chore(deps): bump the minor-and-patch group across 1 directory with 4 updates

[dependabot]

Bumps the minor-and-patch group with 3 updates in the /backend directory: @sentry/core, @sentry/node-core and rolldown.

Updates @sentry/core from 10.59.0 to 10.60.0

Release notes

Sourced from @​sentry/core's releases.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Bundle size 📦

Path	Size
@​sentry/browser	26.83 KB
@​sentry/browser - with treeshaking flags	25.3 KB
@​sentry/browser (incl. Tracing)	44.89 KB
@​sentry/browser (incl. Tracing + Span Streaming)	46.6 KB
@​sentry/browser (incl. Tracing, Profiling)	49.56 KB
@​sentry/browser (incl. Tracing, Replay)	83.18 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	73.02 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	87.76 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	100.12 KB
@​sentry/browser (incl. Feedback)	43.61 KB
@​sentry/browser (incl. sendFeedback)	31.5 KB
@​sentry/browser (incl. FeedbackAsync)	36.52 KB
@​sentry/browser (incl. Metrics)	27.87 KB
@​sentry/browser (incl. Logs)	28.11 KB
@​sentry/browser (incl. Metrics & Logs)	28.78 KB
@​sentry/react	28.59 KB
@​sentry/react (incl. Tracing)	47.14 KB
@​sentry/vue	31.86 KB
@​sentry/vue (incl. Tracing)	46.71 KB
@​sentry/svelte	26.85 KB

... (truncated)

Changelog

Sourced from @​sentry/core's changelog.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Commits

• 4548afc test: Make bundler plugins tests work after release
• 499c327 chore: fix yarn.lock
• 4d26c19 release: 10.60.0
• cc7dea4 Merge pull request #21703 from getsentry/prepare-release/10.60.0
• bcef5d9 meta(changelog): Update changelog for 10.60.0
• 8285066 chore: Add bundler-plugins to craft (#21701)
• b953c6f fix(browser): Ensure url.full and http.url attributes have the same value...
• b54777a ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependenc...
• 2e29cd3 ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)
• c5e245f ref(node): Remove unusued sql-common helper and @opentelemetry/core dep (#2...
• Additional commits viewable in compare view

Updates @sentry/node-core from 10.59.0 to 10.60.0

Release notes

Sourced from @​sentry/node-core's releases.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Bundle size 📦

Path	Size
@​sentry/browser	26.83 KB
@​sentry/browser - with treeshaking flags	25.3 KB
@​sentry/browser (incl. Tracing)	44.89 KB
@​sentry/browser (incl. Tracing + Span Streaming)	46.6 KB
@​sentry/browser (incl. Tracing, Profiling)	49.56 KB
@​sentry/browser (incl. Tracing, Replay)	83.18 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	73.02 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	87.76 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	100.12 KB
@​sentry/browser (incl. Feedback)	43.61 KB
@​sentry/browser (incl. sendFeedback)	31.5 KB
@​sentry/browser (incl. FeedbackAsync)	36.52 KB
@​sentry/browser (incl. Metrics)	27.87 KB
@​sentry/browser (incl. Logs)	28.11 KB
@​sentry/browser (incl. Metrics & Logs)	28.78 KB
@​sentry/react	28.59 KB
@​sentry/react (incl. Tracing)	47.14 KB
@​sentry/vue	31.86 KB
@​sentry/vue (incl. Tracing)	46.71 KB
@​sentry/svelte	26.85 KB

... (truncated)

Changelog

Sourced from @​sentry/node-core's changelog.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Commits

• 4548afc test: Make bundler plugins tests work after release
• 499c327 chore: fix yarn.lock
• 4d26c19 release: 10.60.0
• cc7dea4 Merge pull request #21703 from getsentry/prepare-release/10.60.0
• bcef5d9 meta(changelog): Update changelog for 10.60.0
• 8285066 chore: Add bundler-plugins to craft (#21701)
• b953c6f fix(browser): Ensure url.full and http.url attributes have the same value...
• b54777a ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependenc...
• 2e29cd3 ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)
• c5e245f ref(node): Remove unusued sql-common helper and @opentelemetry/core dep (#2...
• Additional commits viewable in compare view

Updates @sentry/opentelemetry from 10.59.0 to 10.60.0

Release notes

Sourced from @​sentry/opentelemetry's releases.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Bundle size 📦

Path	Size
@​sentry/browser	26.83 KB
@​sentry/browser - with treeshaking flags	25.3 KB
@​sentry/browser (incl. Tracing)	44.89 KB
@​sentry/browser (incl. Tracing + Span Streaming)	46.6 KB
@​sentry/browser (incl. Tracing, Profiling)	49.56 KB
@​sentry/browser (incl. Tracing, Replay)	83.18 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	73.02 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	87.76 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	100.12 KB
@​sentry/browser (incl. Feedback)	43.61 KB
@​sentry/browser (incl. sendFeedback)	31.5 KB
@​sentry/browser (incl. FeedbackAsync)	36.52 KB
@​sentry/browser (incl. Metrics)	27.87 KB
@​sentry/browser (incl. Logs)	28.11 KB
@​sentry/browser (incl. Metrics & Logs)	28.78 KB
@​sentry/react	28.59 KB
@​sentry/react (incl. Tracing)	47.14 KB
@​sentry/vue	31.86 KB
@​sentry/vue (incl. Tracing)	46.71 KB
@​sentry/svelte	26.85 KB

... (truncated)

Changelog

Sourced from @​sentry/opentelemetry's changelog.

