chore(deps): update CLI to v3.4.3

[github-actions]

Bumps scripts/update-cli.sh from 2.58.6 to 3.4.3.

Auto-generated by a dependency updater.

Changelog

3.4.3

Security Fixes

• Behavior-breaking: Disable Xcode Info.plist preprocessing by default to avoid passing project-controlled compiler settings to cc during release auto-discovery. This affects sentry-cli releases propose-version, sentry-cli send-event and sentry-cli bash-hook --send-event release inference, and sentry-cli react-native xcode auto-release detection. Use --allow-xcode-infoplist-preprocessing only for trusted projects that require preprocessing.
• Ensure restrictive file permissions maintained when sentry-cli login updates existing config files.
• Disable TLS verification only when http.verify_ssl is set to false, case-insensitively.
• Shell-escape generated bash-hook arguments, including paths, tags, release names, and the CLI path.
• Stop sending environment variables in sentry-cli bash-hook events.
• Verify the downloaded binary checksum before replacing the current executable in sentry-cli update.

Performance

• (snapshots) Skip uploading images that already exist in objectstore by batch-checking with HEAD requests first (#3305)

Fixes

• (snapshots) Reject snapshot uploads that have a PR number but no base SHA, since comparisons cannot work without a base reference (#3300)

3.4.2

Fixes

• (snapshots) Stop sending Sentry auth token to Objectstore (#3286)
• (js) Fix argument injection in JavaScript API's serializeOptions. String/number options now validate input types and prevent Array.prototype.concat() from flattening array values into separate CLI arguments. (#3287)

3.4.1

Improvements

• (bundle-jvm) Warn and skip subsequent duplicates when multiple files strip to the same URL (e.g. Android build variants contributing the same FQCN). The warning points users at --exclude to scope the bundle to a single variant (#3275).

Fixes

• (bundle-jvm) Strip the [<module>/]src/<sourceset>/<lang>/ prefix from bundle URLs so Symbolicator can resolve them from package-based stack traces (e.g. sentry-android-core/src/main/java/io/sentry/android/core/ANRWatchDog.java → ~/io/sentry/android/core/ANRWatchDog.jvm) (#3275).

3.4.0

Features

• (snapshots) Add --selective flag to build snapshots to indicate the upload contains only a subset of images (#3268)
• (bundle-jvm) Allow running directly on a project root (including multi-module repos) by automatically collecting only JVM source files (.java, .kt, .scala, .groovy), respecting .gitignore, and excluding common build output directories (#3260)
• (bundle-jvm) Add --exclude option for custom glob patterns to exclude files/directories from source collection (#3260)

Performance

• (snapshots) Parallelize image hashing with rayon (#3250)

Fixes

• (snapshots) Chunk image uploads to avoid file descriptor exhaustion and 413 errors when uploading hundreds of images (#3249)
• (snapshots) Preserve subdirectory structure in snapshot manifest keys instead of flattening to bare filenames (#3269)
• Replace eprintln! with log::info! for progress bar completion messages when the progress bar is disabled (e.g. in CI). This avoids spurious stderr output that some CI systems treat as errors (#3223).

3.3.5

Performance

• (snapshots) Parallelize image hashing with rayon (#3250)

Fixes

• (sourcemaps) Skip non-base64 embedded sourcemaps during injection (#3243)

3.3.4

New Features ✨

• (snapshots) Add --diff-threshold option to build snapshots to set a minimum pixel difference percentage for reporting image changes (#3259)
• Add sentry-cli build download command to download installable builds (IPA/APK) by build ID (#3221).
• Add sentry-cli code-mappings upload command to bulk upload code mappings from a JSON file (#3207, #3208, #3209, #3210).
  • Code mappings link stack trace paths (e.g. com/example/module) to source paths in your repository (e.g. src/main/java/com/example/module), enabling Sentry to display source context and link directly to your code from error stack traces.
  • Repository name and default branch are automatically inferred from your local git remotes, or can be specified explicitly with --repo and --default-branch.
  • Large mapping files are automatically split into batches for upload.

