chore(deps): bump the production-dependencies group with 12 updates

[dependabot]

Bumps the production-dependencies group with 12 updates:

Package	From	To
@astrojs/cloudflare	13.7.0	14.0.1
astro	6.4.8	7.0.3
@astrojs/starlight	0.40.0	0.41.1
sharp	0.34.5	0.35.2
three	0.184.0	0.185.0
@babel/parser	7.29.7	8.0.0
@hono/node-server	2.0.5	2.0.6
@sentry/node	10.60.0	10.62.0
@ungap/structured-clone	1.3.1	1.3.2
graphql	16.14.2	17.0.1
hono	4.12.26	4.12.27
posthog-node	4.18.0	5.38.7

Updates @astrojs/cloudflare from 13.7.0 to 14.0.1

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​14.0.1

Patch Changes

• #17175 7a7d879 Thanks @​astrobot-houston! - Fixes astro dev OOM crashes for @astrojs/cloudflare users on Vite 8 by migrating the frontmatter scan plugin to Rolldown-compatible options.

• #17187 0db4b57 Thanks @​matthewp! - Fixes React invalid hook warning during cold SSR optimizer reload when using ClientRouter

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​14.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

Minor Changes

• #16335 9a53f77 Thanks @​ascorbic! - Adds an opt-in CDN cache provider for Astro route caching on Cloudflare Workers

  [!WARNING] This provider requires the Cloudflare Workers Cache feature, which is currently in private beta. It is opt-in: nothing changes unless you import cacheCloudflare() and set it as your provider. But without beta access it does not work and should not be used. Cloudflare Workers run in front of the cache, so cached responses are never served, and calling cache.invalidate() throws an error.

  Setup

  Import cacheCloudflare() from @astrojs/cloudflare/cache and set it as your cache provider:

  import { defineConfig } from 'astro/config';
  import cloudflare from '@astrojs/cloudflare';
  import { cacheCloudflare } from '@astrojs/cloudflare/cache';
  export default defineConfig({
  adapter: cloudflare(),
  cache: {
  provider: cacheCloudflare(),
  },
  });

  The adapter automatically enables the Worker caching layer when a Cloudflare cache provider is configured. No manual wrangler.jsonc changes are needed.

  Caching responses

  Use Astro.cache.set() in your pages and API routes to cache responses. The provider sets Cloudflare-CDN-Cache-Control and Cache-Tag headers, which are read by Cloudflare's built-in caching layer. Cache hits bypass Worker execution entirely, meaning your Worker is not invoked for cached responses.

  ---
  Astro.cache.set({ maxAge: 300, tags: ['products'] });
  const data = await fetchProducts();
  ---

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

14.0.1

Patch Changes

• #17175 7a7d879 Thanks @​astrobot-houston! - Fixes astro dev OOM crashes for @astrojs/cloudflare users on Vite 8 by migrating the frontmatter scan plugin to Rolldown-compatible options.

• #17187 0db4b57 Thanks @​matthewp! - Fixes React invalid hook warning during cold SSR optimizer reload when using ClientRouter

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

14.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

Minor Changes

• #16335 9a53f77 Thanks @​ascorbic! - Adds an opt-in CDN cache provider for Astro route caching on Cloudflare Workers

  [!WARNING] This provider requires the Cloudflare Workers Cache feature, which is currently in private beta. It is opt-in: nothing changes unless you import cacheCloudflare() and set it as your provider. But without beta access it does not work and should not be used. Cloudflare Workers run in front of the cache, so cached responses are never served, and calling cache.invalidate() throws an error.

  Setup

  Import cacheCloudflare() from @astrojs/cloudflare/cache and set it as your cache provider:

  import { defineConfig } from 'astro/config';
  import cloudflare from '@astrojs/cloudflare';
  import { cacheCloudflare } from '@astrojs/cloudflare/cache';
  export default defineConfig({
  adapter: cloudflare(),
  cache: {
  provider: cacheCloudflare(),
  },
  });

  The adapter automatically enables the Worker caching layer when a Cloudflare cache provider is configured. No manual wrangler.jsonc changes are needed.

