Commit a0bc695

[Snyk] Upgrade @sentry/profiling-node from 10.8.0 to 10.9.0 (#542)
### Snyk has created this PR to upgrade @sentry/profiling-node from 10.8.0 to 10.9.0.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

- The recommended version is **1 version** ahead of your current version.
- The recommended version was released **22 days ago**.

#### Issues fixed by the recommended upgrade:

| Severity | Issue | Score | Exploit Maturity |
|:-------------------------:|:-------------------------|:-------------------------|:-------------------------|
| Low severity | Regular Expression Denial of Service (ReDoS)<br/>[SNYK-JS-BRACEEXPANSION-9789073](https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073) | **57** | Proof of Concept |
| Low severity | Regular Expression Denial of Service (ReDoS)<br/>[SNYK-JS-BRACEEXPANSION-9789073](https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073) | **57** | Proof of Concept |

<details>
<summary><b>Release notes</b></summary>

<details>
<summary>Package name: <b>@sentry/profiling-node</b></summary>

**10.9.0** - [2025-09-03](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.9.0)

### Important Changes

- **feat(node): Update `httpIntegration` handling of incoming requests ([#17371](https://redirect.github.com/getsentry/sentry-javascript/pull/17371))**

This version updates the handling of the Node SDK of incoming requests. Instead of relying on @opentelemetry/instrumentation-http, we now handle incoming request instrumentation internally, ensuring that we can optimize performance as much as possible and avoid interop problems.

This change should not affect you, unless you're relying on very in-depth implementation details. Importantly, this also drops the `_experimentalConfig` option of the integration - this will no longer do anything.
Finally, you can still pass `instrumentation.{requestHook,responseHook,applyCustomAttributesOnSpan}` options, but they are deprecated and will be removed in v11. Instead, you can use the new `incomingRequestSpanHook` configuration option if you want to adjust the incoming request span.

### Other Changes

- feat(browser): Add replay.feedback CDN bundle ([#17496](https://redirect.github.com/getsentry/sentry-javascript/pull/17496))
- feat(browser): Export `sendFeedback` from CDN bundles ([#17495](https://redirect.github.com/getsentry/sentry-javascript/pull/17495))
- fix(astro): Ensure span name from `beforeStartSpan` isn't overwritten ([#17500](https://redirect.github.com/getsentry/sentry-javascript/pull/17500))
- fix(browser): Ensure source is set correctly when updating span name in-place in `beforeStartSpan` ([#17501](https://redirect.github.com/getsentry/sentry-javascript/pull/17501))
- fix(core): Only set template attributes on logs if parameters exist ([#17480](https://redirect.github.com/getsentry/sentry-javascript/pull/17480))
- fix(nextjs): Fix parameterization for root catchall routes ([#17489](https://redirect.github.com/getsentry/sentry-javascript/pull/17489))
- fix(node-core): Shut down OTel TraceProvider when calling `Sentry.close()` ([#17499](https://redirect.github.com/getsentry/sentry-javascript/pull/17499))

<details>
<summary><strong>Internal Changes</strong></summary>

- chore: Add `changelog` script back to package.json ([#17517](https://redirect.github.com/getsentry/sentry-javascript/pull/17517))
- chore: Ensure prettier is run on all files ([#17497](https://redirect.github.com/getsentry/sentry-javascript/pull/17497))
- chore: Ignore prettier commit for git blame ([#17498](https://redirect.github.com/getsentry/sentry-javascript/pull/17498))
- chore: Remove experimental from Nuxt SDK package description ([#17483](https://redirect.github.com/getsentry/sentry-javascript/pull/17483))
- ci: Capture overhead in node app ([#17420](https://redirect.github.com/getsentry/sentry-javascript/pull/17420))
- ci: Ensure we fail on cancelled jobs ([#17506](https://redirect.github.com/getsentry/sentry-javascript/pull/17506))
- ci(deps): bump actions/checkout from 4 to 5 ([#17505](https://redirect.github.com/getsentry/sentry-javascript/pull/17505))
- ci(deps): bump actions/create-github-app-token from 2.0.6 to 2.1.1 ([#17504](https://redirect.github.com/getsentry/sentry-javascript/pull/17504))
- test(aws): Improve reliability on CI ([#17502](https://redirect.github.com/getsentry/sentry-javascript/pull/17502))

</details>

## Bundle size 📦

| Path | Size |
|:--|:--|
| @sentry/browser | 23.59 KB |
| @sentry/browser - with treeshaking flags | 22.2 KB |
| @sentry/browser (incl. Tracing) | 38.93 KB |
| @sentry/browser (incl. Tracing, Replay) | 76.4 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 66.43 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 80.97 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 92.81 KB |
| @sentry/browser (incl. Feedback) | 39.88 KB |
| @sentry/browser (incl. sendFeedback) | 28.13 KB |
| @sentry/browser (incl. FeedbackAsync) | 32.92 KB |
| @sentry/react | 25.27 KB |
| @sentry/react (incl. Tracing) | 40.91 KB |
| @sentry/vue | 27.97 KB |
| @sentry/vue (incl. Tracing) | 40.72 KB |
| @sentry/svelte | 23.62 KB |
| CDN Bundle | 25.06 KB |
| CDN Bundle (incl. Tracing) | 38.82 KB |
| CDN Bundle (incl. Tracing, Replay) | 74.25 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 79.56 KB |
| CDN Bundle - uncompressed | 73.2 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 114.83 KB |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 227.23 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 239.56 KB |
| @sentry/nextjs (client) | 42.86 KB |
| @sentry/sveltekit (client) | 39.38 KB |
| @sentry/node-core | 48.45 KB |
| @sentry/node | 146.74 KB |
| @sentry/node - without tracing | 90.02 KB |
| @sentry/aws-serverless | 103.01 KB |