3.3.3

Internal Changes 🔧

• (npm) 🤖 Bump optional dependencies to 3.3.2 in afdef906

3.3.2

New Features ✨

• (preprod) Add VCS parameters to snapshots upload command by rbro112 in #3200

Internal Changes 🔧

• (npm) 🤖 Bump optional dependencies to 3.3.1 in 3200dfb9

3.3.1

Fixes

• Accept ProGuard mapping files without line information instead of rejecting them (#3192).
• Improve error message when uploading .xcarchive or .ipa files on non-Apple Silicon Macs (#3211).

Experimental Feature 🧑‍🔬 (internal-only)

• Pipe snapshot sidecar metadata into upload as part of sentry-cli build snapshots command (#3163).

3.3.0

New Features

• Added sentry-cli proguard uuid <PATH> to compute and print the UUID for a ProGuard mapping file (#3176).

Improvements

• Moved sentry-cli upload-proguard to sentry-cli proguard upload, aligning the API with similar upload commands like debug-files upload and sourcemaps upload (#3174). sentry-cli upload-proguard remains supported as an alias, so no migration is required.

Experimental Feature 🧑‍🔬 (internal-only)

• Print snapshot URL after successful upload (#3167).

3.2.3

Experimental Feature 🧑‍🔬 (internal-only)

• Added experimental sentry-cli build snapshots command to upload build snapshots to a project (#3110).
  • This command uploads files from a specified directory to Sentry's Objectstore, associating them with a snapshot identifier.
  • The command is experimental and subject to breaking changes or removal in future releases.

3.2.2

Fixes

• Updated minimatch dependency to fix a vulnerability (#3153)

3.2.1

Fixes

• The dart-symbol-map upload command now correctly resolves the organization from the auth token payload (#3065).
• Retry DNS resolution failures for sentry.io requests to reduce intermittent failures for some users (#3085)

3.2.0

Features

• Add sourceMaps.inject() for injecting debug IDs (#3088)
• Add --install-group parameter to sentry-cli build upload for controlling update visibility between builds (#3094)

Fixes

• Recognize *.ghe.com URLs as github_enterprise VCS provider (#3127).
• Fixed a bug where the dart-symbol-map command did not accept the --url argument (#3108).
• Add timeout to build upload polling loop to prevent infinite loop when server returns unexpected state (#3118).

3.1.0

New Features

• In the JavaScript API, added multi-project support to releases.newDeploy() method. This method now accept a projects option (array of project slugs), aligning them with the Rust CLI's multi-project capabilities and matching the existing behavior of releases.new() and releases.uploadSourceMaps() (#3001).

Improvements

• This release includes some changes to enable support for older self-hosted Sentry versions. With these changes, Sentry CLI now officially self-hosted Sentry versions 24.11.1 and above (#3070)

Fixes

• Fixed a bug that prevented project IDs from being used with the sentry-cli releases new command for users with self-hosted Sentry instances on versions older than 25.12.1 (#3068).
• Fixed a bug, introduced in version 3.0.0, where the sentry-cli releases list command ignored the --project option (#3048). The command now correctly can filter releases by a single project when supplied via --project. This change does not enable filtering by multiple projects, which has never been supported.

3.0.3

Fixes

• Fixed a bug on Intel-based macOS systems that prevented Sentry CLI from respecting self-signed certificates trusted in the macOS keychain (#3059).

3.0.2

Fixes

• Fixed a bug on ARM-based macOS systems that prevented Sentry CLI from respecting self-signed certificates trusted in the macOS keychain (#3057).

Versioning Policy Update

Our versioning policy has reclassified the minimum supported self-hosted Sentry version as being part of the public API. Therefore, we will only increase this minimum supported self-hosted Sentry version in a major release of Sentry CLI.

