agentic-dev-template/docs/library-decisions/2026-05-14-@sentry/react.md

---
package: "@sentry/react"
version: "^10.51.0"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: adr-014
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: ok
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  - npm view @sentry/react license
  - npm view @sentry/react version
  - pnpm audit --audit-level=moderate
accepted-cves: []
---

## Filter: license

<!-- Result: MIT -->

`npm view @sentry/react license` returns `MIT`. MIT is on the allowlist.

## Filter: types

<!-- Result: native -->

`@sentry/react` is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/` package is needed.

## Filter: maintenance

<!-- Result: active -->

Actively maintained by Sentry Inc. The 10.x line is current. Regular releases track React minor versions and address browser compatibility issues.

## Filter: boundary-fit

<!-- Result: pass -->

ADR-014 designates Sentry as the error-capture and session-replay backend for browser clients. `@sentry/react` is consumed exclusively in `core-shared/instrumentation/sentry/init-client-react.ts` and the web apps' client-side `instrumentation-client.ts` entry points. Feature packages MUST NOT import `@sentry/react` directly (ESLint `no-restricted-imports`, ADR-014 §6).

## Filter: shadow-check

<!-- Result: pass -->

`@sentry/react` is the sole React browser error-monitoring SDK in the workspace. No competing session-replay or crash-reporter library is present.

## Filter: eu-residency

<!-- Result: ok -->

Sentry offers EU-region data residency (`de.sentry.io`). The `NEXT_PUBLIC_WEB_NEXT_SENTRY_DSN` environment variable can point to an EU-hosted project. Session replay default-masks all text/inputs/media (allowlist empty by default, ADR-014 §4 R34) and `setUser` accepts only `{ id }`, minimising PII exposure at source.

## Filter: cve-scan

<!-- Result: clean -->

`pnpm audit --audit-level=moderate` reports no advisories against `@sentry/react` at the time of this trace.

## Filter: named-consumer

<!-- Result: pass -->

`packages/core-shared` lists `@sentry/react` as an optional peer dependency. `apps/web-next/src/instrumentation-client.ts` is the concrete consumer, initializing the React SDK with session replay for the Next.js browser bundle. A named, non-hypothetical consumer exists today.

## Prompt: replaces

No prior browser error monitoring or session replay was in place. `@sentry/react` replaces unstructured `window.onerror` / uncaught promise rejections that surfaced only in browser dev-tools — invisible to the engineering team in production.

## Prompt: migration-cost-out

Low. `@sentry/react` is initialized in one file per app (`instrumentation-client.ts`). The vendor-neutral `ITracer`/`ILogger` interfaces (ADR-014 §1) ensure feature packages have zero references to it. Removal means replacing the client initialization file and dropping the browser DSN env var.

## Prompt: alternatives-considered

1. **`@sentry/nextjs` on the client** — `@sentry/nextjs` wraps `@sentry/react` for Next.js server-side use. For browser-only client initialization, `@sentry/react` is the more targeted SDK with a smaller bundle size.
2. **LogRocket / FullStory for replay** — Separate replay vendors would add a second SDK with its own PII risk surface. Sentry's built-in replay with default-masking satisfies the requirement with one SDK.
3. **No session replay** — Insufficient for diagnosing hard-to-reproduce user-facing bugs. Replay is opt-in per error event (deferred load), so the cost is bounded to errored sessions.

See ADR-014 for the full decision rationale.