feat(core): Add framework-agnostic tunnel handler

[nikolovlazar]

Update

After talking to the team, we decided to scope this PR only to the core util function, and handle framework adapters in other PRs. For that reason, I've deleted the initial TanStack Start adapter.

---

original PR description:

Overview

Right now only the Next.js SDK has a built-in tunnel handler on the backend side, but this PR aims to extract the tunnel handling logic in plain JavaScript in @sentry/core, and provide framework-specific adapters.

Framework-specific adapters checklist

• Next.js
• Remix
• SvelteKit
• Nuxt
• Astro
• Solid Start
• TanStack Start React
• Nest.js
• ...?

Questions for the team

• Is @sentry/core a good home for the framework-agnostic tunnel handler function?
• What framework-specific adapters am I missing in the checklist? (cloudflare, aws, google cloud services, vercel edge, bun, deno)
• How do we standardize this across all SDKs, not just JavaScript?

TODOs

• Finalize framework adapters list
• E2E tests

Closes #19394 (added automatically)

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	9,343	-	9,260	+1%
GET With Sentry	1,621	17%	1,651	-2%
GET With Sentry (error only)	6,024	64%	6,188	-3%
POST Baseline	1,165	-	1,202	-3%
POST With Sentry	565	48%	574	-2%
POST With Sentry (error only)	1,061	91%	1,057	+0%
MYSQL Baseline	3,186	-	3,266	-2%
MYSQL With Sentry	366	11%	431	-15%
MYSQL With Sentry (error only)	2,580	81%	2,643	-2%

View base workflow run

[logaretm]

Is @sentry/core a good home for the framework-agnostic tunnel handler function?

So the issue with @sentry/core is that adding any code to it increases the bundle size across all the SDKs, so this will increase the bundle size of strictly client-side SDKs (e.g: Vue and React) without providing value to their users.

I think having an agnostic tunnel implementation is worth having, but perhaps we should introduce a @sentry/server-utils SDK similiar to the browser-utils one which would contain this logic, and only SSR SDKs can then use it to implement their tunnel utility.

One thing to keep in mind is different implementations of the tunnel feature depends heavily on the framework itself, in Next.js it is implemented as simple re-write rules, so we almost don't have any runtime logic for it on the serve-side.

cc @Lms24

[timfish]

So the issue with @sentry/core is that adding any code to it increases the bundle size across all the SDKs

This is not the case because of tree-shaking. We have the ServerRuntimeClient in @sentry/core and it doesn't impact front-end bundle size.

If a helper like this ends up in the Node SDK it won't be usable in non-Node based SDKs.

[timfish]

I'm not sure it's enough to just check the host matches. We should have a list of allowed DSNs and only forward when they match.

[nikolovlazar]

Yeah the allowedDsnComponents are passed from the outside and they're exactly that - a list of allowed DSNs.

[nikolovlazar]

maybe instead of turning them in components we should pass them as string arrays and do a plain string comparison?

[Lms24]

I kinda like this approach over #14137 because it returns the response to the caller. We need to make sure that the client SDK receives Sentry's response to correctly handle rate limits to avoid backpressure build ups of rate-limited data. This way, the client SDK will apply the rate limits on its end and stop sending stuff to the tunnel endpoint. (Tim, let me know if I misinterpreted your PR and we do in fact handle rate limiting)

I have one request though: Let's split this PR up into the core change that adds the helper and then the Tanstack Start stuff on top. We should also add tests for the core handler alone. I'd recommend we take inspiration from #14137 on the integration test front.

[Lms24]

l: is this really the case? Do we have to create stubs from all of our server exports in TSS? (cc @nicohrubec)

[Lms24]

l: I think we should always assume bytes here, to avoid callers accidentally already strinfifying compressed/binary payloads

Suggested change

	body: string | Uint8Array,
	body: Uint8Array,

[Lms24]

I'd also refactor this a bit to an options object parameter (for future proofing) and as you suggested, make it accept a list of DSN strings. This should be easier for users to use. For us internally, it should make no difference.

