Bump nuxt from ^3.13.2 to ^3.21.1 in @sentry/nuxt devDependencies. This
pulls in @nuxt/devtools@3.1.1 which depends on diff@^8.0.2, replacing
the vulnerable diff@7.0.0 (DoS via parsePatch infinite loop).

Nuxt can only be upgraded to `3.17.7` because later versions are using
Vite v7 as dependency and this causes our Node 18 tests to fail.

---

Summary of Vite dependency chain:
`nuxt` -
[@nuxt/vite-builder](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/nuxt/package.json#L83)
->
[vite-node](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/vite/package.json#L66)
->
[vite](https://github.com/antfu-collective/vite-node/blob/48f3ec7044513349597045ac7053efd8c3db2ba4/package.json#L89)

And from Nuxt `3.20.1`, vite-node was bumped from [major 3 to
5](nuxt/nuxt#33674) which uses [vite
7](https://github.com/antfu-collective/vite-node/blob/2a2d77749c6f97117557c6a584abef15e1f7a46e/package.json#L56)

But also, Nuxt `3.17.7` is the last version which uses Vite 6:
https://github.com/nuxt/nuxt/blob/b56bc134455391f3ea43d29140162f0b04b615b0/packages/vite/package.json#L62

---

Fixes
https://github.com/getsentry/sentry-javascript/security/dependabot/958

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: s1gr1d <32902192+s1gr1d@users.noreply.github.com>

This caused issues in releases where the file got modified somewhere in
the lerna pipeline which then failed our prettier job.

#19296)

Enhances the AI integration guidelines with:

- Runtime-specific placement rules (Node.js, Cloudflare Workers, Browser
only SDKs should stay in their respective packages)
- Mandatory auto-detection requirement for all AI integrations
- E2E testing references for Cloudflare Workers and Browser runtimes
- Attribute restriction rule (only use attributes from
https://getsentry.github.io/sentry-conventions/attributes/gen_ai/)

Closes #19297 (added automatically)

…19308)

Unblocking CI.

Closes #19309 (added automatically)

Closes #15455
Closes #12450

…l option (#19280)

- Adds `sourcemaps.filesToDeleteAfterUpload` to the Next.js SDK's
SentryBuildOptions type, allowing users to specify custom glob patterns
for
source map deletion after upload.
- When set, this option overrides the default deletion patterns computed
by `deleteSourcemapsAfterUpload`, giving users fine-grained control —
including the ability to target server-side source maps if desired.
  
 closes #19235

…vents (#19316)

Calls to `Sentry.captureException()` inside a Next.js App Router route
handler, lead to unparameterized transaction names

- This happens because non-transaction events read their `transaction`
from the isolation scope's `transactionName`, which is set to the raw
URL by `httpServerIntegration`. On turbopack, the webpack wrapping
loader doesn't run, so `wrapRouteHandlerWithSentry` (which sets the
parameterized name on the current scope) is never called.
- The fix updates `handleOnSpanStart` to also set the parameterized
route on the isolation scope when hoisting the `next.route` attribute to
the root span. This ensures manually captured events get the
parameterized route regardless of bundler.
- Adds E2E tests for route handler errors (`throw`), `captureException`,
and `captureMessage` with parameterized routes in the `nextjs-16` test
app.

closes #19312

- Adds a new E2E test application (nextjs-16-bun) that runs Next.js 16
on Bun's runtime via `bun --bun next build/start`
- Update CI to pick up this test for the bun runtime

 Some limitations we ran into:

**1. Outgoing fetch trace propagation is broken**

`sentry-trace` and `baggage` headers are not attached to outgoing
fetch() requests. The OTel `nativeNodeFetchIntegration` does not
intercept Bun's native fetch implementation, so distributed tracing
across services does not work. The inbound request starts a new trace
instead of continuing the caller's trace.

**2. HTTP request headers not extracted as span attributes**

Inbound HTTP request headers (e.g. User-Agent, custom headers) are not
populated as http.request.header.* attributes on server spans. The OTel
HTTP instrumentation doesn't extract these when running on Bun.

Will create tickets for the findings.

ref
https://linear.app/getsentry/issue/FE-713/investigate-nextjsbun-setup

This PR migrates our formatting tool from `prettier` to `oxfmt` which is
part of the oxc toolchain and offers faster checking and format fixing
speeds while [maintaining the same
coverage](https://x.com/boshen_c/status/2018329440607203471).

I created a follow up PR in #19311 to unignore a few rules and fix the
associated snapshot tests affected by it.

