
Conversation


@renovate renovate bot commented Nov 25, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| @sentry/node (source) | 10.26.0 -> 10.27.0 |

GitHub Vulnerability Alerts

CVE-2025-65944

Impact

When a Node.js application using the Sentry SDK has sendDefaultPii: true it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application.

Users may be impacted if:

  1. The Sentry SDK configuration has sendDefaultPii set to true
  2. The application uses one of the Node.js Sentry SDKs with a version from 10.11.0 to 10.26.0 inclusive:
  • @sentry/astro
  • @sentry/aws-serverless
  • @sentry/bun
  • @sentry/google-cloud-serverless
  • @sentry/nestjs
  • @sentry/nextjs
  • @sentry/node
  • @sentry/node-core
  • @sentry/nuxt
  • @sentry/remix
  • @sentry/solidstart
  • @sentry/sveltekit

Users can check whether their project was affected by visiting Explore → Traces and searching for “http.request.header.authorization”, “http.request.header.cookie” or similar. Any potentially sensitive values will be specific to the users' applications and configurations.

Patches

The issue has been patched in all Sentry JavaScript SDKs starting from the 10.27.0 version.

Workarounds

Sentry strongly encourages customers to upgrade the SDK to the latest available version, 10.27.0 or later.
If it is not possible, consider setting sendDefaultPii: false to avoid unintentionally sending sensitive headers. See here for documentation.

Release Notes

getsentry/sentry-javascript (@sentry/node)

v10.27.0

Other Changes
  • feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
  • feat(core): Add scope attribute APIs (#18165)
  • feat(core): Re-add _experiments.enableLogs option (#18299)
  • feat(core): Use maxValueLength on error messages (#18301)
  • feat(deps): bump @sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
  • feat(deps): bump @sentry/cli from 2.56.0 to 2.58.2 (#18271)
  • feat(node): Add tracing support for AzureOpenAI (#18281)
  • feat(node): Fix local variables capturing for out-of-app frames (#18245)
  • fix(core): Add a PromiseBuffer for incoming events on the client (#18120)
  • fix(core): Always redact content of sensitive headers regardless of sendDefaultPii (#18311)
  • fix(metrics): Update return type of beforeSendMetric (#18261)
  • fix(nextjs): universal random tunnel path support (#18257)
  • ref(react): Add more guarding against wildcards in lazy route transactions (#18155)
  • chore(deps): bump glob from 11.0.1 to 11.1.0 in /packages/react-router (#18243)

Internal Changes
  • build(deps): bump hono from 4.9.7 to 4.10.3 in /dev-packages/e2e-tests/test-applications/cloudflare-hono ([#18038](https://redirect.github.com/getsentry/sentry-javascript/pull/18038))
  • chore: Add `bump_otel_instrumentations` cursor command ([#18253](https://redirect.github.com/getsentry/sentry-javascript/pull/18253))
  • chore: Add external contributor to CHANGELOG.md ([#18297](https://redirect.github.com/getsentry/sentry-javascript/pull/18297))
  • chore: Add external contributor to CHANGELOG.md ([#18300](https://redirect.github.com/getsentry/sentry-javascript/pull/18300))
  • chore: Do not update opentelemetry ([#18254](https://redirect.github.com/getsentry/sentry-javascript/pull/18254))
  • chore(angular): Add Angular 21 Support ([#18274](https://redirect.github.com/getsentry/sentry-javascript/pull/18274))
  • chore(deps): bump astro from 4.16.18 to 5.15.9 in /dev-packages/e2e-tests/test-applications/cloudflare-astro ([#18259](https://redirect.github.com/getsentry/sentry-javascript/pull/18259))
  • chore(dev-deps): Update some dev dependencies ([#17816](https://redirect.github.com/getsentry/sentry-javascript/pull/17816))
  • ci(deps): Bump actions/create-github-app-token from 2.1.1 to 2.1.4 ([#17825](https://redirect.github.com/getsentry/sentry-javascript/pull/17825))
  • ci(deps): bump actions/setup-node from 4 to 6 ([#18077](https://redirect.github.com/getsentry/sentry-javascript/pull/18077))
  • ci(deps): bump actions/upload-artifact from 4 to 5 ([#18075](https://redirect.github.com/getsentry/sentry-javascript/pull/18075))
  • ci(deps): bump github/codeql-action from 3 to 4 ([#18076](https://redirect.github.com/getsentry/sentry-javascript/pull/18076))
  • doc(sveltekit): Update documentation link for SvelteKit guide ([#18298](https://redirect.github.com/getsentry/sentry-javascript/pull/18298))
  • test(e2e): Fix astro config in test app ([#18282](https://redirect.github.com/getsentry/sentry-javascript/pull/18282))
  • test(nextjs): Remove debug logs from e2e test ([#18250](https://redirect.github.com/getsentry/sentry-javascript/pull/18250))

Work in this release was contributed by @bignoncedric and @adam-kov. Thank you for your contributions!

Bundle size 📦

| Path | Size |
|---|---|
| @sentry/browser | 24.22 KB |
| @sentry/browser - with treeshaking flags | 22.76 KB |
| @sentry/browser (incl. Tracing) | 40.57 KB |
| @sentry/browser (incl. Tracing, Profiling) | 45.05 KB |
| @sentry/browser (incl. Tracing, Replay) | 78.08 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 68.05 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 82.65 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 94.61 KB |
| @sentry/browser (incl. Feedback) | 40.51 KB |
| @sentry/browser (incl. sendFeedback) | 28.8 KB |
| @sentry/browser (incl. FeedbackAsync) | 33.62 KB |
| @sentry/react | 25.9 KB |
| @sentry/react (incl. Tracing) | 42.71 KB |
| @sentry/vue | 28.56 KB |
| @sentry/vue (incl. Tracing) | 42.32 KB |
| @sentry/svelte | 24.24 KB |
| CDN Bundle | 26.53 KB |
| CDN Bundle (incl. Tracing) | 41.18 KB |
| CDN Bundle (incl. Tracing, Replay) | 76.85 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 82.18 KB |
| CDN Bundle - uncompressed | 77.97 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 122.28 KB |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 235.6 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 248.06 KB |
| @sentry/nextjs (client) | 44.88 KB |
| @sentry/sveltekit (client) | 40.92 KB |
| @sentry/node-core | 49.99 KB |
| @sentry/node | 155.51 KB |
| @sentry/node - without tracing | 90.65 KB |
| @sentry/aws-serverless | 105.54 KB |

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
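The advisory above describes the leak (with `sendDefaultPii: true`, header attributes such as `http.request.header.cookie` reach Sentry) and the workaround (upgrade, or turn `sendDefaultPii` off). The following is an added example, not code from the Sentry SDK, this PR, or the advisory: an application-side `beforeSend` / `beforeSendTransaction` hook that blanks sensitive header values in outgoing events, so the rest of the PII you do want can stay on, plus an audit helper that mirrors the advisory's "search Traces for http.request.header.cookie" check on payloads you capture locally. The header list, the `[Filtered]` marker, the `sentryOptions` wiring (the SDK's real `beforeSend` and `beforeSendTransaction` options, but Sentry is not imported so the block runs offline), and the shape of the constructed sample event are this example's own assumptions; the SDK-side fix in 10.27.0 is the `fix(core)` entry for #18311 listed in the release notes.

```javascript
// Added example (not Sentry SDK or PR code): redact sensitive HTTP header values
// before an event leaves the process, regardless of sendDefaultPii.
const FILTERED = '[Filtered]';

// Lower-case header names whose values must never reach Sentry.
// Assumption: this list is the example's own choice; extend it for your app.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie']);

// Span attribute prefixes under which HTTP headers are recorded, e.g. the
// "http.request.header.cookie" key the advisory tells users to search for.
const HEADER_ATTR_PREFIXES = ['http.request.header.', 'http.response.header.'];

// True for a raw header name ("Cookie") or an attribute key
// ("http.request.header.cookie"). Matching is case-insensitive.
function isSensitiveHeaderKey(key) {
  const lower = String(key).toLowerCase();
  for (const prefix of HEADER_ATTR_PREFIXES) {
    if (lower.startsWith(prefix)) return SENSITIVE_HEADERS.has(lower.slice(prefix.length));
  }
  return SENSITIVE_HEADERS.has(lower);
}

// Replaces sensitive values in one flat key/value object in place;
// returns the number of values redacted.
function redactObject(obj) {
  if (!obj || typeof obj !== 'object') return 0;
  let count = 0;
  for (const key of Object.keys(obj)) {
    if (isSensitiveHeaderKey(key) && obj[key] !== FILTERED) {
      obj[key] = FILTERED;
      count += 1;
    }
  }
  return count;
}

// Usable as both beforeSend (error events carry request.headers) and
// beforeSendTransaction (header attributes sit in contexts.trace.data and in
// each span's data). Returning the event lets it through; null would drop it.
function redactSensitiveHeaders(event) {
  if (!event) return event;
  redactObject(event.request && event.request.headers);
  redactObject(event.contexts && event.contexts.trace && event.contexts.trace.data);
  for (const span of event.spans || []) redactObject(span.data);
  return event;
}

// Audit helper: returns the paths of sensitive header values still present in
// an event, the local equivalent of the advisory's Traces search.
function findLeakedHeaders(event) {
  const leaks = [];
  const scan = (obj, path) => {
    if (!obj || typeof obj !== 'object') return;
    for (const [key, value] of Object.entries(obj)) {
      if (isSensitiveHeaderKey(key) && value !== FILTERED) leaks.push(`${path}.${key}`);
    }
  };
  scan(event.request && event.request.headers, 'request.headers');
  scan(event.contexts && event.contexts.trace && event.contexts.trace.data, 'contexts.trace.data');
  (event.spans || []).forEach((span, i) => scan(span.data, `spans[${i}].data`));
  return leaks;
}

// Options to hand to Sentry.init() (assumed wiring; Sentry is not imported here).
// sendDefaultPii stays on for the user/IP data you want; the hooks strip headers.
const sentryOptions = {
  sendDefaultPii: true,
  beforeSend: redactSensitiveHeaders,
  beforeSendTransaction: redactSensitiveHeaders,
};

// Constructed sample transaction event (not a real capture) in the shape a
// vulnerable SDK produces for an incoming request with sendDefaultPii on.
function sampleTransactionEvent() {
  return {
    type: 'transaction',
    request: { headers: { Cookie: 'session=abc123', 'User-Agent': 'curl/8.0' } },
    contexts: { trace: { data: { 'http.request.header.cookie': 'session=abc123', 'http.method': 'GET' } } },
    spans: [{ op: 'http.client', data: {
      'http.request.header.authorization': 'Bearer secret-token',
      'http.request.header.user-agent': 'curl/8.0',
    } }],
  };
}

// Three leaked values before the hook runs, none after; other data survives.
const leaksBefore = findLeakedHeaders(sampleTransactionEvent());
const leaksAfter = findLeakedHeaders(sentryOptions.beforeSendTransaction(sampleTransactionEvent()));
```

The hook only ever overwrites values, never deletes keys, so the redacted attribute still shows up in Sentry as `[Filtered]` and a Traces search for the key name confirms the filter is in place rather than silently absent. Run `findLeakedHeaders` against events captured by a test transport in CI to catch a new header-bearing integration before it ships.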

@renovate renovate bot enabled auto-merge (squash) November 25, 2025 00:47
@renovate renovate bot merged commit 7bf6963 into main Nov 25, 2025
5 checks passed
@renovate renovate bot deleted the renovate/npm-sentry-node-vulnerability branch November 25, 2025 00:48