feat(node): Add ESM support for postgres.js instrumentation

[onurtemizkan]

Resolves: #17889

This PR rewrites the postgresjs instrumentation with a new architecture:

• Added ESM support via replaceExports

• Moved to main export wrapping instead of internal module patching

  • Previously, we were patching connection.js and query.js internal modules
  • New approach: We are wrapping the main postgres module export to intercept sql instance creation

• Connection context is now stored directly on sql instances using CONNECTION_CONTEXT_SYMBOL

• Query.prototype fallback (CJS only)

  • Patches Query.prototype.handle as a fallback for pre-existing sql instances
  • Uses QUERY_FROM_INSTRUMENTED_SQL marker to prevent duplicate spans

Also,

• Improved SQL sanitization
• port attribute is now stored as a number per OTEL semantic conventions
• Added fallback regex extraction for operation name when command isn't available

[github-actions]

size-limit report 📦

Path	Size	% Change	Change
@sentry/browser	24.81 kB	-	-
@sentry/browser - with treeshaking flags	23.3 kB	-	-
@sentry/browser (incl. Tracing)	41.56 kB	-	-
@sentry/browser (incl. Tracing, Profiling)	46.15 kB	-	-
@sentry/browser (incl. Tracing, Replay)	79.98 kB	-	-
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	69.7 kB	-	-
@sentry/browser (incl. Tracing, Replay with Canvas)	84.65 kB	-	-
@sentry/browser (incl. Tracing, Replay, Feedback)	96.9 kB	-	-
@sentry/browser (incl. Feedback)	41.52 kB	-	-
@sentry/browser (incl. sendFeedback)	29.49 kB	-	-
@sentry/browser (incl. FeedbackAsync)	34.48 kB	-	-
@sentry/react	26.52 kB	-	-
@sentry/react (incl. Tracing)	43.76 kB	-	-
@sentry/vue	29.27 kB	-	-
@sentry/vue (incl. Tracing)	43.37 kB	-	-
@sentry/svelte	24.82 kB	-	-
CDN Bundle	27.24 kB	-	-
CDN Bundle (incl. Tracing)	42.23 kB	-	-
CDN Bundle (incl. Tracing, Replay)	78.75 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback)	84.21 kB	-	-
CDN Bundle - uncompressed	80.04 kB	-	-
CDN Bundle (incl. Tracing) - uncompressed	125.39 kB	-	-
CDN Bundle (incl. Tracing, Replay) - uncompressed	241.42 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	254.18 kB	-	-
@sentry/nextjs (client)	45.98 kB	-	-
@sentry/sveltekit (client)	41.93 kB	-	-
@sentry/node-core	51.5 kB	-	-
@sentry/node	161.36 kB	+0.66%	+1.05 kB 🔺
@sentry/node - without tracing	92.91 kB	-	-
@sentry/aws-serverless	108.44 kB	-	-

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	8,745	-	11,561	-24%
GET With Sentry	1,611	18%	1,986	-19%
GET With Sentry (error only)	6,091	70%	7,859	-22%
POST Baseline	1,175	-	1,188	-1%
POST With Sentry	569	48%	583	-2%
POST With Sentry (error only)	1,047	89%	1,047	-
MYSQL Baseline	3,259	-	4,051	-20%
MYSQL With Sentry	553	17%	570	-3%
MYSQL With Sentry (error only)	2,650	81%	3,351	-21%

View base workflow run

[Copilot]

Pull request overview

This PR adds ESM (ECMAScript Module) support for postgres.js instrumentation by refactoring the patching approach from file-based module instrumentation to module export wrapping. The instrumentation now wraps the main postgres export function to intercept SQL instance creation and instrument query methods dynamically.

Key changes:

• Refactored instrumentation to wrap the main postgres export instead of patching internal files
• Added comprehensive ESM test coverage alongside existing CJS tests
• Enhanced SQL query sanitization to handle PostgreSQL placeholders ($1, $2, etc.)

