@renovate renovate bot commented Jan 29, 2025

This PR contains the following updates:

Package Change Age Confidence
@sentry/node (source) 8.48.0 -> 8.49.0 age confidence

GitHub Vulnerability Alerts

GHSA-r5w7-f542-q2j4

Impact

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events.

The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS).

The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs that run in Node.js environments (@sentry/astro, @sentry/aws-serverless, @sentry/bun, @sentry/google-cloud-serverless, @sentry/nestjs, @sentry/nextjs, @sentry/nuxt, @sentry/remix, @sentry/solidstart, @sentry/sveltekit).

Patches

Users should upgrade to version 8.49.0 or higher.

Workarounds

To remediate this issue in affected versions without upgrading to version 8.49.0 and above, you can disable the ContextLines integration. See the docs for more details.

Sentry.init({
  // ...
  integrations: function (integrations) {
    // integrations will be all default integrations
    return integrations.filter(function (integration) {
      return integration.name !== "ContextLines";
    });
  },
});

If you disable the ContextLines integration, you will lose source context on your error events.

Release Notes

getsentry/sentry-javascript (@​sentry/node)

v8.49.0

  • feat(v8/browser): Flush offline queue on flush and browser online event (#​14969)
  • feat(v8/react): Add a handled prop to ErrorBoundary (#​14978)
  • fix(profiling/v8): Don't put require, __filename and __dirname on global object (#​14952)
  • fix(v8/node): Enforce that ContextLines integration does not leave open file handles (#​14997)
  • fix(v8/replay): Disable mousemove sampling in rrweb for iOS browsers (#​14944)
  • fix(v8/sveltekit): Ensure source maps deletion is called after source ma… (#​14963)
  • fix(v8/vue): Re-throw error when no errorHandler exists (#​14943)

Work in this release was contributed by @​HHK1 and @​mstrokin. Thank you for your contribution!

Bundle size 📦

Path Size
@​sentry/browser 23.29 KB
@​sentry/browser - with treeshaking flags 21.96 KB
@​sentry/browser (incl. Tracing) 35.85 KB
@​sentry/browser (incl. Tracing, Replay) 73.19 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags 63.58 KB
@​sentry/browser (incl. Tracing, Replay with Canvas) 77.5 KB
@​sentry/browser (incl. Tracing, Replay, Feedback) 89.44 KB
@​sentry/browser (incl. Feedback) 39.5 KB
@​sentry/browser (incl. sendFeedback) 27.89 KB
@​sentry/browser (incl. FeedbackAsync) 32.69 KB
@​sentry/react 25.97 KB
@​sentry/react (incl. Tracing) 38.67 KB
@​sentry/vue 27.57 KB
@​sentry/vue (incl. Tracing) 37.71 KB
@​sentry/svelte 23.45 KB
CDN Bundle 24.49 KB
CDN Bundle (incl. Tracing) 37.56 KB
CDN Bundle (incl. Tracing, Replay) 72.84 KB
CDN Bundle (incl. Tracing, Replay, Feedback) 78.2 KB
CDN Bundle - uncompressed 71.93 KB
CDN Bundle (incl. Tracing) - uncompressed 111.42 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed 225.68 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 238.78 KB
@​sentry/nextjs (client) 38.92 KB
@​sentry/sveltekit (client) 36.36 KB
@​sentry/node 162.82 KB
@​sentry/node - without tracing 98.95 KB
@​sentry/aws-serverless 126.65 KB

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
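
The failure mode described under Impact, as an added example that is not part of the Renovate comment and is not Sentry's code: a reader that stops after the lines it needs and closes only the readline interface leaves the underlying file stream, and its descriptor, open. The helper names (makeSampleFile, readFirstLines, countLeaked) and the sample file are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const readline = require('node:readline');

// Constructed sample input: a file much larger than one 64 KiB stream chunk,
// so a reader that stops early never reaches EOF (where auto-close would run).
function makeSampleFile() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ctxlines-'));
  const file = path.join(dir, 'sample.js');
  const rows = Array.from({ length: 20000 }, (_, i) => `const v${i} = ${i}; // filler`);
  fs.writeFileSync(file, rows.join('\n'));
  return file;
}

// Hypothetical helper: read lines 1..lastLine, then stop. rl.close() only
// pauses the input stream; without stream.destroy() the descriptor stays open.
function readFirstLines(file, lastLine, destroyStream) {
  return new Promise((resolve, reject) => {
    const stream = fs.createReadStream(file);
    const rl = readline.createInterface({ input: stream, crlfDelay: Infinity });
    const lines = [];
    stream.on('error', (err) => { reject(err); stream.destroy(); rl.close(); });
    rl.on('line', (line) => {
      if (lines.length >= lastLine) return; // ignore lines already buffered
      lines.push(line);
      if (lines.length === lastLine) rl.close();
    });
    rl.on('close', () => {
      if (destroyStream) stream.destroy(); // hardened path: release the fd now
      resolve({ lines, stream });
    });
  });
}

// Simulate `requests` events that each need source context from the same file
// and count how many streams are still holding a descriptor afterwards.
async function countLeaked(file, requests, destroyStream) {
  const results = [];
  for (let i = 0; i < requests; i++) {
    results.push(await readFirstLines(file, 5, destroyStream));
  }
  const leaked = results.filter((r) => !r.stream.destroyed).length;
  results.forEach((r) => r.stream.destroy()); // clean up after measuring
  return leaked;
}
```

With destroyStream set to false every simulated event leaves one stream open, so the count grows with event volume until the process hits its descriptor limit; with it set to true the count stays at zero.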

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 29, 2025
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 3 times, most recently from 4d6aff5 to a1f7211 Compare February 19, 2025 14:30
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 2 times, most recently from efcf3ae to 8249e34 Compare March 7, 2025 13:59
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 2 times, most recently from 7e9f67d to ac8548d Compare March 20, 2025 08:38
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 5 times, most recently from e3534d4 to 7ebd233 Compare April 15, 2025 12:50
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch from 7ebd233 to b64d551 Compare April 22, 2025 12:23
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 3 times, most recently from b4de279 to 816bf11 Compare May 6, 2025 08:04
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 2 times, most recently from e4eb0e7 to 8efa25b Compare May 23, 2025 13:39
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch from 8efa25b to 160b64b Compare May 26, 2025 15:47
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 4 times, most recently from 87a3607 to 1c2765e Compare June 13, 2025 09:44
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 5 times, most recently from 7d1ff42 to 80743d6 Compare June 25, 2025 17:10
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch from 80743d6 to 9041a40 Compare July 1, 2025 08:38
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 2 times, most recently from c25194b to 88c592c Compare July 7, 2025 09:22
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 4 times, most recently from 340c897 to d445a75 Compare July 15, 2025 13:38
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch 2 times, most recently from 90d1b31 to d61bab2 Compare July 17, 2025 11:53
@renovate renovate bot force-pushed the renovate/npm-sentry-node-vulnerability branch from d61bab2 to 8f7e6b5 Compare July 17, 2025 17:04