Update dependency sentry-sdk to v1.45.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sentry-sdk (changelog)	==1.31.0 -> ==1.45.1

GitHub Vulnerability Alerts

CVE-2024-40647

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

2. Disable Stdlib integration:

import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References

• Sentry docs: Default integrations
• Python docs: subprocess module
• Patch https://github.com/getsentry/sentry-python/pull/3251

---

Release Notes

getsentry/sentry-python (sentry-sdk)

v1.45.1

Compare Source

This is a security backport release.

• Don't send full env to subprocess (892dd80) by @​kmichel-aiven

  See also GHSA-g92j-qhmh-64v2

v1.45.0

Compare Source

This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

Various fixes & improvements

• Allow to upsert monitors (#​2929) by @​sentrivana

  It's now possible to provide monitor_config to the monitor decorator/context manager directly:

  from sentry_sdk.crons import monitor
  

v1.44.1

Compare Source

Various fixes & improvements

• Make monitor async friendly (#​2912) by @​sentrivana

  You can now decorate your async functions with the monitor
  decorator and they will correctly report their duration
  and completion status.

• Fixed Event | None runtime TypeError (#​2928) by @​szokeasaurusrex

v1.44.0

Compare Source

Various fixes & improvements

• ref: Define types at runtime (#​2914) by @​szokeasaurusrex
• Explicit reexport of types (#​2866) (#​2913) by @​szokeasaurusrex
• feat(profiling): Add thread data to spans (#​2843) by @​Zylphrex

v1.43.0

Compare Source

Various fixes & improvements

• Add optional keep_alive (#​2842) by @​sentrivana

  If you're experiencing frequent network issues between the SDK and Sentry,
  you can try turning on TCP keep-alive:

  import sentry_sdk
  
  sentry_sdk.init(
  

...your usual settings...

  keep_alive=True,

)

- Add support for Celery Redbeat cron tasks (#​2643) by @​kwigley

The SDK now supports the Redbeat scheduler in addition to the default
Celery Beat scheduler for auto instrumenting crons. See
[the docs](https://docs.sentry.io/platforms/python/integrations/celery/crons/)
for more information about how to set this up.

- `aws_event` can be an empty list (#​2849) by @​sentrivana
- Re-export `Event` in `types.py` (#​2829) by @​szokeasaurusrex
- Small API docs improvement (#​2828) by @​antonpirker
- Fixed OpenAI tests (#​2834) by @​antonpirker
- Bump `checkouts/data-schemas` from `ed078ed` to `8232f17` (#​2832) by @​dependabot

v1.42.0

Compare Source

Various fixes & improvements

• New integration: OpenAI integration (#​2791) by @​colin-sentry

  We added an integration for OpenAI to capture errors and also performance data when using the OpenAI Python SDK.

  Useage:

  This integrations is auto-enabling, so if you have the openai package in your project it will be enabled. Just initialize Sentry before you create your OpenAI client.

  from openai import OpenAI
  
  import sentry_sdk
  
  sentry_sdk.init(
      dsn="___PUBLIC_DSN___",
      enable_tracing=True,
      traces_sample_rate=1.0,
  )
  
  client = OpenAI()
  

  For more information, see the documentation for OpenAI integration.

• Discard open OpenTelemetry spans after 10 minutes (#​2801) by @​antonpirker

• Propagate sentry-trace and baggage headers to Huey tasks (#​2792) by @​cnschn

• Added Event type (#​2753) by @​szokeasaurusrex

• Improve scrub_dict typing (#​2768) by @​szokeasaurusrex

• Dependencies: bump types-protobuf from 4.24.0.20240302 to 4.24.0.20240311 (#​2797) by @​dependabot

v1.41.0

Compare Source

Various fixes & improvements

• Add recursive scrubbing to EventScrubber (#​2755) by @​Cheapshot003

  By default, the EventScrubber will not search your events for potential
  PII recursively. With this release, you can enable this behavior with:

  import sentry_sdk
  from sentry_sdk.scrubber import EventScrubber
  
  sentry_sdk.init(
  

...your usual settings...

  event_scrubber=EventScrubber(recursive=True),

)

