[Snyk] Upgrade: , commander, pino, prom-client #12

Open: wants to merge 1 commit into base celestia-develop

Conversation

@OKEAMAH OKEAMAH (Member) commented Sep 17, 2024

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Name: @sentry/node
  Versions: from 7.119.0 to 8.27.0 (50 versions ahead of your current version)
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: 2024-08-27 (21 days ago)

Name: commander
  Versions: from 11.1.0 to 12.1.0 (4 versions ahead of your current version)
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: 2024-05-18 (4 months ago)

Name: pino
  Versions: from 8.21.0 to 9.3.2 (6 versions ahead of your current version)
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: 2024-07-25 (2 months ago)

Name: prom-client
  Versions: from 14.2.0 to 15.1.3 (7 versions ahead of your current version)
  ⚠️ This is a major version upgrade, and may be a breaking change
  Released on: 2024-06-27 (3 months ago)

Release notes
Package name: @sentry/node
  • 8.27.0 - 2024-08-27

    Important Changes

    • fix(nestjs): Exception filters in main app module are not being executed (#13278)

      With this release nestjs error monitoring is no longer automatically set up after adding the SentryModule to your
      application, which led to issues in certain scenarios. You will now have to either add the SentryGlobalFilter to
      your main module providers or decorate the catch() method in your existing global exception filters with the newly
      released @WithSentry() decorator. See the docs for more details.

    Other Changes

    • feat: Add options for passing nonces to feedback integration (#13347)
    • feat: Add support for SENTRY_SPOTLIGHT env var in Node (#13325)
    • feat(deps): bump @prisma/instrumentation from 5.17.0 to 5.18.0 (#13327)
    • feat(feedback): Improve error message for 403 errors (#13441)
    • fix(deno): Don't rely on Deno.permissions.querySync (#13378)
    • fix(replay): Ensure we publish replay CDN bundles (#13437)

    Work in this release was contributed by @charpeni. Thank you for your contribution!

  • 8.26.0 - 2024-08-14

    Important Changes

    • feat(node): Add fsInstrumentation (#13291)

      This release adds fsIntegration, an integration that instruments the fs API to the Sentry Node SDK. The
      integration creates spans with naming patterns of fs.readFile, fs.unlink, and so on.

      This integration is not enabled by default and needs to be registered in your Sentry.init call. You can configure
      via options whether to include path arguments or error messages as span attributes when an fs call fails:

      Sentry.init({
        integrations: [
          Sentry.fsIntegration({
            recordFilePaths: true,
            recordErrorMessagesAsSpanAttributes: true,
          }),
        ],
      });

      WARNING: This integration may add significant overhead to your application. Especially in scenarios with a lot of
      file I/O, like for example when running a framework dev server, including this integration can massively slow down
      your application.

    Other Changes

    • feat(browser): Add spotlightBrowser integration (#13263)

    • feat(browser): Allow sentry in safari extension background page (#13209)

    • feat(browser): Send CLS as standalone span (experimental) (#13056)

    • feat(core): Add OpenTelemetry-specific getTraceData implementation (#13281)

    • feat(nextjs): Always add browserTracingIntegration (#13324)

    • feat(nextjs): Always transmit trace data to the client (#13337)

    • feat(nextjs): export SentryBuildOptions (#13296)

    • feat(nextjs): Update experimental_captureRequestError to reflect RequestInfo.path change in Next.js canary
      (#13344)

    • feat(nuxt): Always add tracing meta tags (#13273)

    • feat(nuxt): Set transaction name for server error (#13292)

    • feat(replay): Add a replay-specific logger (#13256)

    • feat(sveltekit): Add bundle size optimizations to plugin options (#13318)

    • feat(sveltekit): Always add browserTracingIntegration (#13322)

    • feat(tracing): Make long animation frames opt-out (#13255)

    • fix(astro): Correctly extract request data (#13315)

    • fix(astro): Only track access request headers in dynamic page requests (#13306)

    • fix(nuxt): Add import line for disabled autoImport (#13342)

    • fix(nuxt): Add vue to excludeEsmLoaderHooks array (#13346)

    • fix(opentelemetry): Do not overwrite http span name if kind is internal (#13282)

    • fix(remix): Ensure origin is correctly set for remix server spans (#13305)

    Work in this release was contributed by @MonstraG, @undead-voron and @Zen-cronic. Thank you for your contributions!

  • 8.25.0 - 2024-08-09

    Important Changes

    • Alpha release of Official Solid Start SDK

    This release contains the alpha version of @sentry/solidstart, our SDK for Solid Start!
    For details on how to use it, please see the README. Any feedback/bug reports are
    greatly appreciated, please reach out on GitHub.

    Other Changes

    • feat(astro): Add bundleSizeOptimizations vite options to integration (#13250)
    • feat(astro): Always add BrowserTracing (#13244)
    • feat(core): Add getTraceMetaTags function (#13201)
    • feat(nestjs): Automatic instrumentation of nestjs exception filters (#13230)
    • feat(node): Add useOperationNameForRootSpan to graphqlIntegration (#13248)
    • feat(sveltekit): Add wrapServerRouteWithSentry wrapper (#13247)
    • fix(aws-serverless): Extract sentry trace data from handler context over event (#13266)
    • fix(browser): Initialize default integration if defaultIntegrations: undefined (#13261)
    • fix(utils): Streamline IP capturing on incoming requests (#13272)
  • 8.24.0 - 2024-08-06
    • feat(nestjs): Filter RPC exceptions (#13227)
    • fix: Guard getReader function for other fetch implementations (#13246)
    • fix(feedback): Ensure feedback can be lazy loaded in CDN bundles (#13241)
  • 8.23.0 - 2024-08-05

    Important Changes

    • feat(cloudflare): Add Cloudflare D1 instrumentation (#13142)

    This release includes support for Cloudflare D1, Cloudflare's serverless SQL database. To instrument your Cloudflare D1
    database, use the instrumentD1WithSentry method as follows:

    // env.DB is the D1 DB binding configured in your `wrangler.toml`
    const db = instrumentD1WithSentry(env.DB);
    // Now you can use the database as usual
    await db.prepare('SELECT * FROM table WHERE id = ?').bind(1).run();

    Other Changes

    • feat(cloudflare): Allow users to pass handler to sentryPagesPlugin (#13192)
    • feat(cloudflare): Instrument scheduled handler (#13114)
    • feat(core): Add getTraceData function (#13134)
    • feat(nestjs): Automatic instrumentation of nestjs interceptors before route execution (#13153)
    • feat(nestjs): Automatic instrumentation of nestjs pipes (#13137)
    • feat(nuxt): Filter out Nuxt build assets (#13148)
    • feat(profiling): Attach sdk info to chunks (#13145)
    • feat(solidstart): Add sentry onBeforeResponse middleware to enable distributed tracing (#13221)
    • feat(solidstart): Filter out low quality transactions for build assets (#13222)
    • fix(browser): Avoid showing browser extension error message in non-window global scopes (#13156)
    • fix(feedback): Call dialog.close() in dialog close callbacks in _loadAndRenderDialog (#13203)
    • fix(nestjs): Inline Observable type to resolve missing 'rxjs' dependency (#13166)
    • fix(nuxt): Detect pageload by adding flag in Vue router (#13171)
    • fix(utils): Handle when requests get aborted in fetch instrumentation (#13202)
    • ref(browser): Improve browserMetrics collection (#13062)

    Work in this release was contributed by @horochx. Thank you for your contribution!

  • 8.22.0 - 2024-08-01

    Important Changes

    • feat(cloudflare): Add plugin for cloudflare pages (#13123)

    This release adds support for Cloudflare Pages to @sentry/cloudflare, our SDK for the
    Cloudflare Workers JavaScript Runtime! For details on how to use it,
    please see the README. Any feedback/bug reports are greatly appreciated, please
    reach out on GitHub.

    // functions/_middleware.js
    import * as Sentry from '@sentry/cloudflare';

    export const onRequest = Sentry.sentryPagesPlugin({
      dsn: PUBLIC_DSN,
      // Set tracesSampleRate to 1.0 to capture 100% of spans for tracing.
      tracesSampleRate: 1.0,
    });

    Other Changes

    • feat(meta-sdks): Remove runtime tags (#13105)
    • feat(nestjs): Automatic instrumentation of nestjs guards (#13129)
    • feat(nestjs): Filter all HttpExceptions (#13120)
    • feat(replay): Capture exception when internal_sdk_error client report happens (#13072)
    • fix: Use globalThis for code injection (#13132)

    Bundle size 📦

    Path                                                                    Size
    @sentry/browser                                                         22.45 KB
    @sentry/browser (incl. Tracing)                                         34.22 KB
    @sentry/browser (incl. Tracing, Replay)                                 70.28 KB
    @sentry/browser (incl. Tracing, Replay) - with treeshaking flags        63.62 KB
    @sentry/browser (incl. Tracing, Replay with Canvas)                     74.68 KB
    @sentry/browser (incl. Tracing, Replay, Feedback)                       87.26 KB
    @sentry/browser (incl. Tracing, Replay, Feedback, metrics)              89.11 KB
    @sentry/browser (incl. metrics)                                         26.75 KB
    @sentry/browser (incl. Feedback)                                        39.37 KB
    @sentry/browser (incl. sendFeedback)                                    27.06 KB
    @sentry/browser (incl. FeedbackAsync)                                   31.7 KB
    @sentry/react                                                           25.22 KB
    @sentry/react (incl. Tracing)                                           37.22 KB
    @sentry/vue                                                             26.6 KB
    @sentry/vue (incl. Tracing)                                             36.06 KB
    @sentry/svelte                                                          22.58 KB
    CDN Bundle                                                              23.64 KB
    CDN Bundle (incl. Tracing)                                              35.88 KB
    CDN Bundle (incl. Tracing, Replay)                                      70.31 KB
    CDN Bundle (incl. Tracing, Replay, Feedback)                            75.57 KB
    CDN Bundle - uncompressed                                               69.37 KB
    CDN Bundle (incl. Tracing) - uncompressed                               106.31 KB
    CDN Bundle (incl. Tracing, Replay) - uncompressed                       218.16 KB
    CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed             230.99 KB
    @sentry/nextjs (client)                                                 37.07 KB
    @sentry/sveltekit (client)                                              34.79 KB
    @sentry/node                                                            114.65 KB
    @sentry/node - without tracing                                          89.33 KB
    @sentry/aws-serverless                                                  98.5 KB
  • 8.21.0 - 2024-07-31
  • 8.20.0 - 2024-07-24
  • 8.19.0 - 2024-07-19
  • 8.18.0 - 2024-07-16
  • 8.17.0 - 2024-07-10
  • 8.16.0 - 2024-07-09
  • 8.15.0 - 2024-07-05
  • 8.14.0 - 2024-07-04
  • 8.13.0 - 2024-06-27
  • 8.12.0 - 2024-06-25
  • 8.12.0-beta.0 - 2024-06-24
  • 8.11.0 - 2024-06-21
  • 8.10.0 - 2024-06-19
  • 8.9.2 - 2024-06-12
  • 8.9.1 - 2024-06-11
  • 8.9.0 - 2024-06-11
  • 8.8.0 - 2024-06-07
  • 8.7.0 - 2024-05-29
  • 8.6.0 - 2024-05-29
  • 8.5.0 - 2024-05-27
  • 8.4.0 - 2024-05-23
  • 8.3.0 - 2024-05-22
  • 8.2.1 - 2024-05-16
  • 8.2.0 - 2024-05-16
  • 8.1.0 - 2024-05-16
  • 8.0.0 - 2024-05-13
  • 8.0.0-rc.3 - 2024-05-10
  • 8.0.0-rc.2 - 2024-05-08
  • 8.0.0-rc.1 - 2024-05-07
  • 8.0.0-rc.0 - 2024-05-06
  • 8.0.0-beta.6 - 2024-05-03
  • 8.0.0-beta.5 - 2024-04-30
  • 8.0.0-beta.4 - 2024-04-24
  • 8.0.0-beta.3 - 2024-04-19
  • 8.0.0-beta.2 - 2024-04-17
  • 8.0.0-beta.1 - 2024-04-15
  • 8.0.0-alpha.9 - 2024-04-08
  • 8.0.0-alpha.8 - 2024-04-08
  • 8.0.0-alpha.7 - 2024-03-27
  • 8.0.0-alpha.5 - 2024-03-22
  • 8.0.0-alpha.4 - 2024-03-14
  • 8.0.0-alpha.3 - 2024-03-14
  • 8.0.0-alpha.2 - 2024-03-05
  • 8.0.0-alpha.1 - 2024-03-04
  • 7.119.0 - 2024-08-14
    • backport(tracing): Report dropped spans for transactions (#13343)

    Bundle size 📦

    Path                                                                                          Size
    @sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped)                         80.96 KB
    @sentry/browser (incl. Tracing, Replay) - Webpack (gzipped)                                   71.89 KB
    @sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped)                       76.14 KB
    @sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped)            65.52 KB
    @sentry/browser (incl. Tracing) - Webpack (gzipped)                                           35.77 KB
    @sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped)                         35.66 KB
    @sentry/browser (incl. Feedback) - Webpack (gzipped)                                          31.71 KB
    @sentry/browser (incl. sendFeedback) - Webpack (gzipped)                                      31.72 KB
    @sentry/browser - Webpack (gzipped)                                                           22.91 KB
    @sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped)                  79.17 KB
    @sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped)                            70.49 KB
    @sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped)                                    36.17 KB
    @sentry/browser - ES6 CDN Bundle (gzipped)                                                    25.41 KB
    @sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed)            221.92 KB
    @sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed)                    109.52 KB
    @sentry/browser - ES6 CDN Bundle (minified & uncompressed)                                    76.24 KB
    @sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped)                                    39.45 KB
    @sentry/react (incl. Tracing, Replay) - Webpack (gzipped)                                     72.4 KB
    @sentry/react - Webpack (gzipped)                                                             22.94 KB
    @sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped)                             90.16 KB
    @sentry/nextjs Client - Webpack (gzipped)                                                     54.27 KB
    @sentry-internal/feedback - Webpack (gzipped)                                                 17.34 KB
from @sentry/node GitHub release notes
Package name: commander
  • 12.1.0 - 2024-05-18

    Added

    • auto-detect special node flags node --eval and node --print when calling .parse() with no arguments (#2164)

    Changed

    • prefix require of Node.js core modules with node: (#2170)
    • format source files with Prettier (#2180)
    • switch from StandardJS to directly calling ESLint for linting (#2153)
    • extend security support for previous major version of Commander (#2150)

    Removed

    • removed unimplemented Option.fullDescription from TypeScript definition (#2191)
  • 12.0.0 - 2024-02-03

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if adding an option with a flag which is already in use (#2055)
    • Breaking: throw an error if adding a command with a name or alias which is already in use (#2059)
    • Breaking: throw an error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc of @api private with documented @private (#1949)
    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

    Migration Tips

    global program

    If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

    // const program = require('commander');
    const { program } = require('commander');

    option and command clashes

    A couple of configuration problems now throw an error, which will pick up issues in existing programs:

    • adding an option which uses the same flag as a previous option
    • adding a command which uses the same name or alias as a previous command
  • 12.0.0-1 - 2024-01-19

    Added

    • .addHelpOption() as another way of configuring built-in help option (#2006)
    • .helpCommand() for configuring built-in help command (#2087)

    Changed

    • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
    • refactor internal implementation of built-in help option (#2006)
    • refactor internal implementation of built-in help command (#2087)

    Deprecated

    • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)
  • 12.0.0-0 - 2023-11-11

    Fixed

    • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
    • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

    Changed

    • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
    • Breaking: throw an error if adding an option with a flag which is already in use (#2055)
    • Breaking: throw an error if adding a command with a name or alias which is already in use (#2059)
    • Breaking: throw an error when calling .storeOptionsAsProperties() after setting an option value (#1928)
    • replace non-standard JSDoc of @api private with documented @private (#1949)

    Removed

    • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)
    ...

Snyk has created this PR to upgrade:
  - @sentry/node from 7.119.0 to 8.27.0.
    See this package in npm: https://www.npmjs.com/package/@sentry/node
  - commander from 11.1.0 to 12.1.0.
    See this package in npm: https://www.npmjs.com/package/commander
  - pino from 8.21.0 to 9.3.2.
    See this package in npm: https://www.npmjs.com/package/pino
  - prom-client from 14.2.0 to 15.1.3.
    See this package in npm: https://www.npmjs.com/package/prom-client

See this project in Snyk:
https://app.snyk.io/org/okeamah/project/7ee992c3-6f41-4a6b-9712-45234464b96d?utm_source=github&utm_medium=referral&page=upgrade-pr
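The PR description marks all four upgrades as crossing a major version, which is the point at which a reviewer has to read the changelogs rather than merge on green CI. As an added example (not Snyk's code and not part of this PR or of any of the upgraded packages), the script below applies the same semver-major check to any pair of package.json dependency maps, so the triage can be repeated for future bot PRs; `diffDependencies`, `classifyUpgrades` and the sample dependency maps are constructed for this illustration, while `PR_UPGRADES` is copied from the table above.

```javascript
// Added example (not Snyk's code and not part of this PR or of any upgraded
// package): classify proposed dependency upgrades by whether they cross a
// semver major boundary, the condition behind the "may be a breaking change"
// warnings in the PR description.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its parts. The
// prerelease suffix ("8.0.0-rc.3", "12.0.0-1") is kept but does not affect
// the major-version comparison.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// True when the upgrade raises the major number. In the 0.x range semver
// treats every minor bump as potentially breaking, so 0.3.1 -> 0.4.0 counts too.
function isMajorUpgrade(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  if (b.major !== a.major) return b.major > a.major;
  return a.major === 0 && b.minor !== a.minor;
}

// Sort { name: { from, to } } into three lists, preserving input order:
// upgrades that need a changelog review (major), those that do not (safe),
// and those whose versions are not plain semver (unknown), e.g. "latest" or a
// git URL, which a reviewer has to inspect by hand.
function classifyUpgrades(upgrades) {
  const result = { major: [], safe: [], unknown: [] };
  for (const [name, { from, to }] of Object.entries(upgrades)) {
    try {
      result[isMajorUpgrade(from, to) ? 'major' : 'safe'].push(name);
    } catch (_err) {
      result.unknown.push(name);
    }
  }
  return result;
}

// Compare two package.json "dependencies" maps (current vs. proposed) and
// classify whatever changed. Leading "^" / "~" range markers are stripped
// because only the base version matters for the major check.
function diffDependencies(current, proposed) {
  const strip = (spec) => String(spec).replace(/^[\^~]/, '');
  const upgrades = {};
  for (const [name, to] of Object.entries(proposed)) {
    const from = current[name];
    if (from !== undefined && from !== to) upgrades[name] = { from: strip(from), to: strip(to) };
  }
  return classifyUpgrades(upgrades);
}

// The four upgrades proposed in this PR, copied from the table above.
const PR_UPGRADES = {
  '@sentry/node': { from: '7.119.0', to: '8.27.0' },
  commander: { from: '11.1.0', to: '12.1.0' },
  pino: { from: '8.21.0', to: '9.3.2' },
  'prom-client': { from: '14.2.0', to: '15.1.3' },
};

const PR_REPORT = classifyUpgrades(PR_UPGRADES);
console.log(PR_REPORT); // all four names land in "major"
```

Feeding `diffDependencies` the `dependencies` objects from the base branch's and the PR's package.json gives the same three lists for a real PR; anything in `unknown` (a tag such as `latest`, a git or tarball URL) deserves the same scrutiny as a major bump, because its resolved version is not visible in the diff.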

@sourcery-ai sourcery-ai bot left a comment


We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.


New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@metamask/[email protected] None 0 4.46 MB gudahtt
npm/@playwright/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +2 10.1 MB dgozman-ms
npm/@synthetixio/[email protected] environment, filesystem Transitive: eval, network, shell, unsafe +941 132 MB drptbl
npm/[email protected] environment, filesystem 0 71.6 kB motdotla
npm/[email protected] filesystem, network, unsafe +3 3.7 MB simenb
npm/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +89 4.43 MB vercel-release-bot
npm/[email protected] None 0 32 MB typescript-bot
npm/[email protected] network Transitive: environment +9 10.2 MB jmoxey

🚮 Removed packages: npm/@babel/[email protected], npm/@changesets/[email protected], npm/@changesets/[email protected], npm/@eth-optimism/[email protected], npm/@eth-optimism/[email protected], npm/@ethereumjs/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@ethersproject/[email protected], npm/@nomiclabs/[email protected], npm/@nomiclabs/[email protected], npm/@nomiclabs/[email protected], npm/@sentry/[email protected], npm/@swc/[email protected], npm/@testing-library/[email protected], npm/@testing-library/[email protected], npm/@testing-library/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@vitest/[email protected], npm/@wagmi/[email protected], npm/@wagmi/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎


🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert         Package                 Note  Source  CI
Critical CVE  npm/[email protected]   ⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all
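Socket's note above names dependency overrides as one way to get a fixed version of a vulnerable package into the tree when it is pulled in transitively and the direct dependency has not yet updated. As an added example (not Socket's, npm's or this project's code), the script below edits a package.json object to add an npm `overrides` entry and checks the one constraint npm enforces on overrides of direct dependencies. `vulnerable-lib`, `some-framework`, `example-service` and the version ranges are placeholders, since the package Socket flagged is redacted on this page.

```javascript
// Added example (not Socket's, npm's or this project's code): add an npm
// "overrides" entry to a package.json object so that every copy of a
// vulnerable transitive package resolves to a fixed range, and check the
// constraint npm places on overriding a direct dependency. Package names
// and ranges are placeholders.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return a copy of `pkg` with `name` pinned to `fixedRange` in "overrides".
// npm rejects an override for a package you depend on directly unless the
// direct spec and the override are identical, so a direct dependency on
// `name` is bumped to the same range rather than left to conflict.
function withOverride(pkg, name, fixedRange) {
  const out = JSON.parse(JSON.stringify(pkg)); // leave the caller's object untouched
  out.overrides = { ...(out.overrides || {}), [name]: fixedRange };
  for (const field of DEP_FIELDS) {
    if (out[field] && Object.prototype.hasOwnProperty.call(out[field], name)) {
      out[field][name] = fixedRange;
    }
  }
  return out;
}

// Lint helper for CI: list overrides that disagree with a direct dependency
// spec, which npm would refuse to install.
function overrideConflicts(pkg) {
  const conflicts = [];
  for (const [name, override] of Object.entries(pkg.overrides || {})) {
    for (const field of DEP_FIELDS) {
      const direct = pkg[field] && pkg[field][name];
      if (direct !== undefined && direct !== override) {
        conflicts.push({ name, field, direct, override });
      }
    }
  }
  return conflicts;
}

// Constructed package.json. "vulnerable-lib" stands in for the package Socket
// flagged (its name is redacted on this page); it is assumed to be pulled in
// transitively by "some-framework", so it is not listed here directly.
const BEFORE = {
  name: 'example-service',
  version: '1.0.0',
  dependencies: { 'some-framework': '^3.2.0' },
};

const AFTER = withOverride(BEFORE, 'vulnerable-lib', '^2.1.4');
console.log(JSON.stringify(AFTER, null, 2));
```

After writing `AFTER` back to package.json, `npm install` re-resolves the lockfile and `npm ls vulnerable-lib` shows which version the tree now contains. An override only forces a version; if the fixed range is not API-compatible with what `some-framework` expects, the framework's own tests are what tell you, so the override is a stopgap until the direct dependency ships a release that depends on the fixed version itself.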