[timfish]

This way, the client SDK will apply the rate limits on its end and stop sending stuff to the tunnel endpoint

No you're totally right. This is a better approach!

I think ideally we also want a wrapper with Request in, Response out which will be easier to use for many frameworks.

If we auto setup tunneling to frameworks (like nextjs does) we should use some random ID rather than /sentry or something static because ad-blockers are going to block that too. The nice thing with auto setup is we can include the server-side DSN as allowed.

[Lms24]

I think ideally we also want a wrapper with Request in, Response out which will be easier to use for many frameworks.

Yup that would be ideal. My thinking was that some frameworks use different kinds of Response objects but turns out the one I had in mind (Sveltekit) actually uses the builtin Response. So @nikolovlazar let's start with Request => Response and if necessary create another more abstract handler later.

If we auto setup tunneling to frameworks (like nextjs does) we should use some random ID rather than /sentry or something static because ad-blockers are going to block that too.

+1 for the random id but let's be careful about full auto setup. AFAIK, we don't auto enable tunnelRoute by default in NextJS. The reason being that this can massively increase users' billing.

[Copilot]

Pull request overview

This pull request extracts the tunnel handler logic from the Next.js SDK into a framework-agnostic core utility function in @sentry/core. The tunnel handler validates incoming Sentry envelopes against allowed DSNs and forwards them to the Sentry ingest endpoint, providing SSRF protection. The implementation supports the broader goal of standardizing tunnel functionality across multiple framework SDKs (Next.js, Remix, SvelteKit, Nuxt, Astro, etc.).

Changes:

• Adds handleTunnelRequest function to @sentry/core/utils/tunnel.ts as a framework-agnostic tunnel handler
• Adds comprehensive test suite for the tunnel handler covering various success and error scenarios
• Exports the new tunnel handler and its options type from @sentry/core
• Adds a client-side stub for createTunnelHandler in TanStack Start React package

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
packages/core/src/utils/tunnel.ts	Core tunnel handler implementation with DSN validation and envelope forwarding
packages/core/test/lib/utils/tunnel.test.ts	Test suite covering tunnel handler functionality
packages/core/src/index.ts	Exports for the tunnel handler function and options type
packages/tanstackstart-react/src/client/index.ts	Client-side no-op stub (appears to be unused/leftover code)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Codecov Results 📊

---

Generated by Codecov Action

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.61 kB	-	-
@sentry/browser - with treeshaking flags	24.12 kB	-	-
@sentry/browser (incl. Tracing)	42.42 kB	-	-
@sentry/browser (incl. Tracing, Profiling)	47.08 kB	-	-
@sentry/browser (incl. Tracing, Replay)	81.24 kB	-	-
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	70.86 kB	-	-
@sentry/browser (incl. Tracing, Replay with Canvas)	85.93 kB	-	-
@sentry/browser (incl. Tracing, Replay, Feedback)	98.09 kB	-	-
@sentry/browser (incl. Feedback)	42.33 kB	-	-
@sentry/browser (incl. sendFeedback)	30.28 kB	-	-
@sentry/browser (incl. FeedbackAsync)	35.28 kB	-	-
@sentry/browser (incl. Metrics)	26.78 kB	-	-
@sentry/browser (incl. Logs)	26.92 kB	-	-
@sentry/browser (incl. Metrics & Logs)	27.6 kB	-	-
@sentry/react	27.37 kB	-	-
@sentry/react (incl. Tracing)	44.76 kB	-	-
@sentry/vue	30.06 kB	-	-
@sentry/vue (incl. Tracing)	44.26 kB	-	-
@sentry/svelte	25.64 kB	-	-
CDN Bundle	28.16 kB	-	-
CDN Bundle (incl. Tracing)	43.25 kB	-	-
CDN Bundle (incl. Logs, Metrics)	29 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics)	44.09 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics)	68.08 kB	-	-
CDN Bundle (incl. Tracing, Replay)	80.12 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	80.99 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback)	85.56 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.46 kB	-	-
CDN Bundle - uncompressed	82.33 kB	-	-
CDN Bundle (incl. Tracing) - uncompressed	128.05 kB	-	-
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.17 kB	-	-
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	130.88 kB	-	-
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	208.83 kB	-	-
CDN Bundle (incl. Tracing, Replay) - uncompressed	244.93 kB	-	-
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	247.75 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	257.73 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	260.54 kB	-	-
@sentry/nextjs (client)	47.17 kB	-	-
@sentry/sveltekit (client)	42.88 kB	-	-
@sentry/node-core	52.18 kB	+0.02%	+9 B 🔺
@sentry/node	166.54 kB	+0.01%	+6 B 🔺
@sentry/node - without tracing	93.97 kB	+0.02%	+10 B 🔺
@sentry/aws-serverless	109.47 kB	+0.01%	+9 B 🔺