10.60.0

Other Changes

• feat(cloudflare): Add R2 bucket auto-instrumentation (#21327)
• feat(core): Add bindScopeToEmitter to bind a scope to an event emitter (#21594)
• feat(deps): Bump @​hapi/wreck from 18.1.0 to 18.1.2 (#21178)
• fix(browser): Ensure url.full and http.url attributes have the same values on http.client spans (#21660)
• fix(server-utils): Avoid directly importing tracingChannel for Node v18 compatibility (#21662)
• fix(server-utils): Remove optional vite peer dependency (#21677)

• chore: Add bundler-plugins to craft (#21701)
• chore: Cleanup unused imports of @opentelemetry/core (#21679)
• fix(bundler-plugins): Integration with monorepo build (#21479)
• ref(core): Gate updateName() custom source on an OTel inference brand (#21649)
• ref(core/opentelemetry): Move OTel span data inference from captureSpan to SentrySpanProcessor (#21648)
• ref(node): Remove unused sql-common helper and @opentelemetry/core dep (#21688)
• ref(node): Streamline kafkajs instrumentation (#21647)
• ref(node): Streamline undici (node-fetch) instrumentation (#21650)
• ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependency (#21691)
• ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)

Commits

• 4548afc test: Make bundler plugins tests work after release
• 499c327 chore: fix yarn.lock
• 4d26c19 release: 10.60.0
• cc7dea4 Merge pull request #21703 from getsentry/prepare-release/10.60.0
• bcef5d9 meta(changelog): Update changelog for 10.60.0
• 8285066 chore: Add bundler-plugins to craft (#21701)
• b953c6f fix(browser): Ensure url.full and http.url attributes have the same value...
• b54777a ref(vercel-edge): Drop unused @opentelemetry/semantic-conventions dependenc...
• 2e29cd3 ref(vercel-edge): Remove @opentelemetry/resources dependency (#21690)
• c5e245f ref(node): Remove unusued sql-common helper and @opentelemetry/core dep (#2...
• Additional commits viewable in compare view

Updates rolldown from 1.1.2 to 1.1.3

Release notes

Sourced from rolldown's releases.

v1.1.3

[1.1.3] - 2026-06-24

🐛 Bug Fixes

• defer_drop crashes the browser main thread (#9942) by @​shulaoda
• camel-case: correct camel case for nested values (#9933) by @​kb019
• cli: display --help options in camelCase (#9941) by @​IWANABETHATGUY
• preserve used re-exports under preserveModules (#9122) (#9934) by @​IWANABETHATGUY
• watch: make close reentrant in event callbacks (#9904) by @​hyf0
• git for windows treats symlink files as regular files (#9915) by @​AliceLanniste
• dev: cancel pending full reload on build error (#9903) by @​h-a-n-a
• chunking: pass plugin meta to codeSplitting groups name function (#9267) by @​Kyujenius
• dev: serve assets emitted during HMR/lazy compile (vite#22596) (#9815) by @​h-a-n-a
• release: dry-run step no longer publishes binding packages (#9866) by @​Boshen

🚜 Refactor

• rolldown_common: model ModuleId as a classified Path/Virtual/Bare enum (#9927) by @​Boshen
• remove unused LegacyModuleIdx (#9872) by @​shulaoda
• remove unused StmtInfos::get_namespace_stmt_info (#9870) by @​shulaoda
• remove unused Module::as_external_mut (#9871) by @​shulaoda
• remove unused EcmaAst::is_body_empty (#9869) by @​shulaoda
• drop dead is_css_module handling in resolve_dependencies (#9867) by @​shulaoda
• drop redundant with_commonjs on cjs source type (#9868) by @​shulaoda

📚 Documentation

• clarify on drafting PRs (#9952) by @​h-a-n-a
• update contribution guidelines (#9944) by @​fubhy
• note Rust crates don't follow semver in AGENTS.md (#9905) by @​IWANABETHATGUY
• add feedback form (#9159) by @​TheAlexLichter

⚡ Performance

• utils: avoid allocation in default_sanitize_file_name for clean names (#9928) by @​Boshen
• binding: box once-per-build futures before spawn_future (#9864) by @​Boshen
• utils: avoid wasted allocation in legitimize_identifier_name (#9926) by @​Boshen
• rolldown: fuse the canonical-name dedup and insert in the renamer (#9900) by @​Boshen
• rolldown: probe the name map once in ConflictResolver::resolve (#9899) by @​Boshen
• cut two heap allocations from wrapped ESM init finalize (#9901) by @​Boshen
• rolldown_plugin_vite_reporter: hoist invariant out_dir prefix out of reporter loop (#9873) by @​shulaoda
• drop throwaway Vec in wrapped esm init stmt (#9878) by @​shulaoda
• borrow owner_filename in build-import-analysis AddDeps (#9874) by @​shulaoda

🧪 Testing

• cover preserveModules named export via namespace re-export (#6010) (#9937) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

... (truncated)

Changelog

Sourced from rolldown's changelog.

