chore(deps): update dependency @sentry/nextjs to v7.77.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sentry/nextjs (source)	7.73.0 → 7.77.0

---

Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

CVE-2023-46729 / GHSA-2rmr-xw8m-22q9

More information

Details

Impact

An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors:

• client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
• interaction with internal network;
• read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
• local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in sentry/nextjs@7.77.0

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

References

• Sentry Next.js tunneling feature
• The fix
• More Information

Credits

• Praveen Kumar

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-2rmr-xw8m-22q9
• https://github.com/getsentry/sentry-javascript/pull/9415
• https://github.com/getsentry/sentry-javascript/commit/ddbda3c02c35aba8c5235e0cf07fc5bf656f81be
• https://blog.sentry.io/next-js-sdk-security-advisory-cve-2023-46729/
• https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers
• https://www.npmjs.com/package/@​sentry/nextjs/v/7.77.0
• https://nvd.nist.gov/vuln/detail/CVE-2023-46729
• https://github.com/advisories/GHSA-2rmr-xw8m-22q9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

getsentry/sentry-javascript (@​sentry/nextjs)

v7.77.0

Compare Source

Security Fixes

• fix(nextjs): Match only numbers as orgid in tunnelRoute (#​9416) (CVE-2023-46729)
• fix(nextjs): Strictly validate tunnel target parameters (#​9415) (CVE-2023-46729)

Other Changes

• feat: Move LinkedErrors integration to @​sentry/core (#​9404)
• feat(remix): Update sentry-cli version to ^2.21.2 (#​9401)
• feat(replay): Allow to treeshake & configure compression worker URL (#​9409)
• fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#​9412)
• fix(feedback): Fixing feedback import (#​9403)
• fix(utils): Avoid keeping a reference of last used event (#​9387)

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	77.46 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped)	56.69 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	30.97 KB
@​sentry/browser - Webpack (gzipped)	21.29 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	67.83 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	29.09 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.23 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	216.89 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	88.28 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	63.28 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	31.8 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	77.84 KB
@​sentry/react - Webpack (gzipped)	21.34 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	94.18 KB
@​sentry/nextjs Client - Webpack (gzipped)	47.86 KB

v7.76.0

Compare Source

Important Changes

• feat(core): Add cron monitor wrapper helper (#​9395)

This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures:

import * as Sentry from '@​sentry/node';

// withMonitor() will send checkin when callback is started/finished
// works with async and sync callbacks.
const result = Sentry.withMonitor(
  'dailyEmail',
  () => {
    // withMonitor return value is same return value here
    return sendEmail();
  },
  // Optional upsert options
  {
    schedule: {
      type: 'crontab',
      value: '0 * * * *',
    },
    // 🇨🇦🫡
    timezone: 'Canada/Eastern',
  },
);

Other Changes

• chore(angular-ivy): Allow Angular 17 in peer dependencies (#​9386)
• feat(nextjs): Instrument SSR page components (#​9346)
• feat(nextjs): Trace errors in page component SSR (#​9388)
• fix(nextjs): Instrument route handlers with jsx and tsx file extensions (#​9362)
• fix(nextjs): Trace with performance disabled (#​9389)
• fix(replay): Ensure replay_id is not added to DSC if session expired (#​9359)
• fix(replay): Remove unused parts of pako from build (#​9369)
• fix(serverless): Don't mark all errors as unhandled (#​9368)
• fix(tracing-internal): Fix case when middleware contain array of routes with special chars as @​ (#​9375)
• meta(nextjs): Bump peer deps for Next.js 14 (#​9390)

Work in this release contributed by @​LubomirIgonda1. Thank you for your contribution!