- Expose `socket_options` (#​2786) by @​sentrivana

If the SDK is experiencing connection issues (connection resets, server
closing connection without response, etc.) while sending events to Sentry,
tweaking the default `urllib3` socket options to the following can help:

```python
import socket
from urllib3.connection import HTTPConnection
import sentry_sdk

sentry_sdk.init(

### ...your usual settings...
    socket_options=HTTPConnection.default_socket_options + [
        (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),

### note: skip the following line if you're on MacOS since TCP_KEEPIDLE doesn't exist there
        (socket.SOL_TCP, socket.TCP_KEEPIDLE, 45),
        (socket.SOL_TCP, socket.TCP_KEEPINTVL, 10),
        (socket.SOL_TCP, socket.TCP_KEEPCNT, 6),
    ],
)

• Allow to configure merge target for releases (#​2777) by @​sentrivana
• Allow empty character in metric tags values (#​2775) by @​viglia
• Replace invalid tag values with an empty string instead of _ (#​2773) by @​markushi
• Add documentation comment to scrub_list (#​2769) by @​szokeasaurusrex
• Fixed regex to parse version in lambda package file (#​2767) by @​antonpirker
• xfail broken AWS Lambda tests for now (#​2794) by @​sentrivana
• Removed print statements because it messes with the tests (#​2789) by @​antonpirker
• Bump types-protobuf from 4.24.0.20240129 to 4.24.0.20240302 (#​2782) by @​dependabot
• Bump checkouts/data-schemas from eb941c2 to ed078ed (#​2781) by @​dependabot

v1.40.6

Compare Source

Various fixes & improvements

• Fix compatibility with greenlet/gevent (#​2756) by @​sentrivana
• Fix query source relative filepath (#​2717) by @​gggritso
• Support clickhouse-driver==0.2.7 (#​2752) by @​sentrivana
• Bump checkouts/data-schemas from 6121fd3 to eb941c2 (#​2747) by @​dependabot

v1.40.5

Compare Source

Various fixes & improvements

• Deprecate last_event_id(). (#​2749) by @​antonpirker

• Warn if uWSGI is set up without proper thread support (#​2738) by @​sentrivana

  uWSGI has to be run in threaded mode for the SDK to run properly. If this is
  not the case, the consequences could range from features not working unexpectedly
  to uWSGI workers crashing.

  Please make sure to run uWSGI with both --enable-threads and --py-call-uwsgi-fork-hooks.

• parsed_url can be None (#​2734) by @​sentrivana

• Python 3.7 is not supported anymore by Lambda, so removed it and added 3.12 (#​2729) by @​antonpirker

v1.40.4

Compare Source

Various fixes & improvements

• Only start metrics flusher thread on demand (#​2727) by @​sentrivana
• Bump checkouts/data-schemas from aa7058c to 6121fd3 (#​2724) by @​dependabot

v1.40.3

Compare Source

Various fixes & improvements

• Turn off metrics for uWSGI (#​2720) by @​sentrivana
• Minor improvements (#​2714) by @​antonpirker

v1.40.2

Compare Source

Various fixes & improvements

• test: Fix pytest error (#​2712) by @​szokeasaurusrex
• build(deps): bump types-protobuf from 4.24.0.4 to 4.24.0.20240129 (#​2691) by @​dependabot

v1.40.1

Compare Source

Various fixes & improvements

• Fix uWSGI workers hanging (#​2694) by @​sentrivana
• Make metrics work with gevent (#​2694) by @​sentrivana
• Guard against engine.url being None (#​2708) by @​sentrivana
• Fix performance regression in sentry_sdk.utils._generate_installed_modules (#​2703) by @​GlenWalker
• Guard against Sentry initialization mid SQLAlchemy cursor (#​2702) by @​apmorton
• Fix yaml generation script (#​2695) by @​sentrivana
• Fix AWS Lambda workflow (#​2710) by @​sentrivana
• Bump codecov/codecov-action from 3 to 4 (#​2706) by @​dependabot
• Bump actions/cache from 3 to 4 (#​2661) by @​dependabot
• Bump actions/checkout from 3.1.0 to 4.1.1 (#​2561) by @​dependabot
• Bump github/codeql-action from 2 to 3 (#​2603) by @​dependabot
• Bump actions/setup-python from 4 to 5 (#​2577) by @​dependabot

v1.40.0

Compare Source

Various fixes & improvements

• Enable metrics related settings by default (#​2685) by @​iambriccardo
• Fix UnicodeDecodeError on Python 2 (#​2657) by @​sentrivana
• Enable DB query source by default (#​2629) by @​sentrivana
• Fix query source duration check (#​2675) by @​sentrivana
• Reformat with black==24.1.0 (#​2680) by @​sentrivana
• Cleaning up existing code to prepare for new Scopes API (#​2611) by @​antonpirker
