Update dependency sentry-sdk to v2 [SECURITY] #134
This PR contains the following updates:
sentry-sdk: 1.45.0 -> 2.8.0
GitHub Vulnerability Alerts
CVE-2024-40647
Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.
Details
In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use the env argument in subprocess calls to give the child an explicit mapping. If you want to pass no variables at all, you can set an empty dict: env={}.
However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.
Patches
The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:
- Replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.
- OR disable the Sentry SDK's Stdlib integration.
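The following is an added example, not code from the advisory or from the sentry-sdk project. It does two things a practitioner reviewing this PR would want: it turns the fixed releases named in the Patches section (2.8.0, backported to 1.45.1) into an is_affected() check, and it models the Details and Workarounds sections end to end, with a Popen wrapper that injects a trace header into the child environment but tests the env argument for truthiness, so env={} silently becomes the full parent environment, beside the corrected wrapper and the advisory's "minimal dict" workaround. The truthiness check as root cause, the header name SENTRY_TRACE and the planted DB_PASSWORD secret are illustrative assumptions; the authoritative fix is the linked PR #3251.

```python
"""Added example (not sentry-sdk's own code): version check for CVE-2024-40647
plus a stand-alone model of the env={} leak and its workaround."""
import os
import re
import subprocess
import sys
from typing import Callable, Dict, Optional, Set

_FIX_1X = (1, 45, 1)   # backport release named in the Patches section
_FIX_2X = (2, 8, 0)    # main-line fix release named in the Patches section
_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_affected(version: str) -> bool:
    """True if a sentry-sdk release of this version predates the fix on its line."""
    m = _SEMVER.fullmatch(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v < (2, 0, 0):
        return v < _FIX_1X
    return v < _FIX_2X


# Constructed stand-in for the propagation headers the Stdlib integration injects.
TRACE_HEADER = "SENTRY_TRACE"
TRACE_VALUE = "example-trace-id"

EnvWrapper = Callable[[Optional[Dict[str, str]]], Dict[str, str]]


def merged_env_buggy(env: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Assumed pre-fix shape: a truthiness test, so {} collapses to os.environ."""
    merged = dict(env or os.environ)
    merged[TRACE_HEADER] = TRACE_VALUE
    return merged


def merged_env_fixed(env: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Only None means "inherit the parent"; an empty dict stays empty (plus the header)."""
    merged = dict(env if env is not None else os.environ)
    merged[TRACE_HEADER] = TRACE_VALUE
    return merged


def child_env_keys(env: Dict[str, str]) -> Set[str]:
    """Spawn a Python child with exactly `env` and return the variable names it sees."""
    proc = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return set(proc.stdout.split())


def leaks_parent_secret(wrapper: EnvWrapper, secret_name: str = "DB_PASSWORD") -> bool:
    """Plant a constructed secret in the parent, call wrapper({}) and ask the child."""
    previous = os.environ.get(secret_name)
    os.environ[secret_name] = "hunter2"          # constructed value, never a real secret
    try:
        return secret_name in child_env_keys(wrapper({}))
    finally:
        if previous is None:
            del os.environ[secret_name]
        else:
            os.environ[secret_name] = previous


if __name__ == "__main__":
    print("1.45.0 affected:", is_affected("1.45.0"))                     # True
    print("2.8.0 affected:", is_affected("2.8.0"))                       # False
    print("buggy wrapper leaks:", leaks_parent_secret(merged_env_buggy))  # True
    print("fixed wrapper leaks:", leaks_parent_secret(merged_env_fixed))  # False
    # The advisory's workaround: a non-empty minimal dict is truthy, so even the
    # buggy wrapper no longer substitutes os.environ for it.
    print(sorted(merged_env_buggy({"EMPTY_ENV": "1"})))  # ['EMPTY_ENV', 'SENTRY_TRACE']
```

The child process is the real check: the wrapper's return value only shows what would be passed, while child_env_keys shows what the spawned interpreter actually received, which is what matters when the child is a third-party binary. The same None-versus-empty distinction applies to any code that wraps Popen and touches env.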
References
Release Notes
getsentry/sentry-python (sentry-sdk)
v2.8.0
Various fixes & improvements
- profiler_id uses underscore (#3249) by @Zylphrex
- Hub in HttpTransport (#3247) by @szokeasaurusrex
- ipdb from test requirements (#3237) by @rominf
- SentryPropagator (#3086) by @mender
- Bump checkouts/data-schemas from 8c13457 to 88273a9 (#3225) by @dependabot
v2.7.1
Various fixes & improvements
v2.7.0
- origin to spans and transactions (#3133) by @antonpirker
- db.query to db (#3186) by @0Calories
v2.6.0
- Bump checkouts/data-schemas from 59f9683 to 8c13457 (#3146) by @dependabot
v2.5.1
This change fixes a regression in our cron monitoring feature, which caused cron check-ins not to be sent. The regression appears to have been introduced in version 2.4.0.
We recommend that all users who use Cron monitoring and are currently running sentry-python ≥2.4.0 upgrade to this release as soon as possible!
Other fixes & improvements
- last_event_id cleared (#3124) by @szokeasaurusrex
v2.5.0
Various fixes & improvements
- Allow to configure status codes to report to Sentry in Starlette and FastAPI (#3008) by @sentrivana
By passing a new option to the FastAPI and Starlette integrations, you're now able to configure what status codes should be sent as events to Sentry. Here's how it works:
v2.4.0
Various fixes & improvements
- cache.key span data field a list (#3110) by @antonpirker
- last_event_id from migration guide (#3126) by @szokeasaurusrex
- _last_event_id in Scope.__copy__ (#3123) by @szokeasaurusrex
- Bump checkouts/data-schemas from 4381a97 to 59f9683 (#3066) by @dependabot
v2.3.1
Various fixes & improvements
v2.3.0
Various fixes & improvements
- cohere testsuite for new release of cohere (#3098) by @antonpirker
- _sentry_span might be missing (#3096) by @sentrivana
v2.2.1
Various fixes & improvements
v2.2.0
New features
- last_event_id function, which had been removed in 2.0.0
Other fixes & improvements
- get_client typing (#3063) by @szokeasaurusrex
- MeasurementValue.unit NotRequired (#3051) by @antonpirker
v2.1.1
v2.1.0
- fix(quart): Fix Quart integration (#3043) by @szokeasaurusrex
- New integration: Langchain (#2911) by @colin-sentry
  Usage: (Langchain is auto enabling, so you do not need to do anything special)
  Check out the LangChain docs for details.
- New integration: Anthropic (#2831) by @czyber
  Usage: (add the AnthropicIntegration to your sentry_sdk.init() call)
  Check out the Anthropic docs for details.
- New integration: Huggingface Hub (#3033) by @colin-sentry
  Usage: (Huggingface Hub is auto enabling, so you do not need to do anything special)
  Check out the Huggingface docs for details. (coming soon!)
- fix(huggingface): Reduce API cross-section for huggingface in test (#3042) by @colin-sentry
- fix(django): Fix Django ASGI integration on Python 3.12 (#3027) by @bellini666
- feat(perf): Add ability to put measurements directly on spans. (#2967) by @colin-sentry
- fix(tests): Fix trytond tests (#3031) by @sentrivana
- fix(tests): Update pytest-asyncio to fix CI (#3030) by @sentrivana
- fix(docs): Link to respective migration guides directly (#3020) by @sentrivana
- docs(scope): Add docstring to Scope.set_tags (#2978) by @szokeasaurusrex
- test(scope): Fix typos in assert error message (#2978) by @szokeasaurusrex
- feat(scope): New set_tags function (#2978) by @szokeasaurusrex
- test(scope): Add unit test for Scope.set_tags (#2978) by @szokeasaurusrex
- feat(scope): Add set_tags to top-level API (#2978) by @szokeasaurusrex
- test(scope): Add unit test for top-level API set_tags (#2978) by @szokeasaurusrex
- feat(tests): Parallelize tox (#3025) by @sentrivana
- build(deps): Bump checkouts/data-schemas from 4aa14a7 to 4381a97 (#3028) by @dependabot
- meta(license): Bump copyright year (#3029) by @szokeasaurusrex
v2.0.1
Various fixes & improvements
- pid for test database name in Django tests (#2998) by @antonpirker
- Bump checkouts/data-schemas from 1e17eb5 to 4aa14a7 (#2997) by @dependabot
v2.0.0
This is the first major update in a long time!
We dropped support for some ancient languages and frameworks (Yes, Python 2.7 is no longer supported). Additionally we refactored a big part of the foundation of the SDK (how data inside the SDK is handled).
We hope you like it!
For a shorter version of what you need to do, to upgrade to Sentry SDK 2.0 see: https://docs.sentry.io/platforms/python/migration/1.x-to-2.x
New Features
- new_scope, isolation_scope. See the Deprecated section to see how they map to the existing APIs.
Changed
(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))
- authenticated_userid() in a custom AuthenticationPolicy class.
- need_code_loation of the MetricsAggregator was renamed to need_code_location.
- BackgroundWorker thread used to process events was renamed from raven-sentry.BackgroundWorker to sentry-sdk.BackgroundWorker.
- reraise function was moved from sentry_sdk._compat to sentry_sdk.utils.
- _ScopeManager was moved from sentry_sdk.hub to sentry_sdk.scope.
- tracing_utils_py3.py to tracing_utils.py. The start_child_span_decorator is now in sentry_sdk.tracing_utils.
- get_current_span was moved to sentry_sdk.tracing_utils. sentry_sdk.get_current_span is still accessible as part of the top-level API.
- sentry_sdk.tracing_utils.add_query_source(): Removed the hub parameter. It is not necessary anymore.
- sentry_sdk.tracing_utils.record_sql_queries(): Removed the hub parameter. It is not necessary anymore.
- sentry_sdk.tracing_utils.get_current_span() does now take a scope instead of a hub as parameter.
- sentry_sdk.tracing_utils.should_propagate_trace() now takes a Client instead of a Hub as first parameter.
- sentry_sdk.utils.is_sentry_url() now takes a Client instead of a Hub as first parameter.
- sentry_sdk.utils._get_contextvars does not return a tuple with three values, but a tuple with two values. The copy_context was removed.
- configure_scope block this does not work anymore. Here is a recipe on how to change your code to make it work:
The classes listed below are now abstract base classes. Therefore, they can no longer be instantiated. Subclasses can only be instantiated if they implement all of the abstract methods.
- sentry_sdk.integrations.Integration: setup_once
- sentry_sdk.metrics.Metric: add, serialize_value, and weight
- sentry_sdk.profiler.Scheduler: setup and teardown
- sentry_sdk.transport.Transport: capture_envelope
Removed
(These changes are all backwards-incompatible. Breaking Change (if you are just skimming for that phrase))
- last_event_id() top level API. The last event ID is still returned by capture_event(), capture_exception() and capture_message() but the top level API sentry_sdk.last_event_id() has been removed.
- /store endpoint. Everything is now sent to the /envelope endpoint. If you're on SaaS you don't have to worry about this, but if you're running Sentry yourself you'll need version 20.6.0 or higher of self-hosted Sentry.
- with_locals configuration option was removed. Use include_local_variables instead. See https://docs.sentry.io/platforms/python/configuration/options/#include-local-variables.
- request_bodies configuration option was removed. Use max_request_body_size. See https://docs.sentry.io/platforms/python/configuration/options/#max-request-body-size.
- user.segment. It was also removed from the trace header as well as from the dynamic sampling context.
- install method for custom integrations. Please use setup_once instead.
- sentry_sdk.tracing.Span.new_span. Use sentry_sdk.tracing.Span.start_child instead.
- sentry_sdk.tracing.Transaction.new_span. Use sentry_sdk.tracing.Transaction.start_child instead.
- sentry_sdk.tracing.Span(transaction=...). To create a transaction, please use sentry_sdk.tracing.Transaction(name=...).
- sentry_sdk.utils.Auth.store_api_url.
- sentry_sdk.utils.Auth.get_api_url now accepts a sentry_sdk.consts.EndpointType enum instead of a string as its only parameter. We recommend omitting this argument when calling the function, since the parameter's default value is the only possible sentry_sdk.consts.EndpointType value. The parameter exists for future compatibility.
- tracing_utils_py2.py. The start_child_span_decorator is now in sentry_sdk.tracing_utils.
- sentry_sdk.profiler.Scheduler.stop_profiling method. Any calls to this method can simply be removed, since this was a no-op method.
Deprecated
- Using the Hub directly as well as using hub-based APIs has been deprecated. Where available, use the top-level API instead; otherwise use the scope API or the client API.
- Hub cloning is deprecated.
- configure_scope is deprecated. Use the new isolation scope directly via get_isolation_scope() instead.
v1.45.1
This is a security backport release.
- Don't send full env to subprocess (892dd80) by @kmichel-aiven. See also GHSA-g92j-qhmh-64v2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.