chore(deps): update dependency sentry-sdk to v1.45.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
sentry-sdk (changelog)	==1.39.1 → ==1.45.1

GitHub Vulnerability Alerts

CVE-2024-40647

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

2. Disable Stdlib integration:

import sentry_sdk

# Should go before sentry_sdk.init
sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")

sentry_sdk.init(...)

References

• Sentry docs: Default integrations
• Python docs: subprocess module
• Patch https://github.com/getsentry/sentry-python/pull/3251

---

Release Notes

getsentry/sentry-python (sentry-sdk)

v1.45.1

Compare Source

This is a security backport release.

• Don't send full env to subprocess (892dd80) by @​kmichel-aiven

  See also GHSA-g92j-qhmh-64v2

v1.45.0

Compare Source

This is the final 1.x release for the forseeable future. Development will continue on the 2.x release line. The first 2.x version will be available in the next few weeks.

Various fixes & improvements

• Allow to upsert monitors (#​2929) by @​sentrivana

  It's now possible to provide monitor_config to the monitor decorator/context manager directly:

  from sentry_sdk.crons import monitor
  
  # All keys except `schedule` are optional
  monitor_config = {
      "schedule": {"type": "crontab", "value": "0 0 * * *"},
      "timezone": "Europe/Vienna",
      "checkin_margin": 10,
      "max_runtime": 10,
      "failure_issue_threshold": 5,
      "recovery_threshold": 5,
  }
  
  @&#8203;monitor(monitor_slug='<monitor-slug>', monitor_config=monitor_config)
  def tell_the_world():
      print('My scheduled task...')

  Check out the cron docs for details.

• Add Django signals_denylist to filter signals that are attached to by signals_spans (#​2758) by @​lieryan

  If you want to exclude some Django signals from performance tracking, you can use the new signals_denylist Django option:

  import django.db.models.signals
  import sentry_sdk
  
  sentry_sdk.init(
      ...
      integrations=[
          DjangoIntegration(
              ...
              signals_denylist=[
                  django.db.models.signals.pre_init,
                  django.db.models.signals.post_init,
              ],
          ),
      ],
  )

• increment for metrics (#​2588) by @​mitsuhiko

  increment and inc are equivalent, so you can pick whichever you like more.

• Add value, unit to before_emit_metric (#​2958) by @​sentrivana

  If you add a custom before_emit_metric, it'll now accept 4 arguments (the key, value, unit and tags) instead of just key and tags.

  def before_emit(key, value, unit, tags):
      if key == "removed-metric":
          return False
      tags["extra"] = "foo"
      del tags["release"]
      return True
  
  sentry_sdk.init(
      ...
      _experiments={
          "before_emit_metric": before_emit,
      }
  )

• Remove experimental metric summary options (#​2957) by @​sentrivana

  The _experiments options metrics_summary_sample_rate and should_summarize_metric have been removed.

• New normalization rules for metric keys, names, units, tags (#​2946) by @​sentrivana

• Change data_category from statsd to metric_bucket (#​2954) by @​cleptric

• Accessing __mro__ might throw a ValueError (#​2952) by @​sentrivana

• Suppress prompt spawned by subprocess when using pythonw (#​2936) by @​collinbanko

• Handle None in GraphQL query #​2715 (#​2762) by @​czyber

• Do not send "quiet" Sanic exceptions to Sentry (#​2821) by @​hamedsh

• Implement metric_bucket rate limits (#​2933) by @​cleptric

• Fix type hints for monitor decorator (#​2944) by @​szokeasaurusrex

• Remove deprecated typing imports in crons (#​2945) by @​szokeasaurusrex

• Make monitor_config a TypedDict (#​2931) by @​sentrivana

• Add devenv-requirements.txt and update env setup instructions (#​2761) by @​arr-ee

• Bump types-protobuf from 4.24.0.20240311 to 4.24.0.20240408 (#​2941) by @​dependabot

• Disable Codecov check run annotations (#​2537) by @​eliatcodecov

v1.44.1

Compare Source

Various fixes & improvements

• Make monitor async friendly (#​2912) by @​sentrivana

  You can now decorate your async functions with the monitor
  decorator and they will correctly report their duration
  and completion status.