• Moved redis related tests to databases (#​2674) by @​antonpirker
• Improve sentry_sdk.trace type hints (#​2633) by @​szokeasaurusrex
• Bump checkouts/data-schemas from e9f7d58 to aa7058c (#​2639) by @​dependabot

v1.39.2

Compare Source

Various fixes & improvements

• Fix timestamp in transaction created by OTel (#​2627) by @​antonpirker
• Fix relative path in DB query source (#​2624) by @​antonpirker
• Run more CI checks on 2.0 branch (#​2625) by @​sentrivana
• Fix tracing TypeError for static and class methods (#​2559) by @​szokeasaurusrex
• Fix missing ctx in Arq integration (#​2600) by @​ivanovart
• Change data_category from check_in to monitor (#​2598) by @​sentrivana

v1.39.1

Compare Source

Various fixes & improvements

• Fix psycopg2 detection in the Django integration (#​2593) by @​sentrivana
• Filter out empty string releases (#​2591) by @​sentrivana
• Fixed local var not present when there is an error in a user's error_sampler function (#​2511) by @​antonpirker
• Fixed typing in aiohttp (#​2590) by @​antonpirker

v1.39.0

Compare Source

Various fixes & improvements

• Add support for cluster clients from Redis SDK (#​2394) by @​md384
• Improve location reporting for timer metrics (#​2552) by @​mitsuhiko
• Fix Celery TypeError with no-argument apply_async (#​2575) by @​szokeasaurusrex
• Fix Lambda integration with EventBridge source (#​2546) by @​davidcroda
• Add max tries to Spotlight (#​2571) by @​hazAT
• Handle os.path.devnull access issues (#​2579) by @​sentrivana
• Change code.filepath frame picking logic (#​2568) by @​sentrivana
• Trigger AWS Lambda tests on label (#​2538) by @​sentrivana
• Run permissions step on pull_request_target but not push (#​2548) by @​sentrivana
• Hash AWS Lambda test functions based on current revision (#​2557) by @​sentrivana
• Update Django version in tests (#​2562) by @​sentrivana
• Make metrics tests non-flaky (#​2572) by @​antonpirker

v1.38.0

Compare Source

Various fixes & improvements

• Only add trace context to checkins and do not run event_processors for checkins (#​2536) by @​antonpirker
• Metric span summaries (#​2522) by @​mitsuhiko
• Add source context to code locations (#​2539) by @​jan-auer
• Use in-app filepath instead of absolute path (#​2541) by @​antonpirker
• Switch to jinja2 for generating CI yamls (#​2534) by @​sentrivana

v1.37.1

Compare Source

Various fixes & improvements

• Fix NameError on parse_version with eventlet (#​2532) by @​sentrivana
• build(deps): bump checkouts/data-schemas from 68def1e to e9f7d58 (#​2501) by @​dependabot

v1.37.0

Compare Source

Various fixes & improvements

• Move installed modules code to utils (#​2429) by @​sentrivana

  Note: We moved the internal function _get_installed_modules from sentry_sdk.integrations.modules to sentry_sdk.utils.
  So if you use this function you have to update your imports

• Add code locations for metrics (#​2526) by @​jan-auer

• Add query source to DB spans (#​2521) by @​antonpirker

• Send events to Spotlight sidecar (#​2524) by @​HazAT

• Run integration tests with newest pytest (#​2518) by @​sentrivana

• Bring tests up to date (#​2512) by @​sentrivana

• Fix: Prevent global var from being discarded at shutdown (#​2530) by @​antonpirker

• Fix: Scope transaction source not being updated in scope.span setter (#​2519) by @​sl0thentr0py

v1.36.0

Compare Source

Various fixes & improvements

• Django: Support Django 5.0 (#​2490) by @​sentrivana
• Django: Handling ASGI body in the right way. (#​2513) by @​antonpirker
• Flask: Test with Flask 3.0 (#​2506) by @​sentrivana
• Celery: Do not create a span when task is triggered by Celery Beat (#​2510) by @​antonpirker
• Redis: Ensure RedisIntegration is disabled, unless redis is installed (#​2504) by @​szokeasaurusrex
• Quart: Fix Quart integration for Quart 0.19.4 (#​2516) by @​antonpirker
• gRPC: Make async gRPC less noisy (#​2507) by @​jyggen

v1.35.0

Compare Source

Various fixes & improvements

• Updated gRPC integration: Asyncio interceptors and easier setup (#​2369) by @​fdellekart

  Our gRPC integration now instruments incoming unary-unary grpc requests and outgoing unary-unary, unary-stream grpc requests using grpcio channels. Everything works now for sync and async code.

