getsentry · nicohrubec · May 7, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
diff --git a/.agents/skills/fix-security-vulnerability/SKILL.md b/.agents/skills/fix-security-vulnerability/SKILL.md
@@ -92,7 +92,7 @@ git pull origin develop
 git checkout -b fix/dependabot-alert-<alert-number>
 ```
 
-Then apply the fix commands from Step 5 of the single-alert workflow (edit `package.json`, `yarn install`, `yarn dedupe-deps:fix`, verify) — but **skip the "Do NOT commit" instruction**, since user approval was already obtained in Step 2b. After applying:
+Then apply the fix commands from Step 5 of the single-alert workflow (`npx yarn-update-dependency@latest <package>`, `yarn dedupe-deps:fix`, verify) — but **skip the "Do NOT commit" instruction**, since user approval was already obtained in Step 2b. After applying:
 
 ```bash
 # 3. Stage and commit the changes
@@ -263,8 +263,8 @@ Present findings and **wait for user approval** before making changes:
 <One of: Safe to bump / Version-specific test - do not bump / Bump parent package>
 
 ### Proposed Fix
-1. Update <file>: "<package>": "<new-version>"
-2. yarn install && yarn dedupe-deps:fix
+1. npx yarn-update-dependency@latest <package>
+2. yarn dedupe-deps:fix
 3. Verify with: yarn why <package>
 
 Proceed?
@@ -273,15 +273,14 @@ Proceed?
 ### Step 5: Apply Fix (After Approval)
 
 ```bash
-# 1. Edit package.json
-# 2. Update lockfile
-yarn install
-# 3. Deduplicate
+# 1. Upgrade the package (updates package.json + lockfile)
+npx yarn-update-dependency@latest <package>
+# 2. Deduplicate
 yarn dedupe-deps:fix
-# 4. Verify
+# 3. Verify
 yarn dedupe-deps:check
 yarn why <package>
-# 5. Show changes
+# 4. Show changes
 git diff
 ```
 
@@ -325,6 +324,7 @@ gh api --method PATCH repos/getsentry/sentry-javascript/dependabot/alerts/<numbe
 
 | Command                                                                                                      | Purpose                      |
 | ------------------------------------------------------------------------------------------------------------ | ---------------------------- |
+| `npx yarn-update-dependency@latest <pkg>`                                                                    | Upgrade package across repo  |
 | `yarn why <pkg>`                                                                                             | Show dependency tree         |
 | `yarn dedupe-deps:fix`                                                                                       | Fix duplicates in yarn.lock  |
 | `yarn dedupe-deps:check`                                                                                     | Verify no duplicate issues   |

diff --git a/.agents/skills/write-tests/SKILL.md b/.agents/skills/write-tests/SKILL.md
@@ -22,7 +22,17 @@ Follow these steps in order before writing any test code.
 1. **Decide the framework.** Testing a function's return value, side effects, or module interactions
    → Vitest (lives under `packages/<name>/test/`). Testing that a real HTTP request to a running app
    produces the correct Sentry envelope → Playwright (lives under
-   `dev-packages/e2e-tests/test-applications/<app>/tests/`).
+   `dev-packages/e2e-tests/test-applications/<app>/tests/`). Testing Node SDK instrumentation
+   against real envelope output → node-integration-tests (lives under
+   `dev-packages/node-integration-tests/suites/`).
+
+   **Parameterization differs by framework — pick the right one:**
+
+   | Framework              | How to parameterize                                           |
+   | ---------------------- | ------------------------------------------------------------- |
+   | Vitest                 | `it.each` / `it.for` (runner-integrated, one test each)       |
+   | Playwright E2E         | `.forEach()` outside `test()` (registers separate tests)      |
+   | Node integration tests | Loops **inside** a single `test()` body (one Node.js process) |
 
 2. **Read 2–3 existing test files** in the target `test/` directory. Specifically note:
    - Which `vi.mock` style they use (string path or import form)
@@ -299,6 +309,64 @@ describe('patchRoute', () => {
 