View base workflow run

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[Lms24]

Thanks Lazar! One more cleanup task, then let's merge this!

[Lms24]

Thanks for iterating and making the changes!

(heads-up: I adjusted the PR title to reflect our commit message conventions)

[github-actions]

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

Breaking Changes 🛠

• (tanstackstart-react) Export Vite plugin from @sentry/tanstackstart-react/vite subpath by nicohrubec in #19182

New Features ✨

Astro

• Add Astro 6 support by Lms24 in #19745
• Add support for Astro on CF Workers by JPeer264 in #19265

Core

• Add framework-agnostic tunnel handler by nikolovlazar in #18892

• Add sentry.timestamp.sequence attribute for timestamp tie-breaking by logaretm in #19421
• Add framework-agnostic tunnel handler by nikolovlazar in #18892

Deno

• Set http response header attributes instead of response context headers by Lms24 in #19822
• Export logs API from Deno SDK by sergical in #19313
• Export metrics API from Deno SDK by sergical in #19305
• Instrument Deno.serve with async context support by isaacs in #19230

Deps

• Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
• Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887
• Bump yauzl from 3.2.0 to 3.2.1 by dependabot in #19809
• Bump mysql2 from 3.14.4 to 3.19.1 by dependabot in #19787
• Bump OpenTelemetry dependencies by andreiborza in #19682
• Bump hono from 4.12.5 to 4.12.7 by dependabot in #19747
• Bump simple-git from 3.30.0 to 3.33.0 by dependabot in #19744
• Bump @sentry/rollup-plugin from 5.1.0 to 5.1.1 by dependabot in #19658
• Bump @hono/node-server from 1.19.4 to 1.19.10 by dependabot in #19634
• Bump underscore from 1.12.1 to 1.13.8 by dependabot in #19616
• Bump rxjs from 7.8.1 to 7.8.2 by dependabot in #19545
• Bump the opentelemetry group with 4 updates by dependabot in #19425
• Bump hono from 4.11.7 to 4.11.10 by dependabot in #19440
• Bump body-parser from 1.20.4 to 2.2.2 by dependabot in #19191
• Bump babel-loader from 8.2.5 to 10.0.0 by dependabot in #19303
• Bump qs from 6.14.1 to 6.14.2 by dependabot in #19310
• Bump @rollup/plugin-node-resolve from 15.2.3 to 16.0.3 by dependabot in #19193

Hono

• Add basic instrumentation for Node runtime by s1gr1d in #19817
• Instrument middlewares app.use() by s1gr1d in #19611
• Use parametrized names for errors by s1gr1d in #19577

Nestjs

• Instrument @nestjs/bullmq by nicohrubec in #19759
• Use more specific span origins for NestJS guards, pipes, interceptors, and exception filters by nicohrubec in #19751
• Instrument @nestjs/schedule decorators by nicohrubec in #19735