[1.1.3] - 2026-06-24

🐛 Bug Fixes

• defer_drop crashes the browser main thread (#9942) by @​shulaoda
• camel-case: correct camel case for nested values (#9933) by @​kb019
• cli: display --help options in camelCase (#9941) by @​IWANABETHATGUY
• preserve used re-exports under preserveModules (#9122) (#9934) by @​IWANABETHATGUY
• watch: make close reentrant in event callbacks (#9904) by @​hyf0
• git for windows treats symlink files as regular files (#9915) by @​AliceLanniste
• dev: cancel pending full reload on build error (#9903) by @​h-a-n-a
• chunking: pass plugin meta to codeSplitting groups name function (#9267) by @​Kyujenius
• dev: serve assets emitted during HMR/lazy compile (vite#22596) (#9815) by @​h-a-n-a
• release: dry-run step no longer publishes binding packages (#9866) by @​Boshen

🚜 Refactor

• rolldown_common: model ModuleId as a classified Path/Virtual/Bare enum (#9927) by @​Boshen
• remove unused LegacyModuleIdx (#9872) by @​shulaoda
• remove unused StmtInfos::get_namespace_stmt_info (#9870) by @​shulaoda
• remove unused Module::as_external_mut (#9871) by @​shulaoda
• remove unused EcmaAst::is_body_empty (#9869) by @​shulaoda
• drop dead is_css_module handling in resolve_dependencies (#9867) by @​shulaoda
• drop redundant with_commonjs on cjs source type (#9868) by @​shulaoda

📚 Documentation

• clarify on drafting PRs (#9952) by @​h-a-n-a
• update contribution guidelines (#9944) by @​fubhy
• note Rust crates don't follow semver in AGENTS.md (#9905) by @​IWANABETHATGUY
• add feedback form (#9159) by @​TheAlexLichter

⚡ Performance

• utils: avoid allocation in default_sanitize_file_name for clean names (#9928) by @​Boshen
• binding: box once-per-build futures before spawn_future (#9864) by @​Boshen
• utils: avoid wasted allocation in legitimize_identifier_name (#9926) by @​Boshen
• rolldown: fuse the canonical-name dedup and insert in the renamer (#9900) by @​Boshen
• rolldown: probe the name map once in ConflictResolver::resolve (#9899) by @​Boshen
• cut two heap allocations from wrapped ESM init finalize (#9901) by @​Boshen
• rolldown_plugin_vite_reporter: hoist invariant out_dir prefix out of reporter loop (#9873) by @​shulaoda
• drop throwaway Vec in wrapped esm init stmt (#9878) by @​shulaoda
• borrow owner_filename in build-import-analysis AddDeps (#9874) by @​shulaoda

🧪 Testing

• cover preserveModules named export via namespace re-export (#6010) (#9937) by @​IWANABETHATGUY

⚙️ Miscellaneous Tasks

... (truncated)

Commits

• e77f7c7 release: v1.1.3 (#9958)
• 3fb2310 fix(camel-case): correct camel case for nested values (#9933)
• 2f66847 fix(cli): display --help options in camelCase (#9941)
• 9f960eb fix(watch): make close reentrant in event callbacks (#9904)
• 8cbf3ff chore(rolldown_plugin_vite_build_import_analysis): remove unused v2 code path...
• 828bfef fix: git for windows treats symlink files as regular files (#9915)
• 4ca8e87 chore(rolldown_plugin_vite_manifest): remove unused is_enable_v2 code path (#...
• 632c59e fix(chunking): pass plugin meta to codeSplitting groups name function (#9267)
• 752820d fix(dev): serve assets emitted during HMR/lazy compile (vite#22596) (#9815)
• dfe43a6 fix(release): dry-run step no longer publishes binding packages (#9866)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​sentry/​node-core@​10.59.0 ⏵ 10.60.0
	rolldown@​1.1.2 ⏵ 1.1.3	+4		+1	+1
	@​sentry/​core@​10.59.0 ⏵ 10.60.0	+1		+1
	@​sentry/​opentelemetry@​10.59.0 ⏵ 10.60.0	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @sentry/node-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: backend/package-lock.json → npm/@sentry/node-core@10.60.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/node-core@10.60.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report