3.0.1

Performance Improvements

• We switch to a faster compression algorithm (zstd) for uploading size analysis builds (sentry build upload) in preparation for this week's beta release! (#3038)

3.0.0

New Sentry Support Policy

sentry-cli 3.0.0 and above only officially supports Sentry SaaS and Sentry self-hosted versions 25.11.1 and higher. While many Sentry CLI features may, in practice, continue working with some older Sentry versions, continued support for Sentry versions older than 25.11.1 is not guaranteed. Changes which break support for Sentry versions below 25.11.1 may occur in minor or patch releases.

New Versioning Policy

Sentry CLI now defines a semantic versioning policy. We did not explicitly define a versioning policy previously, and this new policy should give more clarity about what can change in minor or patch releases versus what requires a major version bump.

Breaking Changes

• Removed all sentry-cli files ... and sentry-cli releases files ... subcommands (#2956). These commands provided functionality for managing release files, a feature that has been deprecated in Sentry. Users still using sentry-cli files upload to upload source maps should migrate to sentry-cli sourcemaps upload.
• Removed the sentry-cli sourcemaps explain command (#2947). The command had been deprecated for some time, since Sentry now has a better in-product debugging flow for source map problems via the "Unminify Code" button, which is displayed on any JavaScript issues which could not be unminified.
• Removed the sentry-cli send-metric ... subcommands (#3006). These commands have been deprecated, and the data they send is no longer accepted by Sentry.
• Removed support for the legacy API key authentication method (#2935). Sentry CLI now only supports authenticating with Auth Tokens. If you are using API key authentication via any of the following methods, you need to generate and use an Auth Token, instead:
  • --api-key CLI flag
  • SENTRY_API_KEY environment variable
  • api_key configuration file field
  • apiKey option in the JavaScript API
• Removed the upload-proguard subcommand's --app-id, --version, --version-code, --android-manifest, and --platform arguments (#2876, #2940, #2948). Users using these arguments should stop using them, as they are unnecessary. The information passed to these arguments is no longer visible in Sentry.
• Removed the --started argument from the sentry-cli releases finalize command (#2972). This argument is a no-op, so any users using it should simply stop using it.
• Removed the --use-artifact-bundle flag from sentry-cli sourcemaps upload (#3002). The flag was a no-op that only emitted a deprecation warning.

Node.js Wrapper Breakages

The following changes only apply when using sentry-cli via the npm package sentry/cli:

• The SentryCli.execute method's live parameter now only takes boolean values (#2971). Setting live to true now behaves like 'rejectOnError' did previously, with a zero exit status resolving the returned promise with "success (live mode)" and a non-zero status rejecting the promise with an error message.

• The option parameter to Releases.uploadSourceMaps no longer takes a live property (#2971). We now always execute the command with live set to true.

• Removed the apiKey option from SentryCliOptions (#2935). If you are using apiKey, you need to generate and use an Auth Token via the authToken option, instead.

• Removed the useArtifactBundle option from SentryCliUploadSourceMapsOptions (#3002). This deprecated option was a no-op that users should simply stop passing.

• Drop support for Node.js <18. The minimum required Node.js version is now 18.0.0 (#2985).

• The type export SentryCliReleases has been removed.

• The JavaScript wrapper now uses named exports instead of default exports (#2989). You need to update your imports:

  // Old (default import)
  const SentryCli = require('sentry/cli');
  
  // New (named import)
  const { SentryCli } = require('sentry/cli');

  For ESM imports:

  // Old
  import SentryCli from 'sentry/cli';
  
  // New
  import { SentryCli } from 'sentry/cli';

Improvements

• The sentry-cli upload-proguard command now uses chunked uploading by default (#2918). Users who previously set the SENTRY_EXPERIMENTAL_PROGUARD_CHUNK_UPLOAD environment variable to opt into this behavior no longer need to set the variable.
• We now place source map debug IDs under the source map's debugId field, per the TC39 Debug ID proposal (#3005). This change affects the sentry-cli sourcemaps inject command and, unless --no-rewrite is passed, the sentry-cli sourcemaps upload command. Sentry CLI can still read the debug_id field, but whenever the CLI writes or rewrites a source map, we always use debugId.
• The sentry-cli build upload command now automatically tracks Sentry plugin versions from the SENTRY_PIPELINE environment variable (#2994). When SENTRY_PIPELINE contains a recognized Sentry plugin (e.g., sentry-gradle-plugin/4.12.0 or sentry-fastlane-plugin/1.2.3), the plugin version is written to the .sentry-cli-metadata.txt file in uploaded build archives, enabling the backend to store metadata for size analysis and build distribution tracking.