  Caching responses

  Use Astro.cache.set() in your pages and API routes to cache responses. The provider sets Cloudflare-CDN-Cache-Control and Cache-Tag headers, which are read by Cloudflare's built-in caching layer. Cache hits bypass Worker execution entirely, meaning your Worker is not invoked for cached responses.

  ---
  Astro.cache.set({ maxAge: 300, tags: ['products'] });

... (truncated)

Commits

• f7283e0 [ci] release (#17180)
• fb0ab02 fix: localized error route status handling (#17087)
• 0db4b57 Add astro/virtual-modules/transitions.js to Cloudflare adapter optimizeDeps (...
• 7a7d879 fix(cloudflare): migrate optimizeDeps from esbuildOptions to rolldownOptions ...
• f55ba4c [ci] release (#17132)
• 9a53f77 feat: add CDN cache providers (#16335)
• 823f0d8 [ci] release (beta) (#17119)
• f95e58e feat: stabilise route caching (#17116)
• 96398e8 Skip Cloudflare runtime startup during type generation (#16961)
• 714e8c7 fix(cloudflare): relocate to assets root when base is set (#17107)
• Additional commits viewable in compare view

Updates astro from 6.4.8 to 7.0.3

Release notes

Sourced from astro's releases.

astro@7.0.3

Patch Changes

• #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

• #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

• #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

astro@7.0.2

Patch Changes

• Updated dependencies [3b5e994]:
  • @​astrojs/markdown-satteri@​0.3.2

astro@7.0.1

Patch Changes

• #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

• #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

• #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

• #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

astro@7.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

• #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

  Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

  This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

• #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

  When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

  A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

  New flag and subcommands

  • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
  • astro dev stop — Stop a running background dev server.
  • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
  • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

... (truncated)

Changelog

Sourced from astro's changelog.

7.0.3

Patch Changes

• #17189 24d2c9e Thanks @​astrobot-houston! - Fixes a bug where an error thrown inside one route's getStaticPaths() would prevent other valid routes from being matched in dev mode

• #16932 8f4a3db Thanks @​fkatsuhiro! - Fixes HMR for action files during development. Editing files in src/actions/ now takes effect on the next request without requiring a dev server restart.

• #17087 fb0ab02 Thanks @​jp-knj! - Fixes localized custom error pages in i18n projects so routes like /pt/404 are used for missing localized pages and return the correct status code

7.0.2

Patch Changes

• Updated dependencies [3b5e994]:
  • @​astrojs/markdown-satteri@​0.3.2

7.0.1

Patch Changes

• #17151 ccceda3 Thanks @​matthewp! - Fixes astro dev incorrectly starting in background mode for Warp terminal users. Hybrid environments like Warp are no longer treated as AI agents for auto-background detection.

• #17158 164df87 Thanks @​ematipico! - Fixes astro dev --background --host not listing the network addresses. The background server start output and astro dev status now show every exposed network URL, matching the foreground dev server.

• #17141 d785b9d Thanks @​astrobot-houston! - Fixes responsive image CSS overriding user styles defined inside CSS @layer blocks. The generated image styles are now wrapped in @layer astro.images, ensuring they have lower cascade priority than user-defined layers.

• #17150 1a61386 Thanks @​matthewp! - Fixes astro dev --background failing on Windows with "Failed to spawn background dev server process"

7.0.0

Major Changes

• #15819 cafec4e Thanks @​delucis! - Upgrade to Vite v8

• #16965 57ead0d Thanks @​Princesseuh! - Makes 'jsx' the default value for compressHTML

  Astro now strips whitespace from your HTML using JSX rules by default, the same way frameworks like React do. Whitespace and line breaks around elements are removed, but meaningful whitespace within a single line — like a space between two inline elements — is preserved. To keep a space that would otherwise be removed, write it explicitly in your source, for example with {" "}.