### Benchmarks

Benchmark | Prettier | oxfmt | Speedup
-- | -- | -- | --
CI | 45s | 6.0s-7.0s | ~5x-7.5×
Local M3 Pro | 22s | 1.22s-1.98s | ~11×

---
closes #19223

[Gitflow] Merge master into develop

When using `captureUnderscoreErrorException` on an `_error` page, the
events were mostly dropped because it already existed from a
Sentry-wrapped data fetcher (like `getServerProps`). This resulted in
not sending the error to Sentry but still generating a new event ID
which was used as `lastEventId` (and thus was wrong).

Closes #19217
Also, check out this specific comment within the issue as it gives more
context:
#19217 (comment)

The wrapper is not needed, as it's just making the sure the types are
correct. We can just use the type.

For reference, this is the code for the wrapper:
https://github.com/nitrojs/nitro/blob/f663e76df6b25610432c915f19d3cf7c5c19f72e/src/runtime/internal/plugin.ts

Closes #19277

…19336)

This resolves a leak where `SentryNonRecordingSpan` are pilled up when
`tracingSampleRate` is set to `0`. Theoretically
`SentryNonRecordingSpan` are still treated as spans and added to the
`spans` list, but never removed

By moving `shouldCreateSpanResult` closer to the actual span logic, this
is now resolved.

Closes #19337 (added automatically)

Closes #19335

## Summary

- Add `metrics` to the `@sentry/core` re-export block in
`packages/deno/src/index.ts`
- The `metrics` namespace is already exported from `@sentry/core` and
re-exported by `@sentry/node`, but was missing from the Deno SDK

## Test plan

- [x] `yarn build:dev:filter @sentry/deno` passes
- [x] `cd packages/deno && yarn test` — all 12 tests pass
- [x] `eslint src/index.ts` — no lint issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Closes #19307 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Came across this while working on the same issue in Nuxt:
#19243

We should respect both the environment option from the `options` and
from the environment variable.

Related: #19238

…19291)

OTel's `PgInstrumentation` exposes an option to ignore
`pg(.pool).connect` spans.
This option was added recently in
open-telemetry/opentelemetry-js-contrib#3280. We
should allow users to configure our wrapping `postgresIntegration` with
the same option.

…h null/undefined array elements (#19346)

Added a guard against null/undefined elements in
isPromiseAllSettledResult which caused TypeError: Cannot convert
undefined or null to object when captureAllSettledReasons: true and the
Lambda handler returned an array containing nullish values.

closes #19344

## Summary
- Re-export `logger` and `consoleLoggingIntegration` from `@sentry/core`
in the Deno SDK
- Add integration test verifying `logger.info()` produces a log envelope
item with correct `level` and `body`

## Test plan
- [x] `yarn build:dev:filter @sentry/deno` — builds successfully
- [x] `cd packages/deno && yarn test` — all 13 tests pass
- [x] `eslint packages/deno/src/index.ts` — no lint errors

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Closes #19314 (added automatically)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

- Replace lerna with Nx for all monorepo task execution (`lerna run` →
`nx run-many`). Lerna was already using Nx under the hood, so this
removes the wrapper layer and uses Nx directly.
- Replace `lerna version` with a custom `scripts/bump-version.js` for
release version bumping. The script replicates `lerna version
--force-publish --exact --no-git-tag-version --no-push` – bumps all
workspace package versions and updates internal dependency references to
exact versions. Also added some unit tests.
- Remove lerna dependency (`lerna.json`, `lerna` devDependency) and add
`nx` as a direct devDependency (22.5.0).
- Move lockfile stability check to its own CI jo (`job_check_lockfile`)
that runs in parallel with the build.
- Configure Nx TUI to auto-exit so `yarn build` doesn't hang waiting for
ESC.
- Adds a `.version.json` as a single source of truth for the current
version (this works well with triggering gitflow)
- Update docs (`CLAUDE.md`, `CONTRIBUTING.md`, `.cursor/rules`) to
reflect the migration.

Closes #19340 (added automatically)

Closes #19362 (added automatically)

…iring pino >= 9.10 (#18631)

We discussed this in Bikeshedding, apm-js runtime hooks gets bundled in
frameworks still using CJS like Next.js, even if the user was not using
Pino integration at all. Attempts to tree-shake it failed as Next.js is
still using CJS.

We can drop support for older versions of Pino, given that `pino@9.10`
already exposes a tracing channel that we use, and that the injected
channel was a backup for `pino<9.10`

This will reduce bundle sizes and ensure frameworks incapable of esm
tree-shaking don't pick it up as a dependency.

I will remove `@apm-js-collab/tracing-hooks` as a dep from `node-core`
since nothing else uses it.

closes #18199

Adds `WebFetch` permissions for `docs.sentry.io` and
`develop.sentry.dev` to Claude Code settings, enabling Claude to fetch
documentation content directly from Sentry's official documentation
sites.

