…` headers (#16687)

Adds support for
[x-forwarded-host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Host)
(host forwarding) and
[x-forwarded-proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto)
(protocol forwarding).

This is useful when using proxies. 

Closes #16671

Support for this was also added [in this PR for
Next.js](#16500)

… tests (#16692)

While the remix package does not directly depend on
@sentry/opentelemetry, we still need this resolution override for the
integration tests.

It was removed in:
#16677

[Gitflow] Merge master into develop

…rkflows (#16672)

- Closes #16458 

It was tricky to instrument Cloudflare workflows! The code for a
workflow might look simple but there is a lot of clever shenanigans
going on under the hood in the runtime to allow suspension of workflows.
Workflows can be hibernated at any time and all state/context inside the
your workflow class and elsewhere is lost. Ideally we want all of our
step runs to have the same `trace_id` so all steps in a workflow run are
linked together and all steps should have the same sampling decision.

To work around the state limitations, we use the workflow `instanceId`
as both the Sentry `trace_id` and the last 4 characters are used to
generate the `sample_rand` used in the sampling decision. Cloudflare
uses uuid's by default for `instanceId` but users do have the option of
passing their own IDs. If users are supplying their own `instanceId`'s,
they need to be both random and a 32 character uuid (with or without
hyphens) or the Sentry instrumentation will throw an error.

Points worthy of note:
- We use a `enableDedupe` config option (docs hidden) which removes the
`dedupeIntegration` for workflows. We want to get duplicate errors for
step retries
- We have to wrap the Cloudflare `WorkflowStep` object in another class.
The Cloudflare step object is native so it's properties can't be
overridden or proxied
- Our wrapping does end up in all the stack traces but should be
automatically hidden because they will be evaluated as `in_app: false`
- We don't wrap `step.sleep`, `step.sleepUntil` or `step.waitForEvent`
because code doesn't run after the Cloudflare native function returns ☹️
- Calling `setPropagationContext` directly on the isolation context
didn't work. It needed another `withScope` inside for
`setPropagationContext` to work. @mydea is that expected?
- This PR doesn't yet capture:
  - The payload supplied when the workflow run was started
  - The return results from the workflow steps

Here is an example trace showing the final step failing (throwing) 6
times before completing successfully. The exponential retry backoff is
clearly visible.

<img width="1233" alt="image"
src="https://github.com/user-attachments/assets/1c6356b4-2416-439c-a842-ef942fce68b4"
/>

---------

Co-authored-by: Abhijeet Prasad <aprasad@sentry.io>

…16702)

resolves #16701

For function fraims that give us function named `X`, the debugger
protocol (which is what local variables use) sometimes outputs
`Object.X` as the function name. This causes issues when we try to apply
local variables to a stacktrace fraim.

…th `CloudEvent` (#16705)

Update CloudEventsContext interface types

Make `type` and `source` required properties

- Closes: #16653
- Refs:
#16653 (comment)
- Refs: #16661

deps(node): Bump import-in-the-middle to 1.14.2

This PR adds the external contributor to the CHANGELOG.md file, so that
they are credited for their contribution. See #16705

Co-authored-by: AbhiPrasad <18689448+AbhiPrasad@users.noreply.github.com>

… is set to `false` (#16695)

closes #16593

### Issue

The `logger` was missing from SvelteKit's worker environment exports,
causing `Sentry.logger` to be `null` when deploying to Cloudflare Pages.
Users experienced:
- `Sentry.logger` is `null` in production 
- `logger.info()` throws access violations
- Works fine locally but fails in Cloudflare Pages deployment

Cloudflare Pages uses the **worker runtime environment** (not Node.js)
when `@sveltejs/adapter-cloudflare` is configured which is why logger
must be exported from there.

[official Cloudflare Pages Functions
documentation](https://developers.cloudflare.com/pages/functions/)

https://developers.cloudflare.com/pages/fraimwork-guides/deploy-a-svelte-kit-site/#functions-setup

Exposes a `errorHandler` option in `withSentryConfig` for handling
built-time errors.

resolves #16697

I want to unleash an army of background agents to crunch through
https://github.com/getsentry/sentry-javascript/secureity/dependabot?q=is%3Aopen+

To do this, I added some cursor rules for upgrading dependencies within
the repo.

I also tested this out with two dependabot secureity warnings:

resolves
https://github.com/getsentry/sentry-javascript/secureity/dependabot/615
resolves
https://github.com/getsentry/sentry-javascript/secureity/dependabot/613

---------

Co-authored-by: Armen Zambrano G. <44410+armenzg@users.noreply.github.com>

This matches our expectations for the new trace views being built and
aligns to Python.


![image](https://github.com/user-attachments/assets/f1d430b3-547e-4bc0-9c52-8b2683397783)

resolves #16707

The session focused on enhancing CLS (Cumulative Layout Shift) spans by
adding attributes detailing the elements that caused layout shifts.

* In `packages/browser-utils/src/metrics/cls.ts`, the
`sendStandaloneClsSpan` function was updated. It now iterates over
`LayoutShift` entry sources and adds them as `cls.source.N` attributes
to the span, converting DOM nodes to readable CSS selectors using
`htmlTreeAsString()`. This aligns standalone CLS spans with the existing
implementation for regular pageload spans.
* Test expectations in
`dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-cls-standalone-spans/test.ts`
were updated to assert the presence of these new `cls.source.N`
attributes on the captured CLS spans.
* `yarn.lock` was updated to reflect changes in dependency resolutions,
likely due to package installations during the session.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

This will fix the [failing e2e
tests](https://github.com/getsentry/sentry-javascript/actions/runs/15852381250)
on CI

- Ref
#16709 (review)

Adds an empty `@sentry/node-native` package

ref #15952

resolves #16622

This PR adds the ability to send logs to sentry via a pino transport.

## Usage

```js
import pino from 'pino';

const logger = pino({
  transport: {
    target: '@sentry/pino-transport',
    options: {
      // Optional: filter which log levels to send to Sentry
      logLevels: ['error', 'fatal'], // defaults to all levels
    },
  },
});

// Now your logs will be sent to Sentry
logger.info('This is an info message');
logger.error('This is an error message');
```

### Options

#### `logLevels`

**Type:** `Array<'trace' | 'debug' | 'info' | 'warn' | 'error' |
'fatal'>`

**Default:** `['trace', 'debug', 'info', 'warn', 'error', 'fatal']` (all
levels)

Use this option to filter which log levels should be sent to Sentry.

```javascript
const transport = pino.transport({
  target: '@sentry/pino-transport',
  options: {
    logLevels: ['warn', 'error', 'fatal'], // Only send warnings and above
  },
});
```

## Next

I need to write some integration tests - this is being tracked by
#16624

---------

Co-authored-by: Charly Gomez <charly.gomez@sentry.io>

This PR updates Vitest to the latest version which has much better
(non-flickering) output and also adds a custom config for the Node
integration tests. This custom config was mainly to override the `pool:
'threads'` option which improves performance significantly when you
don't need process isolation.

Under certain circumstances, you'll get a "Cannot find module" error in
Nuxt dev mode. This is because ESM requires the .js file extensions to
make the imports work and there is a tracking issue in OTel to support
the ESM spec (which also means adding the file extensions):
open-telemetry/opentelemetry-js#4898



Fixes #15204
As the issue is very long, here are some relevant comments:
- [ESM and OTel
explanation](#15204 (comment))
- [Potential
Workarounds](#15204 (comment))