chore: update and pin dotagents #5026

Open
Flash0ver wants to merge 7 commits into main from chore/consolidate-dotagents

Member

@Flash0ver Flash0ver commented Mar 13, 2026

Summary

  • update dotagents to 1.3.0
    • run dotagents doctor --fix to fix some issues that the new version now detects
  • pin version via package.json
  • update .gitignore with npm infrastructure

Remarks

It seems that I was able to avoid JavaScript outside of a Browser only for so long 😉.
It does feel a bit dirty though, adding npm tools before adding .NET tools ... well.
Enough rant.

This changeset not only updates and pins dotagents,
but also sets up the repository for some basic npm infrastructure.

#5024 builds on top of this changeset.

@Flash0ver Flash0ver self-assigned this Mar 13, 2026
Contributor

github-actions bot commented Mar 13, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This PR will not appear in the changelog.


@Flash0ver Flash0ver mentioned this pull request Mar 13, 2026

codecov bot commented Mar 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.94%. Comparing base (bfe5319) to head (405e718).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5026      +/-   ##
==========================================
+ Coverage   73.92%   73.94%   +0.02%     
==========================================
  Files         497      497              
  Lines       17974    17974              
  Branches     3517     3517              
==========================================
+ Hits        13287    13291       +4     
+ Misses       3832     3825       -7     
- Partials      855      858       +3     

@Flash0ver Flash0ver marked this pull request as ready for review March 13, 2026 20:58
@Flash0ver Flash0ver added the skip-changelog Suppress automatic changelog generation via Craft label Mar 13, 2026

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: Lock file added to .gitignore contradicts reproducibility intent
    • Removed agents.lock from .gitignore so the Dotagents lock file remains intentionally tracked for frozen installs.
  • ✅ Fixed: package-lock.json gitignored reduces install reproducibility
    • Removed package-lock.json from .gitignore and committed a generated lock file to pin transitive npm dependencies reproducibly.

Preview (9fd1aceeb3)
diff --git a/.gitignore b/.gitignore
--- a/.gitignore
+++ b/.gitignore
@@ -34,11 +34,9 @@
 
 # Node Package Manager
 node_modules/
-package-lock.json
 
 # Local Claude Code settings that should not be committed
 .claude/settings.local.json
 
 # https://github.com/getsentry/dotagents
-agents.lock
 .agents/.gitignore
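Review bot: Un-ignoring the lock files is not enough by itself: after the removed `-package-lock.json` and `-agents.lock` lines, nothing in this preview makes CI install from them, since only `.gitignore` and `package-lock.json` are touched. The frozen modes named in the review comments, `npm ci` and `dotagents install --frozen`, are what turn a committed lock into an enforced one, so the workflow step belongs in the same PR. A short comment above `.agents/.gitignore` stating that `agents.lock` is tracked on purpose would also keep the ignore entry from being reintroduced later.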

diff --git a/package-lock.json b/package-lock.json
new file mode 100644
--- /dev/null
+++ b/package-lock.json
@@ -1,0 +1,88 @@
+{
+  "name": "workspace",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@sentry/dotagents": "1.3.0"
+      }
+    },
+    "node_modules/@clack/core": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@clack/core/-/core-1.1.0.tgz",
+      "integrity": "sha512-SVcm4Dqm2ukn64/8Gub2wnlA5nS2iWJyCkdNHcvNHPIeBTGojpdJ+9cZKwLfmqy7irD4N5qLteSilJlE0WLAtA==",
+      "license": "MIT",
+      "dependencies": {
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@clack/prompts": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@clack/prompts/-/prompts-1.1.0.tgz",
+      "integrity": "sha512-pkqbPGtohJAvm4Dphs2M8xE29ggupihHdy1x84HNojZuMtFsHiUlRvqD24tM2+XmI+61LlfNceM3Wr7U5QES5g==",
+      "license": "MIT",
+      "dependencies": {
+        "@clack/core": "1.1.0",
+        "sisteransi": "^1.0.5"
+      }
+    },
+    "node_modules/@sentry/dotagents": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@sentry/dotagents/-/dotagents-1.3.0.tgz",
+      "integrity": "sha512-jHJOmwPSyM/bdZPi/UwWhzjrWk1vfnYDu4QjI203nw4B7HjnirpS3ENQA5AufrMeXlnktPU+iA2l8vBAitAAQQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@clack/prompts": "^1.0.1",
+        "chalk": "^5.6.2",
+        "smol-toml": "^1.6.0",
+        "zod": "^4.3.6"
+      },
+      "bin": {
+        "dotagents": "dist/cli/index.js"
+      },
+      "engines": {
+        "node": ">=20"
+      }
+    },
+    "node_modules/chalk": {
+      "version": "5.6.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
+      "integrity": "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==",
+      "license": "MIT",
+      "engines": {
+        "node": "^12.17.0 || ^14.13 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/sisteransi": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/sisteransi/-/sisteransi-1.0.5.tgz",
+      "integrity": "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==",
+      "license": "MIT"
+    },
+    "node_modules/smol-toml": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
+      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/cyyynthia"
+      }
+    },
+    "node_modules/zod": {
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
+      "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    }
+  }
+}
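Review bot: `"name": "workspace"` on the second line of the new file matches nothing else visible in this PR, and the root `""` entry carries no `name` of its own, so the value will likely change when someone regenerates the lock in a differently named checkout. Give `package.json` an explicit name, regenerate locally with `npm install --package-lock-only`, and confirm that the versions and `integrity` values come out identical before accepting a bot-generated lock. Note also that the `@sentry/dotagents` entry declares caret ranges (`^1.0.1`, `^5.6.2`, `^1.6.0`, `^4.3.6`) for third-party packages, so the exact versions recorded here are only held in place when installs run `npm ci`.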

# .agents/.gitignore is generated by dotagents — don't commit it.
# https://github.com/getsentry/dotagents
agents.lock

Lock file added to .gitignore contradicts reproducibility intent

Medium Severity

agents.lock is added to .gitignore while the file is simultaneously being committed with updated content. Per dotagents documentation, agents.lock pins exact commits and integrity hashes and is meant to be committed so dotagents install --frozen works in CI for reproducibility. Since the file is already tracked, the .gitignore entry has no immediate effect, but it signals incorrect intent and will prevent re-tracking if the file is ever removed from the index.

Member Author

git rm via 405e718


# Node Package Manager
node_modules/
package-lock.json

package-lock.json gitignored reduces install reproducibility

Low Severity

package-lock.json is gitignored, preventing reproducible npm ci installs. While package.json pins @sentry/dotagents to an exact version (1.3.0), transitive dependencies remain unpinned. npm's official guidance is to commit package-lock.json for applications, allowing npm ci in CI and ensuring all collaborators resolve identical dependency trees.

Member Author

@Flash0ver Flash0ver Mar 13, 2026

Hmm ... I'm indeed super unfamiliar with JavaScript-based build systems.
As long as we only use @sentry/ npm tools ... I have the feeling that we should be fine (in the sense that a package-lock.json won't really help us mitigate issues in this limited scenario).

However ... I might be super-wrong ... and am quite in need of feedback / thoughts here.

My thought / intention was to be consistent with the NuGet ecosystem that we use, where we don't use a packages.lock.json yet either.
Also, the ./package.json declares exact versions ... and no ranges or the like.
But ... I am unfamiliar with the resolution strategy of transitive dependencies within the npm ecosystem.
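
On the open question of how transitive dependencies resolve, here is an added example (not part of this PR or of dotagents) that walks a lockfileVersion 3 document, lists every dependency spec that is a range rather than an exact pin, and flags entries without a sha512 integrity or resolved outside the registry. The sample lock is constructed and trimmed, its integrity values are placeholders, and the function names `floatingRanges` and `auditEntries` are hypothetical.

```javascript
// Constructed sample: a trimmed lockfileVersion 3 document in the shape shown in this PR.
// Integrity values are placeholders; the zod entry is deliberately broken for the audit.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@sentry/dotagents": "1.3.0" } },
    "node_modules/@sentry/dotagents": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/@sentry/dotagents/-/dotagents-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { chalk: "^5.6.2", zod: "^4.3.6" },
    },
    "node_modules/chalk": {
      version: "5.6.2",
      resolved: "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/zod": { version: "4.3.6", resolved: "https://mirror.example.invalid/zod-4.3.6.tgz" },
  },
};

const EXACT = /^\d+\.\d+\.\d+$/;

// Dependency specs that are ranges: the versions only the lock file holds still.
function floatingRanges(lockfile) {
  const found = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    for (const [dep, spec] of Object.entries(pkg.dependencies || {})) {
      if (EXACT.test(spec)) continue; // exact pin, nothing to float
      const entry = lockfile.packages[`node_modules/${dep}`]; // assumes a hoisted layout
      found.push({ from: path || "(root)", dep, spec, locked: entry ? entry.version : null });
    }
  }
  return found;
}

// Entries a frozen install cannot verify, or that resolve outside the expected registry.
function auditEntries(lockfile, registry = "https://registry.npmjs.org/") {
  const problems = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project has no tarball
    if (!/^sha512-/.test(pkg.integrity || "")) problems.push(`${path}: no sha512 integrity`);
    if (!(pkg.resolved || "").startsWith(registry)) problems.push(`${path}: resolved outside registry`);
  }
  return problems;
}

console.log(floatingRanges(lock), auditEntries(lock));
```

The exact pin in the root entry is skipped, while both ranges declared by the pinned package are reported together with the version the lock currently fixes them to.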