This follows the same pattern used in the sentry-cocoa repository.

Closes #18891 (added automatically)

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

…19330)

This PR adds `sentryGlobalRequestMiddleware` and
`sentryGlobalFunctionMiddleware` that capture unhandled errors from all
HTTP requests and server function invocations. Users add these as the
first entries in the `requestMiddleware` / `functionMiddleware` arrays
of `createStart()`. These internal middlewares get marked with a
`__SENTRY_INTERNAL__`, so that they can be easily skipped in the vite
plugin to exclude them from middleware auto-instrumentation. Originally
we wanted to do this in the server-entry-point, but since there haven't
been any updates on this front in months I propose this as an
alternative solution for now. This is probably slightly worse UX but in
my case better than having nothing in place.

We could also think about auto-injecting this during the build, but
maybe not worth the effort since this is a one-time setup step.

**Limitations**

Tanstack Start has three types of server-side errors that we care about.
With these middlewares we can capture 2 of these (route, function
exceptions). We cannot capture SSR exceptions like this, because the
exceptions are serialized at a deeper layer and newer thrown.

**Usage**

```
import { sentryGlobalFunctionMiddleware, sentryGlobalRequestMiddleware } from '@sentry/tanstackstart-react';
import { createStart } from '@tanstack/react-start';

export const startInstance = createStart(() => ({
  requestMiddleware: [sentryGlobalRequestMiddleware, ...otherMiddleware],
  functionMiddleware: [sentryGlobalFunctionMiddleware, ...otherMiddleware],
}));
```

**Tests**

- Updated E2E tests to verify server side function/route errors are
being captured
- Added an E2E test to document that SSR exceptions are NOT being
captured

Closes #18283

…hen `skipOpenTelemetrySetup` is enabled (#19333)

When users bring their own OpenTelemetry setup, we were still mutating
their OTel spans by setting `sentry.drop_transaction` as a span
attribute.

Added early returns in `dropNextjsRootContext()` and
`dropMiddlewareTunnelRequests()` to skip span mutation when
skipOpenTelemetrySetup is enabled

closes #19169

Builds on #19200 by:

- Removing the ignores that were affecting `*.hbs` and `*.html` files
- Fixed some malformed HTML in our tests

I initially thought it was some extra stuff done by oxfmt, but its just
we didn't have those file extensions in the extension list for the
format script. so, its the same output if prettier ran over those files.

closes #19223

closes #19215 
closes
[JS-1656](https://linear.app/getsentry/issue/JS-1656/support-astro-on-cloudflare-workers)

This allows to deploy Astro on CF Workers and instrument it with Sentry

The main issue was that within CF Workers everything needs to be wrapped
with `withSentry` from the `@sentry/cloudflare` SDK. With this PR the
config cannot be changed via code and it is for now only possible to
update the config on Cloudflare via [Environment
Variables](https://developers.cloudflare.com/workers/configuration/environment-variables/).

I couldn't come up with a nice solution to have the config and bundle it
with the entrypoint of `@astro/cloudflare`.

### Future ideas

However, in `@astro/cloudflare@13` the entry point is not [exporting a
function](https://github.com/withastro/astro/blob/%40astrojs/cloudflare%4012.6.12/packages/integrations/cloudflare/src/entrypoints/server.ts)
anymore, but a real module:
https://github.com/withastro/astro/blob/%40astrojs/cloudflare%4013.0.0-beta.6/packages/integrations/cloudflare/src/entrypoints/server.ts

With this we could possibly change the entrypoint entirely to a Sentry
entrypoint where `withSentry` is available as code.

### Merge checks

- [x] Create docs issue to update Astro on Cloudflare docs

- Adds a new local Claude Code skill at
`.claude/skills/triage-issue/SKILL.md`
- Invoked via `/triage-issue <issue-number-or-url> [--ci]` to triage
GitHub issues on getsentry/sentry-javascript
- Produces a structured report with classification, root cause analysis,
cross-repo search results, and actionable next steps
- Optional --ci flag outputs a Linear payload stub (to be wired up
later)

Closes #19357 (added automatically)

…19401)

1. **Removes file cleanup instructions** - The report markdown file no
longer needs to be deleted when running in CI, since the Docker
container shuts down automatically. This eliminates unnecessary cleanup
logic.

2. **Makes cross-repo searches conditional** - Cross-repo searches in
`sentry-javascript-bundler-plugins` and `sentry-docs` are now optional
and only performed when relevant to the issue:
- Bundler plugins: Only search when the issue involves build tools,
bundlers, source maps, or webpack/vite/rollup
- Docs: Only search when clarification is needed about documented
behavior

Closes #19402 (added automatically)

Adds some rules (not enabled by default) for fetching the develop docs
(in markdown format) in case they are needed.

