chore(deps): Upgrade @sentry/browser from 8.33.1 to 10.38.0 #42867
Copilot wants to merge 36 commits into
Agent-Logs-Url: https://github.com/MetaMask/metamask-extension/sessions/66deb05c-d6c0-4fae-953c-8842d8e47c25 Co-authored-by: MajorLift <34228073+MajorLift@users.noreply.github.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning MetaMask internal reviewing guidelines:
Ignoring alerts on:
|
@metamaskbot update-policies |
|
Policies updated. Tip Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers. 👀 lavamoat/browserify/beta/policy.json changes differ from lavamoat/browserify/main/policy.json changes |
✨ Files requiring CODEOWNER review ✨
👨‍🔧 @MetaMask/extension-platform (3 files, +11 -0)
📜 @MetaMask/policy-reviewers (8 files, +216 -296)
🧪 @MetaMask/qa (1 files, +31 -9)
👨‍🔧 @itsyoboieltr (3 files, +11 -0)
|
Builds ready [5c7e650]
⚡ Performance Benchmarks (Total: 🟢 17 pass · 🟡 0 warn · 🔴 0 fail)
Bundle size diffs [🚀 Bundle size reduced!]
|
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
Builds ready [393b097]
⚡ Performance Benchmarks (Total: 🟢 17 pass · 🟡 0 warn · 🔴 0 fail)
Bundle size diffs
|
Builds ready [83c026e]
⚡ Performance Benchmarks (Total: 🟢 15 pass · 🟡 10 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
Root cause of the snap/multichain e2e failures: the shared `waitForNonEvmAccountsLoaded` (hit by every login-based test) waits for the Solana/Bitcoin snap account icons with the default 10s timeout. The icons render in <1s locally, but on constrained 2-core CI runners the v10 Sentry SDK's heavier startup pushes the render just past 10s — so it's a runner timing margin, not a functional regression (the specs pass locally on v10). Allow 30s for these snap-backed icons.
Once the Sentry v10 upgrade (#42867) ships, `propagateTraceparent: true` attaches `traceparent` to outbound requests natively, so the manual traceparent build/inject path here becomes dead. Add TODOs flagging the removable pieces and where to enable `propagateTraceparent` in setupSentry. The RAPID baggage and `consensys-request-id` correlation stay.
Reconcile `yarn.lock` against the merged `package.json`, keeping the v10 `@sentry/*` resolutions alongside main's dependency bumps.
Builds ready [d5c7da6]
⚡ Performance Benchmarks (Total: 🟢 12 pass · 🟡 13 warn · 🔴 0 fail)
Bundle size diffs
|
After a wallet unlock the controllers re-initialize, and the v10 Sentry SDK's heavier startup pushes `.controller-loaded` past the default 10s selenium wait on 2-core CI runners (`multichain-accounts/add-account.spec.ts` "added account should persist after wallet lock"). Bump the startup wait in `navigate` and `waitForControllersLoaded` to 30s without inflating the global `this.timeout`.
Resolve `errors.spec.ts`: drop `MetaMetricsController.latestNonAnonymousEventTimestamp` from `removedBackgroundFields` per main's #43556 (the field was removed from the controller), keeping the timing-dependent `pendingShieldCohort` / `srpSessionData` masks. Reconcile and dedupe `yarn.lock` against the merged `package.json` (material-ui→mui migration, `transaction-controller` 67→68).
Builds ready [6a9af03]
⚡ Performance Benchmarks (Total: 🟢 15 pass · 🟡 10 warn · 🔴 0 fail)
Bundle size diffs
|
The `.controller-loaded` and snap-backed non-EVM icon waits are polled ceilings, not fixed delays — they return as soon as their readiness signal appears. The earlier hard-coded 30s only mattered on a genuine hang, but it also slowed local failures from 10s to 30s for no benefit (local runners aren't the 2-core CI constraint). Replace the four literals with a single named `STARTUP_LOAD_TIMEOUT` (30s on CI, 10s locally): CI keeps the headroom for the heavier Sentry v10 startup, local fails fast again.
Port newly-merged trace-propagation code off the v10-removed `@sentry/utils`: `addFetchInstrumentationHandler` now imports from `@sentry/core`, and the scope propagation context's `spanId` is read as v10's renamed `propagationSpanId` (`sentry-trace-propagation.ts` + its test). Reconcile and dedupe `yarn.lock` against the merged `package.json`. Drop the e2e startup-timeout band-aids (`STARTUP_LOAD_TIMEOUT` and the 30s `.controller-loaded` / non-EVM-icon bumps). The "heavier v10 startup" premise behind them was never measured, so restore the default 10s waits and let CI reveal whether the slowness is real rather than masking it.
Builds ready [29c8c11]
⚡ Performance Benchmarks (Total: 🟢 14 pass · 🟡 11 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
On 2-core CI the Solana/Bitcoin snap account discovery hits an unmocked-network retry storm (~9s) before the icons render, landing at the default 10s wait. Give `waitForNonEvmAccountsLoaded` a 20s ceiling as a stopgap; it stays polled, so the happy path is unaffected. Not a Sentry/v10 issue — root cause and the real fix (globalize the snap discovery mocks) are tracked in #43817; revert this then.
Builds ready [d932004]
⚡ Performance Benchmarks (Total: 🟢 14 pass · 🟡 11 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
…re globalized #43818 globalized the Bitcoin esplora and Solana `getSignaturesForAddress` discovery mocks in `mock-e2e.js`, eliminating the unmocked-network retry storm that delayed non-EVM icon render. `waitForNonEvmAccountsLoaded` returns to the default timeout, matching `main`. Resolves the stopgap tracked by #43817.
Builds ready [9f8f4f0]
⚡ Performance Benchmarks (Total: 🟢 13 pass · 🟡 12 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
… v10 Reverting the stopgap removal: with the default 10s wait, three webpack-chrome e2e shards time out on `img[src="./images/bitcoin-logo.svg"]` (`test-snap-bip-44`, `multichain-account-list-menu`, `add-account`), each at ~10s. #43818's globalized Bitcoin/Solana discovery mocks are present in this branch but the non-EVM icons still render between 10s and 20s on the v10 SDK, so the widened wait is required. The residual latency (v10 snap-account discovery vs. a remaining unmocked call) needs a separate root-cause pass.
|
Builds ready [ed560c5]
⚡ Performance Benchmarks (Total: 🟢 10 pass · 🟡 14 warn · 🔴 0 fail)
Bundle size diffs [🚨 Warning! Bundle size has increased!]
|
Root cause of the slow non-EVM account icons (and the e2e timeouts that the
`NON_EVM_ICON_TIMEOUT` stopgap was masking): the Bitcoin snap requests
`GET /esplora/block-height/{n}` during account discovery, but the global
`setupDefaultNonEvmDiscoveryMocks` only covered `/blocks`, `/blocks/tip/*`,
`/scripthash/*` and `/fee-estimates`. The unmocked `/block-height` request fell
through to the generic empty-200 catch-all, whose malformed body throws in the
snap and restarts the entire discovery cycle. The failing CI run shows the storm
directly: `/blocks`, `/scripthash/<h>/txs` and `/block-height/0` each requested
97 times in one spec, so the Bitcoin icon never renders within the default wait.
The snap is byte-identical on v8 and v10, so the gap predates this PR; the v10
SDK's far heavier startup envelope volume (~1100 Sentry POSTs per spec vs. a
fraction of that on v8) is what tips the same storm past the 10s threshold v8
fit under. Mocking `/block-height` lets discovery complete in a single pass on
both, eliminating the storm at its source and removing the need for the stopgap.
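
The mock-coverage gap described in the commit message above, as an added example that is not part of the PR or the project's test code: it checks a captured request log against the mocked routes and reports the paths that would reach the catch-all. The function names, the glob matching and the sample log are constructed for illustration.

```javascript
// Mock coverage before and after the fix, as listed in the commit message.
// Matching these globs against the path after "/esplora" is this example's assumption.
const MOCKED_BEFORE = ['/blocks', '/blocks/tip/*', '/scripthash/*', '/fee-estimates'];
const MOCKED_AFTER = [...MOCKED_BEFORE, '/block-height/*'];

// Turn a glob such as "/scripthash/*" into an anchored RegExp ("*" also spans "/").
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Count requests per path and return the paths no mock covers, i.e. the ones
// that would reach the generic catch-all. `storm` marks paths repeated at least
// `stormThreshold` times, the signature of a restarted discovery cycle.
function findMockGaps(requestPaths, mockedGlobs, stormThreshold = 3) {
  const matchers = mockedGlobs.map(globToRegExp);
  const counts = new Map();
  for (const raw of requestPaths) {
    const path = raw.split('?')[0].replace(/^\/esplora/, '');
    counts.set(path, (counts.get(path) || 0) + 1);
  }
  return [...counts]
    .filter(([path]) => !matchers.some((re) => re.test(path)))
    .map(([path, count]) => ({ path, count, storm: count >= stormThreshold }))
    .sort((a, b) => b.count - a.count);
}

// Constructed request log (hypothetical): discovery restarts `cycles` times
// because /block-height is answered by the catch-all instead of a mock.
function sampleLog(cycles = 5) {
  const log = ['/esplora/fee-estimates', '/esplora/blocks/tip/height'];
  for (let i = 0; i < cycles; i += 1) {
    log.push('/esplora/blocks', '/esplora/scripthash/ab12/txs', '/esplora/block-height/0');
  }
  return log;
}

console.log('before fix:', findMockGaps(sampleLog(), MOCKED_BEFORE));
console.log('after fix: ', findMockGaps(sampleLog(), MOCKED_AFTER));
```

Run over the request log of a failing spec, a non-empty result names the endpoint that still needs a mock before any timeout is widened.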


Description
Upgrades `@sentry/browser` from `8.33.1` to `10.38.0`, plus the supporting changes needed for v10 to run inside the extension's LavaMoat-scuttled environment.

Why: keep the error-reporting SDK current and pick up v10's tracing/transport changes. v8 is no longer the supported major.

What changed:
- `package.json` / `yarn.lock` pin `@sentry/browser@10.38.0`.
- `lazyLoadIntegration` patch — re-applied for v10. The v8 patch is removed and replaced by `.yarn/patches/@sentry-browser-npm-10.38.0-d1e984c1c7.patch`, which stubs `lazyLoadIntegration` (CDN-based remote-code loading, not permitted in extension stores) across v10's four build variants (`cjs/dev`, `cjs/prod`, `esm/dev`, `esm/prod`).
- `setupSentry.js` — adapted to v10 (`logger` now imported from `@sentry/core` rather than `@sentry/utils`, `propagateTraceparent`, transport wiring); tests updated (`setupSentry.test.js`, `sentry-make-transport.test.ts`).
- `@sentry/utils` removal — v10 folded `@sentry/utils` into `@sentry/core`. After merging `main` (which added `sentry-trace-propagation.ts` on v8 via feat(sentry): propagate W3C traceparent + RAPID baggage on outbound HTTP #43201), ported its `addFetchInstrumentationHandler` import to `@sentry/core` and adapted the propagation context's renamed `spanId` → `propagationSpanId` (`sentry-trace-propagation.ts` + test).
- undefined) or throws on (webpack → "inaccessible under scuttling mode"). Without these the extension fails to boot and every e2e job times out at `.controller-loaded`:
  - development/build/index.js): `WebAssembly`, `Request`.
  - development/webpack/utils/plugins/LavamoatPlugin/index.ts): `WebAssembly`, `Request`, and `requestIdleCallback` (v10 web-vitals `whenIdleOrHidden` feature-detects it; under scuttling the detection itself throws).
  - `sentry-install` bundle proxy allowlist (`development/build/scripts.js`): `addEventListener`, `removeEventListener`, bound to `window` — v10's `browserTracingIntegration` registers an INP interaction listener via `globalThis.addEventListener` synchronously inside `Sentry.init`.
- `builds.yml` — empty serverless environment-detection vars so v10's environment checks don't pick up host values.

Migration verification & coverage equivalence
The upgrade must preserve equivalent telemetry coverage — the same errors, transactions, tags, scrubbing, sampling, and no volume increase — not just a green suite. Verified at three layers (tracked in #43819):
- `test/e2e/tests/metrics/*` capture the real envelopes sent to a mocked DSN and `deepStrictEqual` the attached state against committed fixtures (`state-snapshots/errors-*`), pinning exactly which state fields are sent / masked / removed, and which transactions fire (`traces.spec.ts`: `UI Startup`, `/home.html`). Any required snapshot change is a behavioral delta triaged as benign (timing — e.g. the `pendingShieldCohort` / `srpSessionData` race resolved here) vs regression.
- `metamask` Sentry project last-v8 vs first-v10 release: error volume & grouping, transaction/span volume & perf-unit consumption (quota — [Epic] Sentry Quota Breach Incident — Extension Telemetry (May 28 – Jun 2026) #43410), tag/trace completeness, sampling ≈ 0.75%.

v10-specific deltas asserted explicitly: (a) privacy-critical state masking unchanged (no unmasked field leaks); (b) span serialization — the snap `startTrace` RPC returns a serializable `TraceContext`; (c) `propagateTraceparent` emits exactly one `traceparent` (no double-injection with the manual `consensysTracePropagation`); (d) `beforeSend` / `rewriteReport` scrubbing intact.

Note on the "v10 heavier startup" framing: earlier e2e timeout bumps attributed slow `.controller-loaded` / non-EVM-icon renders to v10. This was disproven — the v10 diff touches startup by ~7 lines, a v8-vs-v10 microbench shows `Sentry.init()` flat (~16 ms) and total SDK delta in tens of ms, and the residual e2e flake is a snap-discovery network-mock gap (~9 s provider retry storm), unrelated to Sentry → tracked separately in #43817. The startup-timeout band-aids were removed accordingly.

Changelog
CHANGELOG entry: null
Related issues
Manual testing steps
- `yarn build:test` and `yarn build:test:webpack`) and load it — it should boot to the home screen with no `.controller-loaded` timeout and no `inaccessible under scuttling mode` / `addEventListener is not a function` errors in the console.
- `browser.sentry-cdn.com` is absent from the built `dist/` output (the `lazyLoadIntegration` stub must hold — store compliance).

Screenshots/Recordings
N/A — no user-facing UI change.
Before
After
Pre-merge author checklist
Pre-merge reviewer checklist
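
One way to assert the "exactly one `traceparent`" delta from the verification list above, as an added example that is not part of the PR or the project's test suite. `parseTraceparent`, `auditTraceparent` and the sample header values are hypothetical names and constructed data; the input is assumed to be the header pairs captured from one outbound request.

```javascript
// W3C Trace Context version-00 shape: version-traceid-parentid-flags, lowercase hex.
const TRACEPARENT_RE = /^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;

// Parse one traceparent value; returns null for malformed values or all-zero ids.
function parseTraceparent(value) {
  const m = TRACEPARENT_RE.exec(value);
  if (!m) return null;
  const [, version, traceId, parentId, flags] = m;
  if (version === 'ff' || /^0+$/.test(traceId) || /^0+$/.test(parentId)) return null;
  return { version, traceId, parentId, sampled: (parseInt(flags, 16) & 1) === 1 };
}

// headerPairs: [name, value] pairs captured from ONE outbound request.
// Two injectors show up either as a repeated header or, when both append to the
// same fetch Headers object, as a single comma-joined value; both are counted.
function auditTraceparent(headerPairs) {
  const values = headerPairs
    .filter(([name]) => name.toLowerCase() === 'traceparent')
    .flatMap(([, value]) => value.split(','))
    .map((v) => v.trim())
    .filter((v) => v !== '');
  if (values.length === 0) return { ok: false, reason: 'missing', values };
  if (values.length > 1) return { ok: false, reason: 'double-injection', values };
  const context = parseTraceparent(values[0]);
  if (!context) return { ok: false, reason: 'malformed', values };
  return { ok: true, reason: 'single', values, context };
}

// Constructed sample requests (hypothetical trace and span ids).
const TP_SDK = '00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01';
const TP_MANUAL = '00-4bf92f3577b34da6a3ce929d0e0e4736-b7ad6b7169203331-01';
const SAMPLES = {
  single: [['consensys-request-id', 'req-1'], ['traceparent', TP_SDK]],
  joined: [['traceparent', `${TP_SDK}, ${TP_MANUAL}`]],
  repeated: [['Traceparent', TP_SDK], ['traceparent', TP_MANUAL]],
  malformed: [['traceparent', `00-${'0'.repeat(32)}-00f067aa0ba902b7-01`]],
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label, auditTraceparent(headers).reason);
}
```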