Merge branch 'develop' into feat/spotlight-environment-variable-support

Author: BYK

.craft.yml

@@ -153,6 +153,7 @@ targets:
           - nodejs18.x
           - nodejs20.x
           - nodejs22.x
+          - nodejs24.x
     license: MIT
 
   # CDN Bundle Target

.cursor/BUGBOT.md

@@ -32,7 +32,11 @@ Do not flag the issues below if they appear in tests.
 
 - When calling any `startSpan` API (`startInactiveSpan`, `startSpanManual`, etc), always ensure that the following span attributes are set:
   - `SEMANTIC_ATTRIBUTE_SENTRY_ORIGIN` (`'sentry.origin'`) with a proper span origin
+    - a proper origin must only contain [a-z], [A-Z], [0-9], `_` and `.` characters.
+    - flag any non-conforming origin values as invalid and link to the trace origin specification (https://develop.sentry.dev/sdk/telemetry/traces/trace-origin/)
   - `SEMANTIC_ATTRIBUTE_SENTRY_OP` (`'sentry.op'`) with a proper span op
+    - Span ops should be lower case only, and use snake_case. The `.` character is used to delimit op parts.
+    - flag any non-conforming origin values as invalid and link to the span op specification (https://develop.sentry.dev/sdk/telemetry/traces/span-operations/)
 - When calling `captureException`, always make sure that the `mechanism` is set:
   - `handled`: must be set to `true` or `false`
   - `type`: must be set to a proper origin (i.e. identify the integration and part in the integration that caught the exception).

.cursor/commands/bump_otel_instrumentations.md

@@ -0,0 +1,32 @@
+# Bump OpenTelemetry instrumentations
+
+1. Ensure you're on the `develop` branch with the latest changes:
+   - If you have unsaved changes, stash them with `git stash -u`.
+   - If you're on a different branch than `develop`, check out the develop branch using `git checkout develop`.
+   - Pull the latest updates from the remote repository by running `git pull origin develop`.
+
+2. Create a new branch `bump-otel-{yyyy-mm-dd}`, e.g. `bump-otel-2025-03-03`
+
+3. Create a new empty commit with the commit message `feat(deps): Bump OpenTelemetry instrumentations`
+
+4. Push the branch and create a draft PR, note down the PR number as {PR_NUMBER}
+
+5. Create a changelog entry in `CHANGELOG.md` under
+   `- "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott` with the following format:
+   `- feat(deps): Bump OpenTelemetry instrumentations ([#{PR_NUMBER}](https://github.com/getsentry/sentry-javascript/pull/{PR_NUMBER}))`
+
+6. Find the "Upgrade OpenTelemetry instrumentations" rule in `.cursor/rules/upgrade_opentelemetry_instrumentations` and
+   follow those complete instructions step by step.
+   - Create one commit per package in `packages/**` with the commit message
+     `Bump OpenTelemetry instrumentations for {SDK}`, e.g. `Bump OpenTelemetry instrumentation for @sentry/node`
+
+   - For each OpenTelemetry dependency bump, record an entry in the changelog with the format indented under the main
+     entry created in step 5: `- Bump @opentelemetry/{instrumentation} from {previous_version} to {new_version}`, e.g.
+     `- Bump @opentelemetry/instrumentation from 0.204.0 to 0.207.0` **CRITICAL**: Avoid duplicated entries, e.g. if we
+     bump @opentelemetry/instrumentation in two packages, keep a single changelog entry.
+
+7. Regenerate the yarn lockfile and run `yarn yarn-deduplicate`
+
+8. Run `yarn fix` to fix all formatting issues
+
+9. Finally update the PR description to list all dependency bumps

.cursor/rules/upgrade_opentelemetry_instrumentations.mdc

@@ -0,0 +1,33 @@
+---
+description: Use this rule if you are looking to grade OpenTelemetry instrumentations for the Sentry JavaScript SDKs
+globs: *
+alwaysApply: false
+---
+
+# Upgrading OpenTelemetry instrumentations
+
+1. For every package in packages/\*\*:
+   - When upgrading dependencies for OpenTelemetry instrumentations we need to first upgrade `@opentelemetry/instrumentation` to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation` MUST NOT include any breaking changes.
+     Read through the changelog of `@opentelemetry/instrumentation` to figure out if breaking changes are included and fail with the reason if it does include breaking changes.
+     You can find the changelog at `https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/CHANGELOG.md`
+
+   - After successfully upgrading `@opentelemetry/instrumentation` upgrade all `@opentelemetry/instrumentation-{instrumentation}` packages, e.g. `@opentelemetry/instrumentation-pg`
+     **CRITICAL**: `@opentelemetry/instrumentation-{instrumentation}` MUST NOT include any breaking changes.
+     Read through the changelog of `@opentelemetry/instrumentation-{instrumentation}` to figure out if breaking changes are included and fail with the reason if it does including breaking changes.
+     You can find the changelogs at `https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/instrumentation-{instrumentation}/CHANGELOG.md`.
+
+   - Finally, upgrade third party instrumentations to their latest versions, these are currently:
+     - @prisma/instrumentation
+
+     **CRITICAL**: Upgrades to third party instrumentations MUST NOT include breaking changes.
+     Read through the changelog of each third party instrumentation to figure out if breaking changes are included and fail with the reason if it does include breaking changes.
+
+2. For packages and apps in dev-packages/\*\*:
+   - If an app depends on `@opentelemetry/instrumentation` >= 0.200.x upgrade it to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation` MUST NOT include any breaking changes.
+
+   - If an app depends on `@opentelemetry/instrumentation-http` >= 0.200.x upgrade it to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation-http` MUST NOT include any breaking changes.
+
+3. Generate a new yarn lock file.

.github/dependabot.yml

@@ -14,9 +14,15 @@ updates:
       interval: 'weekly'
     allow:
       - dependency-name: '@sentry/*'
-      - dependency-name: '@opentelemetry/*'
-      - dependency-name: '@prisma/instrumentation'
       - dependency-name: '@playwright/test'
+      - dependency-name: '@opentelemetry/*'
+    ignore:
+      - dependency-name: '@opentelemetry/instrumentation'
+      - dependency-name: '@opentelemetry/instrumentation-*'
+    groups:
+      opentelemetry:
+        patterns:
+          - '@opentelemetry/*'
     versioning-strategy: increase
     commit-message:
       prefix: feat

.github/dependency-review-config.yml

@@ -9,3 +9,5 @@ allow-ghsas:
   - GHSA-v784-fjjh-f8r4
   # Next.js Cache poisoning - We require a vulnerable version for E2E testing
   - GHSA-gp8f-8m3g-qvj9
+  # devalue vulnerability - this is just used by nuxt & astro as transitive dependency
+  - GHSA-vj54-72f3-p5jv

.github/workflows/auto-release.yml

@@ -15,12 +15,12 @@ jobs:
     steps:
       - name: Get auth token
         id: token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
@@ -42,7 +42,7 @@ jobs:
           echo "version=$version" >> $GITHUB_OUTPUT
 
       - name: Set up Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: 'package.json'