docs(react-native): Use scoped @sentry/cli in sourcemap upload examples#17426
Open
The unscoped `sentry-cli` name on npm is held by a personal account that is no longer under Sentry's governance. Route the documented commands through the scope-locked `@sentry/cli` so the registry fallback path cannot resolve to a third-party-maintained package. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DESCRIBE YOUR PR

Replaces every `npx sentry-cli sourcemaps upload …` invocation in the React Native source-map upload guides with `npx @sentry/cli sourcemaps upload …`. 5 occurrences across 2 files:

- `docs/platforms/react-native/sourcemaps/uploading/codepush.mdx` (1)
- `docs/platforms/react-native/sourcemaps/uploading/expo-advanced.mdx` (4)

IS YOUR CHANGE URGENT?

Motivation

The unscoped `sentry-cli` name on npm is currently owned by a personal account (kamilogorek) that is no longer at Sentry. The package itself is a defensively crafted stub — no `bin`, and a `postinstall` that exits with `"Use @sentry/cli instead"` — so a user who runs `npx sentry-cli …` today without a local install gets a loud error rather than an exploit. That is the good case.

The residual risk is that the account sits outside Sentry's governance. If the credentials were ever compromised, an attacker could push a new version with a real `bin` and active payload, and anyone following the documented command (CI step without a prior `npm install`, copy-pasted shell, fresh environment) would execute it. Every `npx sentry-cli …` in the Sentry docs is a fall-through path into that account.

Routing the documented command through the `@sentry/cli` scoped name removes that fall-through entirely — `@sentry` is a locked npm scope that only Sentry members can publish to, so the transitive registry lookup can never reach a third-party-maintained package.

In-project behavior is unchanged: users with `@sentry/cli` installed locally already resolve the bin via `./node_modules/.bin/sentry-cli`, so the scoped form is purely a safer spelling of the same invocation.

PRE-MERGE CHECKLIST

Follow-ups (not blocking this PR)

- `sentry-cli` npm maintainer and transfer package ownership to the Sentry npm org. One-time cleanup; permanently removes the account-compromise risk.
- sentry-javascript, sentry-java, etc.) for bare `npx sentry-cli` in their READMEs or examples. No other hits in `sentry-docs` itself (verified via grep).
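A regression check for the fall-through path described in the motivation, as an added example that is not part of this PR or of sentry-docs: it flags any `npx` invocation whose package would resolve to the bare `sentry-cli` name, treats the scoped spelling and `npx -p @sentry/cli sentry-cli` as safe, and suggests the rewrite. The sample doc lines are constructed.

```python
# Added example (not sentry-docs code): flag `npx` invocations whose package would resolve to the unscoped `sentry-cli` name.
import re
import shlex
from typing import List, Optional, Tuple
UNSCOPED, SCOPED = "sentry-cli", "@sentry/cli"
BARE_TOKEN = re.compile(r"(?<!\S)sentry-cli(?=@|\s|$)")   # the bare package token only

def package_name(spec: str) -> str:
    """Drop a trailing @version: 'sentry-cli@2' -> 'sentry-cli', '@sentry/cli@2' -> '@sentry/cli'."""
    head, sep, _ = spec.rpartition("@")
    return head if sep and head else spec

def npx_package(command: str) -> Optional[str]:
    """Package npx resolves for this line (fetched from the registry when not installed locally)."""
    try:
        toks = shlex.split(command)
    except ValueError:  # unbalanced quotes in a doc snippet: degrade gracefully
        toks = command.split()
    if "npx" not in toks:
        return None
    i, pinned = toks.index("npx") + 1, None
    while i < len(toks):
        t = toks[i]
        if t in ("-p", "--package") and i + 1 < len(toks):
            pinned, i = toks[i + 1], i + 2   # `npx -p <pkg> <bin>`: <pkg> is what gets fetched
        elif t.startswith("--package="):
            pinned, i = t.split("=", 1)[1], i + 1
        elif t.startswith("-"):              # other flags such as --yes / -y
            i += 1
        else:
            break
    if i >= len(toks):
        return None
    return package_name(pinned or toks[i])

def find_unscoped(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, original, suggested rewrite) for each line that falls through to the bare name."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if npx_package(line) == UNSCOPED:
            hits.append((n, line, BARE_TOKEN.sub(SCOPED, line, count=1)))
    return hits

# Constructed sample: lines 1 and 3 should be flagged; the others are already safe spellings.
SAMPLE_DOC = """\
npx sentry-cli sourcemaps upload --release 1.0 ./dist
npx @sentry/cli sourcemaps upload --release 1.0 ./dist
npx --yes sentry-cli@2 releases new 1.0
npx -p @sentry/cli sentry-cli sourcemaps upload ./dist
./node_modules/.bin/sentry-cli sourcemaps upload ./dist
"""
```

Run it over `docs/**/*.mdx` and CI workflow files in a pre-merge check so the bare spelling cannot be reintroduced.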