feat: Ensure to use unwrapped versions of setTimeout / clearTimeout#176
Let's see if that helps with Angular performance some more...!
size-limit report 📦
Very interesting! It kinda makes sense after thinking about it. ZoneJS patches all of these global APIs so let's see 🍿
(long term this might phase out with Angular becoming zone-less in favor of signals but this will take a long time until it's used broadly)
Yeah, I'd say the bundle size hit is acceptable here, and we can revert it later if we want/need to!
billyvg left a comment
🙏
We will also want to do this for the setTimeouts in our replay package
Let's ship this, I'd say, and see if it already improves things, then we can also add this to replay itself, at least in hot paths related to rrweb events etc!
@mydea when I was debugging, I saw that it was being triggered by our click handler in the replay package
sad! I guess let's implement it there as well then, will add some bundle size but I guess it's worth it!
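The technique the thread describes, as an added example that is not the PR's own code: Zone.js stores the original of each global it patches under `Zone.__symbol__('setTimeout')`, i.e. the `__zone_symbol__setTimeout` key on the global object, so a library can read that key to schedule timers without triggering Angular change detection. The fake Zone-style patch below is a constructed stand-in used to show the difference; `getUnwrappedTimers` and `installFakeZonePatch` are names chosen here, not identifiers from the project.

```javascript
// Zone.js keeps the native function under '__zone_symbol__' + name (assumed here
// from Zone.js's documented Zone.__symbol__ convention).
const ZONE_PREFIX = '__zone_symbol__';

function getUnwrappedTimers(g = globalThis) {
  const nativeSet = g[ZONE_PREFIX + 'setTimeout'];
  const nativeClear = g[ZONE_PREFIX + 'clearTimeout'];
  const unwrapped = typeof nativeSet === 'function' && typeof nativeClear === 'function';
  // Fall back to the globals when Zone.js is not loaded (plain browser or Node).
  return {
    setTimeout: unwrapped ? nativeSet.bind(g) : g.setTimeout.bind(g),
    clearTimeout: unwrapped ? nativeClear.bind(g) : g.clearTimeout.bind(g),
    unwrapped,
  };
}

// Constructed stand-in for Zone.js: wrap the globals the way Zone.js does,
// stash the originals under the __zone_symbol__ keys, and count patched calls.
function installFakeZonePatch(g = globalThis) {
  const counters = { setTimeout: 0, clearTimeout: 0 };
  const origSet = g.setTimeout;
  const origClear = g.clearTimeout;
  g[ZONE_PREFIX + 'setTimeout'] = origSet;
  g[ZONE_PREFIX + 'clearTimeout'] = origClear;
  g.setTimeout = function (...args) { counters.setTimeout++; return origSet.apply(g, args); };
  g.clearTimeout = function (...args) { counters.clearTimeout++; return origClear.apply(g, args); };
  return counters;
}

function demo() {
  const counters = installFakeZonePatch();
  const timers = getUnwrappedTimers();
  // Schedule and cancel through the unwrapped functions: the patch never sees them.
  const id = timers.setTimeout(() => {}, 0);
  timers.clearTimeout(id);
  // The patched globals, by contrast, are counted once each.
  globalThis.clearTimeout(globalThis.setTimeout(() => {}, 0));
  return { unwrapped: timers.unwrapped, ...counters };
}
```

In a real Angular app the counters would correspond to change-detection work scheduled by Zone.js; the unwrapped calls avoid it, which is the performance win the PR is after.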
…t` (#176) Let's see if that helps with Angular performance some more...! Closes getsentry/sentry-javascript#11661 (hopefully...)
Remove lerna and replace its two uses with lighter alternatives:

- **`lerna version`** → `scripts/bump-version.js` — a ~80-line Node script that updates all workspace `package.json` versions and `@sentry-internal/*` cross-references to the exact new version. Modeled after [sentry-javascript#19325](getsentry/sentry-javascript#19325).
- **`lerna run build:tarball`** → `turbo run build:tarball` — Turborepo is already used for all other cross-package tasks.

Lerna was pulling in a large transitive dependency tree including packages with known vulnerabilities. This removes ~2,300 lines from `yarn.lock`.

### Dependabot alerts resolved

**Fully resolved** (vulnerable package completely removed from lockfile):

| Alert | Severity | Package | Summary |
|-------|----------|---------|---------|
| #217 | HIGH | `tar` | Symlink Path Traversal via Drive-Relative Linkpath |
| #216 | HIGH | `tar` | Hardlink Path Traversal via Drive-Relative Linkpath |
| #185 | HIGH | `tar` | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain |
| #176 | HIGH | `tar` | Arbitrary File Creation/Overwrite via Hardlink Path Traversal |
| #174 | HIGH | `tar` | Race Condition via Unicode Ligature Collisions on macOS APFS |
| #172 | HIGH | `tar` | Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization |
| #137 | HIGH | `axios` | SSRF and Credential Leakage via Absolute URL |

**Partially resolved** (some vulnerable entries removed, but the package still exists via other dependency chains):

| Alert | Severity | Package | Remaining source |
|-------|----------|---------|------------------|
| #213, #208, #207, #205 | HIGH | `minimatch` | `markdownlint-cli`, `vite-plugin-dts` still pull in vulnerable versions |
| #161 | HIGH | `glob` | `markdownlint-cli`, `web-ext-run` still pull in vulnerable versions |
| #136, #135 | CRITICAL | `form-data` | `jest` (via jsdom) still pulls in `form-data@3.0.2` |
| #158, #157 | MEDIUM | `js-yaml` | `@changesets/cli`, `jest` still pull in `js-yaml@3.14.1` |

The partially resolved alerts will be addressed in later phases (Phase 6: mop up remaining — bumping `markdownlint-cli`, `@changesets/cli`, `jest`/rrvideo, etc.). Part of the ongoing effort to resolve all Dependabot alerts on this repo.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>