  This can change rendered output where whitespace between inline elements was previously meaningful. To keep Astro's earlier behavior, set compressHTML: true for HTML-aware compression, or compressHTML: false to preserve all whitespace.

• #16610 c63e7e4 Thanks @​matthewp! - Adds background dev server management for AI coding agents.

  When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

  A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

  New flag and subcommands

  • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
  • astro dev stop — Stop a running background dev server.

... (truncated)

Commits

• f7283e0 [ci] release (#17180)
• 24d2c9e Fix getStaticPaths error in one route blocking other matching routes in dev (...
• efdd4d1 [ci] format
• fb0ab02 fix: localized error route status handling (#17087)
• 8f4a3db Fix HMR for action files during development (#16932)
• fa6428a fix(dev): wire AbortController to socket close so request.signal reflects cli...
• ccd1e37 chore(head): remove meta title tag in favor of standard title tag (#17178)
• dc260da Remove legacy "X-UA-Compatible" meta tags (#17162)
• 74f5f24 chore: update Vite to 8.1 (#17160)
• a39b7a8 [ci] release (#17167)
• Additional commits viewable in compare view

Updates @astrojs/starlight from 0.40.0 to 0.41.1

Release notes

Sourced from @​astrojs/starlight's releases.

@​astrojs/starlight@​0.41.1

Patch Changes

• #3967 72e63dc Thanks @​HiDeoo! - Adds 2 new icons: link and link-alt.

• #3988 ac55cfa Thanks @​delucis! - Fixes a dependency resolution issue introduced in Starlight v0.41

• #3967 72e63dc Thanks @​HiDeoo! - Optimizes the icons of Markdown asides.

@​astrojs/starlight@​0.41.0

Minor Changes

• #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

  Upgrade Astro and dependencies

  ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

  ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

• #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.

Changelog

Sourced from @​astrojs/starlight's changelog.

0.41.1

Patch Changes

• #3967 72e63dc Thanks @​HiDeoo! - Adds 2 new icons: link and link-alt.

• #3988 ac55cfa Thanks @​delucis! - Fixes a dependency resolution issue introduced in Starlight v0.41

• #3967 72e63dc Thanks @​HiDeoo! - Optimizes the icons of Markdown asides.

0.41.0

Minor Changes

• #3951 1202dd4 Thanks @​HiDeoo! - Adds support for Astro v7, drops support for Astro v6.

  Upgrade Astro and dependencies

  ⚠️ BREAKING CHANGE: Astro v6 is no longer supported. Make sure you update Astro and any other official integrations at the same time as updating Starlight:

  npx @astrojs/upgrade

  Community Starlight plugins and Astro integrations may also need to be manually updated to work with Astro v7. If you encounter any issues, please reach out to the plugin or integration author to see if it is a known issue or if an updated version is being worked on.

  ⚠️ BREAKING CHANGE: This release drops official support for Chromium-based browsers prior to version 111 (released 07 March 2023) and Safari-based browsers prior to version 16.4 (released 27 March 2023). You can find a list of currently supported browsers and their versions using this browserslist query.

Patch Changes

• #3953 a935d33 Thanks @​HiDeoo! - Fixes Starlight Markdown processing being potentially applied to files that should not be processed.

Commits

• c1a3d6d [ci] release (#3989)
• 72e63dc Add link icons and dedupe Markdown/component icons (#3967)
• ac55cfa Update astro-expressive-code (#3988)
• fe11bb4 [ci] release (#3956)
• 1202dd4 Astro 7 support (#3951)
• a935d33 Fix Markdown processing path matching (#3953)
• 8deaf55 Improve Sätteri import comment (#3948)
• See full diff in compare view

Updates sharp from 0.34.5 to 0.35.2

Release notes

Sourced from sharp's releases.