Nextjs

• Vercel queue instrumentation by chargome in #19799
• Add experimental support for react component annotation in Turbopack by chargome in #19604
• Experimental support for thirdPartyErrorFilterIntegration on Turbopack by chargome in #19542
• Use not: foreign condition in turbopack loaders by chargome in #19502
• Add sourcemaps.filesToDeleteAfterUpload as a top-level option by chargome in #19280

Node

• Add nodeRuntimeMetricsIntegration by chargome in #19923
• Avoid OTEL instrumentation for outgoing requests on Node 22+ by mydea in #17355
• Expose headersToSpanAttributes option on nativeNodeFetchIntegration by andreiborza in #19770
• Bump to latest @fastify/otel by andreiborza in #19452
• Add ignoreConnectSpans option to postgresIntegration by Lms24 in #19291

Other

• (browser/cloudflare) Export conversation id from browser and cloudflare runtimes by nicohrubec in #19820
• (bun) Set http response header attributes instead of response context headers by Lms24 in #19821
• (ci) Add security vulnerability skill action by nicohrubec in #19355
• (cloudflare) Instrument async KV API by JPeer264 in #19404
• (consola) Enhance Consola integration to extract first-param object as searchable attributes by s1gr1d in #19534
• (core,cloudflare) Add dispose to the client for proper cleanup by JPeer264 in #19506
• (core,cloudflare,deno) Add instrumentPostgresJsSql instrumentation by andreiborza in #19566
• (effect) Add @sentry/effect SDK (alpha) by JPeer264 in #19644
• (elysia) Elysia SDK by logaretm in #19509
• (feedback) Add setTheme() to dynamically update feedback widget color scheme by chargome in #19430
• (node-core,node) Add tracePropagation option to http and fetch integrations by andreiborza in #19712
• (nuxt) Conditionally use plugins based on Nitro version (v2/v3) by s1gr1d in #19955
• (react-router) Include middleware function names and indices by onurtemizkan in #19109
• (remix) Server Timing Headers Trace Propagation by onurtemizkan in #18653
• (tanstackstart-react) Add global sentry exception middlewares by nicohrubec in #19330

Bug Fixes 🐛

Browser

• Skip browserTracingIntegration setup for bot user agents by chargome in #19708
• Fix missing traces for user feedback by andreiborza in #19660
• Ensure user id is consistently added to sessions by Lms24 in #19341

Cloudflare

• Send correct events in local development by JPeer264 in #19900
• Forward ctx argument to Workflow.do user callback by Lms24 in #19891
• Use correct env types for withSentry by JPeer264 in #19836
• Recreate client when previous one was disposed by JPeer264 in #19727
• Use correct Proxy receiver in instrumentDurableObjectStorage by dmmulroy in #19662

Core

• Preserve .withResponse() on Anthropic instrumentation by nicohrubec in #19935
• Truncate content array format in Vercel by nicohrubec in #19911
• Send internal_error as span status for Vercel error spans by nicohrubec in #19921
• Do not overwrite user provided conversation id in Vercel by nicohrubec in #19903
• Return same value from startSpan as callback returns by s1gr1d in #19300
• Align error span status message with core SpanStatusType for langchain/google-genai by nicohrubec in #19863
• Fallback to sendDefaultPii setting in langchain and langgraph in non-node environments by nicohrubec in #19813
• Align Vercel embedding spans with semantic conventions by nicohrubec in #19795
• Improve Vercel AI SDK instrumentation attributes by RulaKhaled in #19717
• Standardize Vercel AI span descriptions to align with GenAI semantic conventions by RulaKhaled in #19624
• Do not remove promiseBuffer entirely by JPeer264 in #19592
• Strip inline media from multimodal content before stringification by RulaKhaled in #19540
• Improve message truncation for multimodal content and normalize streaming span names by RulaKhaled in #19500
• Explicitly flush log buffer in client.close() by chargome in #19371
• Wrap decodeURI in node stack trace parser to handle malformed URIs by Lms24 in #19400
• Langgraph state graph invoke accepts null to resume by nicohrubec in #19374