 ---
 
+## Writing node-integration-tests
+
+Node integration tests (`dev-packages/node-integration-tests/`) use `createEsmAndCjsTests` to
+run a real Node scenario file and assert on captured Sentry envelopes.
+
+### Minimize `test()` calls — each one spawns a separate Node process
+
+**This is the opposite of the Playwright rule.** In Playwright, each `test()` is cheap — use
+`.forEach()` to register many tests. In node-integration-tests, each `test()` forks a fresh Node
+process with full startup cost. A `describe.each` matrix that looks reasonable in a unit test
+context balloons into dozens of cold starts and slows CI by a large factor.
+
+**Rule: loop inside the test body, not around `test()` calls.**
+
+```typescript
+// Bad: 2 routes × 5 methods = 10 separate Node processes
+createEsmAndCjsTests(__dirname, 'scenario.mjs', 'instrument.mjs', (createRunner, test) => {
+  describe.each(['/sync', '/async'])('when using %s route', route => {
+    describe.each(['get', 'post', 'put', 'delete', 'patch'])('when using %s method', method => {
+      test('handles transaction', async () => {
+        // ...
+      });
+    });
+  });
+});
+```
+
+```typescript
+// Good: one Node process, all combinations asserted in a single test run
+createEsmAndCjsTests(__dirname, 'scenario.mjs', 'instrument.mjs', (createRunner, test) => {
+  test('handles transactions for all route/method/path combinations', async () => {
+    const runner = createRunner();
+    const requests: Array<{ method: string; url: string }> = [];
+
+    for (const route of ['/sync', '/async']) {
+      for (const method of ['get', 'post', 'put', 'delete', 'patch']) {
+        const fullPath = `${route}${path}`;
+        runner.expect({
+          transaction: { transaction: `${method.toUpperCase()} ${fullPath}` },
+        });
+        requests.push({ method, url: fullPath });
+      }
+    }
+
+    const started = runner.start();
+    for (const req of requests) {
+      await started.makeRequest(req.method, req.url);
+    }
+    await started.completed();
+  }, 60_000);
+});
+```
+
+If a subset of cases has meaningfully different expectations (e.g., error vs. success), split
+into two tests — not thirty.
+
+---
+
 ## Writing Playwright E2E tests
 
 ### When to write E2E tests
@@ -366,17 +434,35 @@ expect(mechanism?.type).toBe('auto.http.hono.context_error');
 
 ### Parameterized E2E tests
 
-For Playwright tests (unlike Vitest), `for...of` loops are the established codebase convention.
-Use `for...of` (not `.forEach()`) so Playwright's test registration works correctly:
+For Playwright tests (unlike Vitest), use standard JS `.forEach()` as this is recommended by Playwright,
+**not** `it.each` or `it.for`, which are Vitest-only APIs. The `.forEach()` runs at discovery time, registering
+each case as its own independent test. All cases then run separately at execution time.
 
 ```typescript
-for (const { name, prefix } of SCENARIOS) {
-  test.describe(name, () => {
-    test('captures named middleware span', async ({ baseURL }) => {
-      // ...
-    });
+[
+  { a: 1, b: 1, expected: 2 },
+  { a: 1, b: 2, expected: 3 },
+  { a: 2, b: 1, expected: 3 },
+].forEach(({ a, b, expected }) => {
+  test(`given ${a} and ${b} as arguments, returns ${expected}`, ({ page }) => {
+    expect(a + b).toEqual(expected);
   });
-}
+});
+```
+
+**Don't put the loop inside a single test.** That collapses all cases into one test body — a
+failure in one iteration aborts the rest, and the runner reports a single failure with no
+per-case visibility:
+
+```typescript
+// Bad: all routes tested in one test — a failure on /users skips /posts entirely
+test('captures transactions for all routes', async ({ baseURL }) => {
+  for (const route of ['/users', '/posts', '/comments']) {
+    const txn = await waitForTransaction(APP_NAME, e => e.transaction === `GET ${route}`);
+    await fetch(`${baseURL}${route}`);
+    expect(txn.contexts?.trace?.op).toBe('http.server');
+  }
+});
 ```
 
 ### Common pitfalls

diff --git a/.github/FLAKY_CI_FAILURE_TEMPLATE.md b/.github/FLAKY_CI_FAILURE_TEMPLATE.md
@@ -1,6 +1,6 @@
 ---
 title: '[Flaky CI]: {{ env.JOB_NAME }} - {{ env.TEST_NAME }}'
-labels: Tests
+labels: Tests, Bug
 ---
 
 ### Flakiness Type

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Get auth token
         id: token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
@@ -51,7 +51,7 @@ jobs:
           node-version-file: 'package.json'
 
