In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.
> [!NOTE]
> This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.
Patches
The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version.
Also, the fix was backported to SDK v7 in 7.119.1.
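As an added illustration (not Sentry's code and not part of this PR), the hypothetical wrapper below shows how a handler-wrapping helper that caches its wrapper on the wrapped function can act as a prototype pollution gadget, and the "only return functions" check that closes it. The cache key `__wrapped__`, the function names and the simulated pollution in the self-check are all constructed for this example.

```javascript
// Constructed cache key for the example; not a real Sentry property name.
const CACHE_KEY = '__wrapped__';

// Vulnerable shape: trusts whatever is found under CACHE_KEY, including a
// value inherited from a polluted Object.prototype, and hands it back to
// the caller as if it were the wrapped handler.
function wrapUnsafe(fn) {
  if (typeof fn !== 'function') return fn;
  if (fn[CACHE_KEY]) return fn[CACHE_KEY];
  const wrapped = function (...args) { return fn.apply(this, args); };
  fn[CACHE_KEY] = wrapped;
  return wrapped;
}

// Hardened shape: only an OWN property that is itself a function counts as
// a cached wrapper; anything else is ignored and a fresh wrapper is built,
// so the helper can only ever return a function.
function wrapSafe(fn) {
  if (typeof fn !== 'function') return fn;
  const cached = Object.prototype.hasOwnProperty.call(fn, CACHE_KEY)
    ? fn[CACHE_KEY]
    : undefined;
  if (typeof cached === 'function') return cached;
  const wrapped = function (...args) { return fn.apply(this, args); };
  Object.defineProperty(fn, CACHE_KEY, {
    value: wrapped, enumerable: false, writable: true, configurable: true,
  });
  return wrapped;
}

// Defensive self-check: call a wrapper while Object.prototype carries a
// foreign, non-function value under CACHE_KEY (simulated pollution,
// constructed here and removed again), and report whether the wrapper
// still returned a working function.
function returnsFunctionUnderPollution(wrap) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, CACHE_KEY);
  Object.defineProperty(Object.prototype, CACHE_KEY, {
    value: 'not a function', writable: true, configurable: true,
  });
  try {
    const handler = () => 'ok';
    const out = wrap(handler);
    return typeof out === 'function' && out() === 'ok';
  } finally {
    delete Object.prototype[CACHE_KEY];
    if (saved) Object.defineProperty(Object.prototype, CACHE_KEY, saved);
  }
}
```

With a clean prototype both wrappers behave identically; the difference only shows once something else in the page has polluted `Object.prototype`, which is exactly the gadget scenario the advisory describes.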
This PR contains the following updates:
`7.112.2` -> `7.119.1`
GitHub Vulnerability Alerts
GHSA-593m-55hh-j8gv
Release Notes
getsentry/sentry-javascript (@sentry/browser)
### [`v7.119.1`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.119.1)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.119.0...7.119.1)

- fix(browser/v7): Ensure wrap() only returns functions ([#13838](https://redirect.github.com/getsentry/sentry-javascript/issues/13838) backport)

Work in this release contributed by [@legobeat](https://redirect.github.com/legobeat). Thank you for your contribution!

### [`v7.119.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.119.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.118.0...7.119.0)

- backport(tracing): Report dropped spans for transactions ([#13343](https://redirect.github.com/getsentry/sentry-javascript/issues/13343))

##### Bundle size 📦

| Path | Size |
| --- | --- |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - Webpack (gzipped) | 80.96 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack (gzipped) | 71.89 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay with Canvas) - Webpack (gzipped) | 76.14 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) | 65.52 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - Webpack (gzipped) | 35.77 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. browserTracingIntegration) - Webpack (gzipped) | 35.66 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Feedback) - Webpack (gzipped) | 31.71 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. sendFeedback) - Webpack (gzipped) | 31.72 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - Webpack (gzipped) | 22.91 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) | 79.17 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) | 70.49 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (gzipped) | 36.17 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (gzipped) | 25.41 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) | 221.92 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) | 109.52 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (minified & uncompressed) | 76.24 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES5 CDN Bundle (gzipped) | 39.45 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) (incl. Tracing, Replay) - Webpack (gzipped) | 72.4 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) - Webpack (gzipped) | 22.94 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client (incl. Tracing, Replay) - Webpack (gzipped) | 90.16 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client - Webpack (gzipped) | 54.27 KB |
| [@sentry-internal/feedback](https://redirect.github.com/sentry-internal/feedback) - Webpack (gzipped) | 17.34 KB |

### [`v7.118.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.118.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.117.0...7.118.0)

- fix(v7/bundle): Ensure CDN bundles do not overwrite `window.Sentry` ([#12579](https://redirect.github.com/getsentry/sentry-javascript/issues/12579))

### [`v7.117.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.117.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.116.0...7.117.0)

- feat(browser/v7): Publish browserprofiling CDN bundle ([#12224](https://redirect.github.com/getsentry/sentry-javascript/issues/12224))
- fix(v7/publish): Add `v7` tag to `@sentry/replay` ([#12304](https://redirect.github.com/getsentry/sentry-javascript/issues/12304))

### [`v7.116.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.116.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.115.0...7.116.0)

- build(craft): Publish lambda layer under its own name for v7 ([#12098](https://redirect.github.com/getsentry/sentry-javascript/issues/12098)) ([#12099](https://redirect.github.com/getsentry/sentry-javascript/issues/12099))

This release publishes a new AWS Lambda layer under the name `SentryNodeServerlessSDKv7` that users still running v7 can use instead of pinning themselves to `SentryNodeServerlessSDK:235`.

##### Bundle size 📦

| Path | Size |
| --- | --- |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - Webpack (gzipped) | 80.83 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack (gzipped) | 71.77 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay with Canvas) - Webpack (gzipped) | 76.02 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) | 65.38 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - Webpack (gzipped) | 35.64 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. browserTracingIntegration) - Webpack (gzipped) | 35.53 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Feedback) - Webpack (gzipped) | 31.6 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. sendFeedback) - Webpack (gzipped) | 31.61 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - Webpack (gzipped) | 22.78 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) | 79.04 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) | 70.37 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (gzipped) | 36.05 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (gzipped) | 25.28 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) | 221.49 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) | 109.08 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (minified & uncompressed) | 75.81 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES5 CDN Bundle (gzipped) | 39.33 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) (incl. Tracing, Replay) - Webpack (gzipped) | 72.27 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) - Webpack (gzipped) | 22.81 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client (incl. Tracing, Replay) - Webpack (gzipped) | 90.03 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client - Webpack (gzipped) | 54.15 KB |
| [@sentry-internal/feedback](https://redirect.github.com/sentry-internal/feedback) - Webpack (gzipped) | 17.34 KB |

### [`v7.115.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.115.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.114.0...7.115.0)

- feat(v7): Add support for global onUnhandled Error/Promise for Bun ([#11959](https://redirect.github.com/getsentry/sentry-javascript/issues/11959))
- fix(replay/v7): Fix user activity not being updated in `start()` ([#12003](https://redirect.github.com/getsentry/sentry-javascript/issues/12003))
- ref(api): Remove `lastEventId` deprecation warnings ([#12042](https://redirect.github.com/getsentry/sentry-javascript/issues/12042))

##### Bundle size 📦

| Path | Size |
| --- | --- |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - Webpack (gzipped) | 80.83 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack (gzipped) | 71.77 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay with Canvas) - Webpack (gzipped) | 76.02 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) | 65.38 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - Webpack (gzipped) | 35.64 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. browserTracingIntegration) - Webpack (gzipped) | 35.53 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Feedback) - Webpack (gzipped) | 31.6 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. sendFeedback) - Webpack (gzipped) | 31.61 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - Webpack (gzipped) | 22.78 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) | 79.04 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) | 70.37 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (gzipped) | 36.05 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (gzipped) | 25.28 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) | 221.49 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) | 109.08 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) - ES6 CDN Bundle (minified & uncompressed) | 75.81 KB |
| [@sentry/browser](https://redirect.github.com/sentry/browser) (incl. Tracing) - ES5 CDN Bundle (gzipped) | 39.33 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) (incl. Tracing, Replay) - Webpack (gzipped) | 72.27 KB |
| [@sentry/react](https://redirect.github.com/sentry/react) - Webpack (gzipped) | 22.81 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client (incl. Tracing, Replay) - Webpack (gzipped) | 90.03 KB |
| [@sentry/nextjs](https://redirect.github.com/sentry/nextjs) Client - Webpack (gzipped) | 54.15 KB |
| [@sentry-internal/feedback](https://redirect.github.com/sentry-internal/feedback) - Webpack (gzipped) | 17.34 KB |

### [`v7.114.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.114.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.113.0...7.114.0)

##### Important Changes

- **fix(browser/v7): Continuously record CLS ([#11935](https://redirect.github.com/getsentry/sentry-javascript/issues/11935))**

This release fixes a bug that caused the cumulative layout shift (CLS) web vital not to be reported in a majority of the cases where it should have been reported. With this change, the CLS web vital should now always be reported for pageloads with layout shift. If a pageload did not have layout shift, no CLS web vital should be reported.

**Please note that upgrading the SDK to this version may cause data in your dashboards to drastically change.**

##### Other Changes

- build(aws-lambda/v7): Turn off lambda layer publishing ([#11875](https://redirect.github.com/getsentry/sentry-javascript/issues/11875))
- feat(v7): Add `tunnel` support to multiplexed transport ([#11851](https://redirect.github.com/getsentry/sentry-javascript/issues/11851))
- fix(opentelemetry-node): support `HTTP_REQUEST_METHOD` attribute ([#11929](https://redirect.github.com/getsentry/sentry-javascript/issues/11929))
- fix(react/v7): Fix react router v4/v5 span names ([#11940](https://redirect.github.com/getsentry/sentry-javascript/issues/11940))

### [`v7.113.0`](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/7.113.0)

[Compare Source](https://redirect.github.com/getsentry/sentry-javascript/compare/7.112.2...7.113.0)

##### Important Changes

- **feat(node): Support Node 22 ([#11754](https://redirect.github.com/getsentry/sentry-javascript/issues/11754))**

This release adds support for Node 22! 🎉 It also adds prebuilt-binaries for Node 22 to `@sentry/profiling-node`.

##### Other Changes

- feat(feedback): \[v7] New feedback button design ([#11841](https://redirect.github.com/getsentry/sentry-javascript/issues/11841))
- feat(replay/v7): Upgrade rrweb packages to 2.15.0 ([#11752](https://redirect.github.com/getsentry/sentry-javascript/issues/11752))
- fix(ember/v7): Ensure unnecessary spans are avoided ([#11848](https://redirect.github.com/getsentry/sentry-javascript/issues/11848))

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.