fix(app): update dependency @sentry/browser to v8.33.0 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@sentry/browser (source)	dependencies	minor	8.32.0 -> 8.33.0

GitHub Vulnerability Alerts

GHSA-593m-55hh-j8gv

Impact

In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.

Note

This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.

Patches

The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version.
Also, the fix was backported to SDK v7 in 7.119.1.

References

• Prototype Pollution
• Prototype Pollution gadgets
• sentry-javascript#13838

---

Sentry SDK Prototype Pollution gadget in JavaScript SDKs

GHSA-593m-55hh-j8gv

More information

Details

Impact

In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue.

[!NOTE]
This advisory does not indicate the presence of a Prototype Pollution within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as they pose a more critical security risk.

Patches

The issue was patched in all Sentry JavaScript SDKs starting from the 8.33.0 version.
Also, the fix was backported to SDK v7 in 7.119.1.

References

• Prototype Pollution
• Prototype Pollution gadgets
• sentry-javascript#13838

Severity

• CVSS Score: 5.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

• https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-593m-55hh-j8gv
• https://github.com/getsentry/sentry-javascript/pull/13838
• https://github.com/getsentry/sentry-javascript/commit/35bdc87dee3498794e34c1ad35dd9927950c8766
• https://github.com/getsentry/sentry-javascript
• https://github.com/getsentry/sentry-javascript/releases/tag/7.119.1
• https://github.com/getsentry/sentry-javascript/releases/tag/8.33.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

getsentry/sentry-javascript (@​sentry/browser)

v8.33.0

Compare Source

Important Changes

• feat(nextjs): Support new async APIs (headers(), params, searchParams)
  (#​13828)

Adds support for new dynamic Next.js APIs.

• feat(node): Add lru-memoizer instrumentation
  (#​13796)

Adds integration for lru-memoizer using @​opentelemetry/instrumentation-lru-memoizer.

• feat(nuxt): Add unstable_sentryBundlerPluginOptions to module options
  (#​13811)

Allows passing other options from the bundler plugins (vite and rollup) to Nuxt module options.

Other Changes

• fix(browser): Ensure wrap() only returns functions
  (#​13838)
• fix(core): Adapt trpc middleware input attachment
  (#​13831)
• fix(core): Don't return trace data in getTraceData and getTraceMetaTags if SDK is disabled
  (#​13760)
• fix(nuxt): Don't restrict source map assets upload
  (#​13800)
• fix(nuxt): Use absolute path for client config (#​13798)
• fix(replay): Stop global event handling for paused replays
  (#​13815)
• fix(sveltekit): add url param to source map upload options
  (#​13812)
• fix(types): Add jsdocs to cron types (#​13776)
• fix(nextjs): Loosen @​sentry/nextjs webpack peer dependency
  (#​13826)

Work in this release was contributed by @​joshuajaco. Thank you for your contribution!

Bundle size 📦

Path	Size
@​sentry/browser	22.64 KB
@​sentry/browser - with treeshaking flags	21.42 KB
@​sentry/browser (incl. Tracing)	34.87 KB
@​sentry/browser (incl. Tracing, Replay)	71.37 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	61.8 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	75.72 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	88.49 KB
@​sentry/browser (incl. Tracing, Replay, Feedback, metrics)	90.37 KB
@​sentry/browser (incl. metrics)	26.91 KB
@​sentry/browser (incl. Feedback)	39.78 KB
@​sentry/browser (incl. sendFeedback)	27.3 KB
@​sentry/browser (incl. FeedbackAsync)	32.08 KB
@​sentry/react	25.39 KB
@​sentry/react (incl. Tracing)	37.85 KB
@​sentry/vue	26.8 KB
@​sentry/vue (incl. Tracing)	36.76 KB
@​sentry/svelte	22.77 KB
CDN Bundle	23.95 KB
CDN Bundle (incl. Tracing)	36.64 KB
CDN Bundle (incl. Tracing, Replay)	71.14 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	76.45 KB
CDN Bundle - uncompressed	70.17 KB
CDN Bundle (incl. Tracing) - uncompressed	108.63 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	220.53 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	233.74 KB
@​sentry/nextjs (client)	37.81 KB
@​sentry/sveltekit (client)	35.44 KB
@​sentry/node	125.13 KB
@​sentry/node - without tracing	93.58 KB
@​sentry/aws-serverless	103.28 KB

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
inreach-app	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 23, 2024 4:17pm

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or <!-- #coderabbitai summary --> to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@sentry/[email protected]	network	+7	10.1 MB	benvinegar, billyvg, evanpurkhiser, ...8 more

🚮 Removed packages: npm/@sentry/[email protected]

View full report↗︎

[relativeci]

#1630 Bundle Size — 3.51MiB (0%).

851062b(current) vs 6cc5151 dev#1628(baseline)

Warning

Bundle contains 5 duplicate packages – View duplicate packages

Bundle metrics   1 change

	Current #1630	Baseline #1628
Initial JS	3.05MiB	3.05MiB
Initial CSS	9.7KiB	9.7KiB
Cache Invalidation	32.33%	72.76%
Chunks	67	67
Assets	80	80
Modules	2016	2016
Duplicate Modules	361	361
Duplicate Code	10.01%	10.01%
Packages	159	159
Duplicate Packages	5	5

Bundle size by type  no changes

	Current #1630	Baseline #1628
JS	3.39MiB	3.39MiB
Fonts	94.54KiB	94.54KiB
CSS	9.7KiB	9.7KiB
Other	8.69KiB	8.69KiB
IMG	8.57KiB	8.57KiB

Bundle analysis report Branch renovate/npm-sentry-browser-vuln... Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}

[github-actions]

📦 Next.js Bundle Analysis for @weareinreach/app

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

[alwaysmeticulous]

🤖 No test run has been triggered as your Meticulous project has been deactivated (since you haven't viewed any test results in a while). Click here to reactivate.

_{Last updated for commit 851062b. This comment will update as new commits are pushed.}

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud