Merge branch 'develop' into feat/monitor-trace

Author: naaa760

.craft.yml

@@ -153,6 +153,7 @@ targets:
           - nodejs18.x
           - nodejs20.x
           - nodejs22.x
+          - nodejs24.x
     license: MIT
 
   # CDN Bundle Target

.cursor/commands/bump_otel_instrumentations.md

@@ -0,0 +1,32 @@
+# Bump OpenTelemetry instrumentations
+
+1. Ensure you're on the `develop` branch with the latest changes:
+   - If you have unsaved changes, stash them with `git stash -u`.
+   - If you're on a different branch than `develop`, check out the develop branch using `git checkout develop`.
+   - Pull the latest updates from the remote repository by running `git pull origin develop`.
+
+2. Create a new branch `bump-otel-{yyyy-mm-dd}`, e.g. `bump-otel-2025-03-03`
+
+3. Create a new empty commit with the commit message `feat(deps): Bump OpenTelemetry instrumentations`
+
+4. Push the branch and create a draft PR, note down the PR number as {PR_NUMBER}
+
+5. Create a changelog entry in `CHANGELOG.md` under
+   `- "You miss 100 percent of the chances you don't take. — Wayne Gretzky" — Michael Scott` with the following format:
+   `- feat(deps): Bump OpenTelemetry instrumentations ([#{PR_NUMBER}](https://github.com/getsentry/sentry-javascript/pull/{PR_NUMBER}))`
+
+6. Find the "Upgrade OpenTelemetry instrumentations" rule in `.cursor/rules/upgrade_opentelemetry_instrumentations` and
+   follow those complete instructions step by step.
+   - Create one commit per package in `packages/**` with the commit message
+     `Bump OpenTelemetry instrumentations for {SDK}`, e.g. `Bump OpenTelemetry instrumentation for @sentry/node`
+
+   - For each OpenTelemetry dependency bump, record an entry in the changelog with the format indented under the main
+     entry created in step 5: `- Bump @opentelemetry/{instrumentation} from {previous_version} to {new_version}`, e.g.
+     `- Bump @opentelemetry/instrumentation from 0.204.0 to 0.207.0` **CRITICAL**: Avoid duplicated entries, e.g. if we
+     bump @opentelemetry/instrumentation in two packages, keep a single changelog entry.
+
+7. Regenerate the yarn lockfile and run `yarn yarn-deduplicate`
+
+8. Run `yarn fix` to fix all formatting issues
+
+9. Finally update the PR description to list all dependency bumps

.cursor/rules/upgrade_opentelemetry_instrumentations.mdc

@@ -0,0 +1,33 @@
+---
+description: Use this rule if you are looking to grade OpenTelemetry instrumentations for the Sentry JavaScript SDKs
+globs: *
+alwaysApply: false
+---
+
+# Upgrading OpenTelemetry instrumentations
+
+1. For every package in packages/\*\*:
+   - When upgrading dependencies for OpenTelemetry instrumentations we need to first upgrade `@opentelemetry/instrumentation` to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation` MUST NOT include any breaking changes.
+     Read through the changelog of `@opentelemetry/instrumentation` to figure out if breaking changes are included and fail with the reason if it does include breaking changes.
+     You can find the changelog at `https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/CHANGELOG.md`
+
+   - After successfully upgrading `@opentelemetry/instrumentation` upgrade all `@opentelemetry/instrumentation-{instrumentation}` packages, e.g. `@opentelemetry/instrumentation-pg`
+     **CRITICAL**: `@opentelemetry/instrumentation-{instrumentation}` MUST NOT include any breaking changes.
+     Read through the changelog of `@opentelemetry/instrumentation-{instrumentation}` to figure out if breaking changes are included and fail with the reason if it does including breaking changes.
+     You can find the changelogs at `https://github.com/open-telemetry/opentelemetry-js-contrib/blob/main/packages/instrumentation-{instrumentation}/CHANGELOG.md`.
+
+   - Finally, upgrade third party instrumentations to their latest versions, these are currently:
+     - @prisma/instrumentation
+
+     **CRITICAL**: Upgrades to third party instrumentations MUST NOT include breaking changes.
+     Read through the changelog of each third party instrumentation to figure out if breaking changes are included and fail with the reason if it does include breaking changes.
+
+2. For packages and apps in dev-packages/\*\*:
+   - If an app depends on `@opentelemetry/instrumentation` >= 0.200.x upgrade it to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation` MUST NOT include any breaking changes.
+
+   - If an app depends on `@opentelemetry/instrumentation-http` >= 0.200.x upgrade it to the latest version.
+     **CRITICAL**: `@opentelemetry/instrumentation-http` MUST NOT include any breaking changes.
+
+3. Generate a new yarn lock file.

.github/ISSUE_TEMPLATE/bug.yml

@@ -136,13 +136,14 @@ body:
     id: additional
     attributes:
       label: Additional Context
-      description:
-        Add any other context here. Please keep the pre-filled text, which helps us manage issue prioritization.
-      value: |-
-        <sub>Tip: React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding `+1` or `me too`, to help us triage it.</sub>
+      description: Add any other context here.
     validations:
       required: false
-  - type: markdown
+  - type: dropdown
     attributes:
-      value: |-
-        ## Thanks 🙏
+      label: 'Priority'
+      description: Please keep the pre-filled option, which helps us manage issue prioritization.
+      default: 0
+      options:
+        - <sub>React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding `+1`
+          or `me too`, to help us triage it.</sub>

.github/ISSUE_TEMPLATE/feature.yml

@@ -27,14 +27,14 @@ body:
     id: additional
     attributes:
       label: Additional Context
-      description:
-        Add any other context here. Please keep the pre-filled text, which helps us manage feature prioritization.
-      value: |-
-        <sub>Tip: React with 👍 to help prioritize this improvement. Please use comments to provide useful context, avoiding `+1` or `me too`, to help us triage it.</sub>
+      description: Add any other context here.
     validations:
       required: false
-  - type: markdown
+  - type: dropdown
     attributes:
-      value: |-
-        ## Thanks 🙏
-        Check our [triage docs](https://open.sentry.io/triage/) for what to expect next.
+      label: 'Priority'
+      description: Please keep the pre-filled option, which helps us manage issue prioritization.
+      default: 0
+      options:
+        - <sub>React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding `+1`
+          or `me too`, to help us triage it.</sub>

.github/dependabot.yml

@@ -14,9 +14,15 @@ updates:
       interval: 'weekly'
     allow:
       - dependency-name: '@sentry/*'
-      - dependency-name: '@opentelemetry/*'
-      - dependency-name: '@prisma/instrumentation'
       - dependency-name: '@playwright/test'
+      - dependency-name: '@opentelemetry/*'
+    ignore:
+      - dependency-name: '@opentelemetry/instrumentation'
+      - dependency-name: '@opentelemetry/instrumentation-*'
+    groups:
+      opentelemetry:
+        patterns:
+          - '@opentelemetry/*'
     versioning-strategy: increase
     commit-message:
       prefix: feat

.github/dependency-review-config.yml

@@ -9,3 +9,5 @@ allow-ghsas:
   - GHSA-v784-fjjh-f8r4
   # Next.js Cache poisoning - We require a vulnerable version for E2E testing
   - GHSA-gp8f-8m3g-qvj9
+  # devalue vulnerability - this is just used by nuxt & astro as transitive dependency
+  - GHSA-vj54-72f3-p5jv

.github/workflows/auto-release.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Get auth token
         id: token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
@@ -42,7 +42,7 @@ jobs:
           echo "version=$version" >> $GITHUB_OUTPUT
 
       - name: Set up Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: 'package.json'