  Before this release you had to add Sentry interceptors by hand to your gRPC code, now the only thing you need to do is adding the GRPCIntegration to you sentry_sdk_init() call. (See documentation for more information):

  import sentry_sdk
  from sentry_sdk.integrations.grpc import GRPCIntegration
  
  sentry_sdk.init(
      dsn="___PUBLIC_DSN___",
      enable_tracing=True,
      integrations=[
          GRPCIntegration(),
      ],
  )
  

  The old way still works, but we strongly encourage you to update your code to the way described above.

• Python 3.12: Replace deprecated datetime functions (#​2502) by @​sentrivana

• Metrics: Unify datetime format (#​2409) by @​mitsuhiko

• Celery: Set correct data in check_ins (#​2500) by @​antonpirker

• Celery: Read timezone for Crons monitors from celery_schedule if existing (#​2497) by @​antonpirker

• Django: Removing redundant code in Django tests (#​2491) by @​vagi8

• Django: Make reading the request body work in Django ASGI apps. (#​2495) by @​antonpirker

• FastAPI: Use wraps on fastapi request call wrapper (#​2476) by @​nkaras

• Fix: Probe for psycopg2 and psycopg3 parameters function. (#​2492) by @​antonpirker

• Fix: Remove unnecessary TYPE_CHECKING alias (#​2467) by @​rafrafek

v1.34.0

Compare Source

Various fixes & improvements

• Added Python 3.12 support (#​2471, #​2483)
• Handle missing connection_kwargs in patch_redis_client (#​2482) by @​szokeasaurusrex
• Run common test suite on Python 3.12 (#​2479) by @​sentrivana

v1.33.1

Compare Source

Various fixes & improvements

• Make parse_version work in utils.py itself. (#​2474) by @​antonpirker

v1.33.0

Compare Source

Various fixes & improvements

• New: Added error_sampler option (#​2456) by @​szokeasaurusrex
• Python 3.12: Detect interpreter in shutdown state on thread spawn (#​2468) by @​mitsuhiko
• Patch eventlet under Sentry SDK (#​2464) by @​szokeasaurusrex
• Mitigate CPU spikes when sending lots of events with lots of data (#​2449) by @​antonpirker
• Make debug option also configurable via environment (#​2450) by @​antonpirker
• Make sure get_dsn_parameters is an actual function (#​2441) by @​sentrivana
• Bump pytest-localserver, add compat comment (#​2448) by @​sentrivana
• AWS Lambda: Update compatible runtimes for AWS Lambda layer (#​2453) by @​antonpirker
• AWS Lambda: Load AWS Lambda secrets in Github CI (#​2153) by @​antonpirker
• Redis: Connection attributes in redis database spans (#​2398) by @​antonpirker
• Falcon: Falcon integration checks response status before reporting error (#​2465) by @​szokeasaurusrex
• Quart: Support Quart 0.19 onwards (#​2403) by @​pgjones
• Sanic: Sanic integration initial version (#​2419) by @​szokeasaurusrex
• Django: Fix parsing of Django path patterns (#​2452) by @​sentrivana
• Django: Add Django 4.2 to test suite (#​2462) by @​sentrivana
• Polish changelog (#​2434) by @​sentrivana
• Update CONTRIBUTING.md (#​2443) by @​krishvsoni
• Update README.md (#​2435) by @​sentrivana

v1.32.0

Compare Source

Various fixes & improvements

• New: Error monitoring for some of the most popular Python GraphQL libraries:

  • Add GQL GraphQL integration (#​2368) by @​szokeasaurusrex

    Usage:

      import sentry_sdk
      from sentry_sdk.integrations.gql import GQLIntegration
    
      sentry_sdk.init(
          dsn='___PUBLIC_DSN___',
          integrations=[
              GQLIntegration(),
          ],
      )
    

  • Add Graphene GraphQL error integration (#​2389) by @​sentrivana

    Usage:

      import sentry_sdk
      from sentry_sdk.integrations.graphene import GrapheneIntegration
    
      sentry_sdk.init(
          dsn='___PUBLIC_DSN___',
          integrations=[
              GrapheneIntegration(),
          ],
      )
    

  • Add Strawberry GraphQL error & tracing integration (#​2393) by @​sentrivana

    Usage:

      import sentry_sdk
      from sentry_sdk.integrations.strawberry import StrawberryIntegration
    
      sentry_sdk.init(
          dsn='___PUBLIC_DSN___',
          integrations=[
    

make sure to set async_execution to False if you're executing

GraphQL queries synchronously

          StrawberryIntegration(async_execution=True),
      ],
      traces_sample_rate=1.0,
  )
```