Deps

• Update lockfile to resolve h3@1.15.10 by chargome in #19933
• Bump fast-xml-parser to 5.5.8 in @azure/core-xml chain by chargome in #19918
• Bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps by chargome in #19917
• Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880
• Bump next to 15.5.13/16.1.7 to fix CVE-2026-1525, CVE-202-33036 and related by chargome in #19870
• Bump devalue 5.6.3 to 5.6.4 to fix CVE-2026-30226 by chargome in #19849
• Bump file-type to 21.3.2 and @nestjs/common to 11.1.17 by chargome in #19847
• Bump unhead 2.1.4 to 2.1.12 to fix CVE-2026-31860 and CVE-2026-31873 by chargome in #19848
• Bump flatted 3.3.1 to 3.4.2 to fix CVE-2026-32141 by chargome in #19842
• Bump tar 7.5.10 to 7.5.11 to fix CVE-2026-31802 by chargome in #19846
• Bump hono 4.12.5 to 4.12.7 in cloudflare-hono E2E test app by chargome in #19850
• Bump undici 6.23.0 to 6.24.1 to fix multiple CVEs by chargome in #19841
• Bump svgo to 4.0.1 to fix DoS via entity expansion by chargome in #19651
• Bump hono to 4.12.5 to fix multiple vulnerabilities by chargome in #19653
• Bump tar to 7.5.10 to fix hardlink path traversal by chargome in #19650
• Bump fast-xml-parser to 4.5.4 for CVE-2026-25896 by chargome in #19588
• Bump transitive rollup deps to patch CVE-2026-27606 by chargome in #19565
• Bump to latest version of each minimatch major by andreiborza in #19486
• Bump nuxt devDependency to fix CVE-2026-24001 by chargome in #19249

Hono

• Align error mechanism by s1gr1d in #19831
• Allow passing env and fix type issues by s1gr1d in #19825

Nestjs

• Add node to nest metadata by chargome in #19875
• Fork isolation scope in @nestjs/event-emitter instrumentation by nicohrubec in #19725
• Improve control flow exception filtering by nicohrubec in #19524

Nextjs

• Skip tracing for tunnel requests by chargome in #19861
• Strip sourceMappingURL comments after deleting source maps in turbopack builds by chargome in #19814
• Log correct lastEventId when error is thrown in component render by s1gr1d in #19764
• Align Turbopack module metadata injection with webpack behavior by chargome in #19645
• Normalize trailing slashes in App Router route parameterization by logaretm in #19365
• Don't set sentry.drop_transaction attribute on spans when skipOpenTelemetrySetup is enabled by chargome in #19333
• Apply environment from options if set by s1gr1d in #19274
• Return correct lastEventId for SSR pages by s1gr1d in #19240
• Set parameterized transaction name for non-transaction events by chargome in #19316

Node Core

• Recycle propagationContext for each request by Lms24 in #19835
• Align pino mechanism type with spec conventions by logaretm in #19363
• Reduce bundle size by removing apm-js-collab and requiring pino >= 9.10 by logaretm in #18631

Nuxt

• Upload client source maps by s1gr1d in #19805
• Use options.rootDir instead of options.srcDir by s1gr1d in #19343

Tanstackstart React

• Add workerd and worker export conditions by smorimoto in #19461
• Flush events in server entry point for serverless environments by nicohrubec in #19513