I added the develop docs that contain mostly prose text and are not too
focused on the technical details (as this info can be retrieved from the
code itself).


Closes #19378 (added automatically)

Co-authored-by: Charly Gomez <charly.gomez@sentry.io>

Closes #19368 (added automatically)

The error tests for langchain v1 were commented out a while back, since
they started failing for some reason. I had another look and after
getting the attributes up to date they seem to work fine now, so I think
we can put them back in.

Closes #18835

Closes #19413 (added automatically)

…ert page (#19414)

Closes #19415 (added automatically)

Maybe we need a smarter clanker

Closes #19417 (added automatically)

Closes #19353

Co-Authored-By: John Dengis <jadengis@users.noreply.github.com>

Closes #19351 (added automatically)

…med URIs (#19400)

This PR wraps `decodeURI` in `node-stack-trace.ts` with a try/catch so
that malformed URIs (e.g. filenames containing `%` sequences that are
not valid percent-encoding) no longer throw a `URIError` and crash the
SDK. The raw filename is returned as a fallback. In addition, we only
call `getModule` if we successfully decode the filename, since in
`getModule` implementations, we also again attempt to decode filenames.

Since we don't have a concrete filename in #19391 which we can reproduce
this, this is rather a "best effort" fix. But I think it's worth having
this either way.

Closes #19391

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Bumps
[@actions/glob](https://github.com/actions/toolkit/tree/HEAD/packages/glob)
from 0.4.0 to 0.6.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/toolkit/blob/main/packages/glob/RELEASES.md"><code>@​actions/glob</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>0.6.1</h2>
<ul>
<li>Fix a bad import for <code>minimatch</code></li>
</ul>
<h2>0.6.0</h2>
<ul>
<li><strong>Breaking change</strong>: Package is now ESM-only
<ul>
<li>CommonJS consumers must use dynamic <code>import()</code> instead of
<code>require()</code></li>
</ul>
</li>
</ul>
<h2>0.5.1</h2>
<ul>
<li>Bump <code>@actions/core</code> to <code>2.0.3</code></li>
</ul>
<h2>0.5.0</h2>
<ul>
<li>Added <code>excludeHiddenFiles</code> option, which is disabled by
default to preserve existing behavior <a
href="https://redirect.github.com/actions/toolkit/pull/1791">#1791: Add
glob option to ignore hidden files</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/actions/toolkit/commits/HEAD/packages/glob">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for <code>@​actions/glob</code> since your
current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@actions/glob&package-manager=npm_and_yarn&previous-version=0.4.0&new-version=0.6.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps
[@types/ember__debug](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__debug)
from 3.16.5 to 4.0.8.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__debug">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/ember__debug&package-manager=npm_and_yarn&previous-version=3.16.5&new-version=4.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…sts/test-applications/cloudflare-hono (#19438)

