Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00


package: @sentry/react
version: ^10.51.0
tier: core
decision: approved
date: 2026-05-14
deciders: Danijel Martinek
adr: adr-014
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: ok
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  npm view @sentry/react license
  npm view @sentry/react version
  pnpm audit --audit-level=moderate
accepted-cves: (none)
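An added example, not the project's own tooling: a schema check for trace records like this one, showing how the missing socketRisk field that this commit backfills would be caught. Field names are taken from the trace; the license allowlist and the socketRisk vocabulary are assumptions.

```javascript
// Added example, not the project's own tooling. Field names come from the
// trace; the allowed-value sets below are assumptions for illustration.
const FILTER_FIELDS = [
  "license", "types", "maintenance", "boundary-fit", "shadow-check",
  "eu-residency", "cve-scan", "named-consumer", "socketRisk",
];
// Assumed allowlist: the trace only confirms that MIT is on it.
const LICENSE_ALLOWLIST = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]);
// Assumed vocabulary for the Socket supply-chain filter (ADR-023).
const SOCKET_RISK_VALUES = new Set(["clean", "review", "blocked"]);

// Returns a list of problems; an empty list means the record passes the schema.
function validateTrace(trace) {
  const problems = [];
  const results = trace["filter-results"] || {};
  for (const field of FILTER_FIELDS) {
    if (!(field in results)) problems.push(`filter-results.${field} missing`);
  }
  if ("license" in results && !LICENSE_ALLOWLIST.has(results.license)) {
    problems.push(`license ${results.license} not on allowlist`);
  }
  if ("socketRisk" in results && !SOCKET_RISK_VALUES.has(results.socketRisk)) {
    problems.push(`unknown socketRisk value ${results.socketRisk}`);
  }
  // A clean CVE scan and a non-empty accepted-CVE list contradict each other.
  if (results["cve-scan"] === "clean" && (trace["accepted-cves"] || []).length > 0) {
    problems.push("cve-scan is clean but accepted-cves is non-empty");
  }
  return problems;
}

// Constructed sample: the @sentry/react trace above as a record.
const sentryReactTrace = {
  package: "@sentry/react", version: "^10.51.0", tier: "core",
  decision: "approved", date: "2026-05-14", deciders: ["Danijel Martinek"],
  adr: "adr-014",
  "filter-results": {
    license: "MIT", types: "native", maintenance: "active",
    "boundary-fit": "pass", "shadow-check": "pass", "eu-residency": "ok",
    "cve-scan": "clean", "named-consumer": "pass", socketRisk: "clean",
  },
  "accepted-cves": [],
};

// Constructed sample: the same record as it stood before the socketRisk backfill.
const preBackfillTrace = {
  ...sentryReactTrace,
  "filter-results": Object.fromEntries(Object.entries(
    sentryReactTrace["filter-results"]).filter(([key]) => key !== "socketRisk")),
};
```

Running validateTrace over the pre-backfill record returns a single problem naming the missing socketRisk field, while the backfilled record returns none.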

Filter: license

npm view @sentry/react license returns MIT. MIT is on the allowlist.

Filter: types

@sentry/react is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.

Filter: maintenance

Actively maintained by Sentry Inc. The 10.x line is current. Regular releases track React minor versions and address browser compatibility issues.

Filter: boundary-fit

ADR-014 designates Sentry as the error-capture and session-replay backend for browser clients. @sentry/react is consumed exclusively in core-shared/instrumentation/sentry/init-client-react.ts and the web apps' client-side instrumentation-client.ts entry points. Feature packages MUST NOT import @sentry/react directly (ESLint no-restricted-imports, ADR-014 §6).

Filter: shadow-check

@sentry/react is the sole React browser error-monitoring SDK in the workspace. No competing session-replay or crash-reporter library is present.

Filter: eu-residency

Sentry offers EU-region data residency (de.sentry.io). The NEXT_PUBLIC_WEB_NEXT_SENTRY_DSN environment variable can point to an EU-hosted project. Session replay default-masks all text/inputs/media (allowlist empty by default, ADR-014 §4 R34) and setUser accepts only { id }, minimising PII exposure at source.

Filter: cve-scan

pnpm audit --audit-level=moderate reports no advisories against @sentry/react at the time of this trace.

Filter: named-consumer

packages/core-shared lists @sentry/react as an optional peer dependency. apps/web-next/src/instrumentation-client.ts is the concrete consumer, initializing the React SDK with session replay for the Next.js browser bundle. A named, non-hypothetical consumer exists today.

Prompt: replaces

No prior browser error monitoring or session replay was in place. @sentry/react replaces unstructured window.onerror / uncaught promise rejections that surfaced only in browser dev-tools — invisible to the engineering team in production.

Prompt: migration-cost-out

Low. @sentry/react is initialized in one file per app (instrumentation-client.ts). The vendor-neutral ITracer/ILogger interfaces (ADR-014 §1) ensure feature packages have zero references to it. Removal means replacing the client initialization file and dropping the browser DSN env var.

Prompt: alternatives-considered

  1. @sentry/nextjs on the client — @sentry/nextjs wraps @sentry/react for Next.js server-side use. For browser-only client initialization, @sentry/react is the more targeted SDK with a smaller bundle size.
  2. LogRocket / FullStory for replay — Separate replay vendors would add a second SDK with its own PII risk surface. Sentry's built-in replay with default-masking satisfies the requirement with one SDK.
  3. No session replay — Insufficient for diagnosing hard-to-reproduce user-facing bugs. Replay is opt-in per error event (deferred load), so the cost is bounded to errored sessions.

See ADR-014 for the full decision rationale.