Merge branch 'develop' into lforst-undici-normal-require

Author: lforst

.github/workflows/build.yml

@@ -913,6 +913,7 @@ jobs:
             'generic-ts3.8',
             'node-experimental-fastify-app',
             'node-hapi-app',
+            'node-exports-test-app',
           ]
         build-command:
           - false
@@ -946,6 +947,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: 'dev-packages/e2e-tests/package.json'
+      - name: Set up Bun
+        if: matrix.test-application == 'node-exports-test-app'
+        uses: oven-sh/setup-bun@v1
       - name: Restore caches
         uses: ./.github/actions/restore-cache
         env:

README.md

@@ -32,6 +32,7 @@ convenient interface and improved consistency between various JavaScript environ
 - [Supported Platforms](#supported-platforms)
 - [Installation and Usage](#installation-and-usage)
 - [Other Packages](#other-packages)
+- [Bug Bounty Program](#bug-bounty-program)
 
 ## Supported Platforms
 
@@ -104,3 +105,13 @@ below:
   utility functions useful for various SDKs.
 - [`@sentry/types`](https://github.com/getsentry/sentry-javascript/tree/master/packages/types): Types used in all
   packages.
+
+## Bug Bounty Program
+
+Our bug bounty program aims to improve the security of our open source projects by encouraging the community to identify
+and report potential security vulnerabilities. Your reward will depend on the severity of the identified vulnerability.
+
+Our program is currently running on an invitation basis. If you're interested in participating, please send us an email
+to [email protected] and tell us, that you are interested in auditing this repository.
+
+For more details, please have a look at https://sentry.io/security/#vulnerability-disclosure.

dev-packages/browser-integration-tests/suites/tracing/request/fetch-with-no-active-span/init.js

@@ -0,0 +1,10 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://[email protected]/1337',
+  // disable pageload transaction
+  integrations: [Sentry.BrowserTracing({ tracingOrigins: ['http://example.com'], startTransactionOnPageLoad: false })],
+  tracesSampleRate: 1,
+});

dev-packages/browser-integration-tests/suites/tracing/request/fetch-with-no-active-span/subject.js

@@ -0,0 +1 @@
+fetch('http://example.com/0').then(fetch('http://example.com/1').then(fetch('http://example.com/2')));

dev-packages/browser-integration-tests/suites/tracing/request/fetch-with-no-active-span/test.ts

@@ -0,0 +1,35 @@
+import { expect } from '@playwright/test';
+
+import { sentryTest } from '../../../../utils/fixtures';
+import { envelopeUrlRegex, shouldSkipTracingTest } from '../../../../utils/helpers';
+
+sentryTest(
+  'there should be no span created for fetch requests with no active span',
+  async ({ getLocalTestPath, page }) => {
+    if (shouldSkipTracingTest()) {
+      sentryTest.skip();
+    }
+
+    const url = await getLocalTestPath({ testDir: __dirname });
+
+    let requestCount = 0;
+    page.on('request', request => {
+      expect(envelopeUrlRegex.test(request.url())).toBe(false);
+      requestCount++;
+    });
+
+    await page.goto(url);
+
+    // Here are the requests that should exist:
+    // 1. HTML page
+    // 2. Init JS bundle
+    // 3. Subject JS bundle
+    // 4 [OPTIONAl] CDN JS bundle
+    // and then 3 fetch requests
+    if (process.env.PW_BUNDLE && process.env.PW_BUNDLE.startsWith('bundle_')) {
+      expect(requestCount).toBe(7);
+    } else {
+      expect(requestCount).toBe(6);
+    }
+  },
+);

dev-packages/browser-integration-tests/suites/tracing/request/xhr-with-no-active-span/init.js

@@ -0,0 +1,10 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://[email protected]/1337',
+  // disable pageload transaction
+  integrations: [Sentry.BrowserTracing({ tracingOrigins: ['http://example.com'], startTransactionOnPageLoad: false })],
+  tracesSampleRate: 1,
+});

dev-packages/browser-integration-tests/suites/tracing/request/xhr-with-no-active-span/subject.js

@@ -0,0 +1,11 @@
+const xhr_1 = new XMLHttpRequest();
+xhr_1.open('GET', 'http://example.com/0');
+xhr_1.send();
+
+const xhr_2 = new XMLHttpRequest();
+xhr_2.open('GET', 'http://example.com/1');
+xhr_2.send();
+
+const xhr_3 = new XMLHttpRequest();
+xhr_3.open('GET', 'http://example.com/2');
+xhr_3.send();

dev-packages/browser-integration-tests/suites/tracing/request/xhr-with-no-active-span/test.ts