Bumps [hono](https://github.com/honojs/hono) from 4.11.7 to 4.11.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/hono/releases">hono's
releases</a>.</em></p>
<blockquote>
<h2>v4.11.10</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: fixed to be more properly timing safe (Merge commit from fork
91def7ca)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.9...v4.11.10">https://github.com/honojs/hono/compare/v4.11.9...v4.11.10</a></p>
<h2>v4.11.9</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(url): ignore fragment identifiers in getPath() by <a
href="https://github.com/sano-suguru"><code>@​sano-suguru</code></a> in
<a
href="https://redirect.github.com/honojs/hono/pull/4627">honojs/hono#4627</a></li>
<li>fix: determine if rendered or not by <code>node.vC[0]</code> instead
of referring to <code>node.pP</code> by <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4663">honojs/hono#4663</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.8...v4.11.9">https://github.com/honojs/hono/compare/v4.11.8...v4.11.9</a></p>
<h2>v4.11.8</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(jsx): preserve context when using await before html helper by <a
href="https://github.com/kaigritun"><code>@​kaigritun</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li>
<li>fix(bearer-auth): make auth-scheme case-insensitive by <a
href="https://github.com/bytaesu"><code>@​bytaesu</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4659">honojs/hono#4659</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/kaigritun"><code>@​kaigritun</code></a>
made their first contribution in <a
href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.8">https://github.com/honojs/hono/compare/v4.11.7...v4.11.8</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/hono/commit/a40d210834adfa4f24cc42faaed5661cd025e6af"><code>a40d210</code></a>
4.11.10</li>
<li><a
href="https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e"><code>91def7c</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/8b179354c10f13eaca87a24507d909886c39f124"><code>8b17935</code></a>
test(types): add regression tests for <a
href="https://redirect.github.com/honojs/hono/issues/4388">#4388</a>
(routes before .use() with explic...</li>
<li><a
href="https://github.com/honojs/hono/commit/4a03f4f9cded9f0ed95aeefe7ed95e8a5170260b"><code>4a03f4f</code></a>
doc(jwt): mark <code>options.secret</code> as required in JSDoc (<a
href="https://redirect.github.com/honojs/hono/issues/4718">#4718</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/730055133f2579ee56d2d8327bf0040c310293ae"><code>7300551</code></a>
chore(ci): bump typescript-go to the latest (<a
href="https://redirect.github.com/honojs/hono/issues/4716">#4716</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/4b2978060888718351941140a7e8e028b2e9d69b"><code>4b29780</code></a>
chore: update Zod import examples to use namespace imports (<a
href="https://redirect.github.com/honojs/hono/issues/4715">#4715</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/69ad8857df4eeef1a02e628ab8f5b2b60e643f19"><code>69ad885</code></a>
4.11.9</li>
<li><a
href="https://github.com/honojs/hono/commit/3d536ff38d5c24ca584866a7f01cf5691b96e983"><code>3d536ff</code></a>
fix: determine if rendered or not by <code>node.vC[0]</code> instead of
referring to `no...</li>
<li><a
href="https://github.com/honojs/hono/commit/0c1d4c76cf6b2aace8bbef745d375c2cc176d99f"><code>0c1d4c7</code></a>
fix(url): ignore fragment identifiers in getPath() (<a
href="https://redirect.github.com/honojs/hono/issues/4627">#4627</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/5ca5c3e9764486b31ad7db4c0c19b2c926753ae3"><code>5ca5c3e</code></a>
4.11.8</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.11.7&new-version=4.11.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Adds a request -> response handler for accepting and forwarding Sentry envelope requests from a client SDK to Sentry. Only forwards requests to DSNs matching a list of allowed DSNs. This will be used as a base for more framework-specific handlers, middleware, etc to simplify tunneling setup.

Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.50.1 to 2.52.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@​sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p>
<p>Navigation callbacks (<code>beforeNavigate</code>,
<code>onNavigate</code>, and <code>afterNavigate</code>) now include
scroll position information via the <code>scroll</code> property on
<code>from</code> and <code>to</code> targets:</p>
<ul>
<li><code>from.scroll</code>: The scroll position at the moment
navigation was triggered</li>
<li><code>to.scroll</code>: In <code>beforeNavigate</code> and
<code>onNavigate</code>, this is populated for <code>popstate</code>
navigations (back/forward) with the scroll position that will be
restored, and <code>null</code> for other navigation types. In
<code>afterNavigate</code>, this is always the final scroll position
after navigation completed.</li>
</ul>
<p>This enables use cases like animating transitions based on the target
scroll position when using browser back/forward navigation.</p>
</li>
<li>
<p>feat: <code>hydratable</code>'s injected script now works with CSP
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: put preloads before styles (<a
href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p>
</li>
<li>
<p>fix: suppress false-positive inner content warning when children prop
is forwarded to a child component (<a
href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p>
</li>
<li>
<p>fix: <code>fetch</code> not working when URL is same host but
different than <code>paths.base</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p>
</li>
<li>
<p>fix: navigate to hash link when base element is present (<a
href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@​sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2>2.52.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: clear stale preflight issues on subsequent valid form
submissions (<a
href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p>
</li>
<li>
<p>chore: remove dependency on <code>sade</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p>
</li>
<li>
<p>fix: include <code>.txt</code> files in precompression (<a
href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p>
</li>
<li>
<p>fix: escape backticks and dollar signs when creating inlined css (<a
href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p>
</li>
<li>
<p>fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p>
</li>
</ul>
<h2>2.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2>2.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a>
chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a>
fix: clear stale preflight issues on subsequent valid form submissions
(<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a>
chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a>
fix: escape backticks and dollar signs before creating interpolated
string (#...</li>
<li><a
href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a>
fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a>
chore: remove dependency on sade (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@sveltejs/kit&package-manager=npm_and_yarn&previous-version=2.50.1&new-version=2.52.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [hono](https://github.com/honojs/hono) from 4.11.7 to 4.11.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/hono/releases">hono's
releases</a>.</em></p>
<blockquote>
<h2>v4.11.10</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: fixed to be more properly timing safe (Merge commit from fork
91def7ca)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.9...v4.11.10">https://github.com/honojs/hono/compare/v4.11.9...v4.11.10</a></p>
<h2>v4.11.9</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(url): ignore fragment identifiers in getPath() by <a
href="https://github.com/sano-suguru"><code>@​sano-suguru</code></a> in
<a
href="https://redirect.github.com/honojs/hono/pull/4627">honojs/hono#4627</a></li>
<li>fix: determine if rendered or not by <code>node.vC[0]</code> instead
of referring to <code>node.pP</code> by <a
href="https://github.com/usualoma"><code>@​usualoma</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4663">honojs/hono#4663</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.8...v4.11.9">https://github.com/honojs/hono/compare/v4.11.8...v4.11.9</a></p>
<h2>v4.11.8</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(jsx): preserve context when using await before html helper by <a
href="https://github.com/kaigritun"><code>@​kaigritun</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li>
<li>fix(bearer-auth): make auth-scheme case-insensitive by <a
href="https://github.com/bytaesu"><code>@​bytaesu</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4659">honojs/hono#4659</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/kaigritun"><code>@​kaigritun</code></a>
made their first contribution in <a
href="https://redirect.github.com/honojs/hono/pull/4662">honojs/hono#4662</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.8">https://github.com/honojs/hono/compare/v4.11.7...v4.11.8</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/hono/commit/a40d210834adfa4f24cc42faaed5661cd025e6af"><code>a40d210</code></a>
4.11.10</li>
<li><a
href="https://github.com/honojs/hono/commit/91def7cab654bad5eecc9270e6620d577971ff5e"><code>91def7c</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/8b179354c10f13eaca87a24507d909886c39f124"><code>8b17935</code></a>
test(types): add regression tests for <a
href="https://redirect.github.com/honojs/hono/issues/4388">#4388</a>
(routes before .use() with explic...</li>
<li><a
href="https://github.com/honojs/hono/commit/4a03f4f9cded9f0ed95aeefe7ed95e8a5170260b"><code>4a03f4f</code></a>
doc(jwt): mark <code>options.secret</code> as required in JSDoc (<a
href="https://redirect.github.com/honojs/hono/issues/4718">#4718</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/730055133f2579ee56d2d8327bf0040c310293ae"><code>7300551</code></a>
chore(ci): bump typescript-go to the latest (<a
href="https://redirect.github.com/honojs/hono/issues/4716">#4716</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/4b2978060888718351941140a7e8e028b2e9d69b"><code>4b29780</code></a>
chore: update Zod import examples to use namespace imports (<a
href="https://redirect.github.com/honojs/hono/issues/4715">#4715</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/69ad8857df4eeef1a02e628ab8f5b2b60e643f19"><code>69ad885</code></a>
4.11.9</li>
<li><a
href="https://github.com/honojs/hono/commit/3d536ff38d5c24ca584866a7f01cf5691b96e983"><code>3d536ff</code></a>
fix: determine if rendered or not by <code>node.vC[0]</code> instead of
referring to `no...</li>
<li><a
href="https://github.com/honojs/hono/commit/0c1d4c76cf6b2aace8bbef745d375c2cc176d99f"><code>0c1d4c7</code></a>
fix(url): ignore fragment identifiers in getPath() (<a
href="https://redirect.github.com/honojs/hono/issues/4627">#4627</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/5ca5c3e9764486b31ad7db4c0c19b2c926753ae3"><code>5ca5c3e</code></a>
4.11.8</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/hono/compare/v4.11.7...v4.11.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.11.7&new-version=4.11.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…kages/e2e-tests/test-applications/sveltekit-2-kit-tracing (#19446)

Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.49.5 to 2.52.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@​sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p>
<p>Navigation callbacks (<code>beforeNavigate</code>,
<code>onNavigate</code>, and <code>afterNavigate</code>) now include
scroll position information via the <code>scroll</code> property on
<code>from</code> and <code>to</code> targets:</p>
<ul>
<li><code>from.scroll</code>: The scroll position at the moment
navigation was triggered</li>
<li><code>to.scroll</code>: In <code>beforeNavigate</code> and
<code>onNavigate</code>, this is populated for <code>popstate</code>
navigations (back/forward) with the scroll position that will be
restored, and <code>null</code> for other navigation types. In
<code>afterNavigate</code>, this is always the final scroll position
after navigation completed.</li>
</ul>
<p>This enables use cases like animating transitions based on the target
scroll position when using browser back/forward navigation.</p>
</li>
<li>
<p>feat: <code>hydratable</code>'s injected script now works with CSP
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: put preloads before styles (<a
href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p>
</li>
<li>
<p>fix: suppress false-positive inner content warning when children prop
is forwarded to a child component (<a
href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p>
</li>
<li>
<p>fix: <code>fetch</code> not working when URL is same host but
different than <code>paths.base</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p>
</li>
<li>
<p>fix: navigate to hash link when base element is present (<a
href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@​sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2>2.52.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: clear stale preflight issues on subsequent valid form
submissions (<a
href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p>
</li>
<li>
<p>chore: remove dependency on <code>sade</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p>
</li>
<li>
<p>fix: include <code>.txt</code> files in precompression (<a
href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p>
</li>
<li>
<p>fix: escape backticks and dollar signs when creating inlined css (<a
href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p>
</li>
<li>
<p>fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p>
</li>
</ul>
<h2>2.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2>2.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a>
chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a>
fix: clear stale preflight issues on subsequent valid form submissions
(<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a>
chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a>
fix: escape backticks and dollar signs before creating interpolated
string (#...</li>
<li><a
href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a>
fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a>
chore: remove dependency on sade (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@sveltejs/kit&package-manager=npm_and_yarn&previous-version=2.49.5&new-version=2.52.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…kages/e2e-tests/test-applications/sveltekit-2 (#19441)

Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.49.5 to 2.52.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@​sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</p>
<p>Navigation callbacks (<code>beforeNavigate</code>,
<code>onNavigate</code>, and <code>afterNavigate</code>) now include
scroll position information via the <code>scroll</code> property on
<code>from</code> and <code>to</code> targets:</p>
<ul>
<li><code>from.scroll</code>: The scroll position at the moment
navigation was triggered</li>
<li><code>to.scroll</code>: In <code>beforeNavigate</code> and
<code>onNavigate</code>, this is populated for <code>popstate</code>
navigations (back/forward) with the scroll position that will be
restored, and <code>null</code> for other navigation types. In
<code>afterNavigate</code>, this is always the final scroll position
after navigation completed.</li>
</ul>
<p>This enables use cases like animating transitions based on the target
scroll position when using browser back/forward navigation.</p>
</li>
<li>
<p>feat: <code>hydratable</code>'s injected script now works with CSP
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15048">#15048</a>)</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: put preloads before styles (<a
href="https://redirect.github.com/sveltejs/kit/pull/15232">#15232</a>)</p>
</li>
<li>
<p>fix: suppress false-positive inner content warning when children prop
is forwarded to a child component (<a
href="https://redirect.github.com/sveltejs/kit/pull/15269">#15269</a>)</p>
</li>
<li>
<p>fix: <code>fetch</code> not working when URL is same host but
different than <code>paths.base</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15291">#15291</a>)</p>
</li>
<li>
<p>fix: navigate to hash link when base element is present (<a
href="https://redirect.github.com/sveltejs/kit/pull/15236">#15236</a>)</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@​sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.52.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: validate <code>form</code> file information to prevent
amplification attacks (<a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>)</p>
</li>
<li>
<p>chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15339">#15339</a>)</p>
</li>
<li>
<p>fix: parse file offset table more strictly (<a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>)</p>
</li>
</ul>
<h2>2.52.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: clear stale preflight issues on subsequent valid form
submissions (<a
href="https://redirect.github.com/sveltejs/kit/pull/15281">#15281</a>)</p>
</li>
<li>
<p>chore: remove dependency on <code>sade</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15272">#15272</a>)</p>
</li>
<li>
<p>fix: include <code>.txt</code> files in precompression (<a
href="https://redirect.github.com/sveltejs/kit/pull/15259">#15259</a>)</p>
</li>
<li>
<p>fix: escape backticks and dollar signs when creating inlined css (<a
href="https://redirect.github.com/sveltejs/kit/pull/15320">#15320</a>)</p>
</li>
<li>
<p>fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://redirect.github.com/sveltejs/kit/pull/15279">#15279</a>)</p>
</li>
</ul>
<h2>2.52.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: <code>match</code> function to map a path back to a route id
and params (<a
href="https://redirect.github.com/sveltejs/kit/pull/14997">#14997</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: respect scroll-margin when navigating to a url-supplied anchor
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15246">#15246</a>)</p>
</li>
<li>
<p>fix: <code>resolve</code> will narrow types to follow trailing slash
page settings (<a
href="https://redirect.github.com/sveltejs/kit/pull/15027">#15027</a>)</p>
</li>
</ul>
<h2>2.51.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>feat: add <code>scroll</code> property to
<code>NavigationTarget</code> in navigation callbacks (<a
href="https://redirect.github.com/sveltejs/kit/pull/15248">#15248</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sveltejs/kit/commit/9c4a73733441acaa2f166d023fcdb977a9d88cf6"><code>9c4a737</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15338">#15338</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"><code>3e607b3</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/62991c81db4f50ccfb08a9ac5e05ccba4ddab59e"><code>62991c8</code></a>
chore: upgrade <code>devalue</code> and <code>svelte</code> (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15339">#15339</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35"><code>f47c01b</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/sveltejs/kit/commit/6f69ded005c14db0c2e6a73843cc5e5cb15b684f"><code>6f69ded</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15321">#15321</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/e87efba90aeb04227e6a1a5e9017989e7f1c78dc"><code>e87efba</code></a>
fix: clear stale preflight issues on subsequent valid form submissions
(<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15281">#15281</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/4f367d5bf80935e99c9048e75d6f7e258730980f"><code>4f367d5</code></a>
chore: fix Node 18 CI by changing .remote.js import to .remote.ts (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15331">#15331</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/20dfadfbef312b4e750318aa871aebbfcb4396a4"><code>20dfadf</code></a>
fix: escape backticks and dollar signs before creating interpolated
string (#...</li>
<li><a
href="https://github.com/sveltejs/kit/commit/8c2384a346825d54eb4281f9da854388fb4d81b3"><code>8c2384a</code></a>
fix: increment <code>form.pending</code> count before preflight
validation (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15279">#15279</a>)</li>
<li><a
href="https://github.com/sveltejs/kit/commit/71ddbc7ff19a612cfcd483f3b7ba58586372528b"><code>71ddbc7</code></a>
chore: remove dependency on sade (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15272">#15272</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@sveltejs/kit&package-manager=npm_and_yarn&previous-version=2.49.5&new-version=2.52.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/getsentry/sentry-javascript/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Summary

