Conversation

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package Change
@sentry/nextjs (source) 7.74.1 -> 7.77.0

GitHub Vulnerability Alerts

CVE-2023-46729

Impact

An unsanitized input of the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors:

  • client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
  • interaction with internal network;
  • read cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
  • local/remote port scan.

This issue only affects users who have Next.js SDK tunneling feature enabled.

Patches

The problem has been fixed in @sentry/nextjs@7.77.0

Workarounds

Disable tunneling by removing the tunnelRoute option from Sentry Next.js SDK config — next.config.js or next.config.mjs.

Release Notes

getsentry/sentry-javascript (@sentry/nextjs)

v7.77.0

Security Fixes

Other Changes

  • feat: Move LinkedErrors integration to @sentry/core (#9404)
  • feat(remix): Update sentry-cli version to ^2.21.2 (#9401)
  • feat(replay): Allow to treeshake & configure compression worker URL (#9409)
  • fix(angular-ivy): Adjust package entry points to support Angular 17 with SSR config (#9412)
  • fix(feedback): Fixing feedback import (#9403)
  • fix(utils): Avoid keeping a reference of last used event (#9387)

Bundle size 📦

Path Size
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 77.46 KB
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 56.69 KB
@sentry/browser (incl. Tracing) - Webpack (gzipped) 30.97 KB
@sentry/browser - Webpack (gzipped) 21.29 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 67.83 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 29.09 KB
@sentry/browser - ES6 CDN Bundle (gzipped) 21.23 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 216.89 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 88.28 KB
@sentry/browser - ES6 CDN Bundle (minified & uncompressed) 63.28 KB
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 31.8 KB
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 77.84 KB
@sentry/react - Webpack (gzipped) 21.34 KB
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 94.18 KB
@sentry/nextjs Client - Webpack (gzipped) 47.86 KB

v7.76.0

Important Changes
  • feat(core): Add cron monitor wrapper helper (#9395)

This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures:

import * as Sentry from '@sentry/node';

// withMonitor() will send checkin when callback is started/finished
// works with async and sync callbacks.
const result = Sentry.withMonitor(
  'dailyEmail',
  () => {
    // withMonitor return value is same return value here
    return sendEmail();
  },
  // Optional upsert options
  {
    schedule: {
      type: 'crontab',
      value: '0 * * * *',
    },
    // 🇨🇦🫡
    timezone: 'Canada/Eastern',
  },
);
Other Changes
  • chore(angular-ivy): Allow Angular 17 in peer dependencies (#9386)
  • feat(nextjs): Instrument SSR page components (#9346)
  • feat(nextjs): Trace errors in page component SSR (#9388)
  • fix(nextjs): Instrument route handlers with jsx and tsx file extensions (#9362)
  • fix(nextjs): Trace with performance disabled (#9389)
  • fix(replay): Ensure replay_id is not added to DSC if session expired (#9359)
  • fix(replay): Remove unused parts of pako from build (#9369)
  • fix(serverless): Don't mark all errors as unhandled (#9368)
  • fix(tracing-internal): Fix case when middleware contain array of routes with special chars as @ (#9375)
  • meta(nextjs): Bump peer deps for Next.js 14 (#9390)

Work in this release contributed by @LubomirIgonda1. Thank you for your contribution!

Bundle size 📦

Path Size
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 77.44 KB
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 66.48 KB
@sentry/browser (incl. Tracing) - Webpack (gzipped) 30.94 KB
@sentry/browser - Webpack (gzipped) 21.26 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 67.66 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 28.93 KB
@sentry/browser - ES6 CDN Bundle (gzipped) 21.09 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 216.39 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 87.77 KB
@sentry/browser - ES6 CDN Bundle (minified & uncompressed) 62.76 KB
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 31.71 KB
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 77.83 KB
@sentry/react - Webpack (gzipped) 21.29 KB
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 94.16 KB
@sentry/nextjs Client - Webpack (gzipped) 47.83 KB

v7.75.1

  • feat(browser): Allow collecting of pageload profiles (#9317)
  • fix(browser): Correct timestamp on pageload profiles (#9350)
  • fix(nextjs): Use webpack plugin release value to inject release (#9348)

Bundle size 📦

Path Size
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 82.66 KB
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 71.77 KB
@sentry/browser (incl. Tracing) - Webpack (gzipped) 30.94 KB
@sentry/browser - Webpack (gzipped) 21.26 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 73.03 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 28.93 KB
@sentry/browser - ES6 CDN Bundle (gzipped) 21.09 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 233.81 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 87.77 KB
@sentry/browser - ES6 CDN Bundle (minified & uncompressed) 62.76 KB
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 31.71 KB
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 83.05 KB
@sentry/react - Webpack (gzipped) 21.29 KB
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 99.43 KB
@sentry/nextjs Client - Webpack (gzipped) 47.83 KB

v7.75.0

Important Changes
  • feat(opentelemetry): Add new @sentry/opentelemetry package (#9238)

This release publishes a new package, @sentry/opentelemetry. This is a runtime-agnostic replacement for @sentry/opentelemetry-node and exports a couple of useful utilities for using Sentry together with OpenTelemetry.

You can read more about @sentry/opentelemetry in the Readme.

  • feat(replay): Allow to treeshake rrweb features (#9274)

Starting with this release, you can configure the following build-time flags in order to reduce the SDK bundle size:

  • __RRWEB_EXCLUDE_CANVAS__
  • __RRWEB_EXCLUDE_IFRAME__
  • __RRWEB_EXCLUDE_SHADOW_DOM__

You can read more about tree shaking in our docs.

Other Changes
  • build(deno): Prepare Deno SDK for release on npm (#9281)
  • feat: Remove tslib (#9299)
  • feat(node): Add abnormal session support for ANR (#9268)
  • feat(node): Remove lru_map dependency (#9300)
  • feat(node): Vendor cookie module (#9308)
  • feat(replay): Share performance instrumentation with tracing (#9296)
  • feat(types): Add missing Profiling types (macho debug image, profile measurements, stack frame properties) (#9277)
  • feat(types): Add statsd envelope types (#9304)
  • fix(astro): Add integration default export to types entry point (#9337)
  • fix(astro): Convert SDK init file import paths to POSIX paths (#9336)
  • fix(astro): Make Replay and BrowserTracing integrations tree-shakeable (#9287)
  • fix(integrations): Fix transaction integration (#9334)
  • fix(nextjs): Restore autoInstrumentMiddleware functionality (#9323)
  • fix(nextjs): Guard for case where getInitialProps may return undefined (#9342)
  • fix(node-experimental): Make node-fetch support optional (#9321)
  • fix(node): Check buffer length when attempting to parse ANR frame (#9314)
  • fix(replay): Fix xhr start timestamps (#9341)
  • fix(tracing-internal): Remove query params from urls with a trailing slash (#9328)
  • fix(types): Remove typo with CheckInEnvelope (#9303)

Bundle size 📦

Path Size
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 82.66 KB
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 71.77 KB
@sentry/browser (incl. Tracing) - Webpack (gzipped) 30.94 KB
@sentry/browser - Webpack (gzipped) 21.26 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 73.03 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 28.93 KB
@sentry/browser - ES6 CDN Bundle (gzipped) 21.09 KB
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 233.81 KB
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 87.77 KB
@sentry/browser - ES6 CDN Bundle (minified & uncompressed) 62.76 KB
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 31.71 KB
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 83.05 KB
@sentry/react - Webpack (gzipped) 21.29 KB
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 99.43 KB
@sentry/nextjs Client - Webpack (gzipped) 47.83 KB

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.
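The CVE-2023-46729 advisory quoted above describes one mechanism: a value that is not validated ends up in the URL the tunnel endpoint forwards to, so the request can be steered to an arbitrary host. The block below is an added example, not code from the Sentry SDK, the advisory or this PR. It assumes, for illustration only, that the tunnel receives an org id and a project id and forwards to an ingest URL of the form o<org>.ingest.sentry.io/api/<project>/envelope/; the parameter names, the hostile input and the attacker.example host are constructed. It puts an unvalidated URL build next to one that accepts only numeric ids and re-checks the hostname of the URL it actually produced, which is the class of check that closes this kind of SSRF.

```javascript
// Added example (not the Sentry SDK's code): how a tunnel endpoint turns
// request parameters into the upstream URL it forwards to, and why those
// parameters must be strictly validated. The `o<org>.ingest.sentry.io/
// api/<project>/envelope/` shape and the parameter names are assumptions.

// Strict allowlist for the two ids: digits only, nothing else.
const NUMERIC_ID = /^\d+$/;
// Defense in depth: the hostname of the built URL must still be an ingest host.
const INGEST_HOST = /^o\d+\.ingest\.sentry\.io$/;

// Weak variant: attacker-controlled values are interpolated as-is, so an
// org id containing '.', '/' or '?' rewrites the host and path of the target.
function buildTunnelTargetUnsafe(orgId, projectId) {
  return `https://o${orgId}.ingest.sentry.io/api/${projectId}/envelope/?hsts=0`;
}

// Hardened variant: reject non-numeric ids up front, then re-check the
// hostname of the URL that was actually built. Returns null on rejection so
// the handler can answer 400 instead of forwarding anything.
function buildTunnelTarget(orgId, projectId) {
  if (!NUMERIC_ID.test(orgId) || !NUMERIC_ID.test(projectId)) {
    return null;
  }
  const target = new URL(`https://o${orgId}.ingest.sentry.io/api/${projectId}/envelope/`);
  target.searchParams.set('hsts', '0');
  if (!INGEST_HOST.test(target.hostname)) {
    return null;
  }
  return target.toString();
}

// Where a forwarded request would really be sent.
function targetHost(url) {
  return url === null ? null : new URL(url).hostname;
}

// Constructed inputs: a legitimate pair, and an org id that smuggles in a
// different host (attacker.example is a placeholder, not a real system).
const legitimate = ['123456', '7890'];
const hostile = ['1.attacker.example/collect?', '7890'];

console.log(targetHost(buildTunnelTargetUnsafe(...legitimate))); // o123456.ingest.sentry.io
console.log(targetHost(buildTunnelTargetUnsafe(...hostile)));    // o1.attacker.example
console.log(buildTunnelTarget(...legitimate));                   // https://o123456.ingest.sentry.io/api/7890/envelope/?hsts=0
console.log(buildTunnelTarget(...hostile));                      // null
console.log(buildTunnelTarget('123456', '7890/../../admin'));    // null
```

The unsafe build shows why the advisory lists internal-network access and cloud metadata endpoints as consequences: whatever host the attacker puts in the id is where the server-side request goes, and the response comes back through the trusted domain. Where upgrading is not possible, the workaround in the advisory (removing tunnelRoute from the Next.js SDK config) removes the forwarding endpoint altogether.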

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 6, 2024

github-actions bot commented Aug 6, 2024

📦 Next.js Bundle Analysis for mx-kami

This analysis was generated by the Next.js Bundle Analysis action. 🤖

Eight Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page Size (compressed) First Load % of Budget (350 KB)
/[page] 52.82 KB 255.1 KB 72.89% (+/- <0.01%)
/_error 6.04 KB 208.32 KB 59.52% (🟡 +0.01%)
/friends 58.16 KB 260.44 KB 74.41% (🟡 +0.01%)
/notes/[id] 75.67 KB 277.95 KB 79.42% (+/- <0.01%)
/posts/[category]/[slug] 80 KB 282.27 KB 80.65% (🟡 +0.01%)
/preview 56.66 KB 258.94 KB 73.98% (🟡 +0.01%)
/projects/[id] 51.98 KB 254.26 KB 72.65% (+/- <0.01%)
/recently 97.26 KB 299.53 KB 85.58% (🟡 +0.01%)
Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of JavaScript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.

The "Budget %" column shows what percentage of your performance budget the First Load total takes up. For example, if your budget was 100 KB, and a given page's first load size was 10 KB, it would be 10% of your budget. You can also see how much this has increased or decreased compared to the base branch of your PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this. If you see "+/- <0.01%" it means that there was a change in bundle size, but it is a trivial enough amount that it can be ignored.

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch 2 times, most recently from cadc05f to 1da9889 Compare August 13, 2025 17:48
@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 1da9889 to 0056195 Compare August 19, 2025 19:14
@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 0056195 to 9561a2f Compare August 31, 2025 09:47
@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 9561a2f to ef79c3a Compare September 25, 2025 18:44

safedep bot commented Sep 25, 2025

SafeDep Report Summary

Malicious packages: none. Vulnerable packages: none. Risky licenses: none.

Package Details

Package Source Malware Vulnerability Risky License
@eslint-community/regexpp @ 4.11.0 pnpm-lock.yaml ok ok ok
@innei/eslint-config-ts @ 0.15.0 pnpm-lock.yaml ok ok ok
@sentry-internal/tracing @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/browser @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/core @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/integrations @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/nextjs @ 7.77.0 package.json, pnpm-lock.yaml ok ok ok
@sentry/node @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/react @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/replay @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/types @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/utils @ 7.77.0 pnpm-lock.yaml ok ok ok
@sentry/vercel-edge @ 7.77.0 pnpm-lock.yaml ok ok ok
@typescript-eslint/eslint-plugin @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/parser @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/project-service @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/scope-manager @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/scope-manager @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/tsconfig-utils @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/type-utils @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/types @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/types @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/typescript-estree @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/typescript-estree @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/utils @ 8.0.1 pnpm-lock.yaml ok ok ok
@typescript-eslint/visitor-keys @ 8.46.3 pnpm-lock.yaml ok ok ok
@typescript-eslint/visitor-keys @ 8.0.1 pnpm-lock.yaml ok ok ok
braces @ 3.0.3 pnpm-lock.yaml ok ok ok
eslint-plugin-unused-imports @ 4.0.1 pnpm-lock.yaml ok ok ok
eslint-visitor-keys @ 4.2.1 pnpm-lock.yaml ok ok ok
fast-glob @ 3.3.3 pnpm-lock.yaml ok ok ok
fill-range @ 7.1.1 pnpm-lock.yaml ok ok ok
ignore @ 5.3.1 pnpm-lock.yaml ok ok ok
is-core-module @ 2.14.0 pnpm-lock.yaml ok ok ok
micromatch @ 4.0.8 pnpm-lock.yaml ok ok ok
ts-api-utils @ 2.1.0 pnpm-lock.yaml ok ok ok

This report is generated by SafeDep Github App

@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from ef79c3a to 6f72bbd Compare October 21, 2025 23:34
@renovate renovate bot force-pushed the renovate/npm-sentry-nextjs-vulnerability branch from 6f72bbd to f1af52e Compare November 10, 2025 17:02