Other

• (astro) Do not inject withSentry into Cloudflare Pages by JPeer264 in #19558
• (aws-serverless) Prevent crash in isPromiseAllSettledResult with null/undefined array elements by chargome in #19346
• (consola) Normalize extra keys from consola by s1gr1d in #19511
• (core,browser) Delete SentryNonRecordingSpan from fetch/xhr map by JPeer264 in #19336
• (craft) Add missing mainDocsUrl for @sentry/effect SDK by bc-sentry in #19860
• (deno) Clear pre-existing OTel global before registering TracerProvider by sergical in #19723
• (langchain) Use runName argument in handleChainStart to fix unknown_chain spans by priscilawebdev in #19554
• (node) Prevent duplicate LangChain spans from double module patching by nicohrubec in #19684
• (node-core,vercel-edge) Use HEROKU_BUILD_COMMIT env var for default release by andreiborza in #19617
• (profiling-node) Fix NODE_VERSION rendered as [object Object] in warning by logaretm in #19788
• (react-router) Set correct transaction name when navigating with object argument by nicohrubec in #19590
• (serverless) Add node to metadata by nicohrubec in #19878
• (sveltekit) Fix file system race condition in source map cleaning by chargome in #19714
• (triage-issue) Fix Linear idempotency check to match actual report header by chargome in #19489
• (vercel-ai) Prevent tool call span map memory leak by lithdew in #19328
• (vue) Remove deprecated next callback from router instrumentation by YevheniiKotyrlo in #19476
• Bump bundler plugins to v5 by andreiborza in #19468
• Updated the codecov config by MathurAditya724 in #19350

Documentation 📚

New Release

• Document sdkName for craft by s1gr1d in #19736
• Update docs based on new Craft flow by s1gr1d in #19731

Other

• (changelog) Add entry for @sentry/hono alpha release by s1gr1d in #19828
• (hono) Document usage without "*" by s1gr1d in #19756
• (nuxt) Remove duplicated setup instructions by s1gr1d in #19422
• (release) Update publishing-a-release.md by nicohrubec in #19982

Internal Changes 🔧

Agents

• Be more explicit on linting and formatting by chargome in #19803
• Add skill-scanner skill by chargome in #19608
• Sync dotagents by chargome in #19606
• Add scan all mode for security skill by chargome in #19598
• Remove stale cursor commands by chargome in #19560
• Add nested AGENTS.md for nextjs by chargome in #19556
• Add nested AGENTS.md for browser by chargome in #19551
• Migrate repo-wide cursor rules to skills by chargome in #19549
• Add dotagents by chargome in #19526
• Consolidate SDK dev rules into AGENTS.md by chargome in #19521

Changelog

• Update changelog for 10.46.0 by nicohrubec in #19973
• Add changelog for 10.45.0 by Lms24 in #19877
• Update changelog for 10.44.0 by JPeer264 in #19843
• Update changelog for 10.43.0 by chargome in #19716
• Update changelog for 10.42.0 by JPeer264 in #19601
• Update changelog for 10.41.0 by andreiborza in #19576
• Update changelog for 10.40.0 by chargome in #19488

Ci

• Fix "Gatbsy" typo in issue package label workflow by chargome in #19905
• Extract metadata workflow by chargome in #19680
• Allow triage action to run on issues from external users by chargome in #19701
• Validate alert id by chargome in #19499
• Adapt max turns of triage issue agent by chargome in #19473
• Add id-token: write permission to triage workflow by chargome in #19381
• Add environment to triage action by chargome in #19375
• Move monorepo to nx by chargome in #19325

Cloudflare

• Enable multi-worker tests for CF integration tests by JPeer264 in #19938
• Prepare for WorkerEntrypoint by JPeer264 in #19742
• Move internal files and functions around by JPeer264 in #19369

Core

• Remove duplicate buildMethodPath utility from openai by nicohrubec in #19969
• Simplify core utility functions for smaller bundle by HazAT in #19854
• Fix flaky metric sequence number test by nicohrubec in #19754