- Bumps `@mapbox/node-pre-gyp` from `2.0.0` to `2.0.3` (transitive dep
via `@sentry/aws-serverless` → `@vercel/nft`)
- This resolves `tar` from `7.5.7` to `7.5.9`, patching
[GHSA-83g3-92jg-28cx](GHSA-83g3-92jg-28cx)
/ CVE-2026-26960
- No `package.json` changes — existing version ranges already permitted
the newer versions; only `yarn.lock` was updated

## Vulnerability

**CVE-2026-26960** (High, CVSS 7.1) — Arbitrary file read/write via
hardlink target escape through symlink chain in `tar.extract()`. An
attacker-controlled archive can create a hardlink inside the extraction
directory pointing to a file outside the extraction root using default
options.

**Affected:** `tar < 7.5.8` | **Patched:** `tar >= 7.5.8`

## Dependency chain

```
@sentry/aws-serverless
  → @vercel/nft
    → @mapbox/node-pre-gyp 2.0.0 → 2.0.3
      → tar 7.5.7 → 7.5.9
```

Fixes
https://github.com/getsentry/sentry-javascript/security/dependabot/1063

Made with [Cursor](https://cursor.com)

Co-authored-by: Cursor <cursoragent@cursor.com>

Closes #19424 (added automatically)

closes #19384
closes
[JS-1744](https://linear.app/getsentry/issue/JS-1744/cloudflare-instrument-async-kv-api)

With that we start to instrument DO objects starting with the Async KV
API.

Cloudflare is instrumenting these with underlines between:
`durable_object_storage_get`, without any more information to it.

In the future to make them a little more useful we could store the keys
as span attributes on it with `db.cloudflare.durable_object.storage.key`
or `db.cloudflare.durable_object.storage.keys`. First we have to add
them to our [semantic
conventions](https://getsentry.github.io/sentry-conventions/attributes/)
though

The Nuxt Modules page shows the readme as a documentation which can be
confusing as it does not contain all the details. This PR removes all
duplicated content that is also available in the docs and keeps the link
to the docs.

Nuxt Modules page: https://nuxt.com/modules/sentry

Closes #19403

…19410)

Adds
- **Language filter**: Reject non-English issues (detects accented
characters)
- **Injection detection**: Scan for malicious patterns with confidence
scoring

Closes #19411 (added automatically)

Improve the prompt to challenge the framing of the issue reporter and
consider misconfiguration etc.

Also fix some issues where the agent was trying to write where it was
not allowed in CI (e.g. writing to `tmp`). I added some general prompts
directly to the system prompt in the GitHub action (as it's only
relevant for CI).

Also allows `Bash(npm info *),Bash(npm ls *)` to get some general
package info.

Closes #19455 (added automatically)

bumps `fast-xml-parser` to `5.3.6` which resolves
https://github.com/getsentry/sentry-javascript/security/dependabot/1062
partially. The remaining case was usage of the dep in
`@langchain/anthropic@0.3.x` which we only use in node integration
tests. Given we intentionally test against 0.x, I dismissed the alert
due to this case.

h/t @chargome for the /fix-security-vulnerability skill 🙏 

Closes #19437 (added automatically)
Closes #19449

Co-authored-by: Cursor <cursoragent@cursor.com>