• Add Ariadne GraphQL error integration (#​2387) by @​sentrivana

  Usage:

    import sentry_sdk
    from sentry_sdk.integrations.ariadne import AriadneIntegration
  
    sentry_sdk.init(
        dsn='___PUBLIC_DSN___',
        integrations=[
            AriadneIntegration(),
        ],
    )
  

• Capture multiple named groups again (#​2432) by @​sentrivana

• Don't fail when upstream scheme is unusual (#​2371) by @​vanschelven

• Support new RQ version (#​2405) by @​antonpirker

• Remove utcnow, utcfromtimestamp deprecated in Python 3.12 (#​2415) by @​rmad17

• Add trace to __all__ in top-level __init__.py (#​2401) by @​lobsterkatie

• Move minimetrics code to the SDK (#​2385) by @​mitsuhiko

• Add configurable compression levels (#​2382) by @​mitsuhiko

• Shift flushing by up to a rollup window (#​2396) by @​mitsuhiko

• Make a consistent noop flush behavior (#​2428) by @​mitsuhiko

• Stronger recursion protection (#​2426) by @​mitsuhiko

• Remove OpenTelemetryIntegration from __init__.py (#​2379) by @​sentrivana

• Update API docs (#​2397) by @​antonpirker

• Pin some test requirements because new majors break our tests (#​2404) by @​antonpirker

• Run more requests, celery, falcon tests (#​2414) by @​sentrivana

• Move importorskips in tests to __init__.py files (#​2412) by @​sentrivana

• Fix mypy errors (#​2433) by @​sentrivana

• Fix pre-commit issues (#​2424) by @​bukzor-sentryio

• Update CONTRIBUTING.md (#​2411) by @​sentrivana

• Bump sphinx from 7.2.5 to 7.2.6 (#​2378) by @​dependabot

• [Experimental] Add explain plan to DB spans (#​2315) by @​antonpirker

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.29%. Comparing base (3ff0fe6) to head (8545d1f).

Additional details and impacted files

@@             Coverage Diff             @@
##              main     #388      +/-   ##
===========================================
- Coverage   100.00%   99.29%   -0.71%     
===========================================
  Files            6        6              
  Lines          141      141              
===========================================
- Hits           141      140       -1     
- Misses           0        1       +1     

Flag	Coverage Δ
unit	99.29% <ø> (-0.71%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.