• Fixed Event | None runtime TypeError (#​2928) by @​szokeasaurusrex

v1.44.0

Compare Source

Various fixes & improvements

• ref: Define types at runtime (#​2914) by @​szokeasaurusrex
• Explicit reexport of types (#​2866) (#​2913) by @​szokeasaurusrex
• feat(profiling): Add thread data to spans (#​2843) by @​Zylphrex

v1.43.0

Compare Source

Various fixes & improvements

• Add optional keep_alive (#​2842) by @​sentrivana

  If you're experiencing frequent network issues between the SDK and Sentry,
  you can try turning on TCP keep-alive:

  import sentry_sdk
  
  sentry_sdk.init(
      # ...your usual settings...
      keep_alive=True,
  )

• Add support for Celery Redbeat cron tasks (#​2643) by @​kwigley

  The SDK now supports the Redbeat scheduler in addition to the default
  Celery Beat scheduler for auto instrumenting crons. See
  the docs
  for more information about how to set this up.

• aws_event can be an empty list (#​2849) by @​sentrivana

• Re-export Event in types.py (#​2829) by @​szokeasaurusrex

• Small API docs improvement (#​2828) by @​antonpirker

• Fixed OpenAI tests (#​2834) by @​antonpirker

• Bump checkouts/data-schemas from ed078ed to 8232f17 (#​2832) by @​dependabot

v1.42.0

Compare Source

Various fixes & improvements

• New integration: OpenAI integration (#​2791) by @​colin-sentry

  We added an integration for OpenAI to capture errors and also performance data when using the OpenAI Python SDK.

  Useage:

  This integrations is auto-enabling, so if you have the openai package in your project it will be enabled. Just initialize Sentry before you create your OpenAI client.

  from openai import OpenAI
  
  import sentry_sdk
  
  sentry_sdk.init(
      dsn="___PUBLIC_DSN___",
      enable_tracing=True,
      traces_sample_rate=1.0,
  )
  
  client = OpenAI()

  For more information, see the documentation for OpenAI integration.

• Discard open OpenTelemetry spans after 10 minutes (#​2801) by @​antonpirker

• Propagate sentry-trace and baggage headers to Huey tasks (#​2792) by @​cnschn

• Added Event type (#​2753) by @​szokeasaurusrex

• Improve scrub_dict typing (#​2768) by @​szokeasaurusrex

• Dependencies: bump types-protobuf from 4.24.0.20240302 to 4.24.0.20240311 (#​2797) by @​dependabot

v1.41.0

Compare Source

Various fixes & improvements

• Add recursive scrubbing to EventScrubber (#​2755) by @​Cheapshot003

  By default, the EventScrubber will not search your events for potential
  PII recursively. With this release, you can enable this behavior with:

  import sentry_sdk
  from sentry_sdk.scrubber import EventScrubber
  
  sentry_sdk.init(
      # ...your usual settings...
      event_scrubber=EventScrubber(recursive=True),
  )

• Expose socket_options (#​2786) by @​sentrivana

  If the SDK is experiencing connection issues (connection resets, server
  closing connection without response, etc.) while sending events to Sentry,
  tweaking the default urllib3 socket options to the following can help:

  import socket
  from urllib3.connection import HTTPConnection
  import sentry_sdk
  
  sentry_sdk.init(
      # ...your usual settings...
      socket_options=HTTPConnection.default_socket_options + [
          (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),
          # note: skip the following line if you're on MacOS since TCP_KEEPIDLE doesn't exist there
          (socket.SOL_TCP, socket.TCP_KEEPIDLE, 45),
          (socket.SOL_TCP, socket.TCP_KEEPINTVL, 10),
          (socket.SOL_TCP, socket.TCP_KEEPCNT, 6),
      ],
  )

• Allow to configure merge target for releases (#​2777) by @​sentrivana

• Allow empty character in metric tags values (#​2775) by @​viglia

• Replace invalid tag values with an empty string instead of _ (#​2773) by @​markushi

• Add documentation comment to scrub_list (#​2769) by @​szokeasaurusrex

• Fixed regex to parse version in lambda package file (#​2767) by @​antonpirker

• xfail broken AWS Lambda tests for now (#​2794) by @​sentrivana

• Removed print statements because it messes with the tests (#​2789) by @​antonpirker