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	77.44 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped)	66.48 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	30.94 KB
@​sentry/browser - Webpack (gzipped)	21.26 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	67.66 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	28.93 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.09 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	216.39 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	87.77 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	62.76 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	31.71 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	77.83 KB
@​sentry/react - Webpack (gzipped)	21.29 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	94.16 KB
@​sentry/nextjs Client - Webpack (gzipped)	47.83 KB

v7.75.1

Compare Source

• feat(browser): Allow collecting of pageload profiles (#​9317)
• fix(browser): Correct timestamp on pageload profiles (#​9350)
• fix(nextjs): Use webpack plugin release value to inject release (#​9348)

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	82.66 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped)	71.77 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	30.94 KB
@​sentry/browser - Webpack (gzipped)	21.26 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	73.03 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	28.93 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.09 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	233.81 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	87.77 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	62.76 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	31.71 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	83.05 KB
@​sentry/react - Webpack (gzipped)	21.29 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	99.43 KB
@​sentry/nextjs Client - Webpack (gzipped)	47.83 KB

v7.75.0

Compare Source

Important Changes

• feat(opentelemetry): Add new @sentry/opentelemetry package (#​9238)

This release publishes a new package, @sentry/opentelemetry. This is a runtime agnostic replacement for @sentry/opentelemetry-node and exports a couple of useful utilities which can be used to use Sentry together with OpenTelemetry.

You can read more about @​sentry/opentelemetry in the Readme.

• feat(replay): Allow to treeshake rrweb features (#​9274)

Starting with this release, you can configure the following build-time flags in order to reduce the SDK bundle size:

• __RRWEB_EXCLUDE_CANVAS__
• __RRWEB_EXCLUDE_IFRAME__
• __RRWEB_EXCLUDE_SHADOW_DOM__

You can read more about tree shaking in our docs.

Other Changes

• build(deno): Prepare Deno SDK for release on npm (#​9281)
• feat: Remove tslib (#​9299)
• feat(node): Add abnormal session support for ANR (#​9268)
• feat(node): Remove lru_map dependency (#​9300)
• feat(node): Vendor cookie module (#​9308)
• feat(replay): Share performance instrumentation with tracing (#​9296)
• feat(types): Add missing Profiling types (macho debug image, profile measurements, stack frame properties) (#​9277)
• feat(types): Add statsd envelope types (#​9304)
• fix(astro): Add integration default export to types entry point (#​9337)
• fix(astro): Convert SDK init file import paths to POSIX paths (#​9336)
• fix(astro): Make Replay and BrowserTracing integrations tree-shakeable (#​9287)
• fix(integrations): Fix transaction integration (#​9334)
• fix(nextjs): Restore autoInstrumentMiddleware functionality (#​9323)
• fix(nextjs): Guard for case where getInitialProps may return undefined (#​9342)
• fix(node-experimental): Make node-fetch support optional (#​9321)
• fix(node): Check buffer length when attempting to parse ANR frame (#​9314)
• fix(replay): Fix xhr start timestamps (#​9341)
• fix(tracing-internal): Remove query params from urls with a trailing slash (#​9328)
• fix(types): Remove typo with CheckInEnvelope (#​9303)

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	82.66 KB
@​sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped)	71.77 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	30.94 KB
@​sentry/browser - Webpack (gzipped)	21.26 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	73.03 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	28.93 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.09 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	233.81 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	87.77 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	62.76 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	31.71 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	83.05 KB
@​sentry/react - Webpack (gzipped)	21.29 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	99.43 KB
@​sentry/nextjs Client - Webpack (gzipped)	47.83 KB

v7.74.1

Compare Source

• chore(astro): Add astro-integration keyword (#​9265)
• fix(core): Narrow filters for health check transactions (#​9257)
• fix(nextjs): Fix HMR by inserting new entrypoints at the end (#​9267)
• fix(nextjs): Fix resolution of request async storage module (#​9259)
• fix(node-experimental): Guard against missing fetch (#​9275)
• fix(remix): Update defer injection logic. (#​9242)
• fix(tracing-internal): Parameterize express middleware parameters (#​8668)
• fix(utils): Move Node specific ANR impl. out of utils (#​9258)

Work in this release contributed by @​LubomirIgonda1. Thank you for your contribution!

