fix(deps): update critical

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	OpenSSF
@sentry/nextjs (source)	dependencies	minor	10.38.0 → 10.39.0	10.40.0
@sentry/node-native (source)	dependencies	minor	10.38.0 → 10.39.0	10.40.0
@sentry/profiling-node (source)	dependencies	minor	10.38.0 → 10.39.0	10.40.0
@tanstack/react-query (source)	dependencies	patch	5.90.20 → 5.90.21
drizzle-orm (source)	dependencies	patch	1.0.0-beta.15-859cf75 → 1.0.0-beta.9-e89174b
next-intl (source)	dependencies	patch	4.8.1 → 4.8.3

---

Release Notes

getsentry/sentry-javascript (@​sentry/nextjs)

v10.39.0

Compare Source

Important Changes

• feat(tanstackstart-react): Auto-instrument server function middleware (#​19001)

  The sentryTanstackStart Vite plugin now automatically instruments middleware in createServerFn().middleware([...]) calls. This captures performance data without requiring manual wrapping with wrapMiddlewaresWithSentry().

• feat(nextjs): New experimental automatic vercel cron monitoring (#​19192)

  Setting _experimental.vercelCronMonitoring to true in your Sentry configuration will automatically create Sentry cron monitors for your Vercel Cron Jobs.

  Please note that this is an experimental unstable feature and subject to change.

  // next.config.ts
  export default withSentryConfig(nextConfig, {
    _experimental: {
      vercelCronMonitoring: true,
    },
  });

• feat(node-core): Add node-core/light (#​18502)

  This release adds a new light-weight @sentry/node-core/light export to @sentry/node-core. The export acts as a light-weight SDK that does not depend on OpenTelemetry and emits no spans.

  Use this SDK when:

  • You only need error tracking, logs or metrics without tracing data (no spans)
  • You want to minimize bundle size and runtime overhead
  • You don't need spans emitted by OpenTelemetry instrumentation

  It supports error tracking and reporting, logs, metrics, automatic request isolation (requires Node.js 22+) and basic tracing via our Sentry.startSpan* APIs.

  Install the SDK by running

  npm install @​sentry/node-core

  and add Sentry at the top of your application's entry file:

  import * as Sentry from '@​sentry/node-core/light';
  
  Sentry.init({
    dsn: '__DSN__',
  });

Other Changes

• feat(browser): Add mode option for the browser session integration (#​18997)
• feat(browser): Include culture context with events (#​19148)
• feat(browser): Trace continuation from server-timing headers (#​18673)
• feat(core,cloudflare): Enable certain fields with env variables (#​19245)
• feat(deps): bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 (#​19149)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.8.0 to 4.9.0 (#​19190)
• feat(deps): Bump glob in @sentry/react-router (#​19162)
• feat(deps): bump hono from 4.11.1 to 4.11.7 (#​19068)
• feat(hono): Add base for Sentry Hono middleware (Cloudflare) (#​18787)
• feat(nextjs): Set cloudflare runtime (#​19084)
• feat(node-core): Add outgoing fetch trace propagation to light mode (#​19262)
• feat(react): Add lazyRouteManifest option to resolve lazy-route names (#​19086)
• feat(vercel-ai): Add rerank support and fix token attribute mapping (#​19144)
• fix(core): Avoid blocking the process for weightBasedFlushing (#​19174)
• fix(core): Avoid blocking the process when calling flush on empty buffer (#​19062)
• fix(core): Ensure partially set SDK metadata options are preserved (#​19102)
• fix(core): Fix truncation to only keep last message in vercel (#​19080)
• fix(core): Intercept .withResponse() to preserve OpenAI stream instrumentation (#​19122)
• fix(core): Prevent infinite recursion when event processor throws (#​19110)
• fix(core): Record client report with reason for HTTP 413 responses (#​19093)
• fix(core): Remove outdated _experiments.enableMetrics references from metrics JSDoc (#​19252)
• fix(core): Respect event.event_id in scope.captureEvent return value (#​19113)
• fix(core): use sessionId for MCP transport correlation (#​19172)
• fix(deps): Bump @nestjs/platform-express to 11.1.13 (#​19206)
• fix(deps): Bump diff to 5.2.2 (#​19228)
• fix(deps): Bump js-yaml to 3.14.2 and 4.1.1 (#​19216)
• fix(deps): Bump lodash to 4.17.23 (#​19211)
• fix(deps): Bump mdast-util-to-hast to 13.2.1 (#​19205)
• fix(deps): Bump node-forge to 1.3.2 (#​19183)
• fix(deps): Bump react-router to 6.30.3 (#​19212)
• fix(deps): Bump sinon to 21.0.1 in @sentry/ember (#​19246)
• fix(deps): Bump vite to 5.4.21 (#​19214)
• fix(nextjs): Expose an event id when captureUnderscoreErrorException captures an exception (#​19185)
• fix(nextjs): Populate SENTRY_SERVER_MODULES in Turbopack (#​19231)
• fix(node): Use snake_case for Fastify's request-handler op. (#​18729)
• fix(nuxt): Avoid logging database skip warning when debug is disabled (#​19095)
• fix(nuxt): Respect configured environment settings (#​19243)
• fix(profiling-node): 137 ABI should not be pruned for node 24 (#​19236)
• fix(replay): Improve error messages when compression worker fails to load (#​19008)
• fix(svelte): Bump svelte dev dependency to 3.59.2 (#​19208)
• fix(sveltekit): Detect used adapter via svelte.config.js (#​19270)
• fix(tanstackstart-react): Use auto.middleware.tanstackstart as middleware trace origin (#​19137)
• ref(core): Move shouldPropagateTraceForUrl from opentelemetry to core (#​19254)
• ref(core): Move shouldPropagateTraceForUrl from opentelemetry to core (#​19258)
• ref(sveltekit): Use untrack to read route id without invalidation (#​19272)