Fixes

• Fixed misleading error message claiming the server doesn't support chunk uploading when the actual error was a non-existent organization (#2930).

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Legacy source map upload uses removed CLI command

High Severity

Bumping sentry-cli from 2.x to 3.x breaks the legacyWebSymbolication code path. The _executeCliForLegacySourceMaps method constructs commands using releases files <release> upload-sourcemaps, but sentry-cli 3.0.0 explicitly removed all releases files subcommands. Users with legacy_web_symbolication: true in their config will experience runtime failures when uploading source maps. The option is still exposed and configurable with no deprecation warning or guard.

 

[github-actions]

Semver Impact of This PR

⚪ None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

Internal Changes 🔧

Deps

• Bump actions/create-github-app-token from 2.0.6 to 2.1.4 by dependabot in #356
• Bump actions/upload-artifact from 4 to 5 by dependabot in #365
• Bump actions/setup-java from 4 to 5 by dependabot in #353
• Bump actions/checkout from 4 to 5 by dependabot in #350

Release

• Fix changelog-preview permissions by BYK in #373
• Switch from action-prepare-release to Craft by BYK in #371

Other

• Use pull_request_target for changelog preview by BYK in #372

Other

• (dont merge) chore(deps): update CLI to v3.3.3 by github-actions[bot] in #354

• internal: Instrument plugin with Sentry tracing & error by buenaflor in #381

---

_{🤖 This preview updates automatically when you update the PR.}

[sentry]

Bug: The legacyWebSymbolication option uses a sentry-cli command that was removed in the updated version, causing source map uploads to fail.
_{Severity: HIGH}

Suggested Fix

Update the _executeCliForLegacySourceMaps method to use the modern sentry-cli sourcemaps upload command instead of the removed sentry-cli releases files ... upload-sourcemaps command. This will restore compatibility for the legacy web symbolication feature with the new CLI version.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: lib/src/cli/_sources.dart#L4

Potential issue: The plugin's `legacyWebSymbolication` feature invokes the `sentry-cli
releases files <release> upload-sourcemaps <folder>` command. This pull request updates
the bundled `sentry-cli` to a version where `sentry-cli releases files ...` subcommands
have been removed. Consequently, users who have `legacyWebSymbolication: true` in their
configuration will experience command-line failures when the
`_executeCliForLegacySourceMaps` method attempts to upload source maps using the
now-nonexistent command.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[sentry]

Bug: The _executeCliForLegacySourceMaps function uses the releases files upload-sourcemaps command, which was removed in sentry-cli v3.0.0, breaking legacy web symbolication.
_{Severity: HIGH}

Suggested Fix

Update the _executeCliForLegacySourceMaps function to use the new sentry-cli sourcemaps upload command, which is the recommended replacement. Alternatively, implement a version check for sentry-cli and either use the correct command based on the version or show an error if a user attempts to use legacy symbolication with an incompatible CLI version.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: lib/src/cli/_sources.dart#L4

Potential issue: The PR updates `sentry-cli` to v3.4.3, which removes the `releases
files upload-sourcemaps` command. The `_executeCliForLegacySourceMaps` function,
triggered when `legacy_web_symbolication` is set to `true`, still uses this removed
command. This will cause a runtime error when the CLI is executed, preventing source map
uploads for users who have opted into this legacy mode. The failure will break
symbolication for their web builds. The code does not contain any version checking or
fallback logic to handle this breaking change introduced by the `sentry-cli` update.