@@ -0,0 +1,35 @@
+import { expect } from '@playwright/test';
+
+import { sentryTest } from '../../../../utils/fixtures';
+import { envelopeUrlRegex, shouldSkipTracingTest } from '../../../../utils/helpers';
+
+sentryTest(
+  'there should be no span created for xhr requests with no active span',
+  async ({ getLocalTestPath, page }) => {
+    if (shouldSkipTracingTest()) {
+      sentryTest.skip();
+    }
+
+    const url = await getLocalTestPath({ testDir: __dirname });
+
+    let requestCount = 0;
+    page.on('request', request => {
+      expect(envelopeUrlRegex.test(request.url())).toBe(false);
+      requestCount++;
+    });
+
+    await page.goto(url);
+
+    // Here are the requests that should exist:
+    // 1. HTML page
+    // 2. Init JS bundle
+    // 3. Subject JS bundle
+    // 4 [OPTIONAl] CDN JS bundle
+    // and then 3 fetch requests
+    if (process.env.PW_BUNDLE && process.env.PW_BUNDLE.startsWith('bundle_')) {
+      expect(requestCount).toBe(7);
+    } else {
+      expect(requestCount).toBe(6);
+    }
+  },
+);

dev-packages/browser-integration-tests/utils/helpers.ts

@@ -1,7 +1,7 @@
 import type { Page, Request } from '@playwright/test';
 import type { EnvelopeItemType, Event, EventEnvelopeHeaders } from '@sentry/types';
 
-const envelopeUrlRegex = /\.sentry\.io\/api\/\d+\/envelope\//;
+export const envelopeUrlRegex = /\.sentry\.io\/api\/\d+\/envelope\//;
 
 export const envelopeParser = (request: Request | null): unknown[] => {
   // https://develop.sentry.dev/sdk/envelopes/

dev-packages/e2e-tests/test-applications/node-exports-test-app/.npmrc

@@ -0,0 +1,2 @@
+@sentry:registry=http://127.0.0.1:4873
+@sentry-internal:registry=http://127.0.0.1:4873

dev-packages/e2e-tests/test-applications/node-exports-test-app/README.md

@@ -0,0 +1,18 @@
+# Consistent Node Export Test
+
+This test "app" ensures that we consistently re-export exports from `@sentry/node` in packages depending on
+`@sentry/node`.
+
+## How to add new package
+
+1. Add package as a dependency to the test app
+2. In `scripts/consistentExports.ts`:
+   - add namespace import
+   - add `DEPENDENTS` entry
+   - add any ignores/exclusion entries as necessary
+   - if the package is still under development, you can also set `skip: true`
+
+## Limitations:
+
+- This script only checks top-level exports for now (e.g. `metrics` but no sub-exports like `metrics.increment`)
+- This script only checks ESM transpiled code for now, not CJS

dev-packages/e2e-tests/test-applications/node-exports-test-app/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "node-express-app",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "start": "pnpm build && bun run ./dist/consistentExports.js",
+    "test": " bun run ./dist/consistentExports.js",
+    "clean": "npx rimraf node_modules,pnpm-lock.yaml,dist",
+    "test:build": "pnpm install && pnpm build",
+    "test:assert": "pnpm test"
+  },
+  "dependencies": {
+    "@sentry/node": "latest || *",
+    "@sentry/sveltekit": "latest || *",
+    "@sentry/remix": "latest || *",
+    "@sentry/astro": "latest || *",
+    "@sentry/nextjs": "latest || *",
+    "@sentry/serverless": "latest || *",
+    "@sentry/bun": "latest || *",
+    "@sentry/types": "latest || *",
+    "@types/node": "18.15.1",
+    "typescript": "4.9.5"
+  },
+  "devDependencies": {
+    "ts-node": "10.9.1"
+  },
+  "volta": {
+    "extends": "../../package.json"
+  }
+}

dev-packages/e2e-tests/test-applications/node-exports-test-app/scripts/consistentExports.ts