v0.35.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

• Bound dilate and erode width to avoid mask-size overflow. #4548 @​metsw24-max

• Verify convolve kernel values are numbers. #4549 @​metsw24-max

v0.35.2-rc.2

• TypeScript: Add mediaType to metadata response. #4492

• Improve WebAssembly fallback detection. #4513

• Improve code bundler support with stub binaries. #4543

• Verify GIF effort option is an integer. #4544 @​metsw24-max

• Verify recomb matrix entries are numbers. #4545 @​metsw24-max

• TypeScript: Replace namespace with named exports for ESM. #4546

... (truncated)

Commits

• c9622a3 Release v0.35.2
• cd4568f Upgrade to sharp-libvips v1.3.1
• 78390cf Tests: Add font file to prevent font discovery flakiness (#4550)
• 61210b4 Verify convolve kernel values are numbers (#4549)
• 1cb27dc Prerelease v0.35.2-rc.2
• c7606c3 Upgrade to sharp-libvips v1.3.1-rc.0
• 29d1e9e Prerelease v0.35.2-rc.1
• bbba0a1 Improve code bundler support with stub binaries
• ab52866 Bound dilate and erode width to avoid mask-size overflow (#4548)
• 0f594dd Prerelease v0.35.2-rc.0
• Additional commits viewable in compare view

Updates three from 0.184.0 to 0.185.0

Commits

• See full diff in compare view

Updates @babel/parser from 7.29.7 to 8.0.0

Release notes

Sourced from @​babel/parser's releases.

v8.0.0 (2026-06-16)

NOTE: The changelog below is relative to v8.0.0-rc.6. You can find a summary of all the breaking changes shipped in the Babel 8 release line in the migration guide for users and migration guide for plugin developers.

Read the release blog post at http://babeljs.io/blog/2026/06/16/8.0.0!

👓 Spec Compliance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

💥 Breaking Change

• babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • #18069 Fallback to assuming ESM support with modules: auto (@​nicolo-ribaudo)
• babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • #18036 Remove corejs exports for @babe/runtime-corejs3 (@​liuxingbaoyu)
• babel-parser
  • #18034 Remove locations: "packed" (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #18046 fix(generator): improve new callee parens check (@​JLHwung)
• babel-plugin-transform-modules-systemjs
  • #18032 fix(systemjs): support proto as an export name (@​JLHwung)

📝 Documentation

• #18070 Add EOL date for Babel 7 (end of June 2027) to SECURITY.md (@​nicolo-ribaudo)

🏠 Internal

• #18018 ci: enforce yarn integrity (@​JLHwung)

🏃‍♀️ Performance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

Committers: 6

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• James Garbutt (@​43081j)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Sandy Chen (@​sandy2008)
• @​liuxingbaoyu

v8.0.0-rc.6 (2026-05-25)

Re-release all packages with npm provenance attestations

🐛 Bug Fix

• babel-generator
  • #18011 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core

... (truncated)

Changelog

Sourced from @​babel/parser's changelog.

v8.0.0 (2026-06-16)

👓 Spec Compliance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

💥 Breaking Change

• babel-cli, babel-node, babel-plugin-proposal-decorators, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-modules-commonjs, babel-plugin-transform-object-rest-spread, babel-plugin-transform-parameters, babel-plugin-transform-react-constant-elements, babel-plugin-transform-regenerator, babel-preset-env, babel-register
  • #18069 Fallback to assuming ESM support with modules: auto (@​nicolo-ribaudo)
• babel-plugin-transform-runtime, babel-runtime-corejs3, babel-runtime
  • #18036 Remove corejs exports for @babe/runtime-corejs3 (@​liuxingbaoyu)
• babel-parser
  • #18034 Remove locations: "packed" (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #18046 fix(generator): improve new callee parens check (@​JLHwung)
• babel-plugin-transform-modules-systemjs
  • #18032 fix(systemjs): support proto as an export name (@​JLHwung)

📝 Documentation

• #18070 Add EOL date for Babel 7 (end of June 2027) to SECURITY.md (@​nicolo-ribaudo)

🏠 Internal

• #18018 ci: enforce yarn integrity (@​JLHwung)