       - name: Prepare release
-        uses: getsentry/craft@013a7b2113c2cac0ff32d5180cfeaefc7c9ce5b6 # v2.24.1
+        uses: getsentry/craft@3dc647fee3586e57c7c31eb900fdec7cbb44f23f # v2.26.2
         if:
           github.event.pull_request.merged == true && steps.version-regex.outputs.match != '' &&
           steps.get_version.outputs.version != ''

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -274,7 +274,7 @@ jobs:
       pull-requests: write
     steps:
       - name: PR is opened against master
-        uses: mshick/add-pr-comment@e7516d74559b5514092f5b096ed29a629a1237c6
+        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0
         if: ${{ github.base_ref == 'master' && !startsWith(github.head_ref, 'prepare-release/') }}
         with:
           message: |
@@ -533,7 +533,7 @@ jobs:
         with:
           node-version-file: 'package.json'
       - name: Set up Deno
-        uses: denoland/setup-deno@v2.0.3
+        uses: denoland/setup-deno@v2.0.4
         with:
           deno-version: v2.1.5
       - name: Restore caches
@@ -1057,7 +1057,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Deno
         if: matrix.test-application == 'deno' || matrix.test-application == 'deno-streamed'
-        uses: denoland/setup-deno@v2.0.3
+        uses: denoland/setup-deno@v2.0.4
         with:
           deno-version: v2.1.5
       - name: Restore caches

diff --git a/.github/workflows/bump-size-limits.yml b/.github/workflows/bump-size-limits.yml
@@ -29,7 +29,7 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ vars.GITFLOW_APP_ID }}
           private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }}

diff --git a/.github/workflows/external-contributors.yml b/.github/workflows/external-contributors.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ vars.GITFLOW_APP_ID }}
           private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }}

diff --git a/.github/workflows/gitflow-sync-develop.yml b/.github/workflows/gitflow-sync-develop.yml
@@ -27,7 +27,7 @@ jobs:
 
       - name: Generate GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         with:
           app-id: ${{ vars.GITFLOW_APP_ID }}
           private-key: ${{ secrets.GITFLOW_APP_PRIVATE_KEY }}

diff --git a/.github/workflows/pr-review-reminder.yml b/.github/workflows/pr-review-reminder.yml
@@ -7,14 +7,12 @@ on:
     # Saturday/Sunday are never counted as business days.
     - cron: '0 10 * * 1-5'
 
-# pulls.* list + listRequestedReviewers → pull-requests: read
-# issues timeline + comments + createComment → issues: write
+# pulls.* list + listRequestedReviewers + createComment on PRs → pull-requests: write
 # repos.listCollaborators (outside) → Metadata read on the token (see GitHub App permission map)
 # checkout → contents: read
 permissions:
   contents: read
-  issues: write
-  pull-requests: read
+  pull-requests: write
 
 concurrency:
   group: ${{ github.workflow }}
@@ -27,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Remind pending reviewers
         uses: actions/github-script@v7

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - name: Get auth token
         id: token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
           private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
@@ -36,7 +36,7 @@ jobs:
         with:
           node-version-file: 'package.json'
       - name: Prepare release
-        uses: getsentry/craft@013a7b2113c2cac0ff32d5180cfeaefc7c9ce5b6 # v2.24.1
+        uses: getsentry/craft@3dc647fee3586e57c7c31eb900fdec7cbb44f23f # v2.26.2
         env:
           GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:

diff --git a/.oxlintrc.base.json b/.oxlintrc.base.json
@@ -131,13 +131,17 @@
       }
     },
     {
-      "files": [
-        "**/scenarios/**",
-        "**/rollup-utils/**",
-        "**/bundle-analyzer-scenarios/**",
-        "**/bundle-analyzer-scenarios/*.cjs",
-        "**/bundle-analyzer-scenarios/*.js"
-      ],
+      "files": ["**/integrations/tracing/redis/vendored/**/*.ts"],
+      "rules": {
+        "typescript/no-explicit-any": "off",
+        "typescript/no-unsafe-member-access": "off",
+        "typescript/no-this-alias": "off",
+        "max-lines": "off",
+        "no-bitwise": "off"
+      }
+    },
+    {
+      "files": ["**/scenarios/**", "**/rollup-utils/**"],
       "rules": {
         "no-console": "off"
       }