Internal Changes

• chore: Add cursor rules for AI integrations contributions (#​19167)
• chore: Add Makefiles for dev-packages to make it convenient to run tests (#​19203)
• chore: bump prettier to 3.8 (#​19198)
• chore(bugbot): Add rule to flag not-unref'd timers (#​19082)
• chore(deps-dev): bump @​sveltejs/kit from 2.49.5 to 2.50.1 (#​19089)
• chore(deps-dev): bump ts-node from 10.9.1 to 10.9.2 (#​19189)
• chore(deps-dev): bump vite from 3.2.11 to 5.4.21 (#​19227)
• chore(deps-dev): bump webpack from 5.95.0 to 5.104.1 (#​19199)
• chore(deps-dev): bump yaml from 2.2.2 to 2.8.2 (#​19087)
• chore(deps): Bump Apollo Server from v3 to v5 in integration tests (#​19202)
• chore(deps): Bump express in test utils + e2e apps (#​19159)
• chore(deps): Bump Lerna to v9 (#​19244)
• chore(deps): Bump mongoose in integration tests (#​19175)
• chore(deps): Bump solidjs to 1.9.11 to fix seroval alerts (#​19150)
• chore(deps): Bump webpack from 5.97.0 to 5.104.0 in ember-classic e2e test (#​19239)
• chore(deps): Bump webpack from 5.104.0 to 5.104.1 in ember-classic e2e test (#​19247)
• chore(e2e): Add banner to readme (#​19138)
• chore(llm): Add skill for fixing security vulnerabilities (#​19178)
• chore(node-core): Fix node-core integration test assertions (#​19219)
• ci: Ignore ticket creation for base branches other than develop/master (#​19103)
• ci(e2e): Remove nextjs-turbo canary tests (#​19118)
• ref: Removes unused eslint rule (via yarn fix) (#​19266)
• test(e2e): Bump nextjs-t3 to next 15 (#​19130)
• test(e2e): Migrate test app nextjs-turbo into nextjs-15 (#​19107)

Work in this release was contributed by @​limbonaut and @​rfoel. Thank you for your contributions!

TanStack/query (@​tanstack/react-query)

v5.90.21

Compare Source

Patch Changes

• refactor(react-query/useQueries): remove unreachable 'willFetch' branch in suspense promise collection (#​10082)

amannn/next-intl (next-intl)

v4.8.3

Compare Source

Bug Fixes

• Update @formatjs/intl-localematcher (#​2265) (196f1f3) – by @​amannn

v4.8.2

Compare Source

Bug Fixes

• Avoid throwing config errors for non-Next.js consumers of next.config.ts (#​2245) (f57800e) – by @​amannn

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 13.34%. Comparing base (176b4bd) to head (adc9707).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #45   +/-   ##
=======================================
  Coverage   13.34%   13.34%           
=======================================
  Files         175      175           
  Lines        4383     4383           
  Branches     1174     1189   +15     
=======================================
  Hits          585      585           
  Misses       3798     3798           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.