The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
88 lines
3.3 KiB
Markdown
---
package: "@sentry/node"
version: "^10.51.0"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: adr-014
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: ok
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  - npm view @sentry/node license
  - npm view @sentry/node version
  - pnpm audit --audit-level=moderate
accepted-cves: []
---

## Filter: license

<!-- Result: MIT -->

`npm view @sentry/node license` returns `MIT`. MIT is on the allowlist.

## Filter: types

<!-- Result: native -->

`@sentry/node` is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/` package is needed.

## Filter: maintenance

<!-- Result: active -->

Actively maintained by Sentry Inc. The 10.x line is the current major. Regular releases track Node.js LTS versions and fix security issues promptly.

## Filter: boundary-fit

<!-- Result: pass -->

ADR-014 designates Sentry as the error-capture and tracing backend for Node.js server processes. `@sentry/node` is an optional peer dependency of `core-shared` — it is consumed exclusively within `core-shared/instrumentation/sentry/init-server-node.ts` and the CMS app's `instrumentation.ts`. Feature packages MUST NOT import `@sentry/node` directly (ESLint `no-restricted-imports`, ADR-014 §6).

## Filter: shadow-check

<!-- Result: pass -->

`@sentry/node` is the sole Node.js server error-monitoring SDK in the workspace. No competing APM agent or crash reporter is present.

## Filter: eu-residency

<!-- Result: ok -->

Sentry offers EU-region data residency (`de.sentry.io`). The `CMS_SENTRY_DSN` environment variable can point to an EU-hosted project; all payloads route to the DSN host. PII scrubbing at the OTel processor layer (ADR-017, ADR-014 §4) ensures only scrubbed data is exported.

## Filter: cve-scan

<!-- Result: clean -->

`pnpm audit --audit-level=moderate` reports no advisories against `@sentry/node` at the time of this trace.

## Filter: named-consumer

<!-- Result: pass -->

`packages/core-shared` lists `@sentry/node` as an optional peer dependency. `apps/cms/src/instrumentation.ts` is the concrete consumer, initializing the Node SDK for the Payload CMS process. A named, non-hypothetical consumer exists today.

## Prompt: replaces

No prior server-side error monitoring was in place for the CMS process. `@sentry/node` replaces unstructured `console.error` calls that left CMS mutation failures undetected in production.

## Prompt: migration-cost-out

Low. `@sentry/node` is used only in `core-shared/instrumentation/sentry/init-server-node.ts` and the CMS app's `instrumentation.ts`. The interface boundary (ADR-014 §1) means no feature package references it. Replacement requires swapping the initialization file and updating the `CMS_SENTRY_DSN` env var.

## Prompt: alternatives-considered

1. **`@sentry/nextjs` for CMS** — Rejected: the Payload CMS process is a plain Node server, not a Next.js app. `@sentry/node` is the correct SDK for non-Next processes.
2. **OpenTelemetry OTLP exporter only** — Considered but deferred; Sentry's session grouping and alert routing add value beyond raw OTLP. The bridge via `@sentry/opentelemetry` preserves OTel portability.

See ADR-014 for the full decision rationale.
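
A check for the gap that the `socketRisk` backfill closes, as an added example that is not part of the repository: it reports required `filter-results` keys that are absent from a trace, and results that have no `## Filter:` evidence section in the body. The required-key list is taken from the fields visible in this trace; the section-per-result rule, the function names, and the sample traces are assumptions constructed for illustration.

```javascript
// Added example, not project code. Assumption: the required keys are the nine
// filter-results fields visible in this trace; the real schema may differ.
const REQUIRED_FILTERS = [
  'license', 'types', 'maintenance', 'boundary-fit', 'shadow-check',
  'eu-residency', 'cve-scan', 'named-consumer', 'socketRisk',
];

// Read the indented "key: value" pairs under `filter-results:`.
// Handles only the flat layout these traces use, not general YAML.
function readFilterResults(frontMatter) {
  const results = {};
  let inBlock = false;
  for (const line of frontMatter.split(/\r?\n/)) {
    if (/^filter-results:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock || line.trim() === '') continue;
    const m = /^\s+([A-Za-z][\w-]*):\s*(.*)$/.exec(line);
    if (!m) break; // first non-indented key ends the block
    results[m[1]] = m[2].trim();
  }
  return results;
}

// Report required results that are absent, and results with no
// "## Filter: <name>" evidence section in the body (hypothetical rule).
function auditTrace(text) {
  const m = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/.exec(text);
  if (!m) throw new Error('trace has no front matter');
  const results = readFilterResults(m[1]);
  const sections = new Set(
    [...m[2].matchAll(/^## Filter: (\S+)\s*$/gm)].map((s) => s[1]));
  return {
    missing: REQUIRED_FILTERS.filter((k) => !results[k]),
    undocumented: Object.keys(results).filter((k) => !sections.has(k)),
  };
}

// Constructed sample trace: every listed filter gets a result, and every one
// except socketRisk gets a body section, mirroring a front-matter-only backfill.
function sampleTrace(filters) {
  const fm = filters.map((f) => `  ${f}: pass`).join('\n');
  const body = filters.filter((f) => f !== 'socketRisk')
    .map((f) => `## Filter: ${f}\n\nEvidence.`).join('\n\n');
  return `---\npackage: "example-pkg"\nfilter-results:\n${fm}\n` +
    `accepted-cves: []\n---\n\n${body}\n`;
}

console.log(auditTrace(sampleTrace(REQUIRED_FILTERS.slice(0, 8))));
console.log(auditTrace(sampleTrace(REQUIRED_FILTERS)));
```

The first sample models a trace written before the filter existed; the second models one where the result was added to the front matter only, which this check surfaces as a result without recorded evidence.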