🏃‍♀️ Performance

• babel-core
  • #18039 perf: Only extract source map comments at the end of the file (@​liuxingbaoyu)

v8.0.0-rc.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18011 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #17999 fix: improve inputSourceMap URL handling (@​JLHwung)
• babel-core, babel-generator
  • #17992 Preserve original identifier names from input sourcemaps (@​Andarist)

🏠 Internal

• babel-core
  • #17970 Always use native Node.js TS support for config files (@​nicolo-ribaudo)
• babel-compat-data, babel-register
  • #17993 chore: use bundled dts for register and eslint-* (@​JLHwung)
• babel-helper-transform-fixture-test-runner, babel-node
  • #17989 Test Node.js 26 on CI (@​nicolo-ribaudo)
• babel-build-external-helpers, babel-cli, babel-generator, babel-helper-fixtures, babel-helper-plugin-test-runner, babel-helper-transform-fixture-test-runner, babel-node, babel-parser, babel-plugin-transform-modules-systemjs, babel-types
  • #18002 Add file URL support for test runners (@​JLHwung)

🔬 Output optimization

... (truncated)

Commits

• 7dc825a v8.0.0
• 05eb4be Remove locations: "packed" (#18034)
• 827d003 Change jest snapshotFormat (#18029)
• 73bceef v8.0.0-rc.6
• c6d71f3 Enable strictFunctionTypes (#17946)
• 0b91d35 Add file URL support for test runners (#18002)
• dc91f90 v8.0.0-rc.5
• b34c4e7 Bump typescript-eslint to 8.59.2 (#17984)
• e77fa07 breaking(code-frame): use 0-based columns to match Babel AST locations (#1… (...
• 7f2dda1 chore: add custom no-extraneous-dependencies rule (#17971)
• Additional commits viewable in compare view

Updates @hono/node-server from 2.0.5 to 2.0.6

Release notes

Sourced from @​hono/node-server's releases.

v2.0.6

What's Changed

• ci: publish to npm from CI with OIDC trusted publishing and bump np by @​yusukebe in honojs/node-server#361
• ci: use npm Staged publishing by @​yusukebe in honojs/node-server#364
• fix: preserve status and statusText when cloning a Response with liveheaders by @​usualoma in honojs/node-server#363

Full Changelog: honojs/node-server@v2.0.5...v2.0.6

Commits

• ff75c61 2.0.6
• 814720f fix: preserve status and statusText when cloning a Response with live headers...
• a76209a ci: use npm Staged publishing (#364)
• 44c365a ci: publish to npm from CI with OIDC trusted publishing and bump np (#361)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hono/node-server since your current version.

Updates @sentry/node from 10.60.0 to 10.62.0

Release notes

Sourced from @​sentry/node's releases.

10.62.0

Important Changes

• feat(server-runtimes): Add v7 support for vercelAiIntegration (#21613)

  The vercelAiIntegration now supports v7 of the ai package. Note that v7 is not yet supported on Cloudflare.

Other Changes

• fix(node): Avoid failing at runtime if tracingChannel is not available (#21783)
• fix(sveltekit): Avoid capturing preloaded 400 errors on client (#21784)

Work in this release was contributed by @​hyunbinseo. Thank you for your contribution!

• chore(github): Update tracked packages (#21789)
• feat(core): Add spanKindToName helper for reverse span-kind lookup (#21780)
• ref(aws-serverless): Streamline AwsLambda instrumentation (#21758)
• ref(node): Fix server-utils name for VercelAI integration (#21809)
• ref(node): Streamline amqplib instrumentation (#21753)
• ref(node): Streamline Firebase instrumentation (#21748)
• test: Pin webpack to 5.107.0 (#21781)
• test(e2e): Add no-browser-session lighthouse e2e test mode (#21787)
• test(e2e): Add more test modes, pre-init and element timing (#21760)

