InReach
fix(app): update dependency @sentry/browser to v8.33.0 [security]
This PR contains the following updates:
Package | Type | Update | Change | OpenSSF |
---|---|---|---|---|
@sentry/browser (source) | dependencies | minor | 8.32.0 -> 8.33.0 | |
GitHub Vulnerability Alerts
GHSA-593m-55hh-j8gv
Impact
In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.
[!NOTE] This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.
Patches
The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version. Also, the fix was backported to SDK v7 in 7.119.1.
References
Sentry SDK Prototype Pollution gadget in JavaScript SDKs
Severity
- CVSS Score: 5.6 / 10 (Medium)
- Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
References
- https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-593m-55hh-j8gv
- https://github.com/getsentry/sentry-javascript/pull/13838
- https://github.com/getsentry/sentry-javascript/commit/35bdc87dee3498794e34c1ad35dd9927950c8766
- https://github.com/getsentry/sentry-javascript
- https://github.com/getsentry/sentry-javascript/releases/tag/7.119.1
- https://github.com/getsentry/sentry-javascript/releases/tag/8.33.0
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
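The advisory above describes the SDK as a possible gadget for an application's own prototype pollution bug, and the release notes record the fix as "fix(browser): Ensure wrap() only returns functions (#13838)". The following is an added illustration of that pattern, not Sentry's code: a wrapper that caches its result as a property on the original function, once naive and once hardened, with an assumed cache key and a constructed pollution of `Object.prototype` to show the difference.

```javascript
// Added illustration, not Sentry's code: a wrapper that caches its result as a
// property on the original function becomes a prototype pollution gadget when
// the cache lookup is trusted; the hardened form only ever returns functions.
const WRAPPED = '__example_wrapped__'; // assumed cache key for this example

// Naive wrapper: returns whatever the lookup yields, even a value inherited
// from a polluted Object.prototype.
function wrapNaive(fn) {
  if (fn[WRAPPED]) {
    return fn[WRAPPED]; // may be a string or object, not a function
  }
  const wrapped = function (...args) { return fn.apply(this, args); };
  fn[WRAPPED] = wrapped;
  return wrapped;
}

// Hardened wrapper: wraps only functions, consults only own properties, and
// hands back a cached value only when it really is a function.
function wrapHardened(fn) {
  if (typeof fn !== 'function') {
    return fn; // nothing to wrap
  }
  const own = Object.prototype.hasOwnProperty.call(fn, WRAPPED);
  if (own && typeof fn[WRAPPED] === 'function') {
    return fn[WRAPPED];
  }
  const wrapped = function (...args) { return fn.apply(this, args); };
  Object.defineProperty(fn, WRAPPED, {
    value: wrapped, enumerable: false, writable: true, configurable: true,
  });
  return wrapped;
}

// Simulates an application-level pollution bug (constructed for this demo)
// and reports what each wrapper returns for the same handler.
function demo() {
  const handler = () => 'ok';
  Object.prototype[WRAPPED] = 'polluted'; // the app's bug, not the SDK's
  try {
    return {
      naive: typeof wrapNaive(handler),       // 'string': gadget fires
      hardened: typeof wrapHardened(handler), // 'function'
      result: wrapHardened(handler)(),        // 'ok'
    };
  } finally {
    delete Object.prototype[WRAPPED]; // undo the simulated pollution
  }
}
```

The naive wrapper hands the polluted string back to its caller, which then fails at the first call site that expected a function; the hardened one is unaffected, but as the advisory says the pollution bug in the application is the thing to fix first.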
Release Notes
getsentry/sentry-javascript (@sentry/browser)
v8.33.0
Important Changes
- feat(nextjs): Support new async APIs (`headers()`, `params`, `searchParams`) (#13828)
  Adds support for new dynamic Next.js APIs.
- feat(node): Add `lru-memoizer` instrumentation (#13796)
  Adds integration for lru-memoizer using @opentelemetry/instrumentation-lru-memoizer.
- feat(nuxt): Add `unstable_sentryBundlerPluginOptions` to module options (#13811)
  Allows passing other options from the bundler plugins (vite and rollup) to Nuxt module options.
Other Changes
- fix(browser): Ensure `wrap()` only returns functions (#13838)
- fix(core): Adapt trpc middleware input attachment (#13831)
- fix(core): Don't return trace data in `getTraceData` and `getTraceMetaTags` if SDK is disabled (#13760)
- fix(nuxt): Don't restrict source map assets upload (#13800)
- fix(nuxt): Use absolute path for client config (#13798)
- fix(replay): Stop global event handling for paused replays (#13815)
- fix(sveltekit): add url param to source map upload options (#13812)
- fix(types): Add jsdocs to cron types (#13776)
- fix(nextjs): Loosen @sentry/nextjs webpack peer dependency (#13826)
Work in this release was contributed by @joshuajaco. Thank you for your contribution!
Bundle size 📦
Path | Size |
---|---|
@sentry/browser | 22.64 KB |
@sentry/browser - with treeshaking flags | 21.42 KB |
@sentry/browser (incl. Tracing) | 34.87 KB |
@sentry/browser (incl. Tracing, Replay) | 71.37 KB |
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 61.8 KB |
@sentry/browser (incl. Tracing, Replay with Canvas) | 75.72 KB |
@sentry/browser (incl. Tracing, Replay, Feedback) | 88.49 KB |
@sentry/browser (incl. Tracing, Replay, Feedback, metrics) | 90.37 KB |
@sentry/browser (incl. metrics) | 26.91 KB |
@sentry/browser (incl. Feedback) | 39.78 KB |
@sentry/browser (incl. sendFeedback) | 27.3 KB |
@sentry/browser (incl. FeedbackAsync) | 32.08 KB |
@sentry/react | 25.39 KB |
@sentry/react (incl. Tracing) | 37.85 KB |
@sentry/vue | 26.8 KB |
@sentry/vue (incl. Tracing) | 36.76 KB |
@sentry/svelte | 22.77 KB |
CDN Bundle | 23.95 KB |
CDN Bundle (incl. Tracing) | 36.64 KB |
CDN Bundle (incl. Tracing, Replay) | 71.14 KB |
CDN Bundle (incl. Tracing, Replay, Feedback) | 76.45 KB |
CDN Bundle - uncompressed | 70.17 KB |
CDN Bundle (incl. Tracing) - uncompressed | 108.63 KB |
CDN Bundle (incl. Tracing, Replay) - uncompressed | 220.53 KB |
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 233.74 KB |
@sentry/nextjs (client) | 37.81 KB |
@sentry/sveltekit (client) | 35.44 KB |
@sentry/node | 125.13 KB |
@sentry/node - without tracing | 93.58 KB |
@sentry/aws-serverless | 103.28 KB |
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.