Deps

• Bump next from 16.1.5 to 16.1.7 in /dev-packages/e2e-tests/test-applications/nextjs-16 by dependabot in #19851
• Bump tedious from 18.6.1 to 19.2.1 by dependabot in #19786
• Bump immutable from 4.0.0 to 4.3.8 by dependabot in #19637
• Bump @sveltejs/kit to 2.53.3 in sveltekit-2-svelte-5 E2E test by chargome in #19594
• Bump actions/checkout from 4 to 6 by dependabot in #19570
• Bump rollup to 4.59.0 to fix path traversal vulnerability by chargome in #19538
• Bump Sentry CLI to latest v2 by chargome in #19477
• Bump transitive dep fast-xml-parser by Lms24 in #19433
• Upgrade tar to 7.5.9 to fix CVE-2026-26960 by Lms24 in #19445
• Bump hono from 4.11.7 to 4.11.10 in /dev-packages/e2e-tests/test-applications/cloudflare-hono by dependabot in #19438
• Bump @actions/glob from 0.4.0 to 0.6.1 by dependabot in #19427
• Bump agents from 0.2.32 to 0.3.10 in /dev-packages/e2e-tests/test-applications/cloudflare-mcp by dependabot in #19326

Deps Dev

• Bump effect from 3.19.19 to 3.20.0 by dependabot in #19926
• Bump qunit-dom from 3.2.1 to 3.5.0 by dependabot in #19546
• Bump @react-router/node from 7.13.0 to 7.13.1 by dependabot in #19544
• Bump file-type from 20.5.0 to 21.3.1 by dependabot in #19748
• Bump @sveltejs/kit from 2.52.2 to 2.53.3 by dependabot in #19571
• Bump @sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-cloudflare-pages by dependabot in #19462
• Bump @sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-2 by dependabot in #19441
• Bump @sveltejs/kit from 2.49.5 to 2.52.2 in /dev-packages/e2e-tests/test-applications/sveltekit-2-kit-tracing by dependabot in #19446
• Bump @sveltejs/kit from 2.50.1 to 2.52.2 by dependabot in #19442
• Bump @types/ember__debug from 3.16.5 to 4.0.8 by dependabot in #19429
• Bump @testing-library/react from 13.0.0 to 15.0.5 by dependabot in #19194
• Bump ember-resolver from 13.0.2 to 13.1.1 by dependabot in #19301

E2e

• Add MFE e2e test using vite-plugin-federation by chargome in #19778
• Add websockets e2e for nestjs by nicohrubec in #19630
• Expand microservices E2E application with auto-tracing tests by nicohrubec in #19652
• Add microservices e2e for nestjs by nicohrubec in #19642

Fix Security Vulnerability

• Remove security vulnerability action by nicohrubec in #19602
• Run fetch alert first before executing skill by nicohrubec in #19418
• Use opus 4.6 by nicohrubec in #19416
• Be specific about how to fetch the alert page by nicohrubec in #19414
• Add id token write permission by nicohrubec in #19412

Github

• Add tilde to file path to not exact-match by s1gr1d in #19392
• Change tool permission path by s1gr1d in #19389
• Add write tool for markdown report by s1gr1d in #19387
• Add allowedTools to Claude GitHub action by s1gr1d in #19386
• Add workflow to trigger triage-issue skill by s1gr1d in #19358

Lint

• Resolve oxlint warnings by isaacs in #19893
• Rule adjustments and fix warnings by logaretm in #19612
• Remove junit report file by chargome in #19491

Llm

• Better defense against prompt injection in triage skill by chargome in #19410
• Make cross-repo search optional and remove file cleanup by chargome in #19401
• Add triage-issue skill by chargome in #19356

Nextjs

• Skip broken ISR tests by chargome in #19871
• Add vercel queue tests to next-16 by chargome in #19798
• Add sourcemaps test for nextjs turbopack by chargome in #19647
• Deactivate canary test for cf-workers by chargome in #19483
• Add bun e2e test app by chargome in #19318

Nuxt

• Extract core logic for storage/database to prepare for Nuxt v5 by s1gr1d in #19920
• Extract handler patching to extra plugin for Nitro v2/v3 by s1gr1d in #19915
• Use addVitePlugin instead of deprecated vite:extendConfig by s1gr1d in #19464
• Remove defineNitroPlugin wrapper by s1gr1d in #19334