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	83.98 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	31.57 KB
@​sentry/browser - Webpack (gzipped)	21.75 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	80.47 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	29.51 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.69 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	245.55 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	85.53 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	61.45 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	32.64 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	84.05 KB
@​sentry/react - Webpack (gzipped)	21.79 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	102.18 KB
@​sentry/nextjs Client - Webpack (gzipped)	49.65 KB

v7.74.0

Compare Source

Important Changes

• feat(astro): Add sentryAstro integration (#​9218)

This Release introduces the first alpha version of our new SDK for Astro.
At this time, the SDK is considered experimental and things might break and change in future versions.

The core of the SDK is an Astro integration which you easily add to your Astro config:

// astro.config.js
import { defineConfig } from "astro/config";
import sentry from "@​sentry/astro";

export default defineConfig({
  integrations: [
    sentry({
      dsn: "__DSN__",
      sourceMapsUploadOptions: {
        project: "astro",
        authToken: process.env.SENTRY_AUTH_TOKEN,
      },
    }),
  ],
});

Check out the README for usage instructions and what to expect from this alpha release.

Other Changes

• feat(core): Add addIntegration utility (#​9186)
• feat(core): Add continueTrace method (#​9164)
• feat(node-experimental): Add NodeFetch integration (#​9226)
• feat(node-experimental): Use native OTEL Spans (#​9161, #​9214)
• feat(node-experimental): Sample in OTEL Sampler (#​9203)
• feat(serverlesss): Allow disabling transaction traces (#​9154)
• feat(tracing): Allow direct pg module to enable esbuild support (#​9227)
• feat(utils): Move common node ANR code to utils (#​9191)
• feat(vue): Expose VueIntegration to initialize vue app later (#​9180)
• fix: Don't set referrerPolicy on serverside fetch transports (#​9200)
• fix: Ensure we never mutate options passed to init (#​9162)
• fix(ember): Avoid pulling in utils at build time (#​9221)
• fix(ember): Drop undefined config values (#​9175)
• fix(node): Ensure mysql integration works without callback (#​9222)
• fix(node): Only require inspector when needed (#​9149)
• fix(node): Remove ANR debug option and instead add logger.isEnabled() (#​9230)
• fix(node): Strip .mjs and .cjs extensions from module name (#​9231)
• fix(replay): bump rrweb to 2.0.1 (#​9240)
• fix(replay): Fix potential broken CSS in styled-components (#​9234)
• fix(sveltekit): Flush in server wrappers before exiting (#​9153)
• fix(types): Update signature of processEvent integration hook (#​9151)
• fix(utils): Dereference DOM events after they have servered their purpose (#​9224)
• ref(integrations): Refactor pluggable integrations to use processEvent (#​9021)
• ref(serverless): Properly deprecate rethrowAfterCapture option (#​9159)
• ref(utils): Deprecate walk method (#​9157)

Work in this release contributed by @​aldenquimby. Thank you for your contributions!

Bundle size 📦

Path	Size
@​sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)	84.27 KB
@​sentry/browser (incl. Tracing) - Webpack (gzipped)	31.43 KB
@​sentry/browser - Webpack (gzipped)	22.02 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)	78.79 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)	28.6 KB
@​sentry/browser - ES6 CDN Bundle (gzipped)	21.02 KB
@​sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)	254.51 KB
@​sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)	86.76 KB
@​sentry/browser - ES6 CDN Bundle (minified & uncompressed)	62.45 KB
@​sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)	31.48 KB
@​sentry/react (incl. Tracing, Replay) - Webpack (gzipped)	84.3 KB
@​sentry/react - Webpack (gzipped)	22.06 KB
@​sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)	102.21 KB
@​sentry/nextjs Client - Webpack (gzipped)	50.96 KB

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[github-actions]

Code review by ChatGPT

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/markdown-it@14.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	buffer@​6.0.3
	superjson@​1.13.3

View full report