• Bump types-protobuf from 4.24.0.20240129 to 4.24.0.20240302 (#​2782) by @​dependabot

• Bump checkouts/data-schemas from eb941c2 to ed078ed (#​2781) by @​dependabot

v1.40.6

Compare Source

Various fixes & improvements

• Fix compatibility with greenlet/gevent (#​2756) by @​sentrivana
• Fix query source relative filepath (#​2717) by @​gggritso
• Support clickhouse-driver==0.2.7 (#​2752) by @​sentrivana
• Bump checkouts/data-schemas from 6121fd3 to eb941c2 (#​2747) by @​dependabot

v1.40.5

Compare Source

Various fixes & improvements

• Deprecate last_event_id(). (#​2749) by @​antonpirker

• Warn if uWSGI is set up without proper thread support (#​2738) by @​sentrivana

  uWSGI has to be run in threaded mode for the SDK to run properly. If this is
  not the case, the consequences could range from features not working unexpectedly
  to uWSGI workers crashing.

  Please make sure to run uWSGI with both --enable-threads and --py-call-uwsgi-fork-hooks.

• parsed_url can be None (#​2734) by @​sentrivana

• Python 3.7 is not supported anymore by Lambda, so removed it and added 3.12 (#​2729) by @​antonpirker

v1.40.4

Compare Source

Various fixes & improvements

• Only start metrics flusher thread on demand (#​2727) by @​sentrivana
• Bump checkouts/data-schemas from aa7058c to 6121fd3 (#​2724) by @​dependabot

v1.40.3

Compare Source

Various fixes & improvements

• Turn off metrics for uWSGI (#​2720) by @​sentrivana
• Minor improvements (#​2714) by @​antonpirker

v1.40.2

Compare Source

Various fixes & improvements

• test: Fix pytest error (#​2712) by @​szokeasaurusrex
• build(deps): bump types-protobuf from 4.24.0.4 to 4.24.0.20240129 (#​2691) by @​dependabot

v1.40.1

Compare Source

Various fixes & improvements

• Fix uWSGI workers hanging (#​2694) by @​sentrivana
• Make metrics work with gevent (#​2694) by @​sentrivana
• Guard against engine.url being None (#​2708) by @​sentrivana
• Fix performance regression in sentry_sdk.utils._generate_installed_modules (#​2703) by @​GlenWalker
• Guard against Sentry initialization mid SQLAlchemy cursor (#​2702) by @​apmorton
• Fix yaml generation script (#​2695) by @​sentrivana
• Fix AWS Lambda workflow (#​2710) by @​sentrivana
• Bump codecov/codecov-action from 3 to 4 (#​2706) by @​dependabot
• Bump actions/cache from 3 to 4 (#​2661) by @​dependabot
• Bump actions/checkout from 3.1.0 to 4.1.1 (#​2561) by @​dependabot
• Bump github/codeql-action from 2 to 3 (#​2603) by @​dependabot
• Bump actions/setup-python from 4 to 5 (#​2577) by @​dependabot

v1.40.0

Compare Source

Various fixes & improvements

• Enable metrics related settings by default (#​2685) by @​iambriccardo
• Fix UnicodeDecodeError on Python 2 (#​2657) by @​sentrivana
• Enable DB query source by default (#​2629) by @​sentrivana
• Fix query source duration check (#​2675) by @​sentrivana
• Reformat with black==24.1.0 (#​2680) by @​sentrivana
• Cleaning up existing code to prepare for new Scopes API (#​2611) by @​antonpirker
• Moved redis related tests to databases (#​2674) by @​antonpirker
• Improve sentry_sdk.trace type hints (#​2633) by @​szokeasaurusrex
• Bump checkouts/data-schemas from e9f7d58 to aa7058c (#​2639) by @​dependabot

v1.39.2

Compare Source

Various fixes & improvements

• Fix timestamp in transaction created by OTel (#​2627) by @​antonpirker
• Fix relative path in DB query source (#​2624) by @​antonpirker
• Run more CI checks on 2.0 branch (#​2625) by @​sentrivana
• Fix tracing TypeError for static and class methods (#​2559) by @​szokeasaurusrex
• Fix missing ctx in Arq integration (#​2600) by @​ivanovart
• Change data_category from check_in to monitor (#​2598) by @​sentrivana

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.