Repo

• Increase number of concurrently running nx tasks by Lms24 in #19443
• Allow WebFetch for Sentry docs in Claude settings by philipphofmann in #18890

Skills

• Add skill-creator and update managed agent skills by chargome in #19713
• Add bump-size-limit skill by Lms24 in #19715
• Add security notes for injection defense by s1gr1d in #19379

Triage Skill

• Increase num_turns and add script to post summary by s1gr1d in #19456
• Run on opened issues by s1gr1d in #19423
• Add GitHub parsing python util script by s1gr1d in #19405
• Allow Write and remove rm permission by s1gr1d in #19397

Other

• (angular) Fix failing canary test by Lms24 in #19639
• (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
• (astro,cloudflare) Add an E2E test for Astro 6 on Cloudflare by JPeer264 in #19781
• (aws-serverless) Don't build layer in build:dev command by s1gr1d in #19586
• (browser) Add simulated mfe integration test by chargome in #19768
• (claude) Enable Claude Code Intelligence (LSP) by s1gr1d in #19930
• (consola) Restructure tests (e.g. changing cases.forEach() to it.each) by s1gr1d in #19517
• (cursor) Add rules for fetching develop docs by s1gr1d in #19377
• (deno) Expand Deno E2E test coverage by chargome in #19957
• (effect) Add Effect to craft, README and issue templates by JPeer264 in #19837
• (elysia) Drop @elysiajs/opentelemetry dependency by logaretm in #19947
• (hono) Prepare readme and add craft entry by s1gr1d in #19583
• (langchain) Fix langchain v1 internal error tests by nicohrubec in #19409
• (nestjs) Move event instrumentation unit tests to separate file by nicohrubec in #19738
• (node) Test runName parameter in handleChainStart for langchain by RulaKhaled in #19562
• (node-core) Make @sentry/opentelemetry not a peer dep in node-core by andreiborza in #19308
• (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824
• (react) Add gql tests for react router by chargome in #19844
• (release) Switch from action-prepare-release to Craft by BYK in #18763
• (remix) Replace glob with native recursive fs walk by roli-lpci in #19531
• (sourcemaps) Make sourcemaps e2e test more generic by chargome in #19678
• (svelte,sveltekit) Use version range for magic-string by JPeer264 in #19520
• (sveltekit) Replace recast + @babel/parser with acorn by roli-lpci in #19533
• (tanstackstart) Fix leftover formatting issue by andreiborza in #19536
• (tanstackstart-react) Add link to docs in README by nicohrubec in #19697
• (triage-action) Fix JSON parsing by s1gr1d in #19471
• (triage-issue) Improve triage prompt for accuracy by s1gr1d in #19454
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19925
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19909
• Add oxlint migration commits to blame ignore by logaretm in #19784
• Bump oxlint and oxfmt by logaretm in #19771
• Clean up lint and format script names by logaretm in #19719
• Add oxlint typescript program suppression to workspace settings by logaretm in #19692
• Auto changes made from "yarn fix" by JPeer264 in #19710
• Migrate to oxlint by logaretm in #19134
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19548
• Updating minimatch by isaacs in #19434
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19395
• Add oxfmt changes to blame ignore rev list by logaretm in #19366
• Unignore HTML files and reformat with oxfmt by logaretm in #19311
• Add github action to notify stale PRs by andreiborza in #19361
• Migrate to oxfmt by logaretm in #19200
• Enhance AI integration guidelines with runtime-specific placem… by RulaKhaled in #19296
• Ignore lerna.json for prettier by chargome in #19288

Other

• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19980
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19882
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19857
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19728
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19605
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19582
• [Gitflow] Merge master into develop by javascript-sdk-gitflow in #19505
• ref!(gatsby): Drop Gatsby v2 support by chargome in #19467
• fix(bun) Export pinoIntegration from @sentry/node by LudvigHz in #17990

---

_{🤖 This preview updates automatically when you update the PR.}