**10.8.0** - [2025-08-29](https://redirect.github.com/getsentry/sentry-javascript/releases/tag/10.8.0)

### Important Changes

- **feat(sveltekit): Add Compatibility for builtin SvelteKit Tracing ([#17423](https://redirect.github.com/getsentry/sentry-javascript/pull/17423))**

  This release makes the `@sentry/sveltekit` SDK compatible with SvelteKit's native [observability support](https://svelte.dev/docs/kit/observability) introduced in SvelteKit version `2.31.0`.
  If you enable both, instrumentation and tracing, the SDK will now initialize early enough to set up additional instrumentation like database queries and it will pick up spans emitted from SvelteKit.

  We will follow up with docs on how to set up the SDK soon.
  For now, if you're on SvelteKit version `2.31.0` or newer, you can easily opt into the new feature:

  1. Enable [experimental tracing and instrumentation support](https://svelte.dev/docs/kit/observability) in `svelte.config.js`:

  2. Move your `Sentry.init()` call from `src/hooks.server.(js|ts)` to the new `instrumentation.server.(js|ts)` file:

     ```ts
     // instrumentation.server.ts
     import * as Sentry from '@sentry/sveltekit';

     Sentry.init({
       dsn: '...',
       // rest of your config
     });
     ```

     The rest of your Sentry config in `hooks.server.ts` (`sentryHandle` and `handleErrorWithSentry`) should stay the same.

  If you prefer to stay on the hooks-file based config for now, the SDK will continue to work as previously.

  Thanks to the Svelte team and [@elliott-with-the-longest-name-on-github](https://redirect.github.com/elliott-with-the-longest-name-on-github) for implementing observability support and for reviewing our PR!

### Other Changes

- fix(react): Avoid multiple name updates on navigation spans ([#17438](https://redirect.github.com/getsentry/sentry-javascript/pull/17438))

<details>
<summary><strong>Internal Changes</strong></summary>

- test(profiling): Add tests for current state of profiling ([#17470](https://redirect.github.com/getsentry/sentry-javascript/pull/17470))

</details>

## Bundle size 📦

| Path | Size |
|:--|:--|
| @sentry/browser | 23.59 KB |
| @sentry/browser - with treeshaking flags | 22.2 KB |
| @sentry/browser (incl. Tracing) | 38.94 KB |
| @sentry/browser (incl. Tracing, Replay) | 76.4 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 66.43 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 80.97 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 92.8 KB |
| @sentry/browser (incl. Feedback) | 39.88 KB |
| @sentry/browser (incl. sendFeedback) | 28.13 KB |
| @sentry/browser (incl. FeedbackAsync) | 32.92 KB |
| @sentry/react | 25.27 KB |
| @sentry/react (incl. Tracing) | 40.91 KB |
| @sentry/vue | 27.97 KB |
| @sentry/vue (incl. Tracing) | 40.72 KB |
| @sentry/svelte | 23.62 KB |
| CDN Bundle | 25.06 KB |
| CDN Bundle (incl. Tracing) | 38.82 KB |
| CDN Bundle (incl. Tracing, Replay) | 74.24 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 79.55 KB |
| CDN Bundle - uncompressed | 73.2 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 114.83 KB |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 227.23 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 239.53 KB |
| @sentry/nextjs (client) | 42.86 KB |
| @sentry/sveltekit (client) | 39.38 KB |
| @sentry/node-core | 46.87 KB |
| @sentry/node | 145.75 KB |
| @sentry/node - without tracing | 90.08 KB |
| @sentry/aws-serverless | 102.45 KB |

from [@sentry/profiling-node GitHub release notes](https://redirect.github.com/getsentry/sentry-javascript/releases)

</details>
</details>

---

> [!IMPORTANT]
>
> - Check the changes in this PR to ensure they won't cause issues with your project.
> - This PR was automatically created by Snyk using the credentials of a real user.
> - Max score is 1000. Note that the real score may have changed since the PR was raised.

---

**Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._

**For more information:**

> - 🧐 [View latest project report](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr)
> - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates?utm_source=&utm_content=fix-pr-template)
> - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59/settings/integration?utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr)
> - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/reisene/project/55e114f8-489e-4f14-b900-20574b041e59/settings/integration?pkg=@sentry/profiling-node&utm_source=github-cloud-app&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)

2 parents 2aa2a79 + 6200d5f commit a0bc695

2 files changed, +192 -192 lines changed
