => Math.random()),
+      traceId: generateTraceId(),
+      sampleRand: safeMathRandom(),
     });
 
     this._notifyScopeListeners();

packages/core/src/tracing/sentrySpan.ts

@@ -26,7 +26,6 @@ import type { SpanStatus } from '../types-hoist/spanStatus';
 import type { TimedEvent } from '../types-hoist/timedEvent';
 import { debug } from '../utils/debug-logger';
 import { generateSpanId, generateTraceId } from '../utils/propagationContext';
-import { withRandomSafeContext } from '../utils/randomSafeContext';
 import {
   convertSpanLinksForEnvelope,
   getRootSpan,
@@ -77,9 +76,9 @@ export class SentrySpan implements Span {
    * @hidden
    */
   public constructor(spanContext: SentrySpanArguments = {}) {
-    this._traceId = spanContext.traceId || withRandomSafeContext(generateTraceId);
-    this._spanId = spanContext.spanId || withRandomSafeContext(generateSpanId);
-    this._startTime = spanContext.startTimestamp || withRandomSafeContext(timestampInSeconds);
+    this._traceId = spanContext.traceId || generateTraceId();
+    this._spanId = spanContext.spanId || generateSpanId();
+    this._startTime = spanContext.startTimestamp || timestampInSeconds();
     this._links = spanContext.links;
 
     this._attributes = {};

packages/core/src/tracing/trace.ts

@@ -17,6 +17,7 @@ import { handleCallbackErrors } from '../utils/handleCallbackErrors';
 import { hasSpansEnabled } from '../utils/hasSpansEnabled';
 import { parseSampleRate } from '../utils/parseSampleRate';
 import { generateTraceId } from '../utils/propagationContext';
+import { safeMathRandom } from '../utils/randomSafeContext';
 import { _getSpanForScope, _setSpanForScope } from '../utils/spanOnScope';
 import { addChildSpanToSpan, getRootSpan, spanIsSampled, spanTimeInputToSeconds, spanToJSON } from '../utils/spanUtils';
 import { propagationContextFromHeaders, shouldContinueTrace } from '../utils/tracing';
@@ -293,7 +294,7 @@ export function startNewTrace<T>(callback: () => T): T {
   return withScope(scope => {
     scope.setPropagationContext({
       traceId: generateTraceId(),
-      sampleRand: Math.random(),
+      sampleRand: safeMathRandom(),
     });
     DEBUG_BUILD && debug.log(`Starting a new trace with id ${scope.getPropagationContext().traceId}`);
     return withActiveSpan(null, callback);

packages/core/src/utils/misc.ts

@@ -3,6 +3,7 @@ import type { Exception } from '../types-hoist/exception';
 import type { Mechanism } from '../types-hoist/mechanism';
 import type { StackFrame } from '../types-hoist/stackframe';
 import { addNonEnumerableProperty } from './object';
+import { safeMathRandom, withRandomSafeContext } from './randomSafeContext';
 import { snipLine } from './string';
 import { GLOBAL_OBJ } from './worldwide';
 
@@ -24,7 +25,7 @@ function getCrypto(): CryptoInternal | undefined {
 let emptyUuid: string | undefined;
 
 function getRandomByte(): number {
-  return Math.random() * 16;
+  return safeMathRandom() * 16;
 }
 
 /**
@@ -35,7 +36,8 @@ function getRandomByte(): number {
 export function uuid4(crypto = getCrypto()): string {
   try {
     if (crypto?.randomUUID) {
-      return crypto.randomUUID().replace(/-/g, '');
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      return withRandomSafeContext(() => crypto.randomUUID!()).replace(/-/g, '');
     }
   } catch {
     // some runtimes can crash invoking crypto