@@ -0,0 +1,96 @@
+import * as SentryAstro from '@sentry/astro';
+import * as SentryBun from '@sentry/bun';
+import * as SentryNextJs from '@sentry/nextjs';
+import * as SentryNode from '@sentry/node';
+import * as SentryRemix from '@sentry/remix';
+import * as SentryServerless from '@sentry/serverless';
+import * as SentrySvelteKit from '@sentry/sveltekit';
+
+/* List of exports that are safe to ignore / we don't require in any depending package */
+const NODE_EXPORTS_IGNORE = [
+  'default',
+  // Probably generated by transpilation, no need to require it
+  '__esModule',
+  // this function was deprecated almost immediately after it was introduced
+  // due to a name change (startSpan). No need to re-export it IMHO.
+  'startActiveSpan',
+  // this was never meant for external use (and documented as such)
+  'trace',
+  // These Node exports were only made for type definition fixes (see #10339)
+  'Undici',
+  'Http',
+  'DebugSession',
+  'AnrIntegrationOptions',
+  'LocalVariablesIntegrationOptions',
+];
+
+type Dependent = {
+  package: string;
+  exports: string[];
+  ignoreExports?: string[];
+  skip?: boolean;
+};
+
+const DEPENDENTS: Dependent[] = [
+  {
+    package: '@sentry/astro',
+    exports: Object.keys(SentryAstro),
+  },
+  {
+    package: '@sentry/bun',
+    exports: Object.keys(SentryBun),
+    ignoreExports: [
+      // not supported in bun:
+      'Handlers',
+      'NodeClient',
+      'hapiErrorPlugin',
+      'makeNodeTransport',
+    ],
+  },
+  {
+    package: '@sentry/nextjs',
+    // Next.js doesn't require explicit exports, so we can just merge top level and `default` exports:
+    // @ts-expect-error: `default` is not in the type definition but it's defined
+    exports: Object.keys({ ...SentryNextJs, ...SentryNextJs.default }),
+  },
+  {
+    package: '@sentry/remix',
+    exports: Object.keys(SentryRemix),
+  },
+  {
+    package: '@sentry/serverless',
+    exports: Object.keys(SentryServerless),
+    ignoreExports: ['cron', 'hapiErrorPlugin', 'enableAnrDetection'],
+  },
+  {
+    package: '@sentry/sveltekit',
+    exports: Object.keys(SentrySvelteKit),
+  },
+];
+
+/* Sanitized list of node exports */
+const nodeExports = Object.keys(SentryNode).filter(e => !NODE_EXPORTS_IGNORE.includes(e));
+
+console.log('🔎 Checking for consistent exports of @sentry/node exports in depending packages');
+
+const missingExports: Record<string, string[]> = {};
+const dependentsToCheck = DEPENDENTS.filter(d => !d.skip);
+
+for (const nodeExport of nodeExports) {
+  for (const dependent of dependentsToCheck) {
+    if (dependent.ignoreExports?.includes(nodeExport)) {
+      continue;
+    }
+    if (!dependent.exports.includes(nodeExport)) {
+      missingExports[dependent.package] = [...(missingExports[dependent.package] ?? []), nodeExport];
+    }
+  }
+}
+
+if (Object.keys(missingExports).length > 0) {
+  console.error('\n❌ Found missing exports from @sentry/node in the following packages:\n');
+  console.log(JSON.stringify(missingExports, null, 2));
+  process.exit(1);
+}
+
+console.log('✅ All good :)');

dev-packages/e2e-tests/test-applications/node-exports-test-app/tsconfig.json

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "types": ["node"],
+    "esModuleInterop": true,
+    "lib": ["ES6"],
+    "strict": true,
+    "outDir": "dist",
+    "target": "ESNext",
+    "moduleResolution": "node",
+    "skipLibCheck": true
+  },
+  "include": ["scripts/**/*.ts"]
+}

dev-packages/node-integration-tests/package.json

@@ -27,6 +27,7 @@
     "test:watch": "yarn test --watch"
   },
   "dependencies": {
+    "@hapi/hapi": "^20.3.0",
     "@prisma/client": "3.15.2",
     "@sentry/node": "7.98.0",
     "@sentry/tracing": "7.98.0",

dev-packages/node-integration-tests/src/index.ts

@@ -29,3 +29,11 @@ export function startExpressServerAndSendPortToRunner(app: Express): void {
     console.log(`{"port":${address.port}}`);
   });
 }
+
+/**
+ * Sends the port to the runner
+ */
+export function sendPortToRunner(port: number): void {
+  // eslint-disable-next-line no-console
+  console.log(`{"port":${port}}`);
+}