
meta(changelog): Update changelog for 2.7.0#146

Merged
mydea merged 1 commit into sentry-v2 from fn/changelog-2.7.0
Dec 20, 2023

Conversation

@mydea (Member) commented Dec 20, 2023

Some build improvements, let's see if they help with the canvas manager tree shaking...

@mydea mydea requested review from Lms24, billyvg and lforst December 20, 2023 10:51
@mydea mydea self-assigned this Dec 20, 2023
@Lms24 (Member) left a comment

🚀

@mydea mydea merged commit 355cf66 into sentry-v2 Dec 20, 2023
@mydea mydea deleted the fn/changelog-2.7.0 branch December 20, 2023 13:48
billyvg pushed a commit that referenced this pull request Apr 26, 2024
Some build improvements, let's see if they help with the canvas manager tree shaking...
chargome added a commit that referenced this pull request Mar 31, 2026
Bump the core build/test tooling across all workspace packages:

- **vite** ^5.2.8 → ^6.4.1
- **vitest** ^1.4.0 → ^2.1.9
- **vite-plugin-dts** ^3.8.1 → ^4.5.4
- **rollup-plugin-terser** (deprecated) → **@rollup/plugin-terser** in
rrweb-worker

Added `cssFileName: 'style'` to the shared vite config to preserve the
`style.css` output filename (Vite 6 changed the default to
package-name-based).

### Dependabot alerts resolved

**Fully resolved** (vulnerable version completely removed from lockfile):

| Alert | Severity | Package | Summary |
|-------|----------|---------|---------|
| #113 | CRITICAL | `vitest` | Remote Code Execution when accessing a malicious website while Vitest API server is listening |
| #203 | HIGH | `rollup` | Rollup 4 has Arbitrary File Write via Path Traversal |
| #110 | MEDIUM | `vue-template-compiler` | Client-side XSS (no fix available; removed by vite-plugin-dts v4 dropping the dependency) |

**Partially resolved** (some vulnerable entries removed, but package still exists via other dependency chains):

| Alert | Severity | Package | Remaining source |
|-------|----------|---------|-----------------|
| #154, #146, #145, #141, #140, #139, #138, #126, #111 | MEDIUM/LOW | `vite` | `@sveltejs/vite-plugin-svelte@3` still pulls in vite@5 (needs Svelte 5 upgrade) |
| #114 | MEDIUM | `esbuild` | `esbuild-plugin-umd-wrapper` still uses esbuild@0.18 |
| #214 | HIGH | `serialize-javascript` | webpack (via `@size-limit`) still pulls in v6 |
| #105, #104 | MEDIUM | `nanoid` | postcss (via vite internally) still uses nanoid@3 |
| #165, #155 | HIGH/MEDIUM | `validator` | `@microsoft/api-extractor` (via vite-plugin-dts); needs further investigation |

The partially resolved alerts will be addressed in later phases (Svelte 5 upgrade, @size-limit bump, mop-up).

closes https://linear.app/getsentry/issue/SDK-1095/bump-vitest-vite-56-1-critical-7-alerts

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: chargome <chargome@users.noreply.github.com>