packages/core/src/utils/randomSafeContext.ts

@@ -23,3 +23,19 @@ export function withRandomSafeContext<T>(cb: () => T): T {
 
   return globalWithSymbol[sym](cb);
 }
+
+/**
+ * Identical to Math.random() but wrapped in withRandomSafeContext
+ * to ensure safe random number generation in certain contexts (e.g., Next.js Cache Components).
+ */
+export function safeMathRandom(): number {
+  return withRandomSafeContext(() => Math.random());
+}
+
+/**
+ * Identical to performance.now() but wrapped in withRandomSafeContext
+ * to ensure safe time value generation in certain contexts (e.g., Next.js Cache Components).
+ */
+export function safeDateNow(): number {
+  return withRandomSafeContext(() => Date.now());
+}

packages/core/src/utils/ratelimit.ts

@@ -1,5 +1,6 @@
 import type { DataCategory } from '../types-hoist/datacategory';
 import type { TransportMakeRequestResponse } from '../types-hoist/transport';
+import { safeDateNow } from './randomSafeContext';
 
 // Intentionally keeping the key broad, as we don't know for sure what rate limit headers get returned from backend
 export type RateLimits = Record<string, number>;
@@ -12,7 +13,7 @@ export const DEFAULT_RETRY_AFTER = 60 * 1000; // 60 seconds
  * @param now current unix timestamp
  *
  */
-export function parseRetryAfterHeader(header: string, now: number = Date.now()): number {
+export function parseRetryAfterHeader(header: string, now: number = safeDateNow()): number {
   const headerDelay = parseInt(`${header}`, 10);
   if (!isNaN(headerDelay)) {
     return headerDelay * 1000;
@@ -40,7 +41,7 @@ export function disabledUntil(limits: RateLimits, dataCategory: DataCategory): n
 /**
  * Checks if a category is rate limited
  */
-export function isRateLimited(limits: RateLimits, dataCategory: DataCategory, now: number = Date.now()): boolean {
+export function isRateLimited(limits: RateLimits, dataCategory: DataCategory, now: number = safeDateNow()): boolean {
   return disabledUntil(limits, dataCategory) > now;
 }
 
@@ -52,7 +53,7 @@ export function isRateLimited(limits: RateLimits, dataCategory: DataCategory, no
 export function updateRateLimits(
   limits: RateLimits,
   { statusCode, headers }: TransportMakeRequestResponse,
-  now: number = Date.now(),
+  now: number = safeDateNow(),
 ): RateLimits {
   const updatedRateLimits: RateLimits = {
     ...limits,

packages/core/src/utils/time.ts

@@ -1,3 +1,4 @@
+import { safeDateNow, withRandomSafeContext } from './randomSafeContext';
 import { GLOBAL_OBJ } from './worldwide';
 
 const ONE_SECOND_IN_MS = 1000;
@@ -21,7 +22,7 @@ interface Performance {
  * Returns a timestamp in seconds since the UNIX epoch using the Date API.
  */
 export function dateTimestampInSeconds(): number {
-  return Date.now() / ONE_SECOND_IN_MS;
+  return safeDateNow() / ONE_SECOND_IN_MS;
 }
 
 /**
@@ -50,7 +51,7 @@ function createUnixTimestampInSecondsFunc(): () => number {
   // See: https://github.com/mdn/content/issues/4713
   // See: https://dev.to/noamr/when-a-millisecond-is-not-a-millisecond-3h6
   return () => {
-    return (timeOrigin + performance.now()) / ONE_SECOND_IN_MS;
+    return (timeOrigin + withRandomSafeContext(() => performance.now())) / ONE_SECOND_IN_MS;
   };
 }
 
@@ -92,8 +93,8 @@ function getBrowserTimeOrigin(): number | undefined {
   }
 
   const threshold = 300_000; // 5 minutes in milliseconds
-  const performanceNow = performance.now();
-  const dateNow = Date.now();
+  const performanceNow = withRandomSafeContext(() => performance.now());
+  const dateNow = safeDateNow();
 
   const timeOrigin = performance.timeOrigin;
   if (typeof timeOrigin === 'number') {