Merge branch 'develop' into fix/mcp-streamable-http-transport

Author: betegon

.cursor/BUGBOT.md

@@ -0,0 +1,42 @@
+# PR Review Guidelines for Cursor Bot
+
+You are reviewing a pull request for the Sentry JavaScript SDK.
+Flag any of the following indicators or missing requirements.
+If you find anything to flag, mention that you flagged this in the review because it was mentioned in this rules file.
+These issues are only relevant for production code.
+Do not flag the issues below if they appear in tests.
+
+## Critical Issues to Flag
+
+### Security Vulnerabilities
+
+- Exposed secrets, API keys, tokens or creentials in code or comments
+- Unsafe use of `eval()`, `Function()`, or `innerHTML`
+- Unsafe regular expressions that could cause ReDoS attacks
+
+### Breaking Changes
+
+- Public API changes without proper deprecation notices
+- Removal of publicly exported functions, classes, or types. Internal removals are fine!
+- Changes to function signatures in public APIs
+
+## SDK-relevant issues
+
+### Performance Issues
+
+- Multiple loops over the same array (for example, using `.filter`, .`foreach`, chained). Suggest a classic `for` loop as a replacement.
+- Memory leaks from event listeners, timers, or closures not being cleaned up or unsubscribing
+- Large bundle size increases in browser packages. Sometimes they're unavoidable but flag them anyway.
+
+### Auto instrumentation, SDK integrations, Sentry-specific conventions
+
+- When calling any `startSpan` API (`startInactiveSpan`, `startSpanManual`, etc), always ensure that the following span attributes are set:
+  - `SEMANTIC_ATTRIBUTE_SENTRY_ORIGIN` (`'sentry.origin'`) with a proper span origin
+  - `SEMANTIC_ATTRIBUTE_SENTRY_OP` (`'sentry.op'`) with a proper span op
+- When calling `captureException`, always make sure that the `mechanism` is set:
+  - `handled`: must be set to `true` or `false`
+  - `type`: must be set to a proper origin (i.e. identify the integration and part in the integration that caught the exception).
+    - The type should align with the `SEMANTIC_ATTRIBUTE_SENTRY_ORIGIN` if a span wraps the `captureException` call.
+    - If there's no direct span that's wrapping the captured exception, apply a proper `type` value, following the same naming
+      convention as the `SEMANTIC_ATTRIBUTE_SENTRY_ORIGIN` value.
+- When calling `startSpan`, check if error cases are handled. If flag that it might make sense to try/catch and call `captureException`.

.github/workflows/build.yml

@@ -910,6 +910,12 @@ jobs:
       - name: Set up Bun
         if: matrix.test-application == 'node-exports-test-app'
         uses: oven-sh/setup-bun@v2
+      - name: Set up AWS SAM
+        if: matrix.test-application == 'aws-serverless'
+        uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Restore caches
         uses: ./.github/actions/restore-cache
         with:

CHANGELOG.md

@@ -80,6 +80,18 @@ The removal entails **no breaking API changes**. However, in rare cases, you mig
 - If you set up Sentry Alerts that depend on FID, be aware that these could trigger once you upgrade the SDK, due to a lack of new values.
   To replace them, adjust your alerts (or dashbaords) to use INP.
 
+### Update: User IP Address collection gated by `sendDefaultPii`
+
+Version `10.4.0` introduced a change that should have ideally been introduced with `10.0.0` of the SDK.
+Originally destined for [version `9.0.0`](https://docs.sentry.io/platforms/javascript/migration/v8-to-v9/#behavior-changes), but having not the desired effect until v10,
+SDKs will now control IP address inference of user IP addresses depending on the value of the top level `sendDefaultPii` init option.
+
+- If `sendDefaultPii` is `true`, Sentry will infer the IP address of users' devices to events (errors, traces, replays, etc) in all browser-based SDKs.
+- If `sendDefaultPii` is `false` or not set, Sentry will not infer or collect IP address data.
+
+Given that this was already the advertised behaviour since v9, we classify the change [as a fix](https://github.com/getsentry/sentry-javascript/pull/17364),
+though we recognize the potential impact of it. We apologize for any inconvenience caused.
+
 ## No Version Support Timeline
 
 Version support timelines are stressful for everybody using the SDK, so we won't be defining one.