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
packages/node/src/integrations/tracing/postgresjs.ts	Complete rewrite of instrumentation using module export wrapping; adds ESM support and improves query/connection handling
dev-packages/node-integration-tests/suites/tracing/postgresjs/test.ts	Added ESM tests, requestHook tests, URL initialization tests, and unsafe query tests
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario.mjs	New ESM scenario file for testing ESM imports
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario.cjs	New CJS scenario file with consolidated initialization
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario.js	Enhanced with additional query test cases
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario-url.mjs	New ESM test scenario for URL-based postgres initialization
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario-url.cjs	New CJS test scenario for URL-based postgres initialization
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario-unsafe.cjs	New test scenario for sql.unsafe() method
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario-requestHook.mjs	New ESM test scenario for requestHook functionality
dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario-requestHook.js	New CJS test scenario for requestHook functionality
dev-packages/node-integration-tests/suites/tracing/postgresjs/instrument.mjs	New ESM instrumentation file for tests
dev-packages/node-integration-tests/suites/tracing/postgresjs/instrument.cjs	New CJS instrumentation file for tests
dev-packages/node-integration-tests/suites/tracing/postgresjs/instrument-requestHook.mjs	New ESM instrumentation with requestHook configuration
dev-packages/node-integration-tests/suites/tracing/postgresjs/instrument-requestHook.cjs	New CJS instrumentation with requestHook configuration

Comments suppressed due to low confidence (1)

dev-packages/node-integration-tests/suites/tracing/postgresjs/scenario.js:83

• The floating promise should be handled with proper error handling. Consider using run().catch(console.error) or wrapping in an async IIFE to ensure errors are not silently swallowed.

// eslint-disable-next-line @typescript-eslint/no-floating-promises
run();

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Logic error: spanName is set to the trimmed sanitizedSqlQuery on line 363, which means the condition !spanName on line 364 will only be true if sanitizedSqlQuery is empty or undefined. However, line 366 attempts to match the same sanitizedSqlQuery against SQL_OPERATION_REGEX. This code path is unreachable when sanitizedSqlQuery has content. The fallback logic appears to be intended for cases where sanitizedSqlQuery exists but is not suitable as a span name, but the current implementation doesn't achieve this.

Suggested change

	let spanName = sanitizedSqlQuery?.trim() || '';
	if (!spanName) {
	// Fallback: try to extract operation from the sanitized query
	const operationMatch = sanitizedSqlQuery?.match(SQL_OPERATION_REGEX);
	spanName = operationMatch?.[1] ? `db.${operationMatch[1].toLowerCase()}` : 'db.query';
	let spanName: string;
	const operationMatch = sanitizedSqlQuery?.match(SQL_OPERATION_REGEX);
	if (operationMatch?.[1]) {
	spanName = `db.${operationMatch[1].toLowerCase()}`;
	} else if (sanitizedSqlQuery?.trim()) {
	spanName = sanitizedSqlQuery.trim();
	} else {
	spanName = 'db.query';

[Copilot]

The import of safeExecuteInTheMiddle should be removed from '@opentelemetry/instrumentation' and imported from '@sentry/core' instead, as indicated by the usage pattern at line 394. However, checking the actual usage shows it is used correctly. If this import is not used elsewhere in the file, it should be removed.

[cursor]

Bug: Span description uses operation prefix instead of full query

The span name logic sets spanName to db.${operation} (e.g., db.create, db.select) for recognized SQL operations, but this value becomes the span's description when serialized (as confirmed in sentrySpan.ts line 226: description: this._name). The tests in this same PR explicitly expect the span description to be the full sanitized SQL query (e.g., 'CREATE TABLE "User" (...)'), not the abbreviated db.create format. This mismatch means the detailed test expectations will fail.

 

[aldy505]

...any updates?

[Lms24]

Thanks for making the changes. This looks good to me for now, though I'd like us to improve parameterization in a follow-up PR (see slack convo).

[Lms24]

thanks for making the changes!

[onurtemizkan]

@Lms24 - Implemented complete sanitization. 4ae3e66

[Lms24]

Thanks! Let's fix the last lint warning and then we can merge it.