Bundle size 📦

Path	Size
@​sentry/browser	26.83 KB
@​sentry/browser - with treeshaking flags	25.3 KB
@​sentry/browser (incl. Tracing)	44.89 KB
@​sentry/browser (incl. Tracing + Span Streaming)	46.6 KB
@​sentry/browser (incl. Tracing, Profiling)	49.57 KB
@​sentry/browser (incl. Tracing, Replay)	83.22 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	73.06 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	87.8 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	100.17 KB
@​sentry/browser (incl. Feedback)	43.61 KB
@​sentry/browser (incl. sendFeedback)	31.5 KB
@​sentry/browser (incl. FeedbackAsync)	36.52 KB
@​sentry/browser (incl. Metrics)	27.87 KB
@​sentry/browser (incl. Logs)	28.11 KB
@​sentry/browser (incl. Metrics & Logs)	28.78 KB
@​sentry/react	28.59 KB
@​sentry/react (incl. Tracing)	47.15 KB

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.62.0

Important Changes

• feat(server-runtimes): Add v7 support for vercelAiIntegration (#21613)

  The vercelAiIntegration now supports v7 of the ai package. Note that v7 is not yet supported on Cloudflare.

Other Changes

• fix(node): Avoid failing at runtime if tracingChannel is not available (#21783)
• fix(sveltekit): Avoid capturing preloaded 400 errors on client (#21784)

Work in this release was contributed by @​hyunbinseo. Thank you for your contribution!

• chore(github): Update tracked packages (#21789)
• feat(core): Add spanKindToName helper for reverse span-kind lookup (#21780)
• ref(aws-serverless): Streamline AwsLambda instrumentation (#21758)
• ref(node): Fix server-utils name for VercelAI integration (#21809)
• ref(node): Streamline amqplib instrumentation (#21753)
• ref(node): Streamline Firebase instrumentation (#21748)
• test: Pin webpack to 5.107.0 (#21781)
• test(e2e): Add no-browser-session lighthouse e2e test mode (#21787)
• test(e2e): Add more test modes, pre-init and element timing (#21760)

10.61.0

Important Changes

• feat(core): Enable streamGenAiSpans by default (#21732)

  The SDK now extracts all gen_ai spans out of a transaction and sends them as v2 envelope items by default. This prevents gen_ai spans from being dropped when the transaction payload exceeds size limits. Because they are no longer constrained by transaction size limits, AI message data is also no longer truncated by default. Set enableTruncation: true on the respective AI integration to re-enable truncation. To keep the previous behavior, set streamGenAiSpans: false.

  Self-hosted Sentry users should opt out with streamGenAiSpans: false, since streamed gen_ai spans may not be ingested by their Sentry instance.

Other Changes

• feat(cloudflare): Add batch, exec, and withSession D1 instrumentation (#21292)
• feat(cloudflare): Instrument SQL API in sqlite durable objects (#21656)
• feat(core): Add db.query.summary functionality (#21670)
• feat(core): Add top-level Sentry.setAttribute(s) APIs (#21705)
• fix(hono): Name transactions after the matched route handler (#21700)
• fix(react-router): Bump peerDependencies for react-router 8 (#21762)
• fix(replays): Record replay Description has been truncated

[greptile-apps]

PR author is in the excluded authors list.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	posthog-node@​5.38.7
	@​types/​three@​0.185.0
	@​babel/​parser@​8.0.0
	@​astrojs/​cloudflare@​14.0.1
	@​astrojs/​starlight@​0.41.1
	three@​0.185.0
	astro@​7.0.3
	@​ungap/​structured-clone@​1.3.2
	@​hono/​node-server@​2.0.6
	sharp@​0.35.2
	@​sentry/​node@​10.62.0
	hono@​4.12.27
	graphql@​16.14.2 ⏵ 17.0.1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @sentry/node-core is 60.0% likely obfuscated Confidence: 0.60 Location: Package overview From: pnpm-lock.yaml → npm/@sentry/node@10.62.0 → npm/@sentry/node-core@10.62.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/node-core@10.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm astro is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/catalog/package.json → npm/astro@7.0.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm three is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/landing/package.json → npm/three@0.185.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/three@0.185.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml