2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -10,7 +10,7 @@
"@fancyapps/fancybox": "^3.5.7",
"@material-ui/core": "^4.2.1",
"@mitodl/iso-3166-2": "^1.0.1",

Bug: The Sentry v7 upgrade introduces ES6 syntax that is not being transpiled by Babel, which will break the application on older browsers like IE11.
Severity: HIGH

Suggested Fix

Update the include array for the babelSharedLoader in webpack.config.shared.js to also process the @sentry/browser package. This will ensure its ES6 syntax is correctly transpiled to ES5 for compatibility with older browsers.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L12

Potential issue: The upgrade to `@sentry/browser` v7 introduces untranspiled ES6 syntax
into the production bundle. The project's Babel configuration in
`webpack.config.shared.js` explicitly includes only `static/js` and `@material-ui` for
transpilation, excluding all other `node_modules` packages. Because `@sentry/browser` is
not included, its ES6 code will not be converted to ES5. This will cause JavaScript
parsing and execution errors for users on older browsers that do not support ES6, such
as Internet Explorer 11, potentially breaking the application for them.

"@sentry/browser": "^6.4.1",
"@sentry/browser": "^7.0.0",

Bug: Upgrading @sentry/browser to v7.0.0 will ship untranspiled ES6 code to IE11 users because the Babel loader configuration does not process the @sentry/browser package.
Severity: CRITICAL

Suggested Fix

Update the babelSharedLoader configuration in your webpack settings to include the path to the @sentry/browser package. This will ensure its code is transpiled to ES5, making it compatible with older browsers like IE11. For example, add path.resolve(__dirname, "node_modules/@sentry/browser") to the include array.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: Upgrading `@sentry/browser` to v7.0.0 introduces ES6 code. The
project's webpack configuration for the Babel loader explicitly specifies an `include`
path that only transpiles application code and the `@material-ui` library, but not other
`node_modules` like `@sentry/browser`. The application actively supports Internet
Explorer 11, which does not understand ES6 syntax. As a result, any IE11 user loading
the site will encounter a JavaScript syntax error when the untranspiled Sentry package
is loaded. This will prevent Sentry from initializing and is likely to break other
critical page functionality, preventing the page from loading correctly for those users.

Bug: Upgrading @sentry/browser to v7 will break the application for IE11 users because its ES6 code is not being transpiled to ES5 by the current webpack configuration.
Severity: HIGH

Suggested Fix

Update the webpack configuration in webpack.config.shared.js to include @sentry/browser in the babelSharedLoader's include array. This will ensure the Sentry SDK is transpiled to ES5, maintaining compatibility with older browsers like IE11.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: The upgrade to `@sentry/browser` v7 introduces untranspiled ES6 code.
The project's webpack configuration in `webpack.config.shared.js` does not include
`@sentry/browser` in its Babel transpilation process. The application has historically
supported Internet Explorer 11, which does not support modern ES6 syntax. Because the
Sentry client bundle is loaded early in the page's `<head>`, users on IE11 will
encounter JavaScript syntax errors during initialization, causing the application to
fail to load.

Bug: The yarn.lock file was not updated after changing the @sentry/browser version in package.json. This results in the old, vulnerable version being installed.
Severity: CRITICAL

Suggested Fix

Regenerate the yarn.lock file to reflect the version change in package.json. This can be done by running yarn install or yarn upgrade @sentry/browser, which will update the lockfile to resolve to a secure version of @sentry/browser.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L13

Potential issue: The pull request updates `package.json` to use `@sentry/browser:
^7.0.0` to patch a security vulnerability (GHSA-593m-55hh-j8gv). However, the
`yarn.lock` file was not regenerated. As a result, `yarn install` will continue to
install the old, vulnerable version (`6.7.1`) specified in the lockfile, instead of the
intended secure version. This leaves the application exposed to the Prototype Pollution
gadget attack that the upgrade was meant to fix.

"@sentry/webpack-plugin": "^1.18.3",
"ajaxchimp": "^1.3.0",
"autoprefixer": "^7.1.1",
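
Review bot: The `@sentry/browser` change from `^6.4.1` to `^7.0.0` is a major-version bump with no accompanying lockfile change in this diff, which is one addition and one deletion in package.json. Regenerate yarn.lock and commit it in the same change so that installs resolve to a 7.x release instead of whatever version was previously locked, and check the built bundle against the browsers the project supports before merging. The context lines also leave `@sentry/webpack-plugin` at `^1.18.3`; confirm that it works with the 7.x SDK or bump it in this PR.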