MIGRATION.md

@@ -1,6 +1,6 @@
 {
   "name": "@sentry-internal/browser-integration-tests",
-  "version": "10.0.0",
+  "version": "10.4.0",
   "main": "index.js",
   "license": "MIT",
   "engines": {
@@ -43,7 +43,7 @@
     "@babel/preset-typescript": "^7.16.7",
     "@playwright/test": "~1.53.2",
     "@sentry-internal/rrweb": "2.34.0",
-    "@sentry/browser": "10.0.0",
+    "@sentry/browser": "10.4.0",
     "@supabase/supabase-js": "2.49.3",
     "axios": "1.8.2",
     "babel-loader": "^8.2.2",

dev-packages/browser-integration-tests/package.json

@@ -24,7 +24,7 @@ sentryTest('handles fetch network errors @firefox', async ({ getLocalTestUrl, pa
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
   });
 });
@@ -51,7 +51,7 @@ sentryTest('handles fetch network errors on subdomains @firefox', async ({ getLo
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
   });
 });
@@ -78,7 +78,7 @@ sentryTest('handles fetch invalid header name errors @firefox', async ({ getLoca
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -110,7 +110,7 @@ sentryTest('handles fetch invalid header value errors @firefox', async ({ getLoc
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -152,7 +152,7 @@ sentryTest('handles fetch invalid URL scheme errors @firefox', async ({ getLocal
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -184,7 +184,7 @@ sentryTest('handles fetch credentials in url errors @firefox', async ({ getLocal
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -215,7 +215,7 @@ sentryTest('handles fetch invalid mode errors @firefox', async ({ getLocalTestUr
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -245,7 +245,7 @@ sentryTest('handles fetch invalid request method errors @firefox', async ({ getL
     value: error,
     mechanism: {
       handled: false,
-      type: 'onunhandledrejection',
+      type: 'auto.browser.global_handlers.onunhandledrejection',
     },
     stacktrace: {
       frames: expect.any(Array),
@@ -277,7 +277,7 @@ sentryTest(
       value: error,
       mechanism: {
         handled: false,
-        type: 'onunhandledrejection',
+        type: 'auto.browser.global_handlers.onunhandledrejection',
       },
       stacktrace: {
         frames: expect.any(Array),

dev-packages/browser-integration-tests/suites/errors/fetch/test.ts

@@ -61,6 +61,9 @@ sentryTest('should capture feedback with custom button', async ({ getLocalTestUr
       version: expect.any(String),
       name: 'sentry.javascript.browser',
       packages: expect.anything(),
+      settings: {
+        infer_ip: 'never',
+      },
     },
     request: {
       url: `${TEST_HOST}/index.html`,

dev-packages/browser-integration-tests/suites/feedback/attachTo/test.ts

@@ -61,6 +61,9 @@ sentryTest('should capture feedback', async ({ getLocalTestUrl, page }) => {
       version: expect.any(String),
       name: 'sentry.javascript.browser',
       packages: expect.anything(),
+      settings: {
+        infer_ip: 'never',
+      },
     },
     request: {
       url: `${TEST_HOST}/index.html`,

dev-packages/browser-integration-tests/suites/feedback/captureFeedback/test.ts

@@ -95,6 +95,9 @@ sentryTest('should capture feedback', async ({ forceFlushReplay, getLocalTestUrl
       version: expect.any(String),
       name: 'sentry.javascript.browser',
       packages: expect.anything(),
+      settings: {
+        infer_ip: 'never',
+      },
     },
     request: {
       url: `${TEST_HOST}/index.html`,

dev-packages/browser-integration-tests/suites/feedback/captureFeedbackAndReplay/hasSampling/test.ts

@@ -61,6 +61,9 @@ sentryTest('should capture feedback', async ({ getLocalTestUrl, page }) => {
       version: expect.any(String),
       name: 'sentry.javascript.browser',
       packages: expect.anything(),
+      settings: {
+        infer_ip: 'never',
+      },
     },
     request: {
       url: `${TEST_HOST}/index.html`,