WIP: POC to use orchestrion-js for instrumentation#20900
Conversation
![semgrep-code-getsentry[bot]](https://avatars.githubusercontent.com/in/1153895?s=60&v=4){kind=small}
| form-data "^4.0.5" | ||
| proxy-from-env "^2.1.0" | ||
|
|
||
| axios@^0.26.1: |
There was a problem hiding this comment.
Medium severity vulnerability introduced by a package you're using:
Line 11806 lists a dependency (axios) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.
To resolve this comment:
Upgrade this dependency to at least version 0.31.0 at yarn.lock.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| form-data "^4.0.5" | ||
| proxy-from-env "^2.1.0" | ||
|
|
||
| axios@^0.26.1: |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 11806 lists a dependency (axios) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.
To resolve this comment:
Check if you have NO_PROXY configured in your environment.
- If you're affected, upgrade this dependency to at least version 0.31.0 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
size-limit report 📦
|
|
Note: dependency warning stuff should be addressed when this is merged/released: apm-js-collab/code-transformer-bundler-plugins#2 |
| }); | ||
| debug('module.register() called for @apm-js-collab/tracing-hooks/hook.mjs'); | ||
|
|
||
| // ALSO patch `Module.prototype._compile` for the CJS side: when an ESM file |
There was a problem hiding this comment.
This is not the case when using synchronous module.registerHooks. In that case, the same hooks cover all CJS and ESM, even internal to CJS packages.
Once apm-js-collab/tracing-hooks#27 lands, we can feature detect like:
import { initialize, resolve, load } from '@apm-js-collab/tracing-hooks/hook-sync.mjs';
import Module from 'node:module';
if (runtime) {
// ...
} else {
// detection to decide module loader hooks to use
// registerHooks was present but not stable until 24.13 and 25.1
const version = (process.versions.node ?? '0.0.0')
.split('.')
.map(n => parseInt(n, 10));
const stableSyncHooks = version[0] > 25 ||
version[0] === 25 && version[1] >= 1 ||
version[0] === 24 && version[1] >= 13;
if (typeof Module.registerHooks === 'function' && stableSyncHooks) {
initialize({ instrumentations });
Module.registerHooks({ resolve, load });
} else if (typeof Module.register === 'function') {
// what you have here already, Module.register() and the cjs patch
} else {
throw new Error('No available API to apply module load hooks');
}
}There was a problem hiding this comment.
updated and applied this change, seems to work well! 🎉
mydea
force-pushed
the
experiment/orchestrionjs-auto-instrumentation
branch
from
b1b6ed6 to
9e8b070
Compare
mydea
force-pushed
the
experiment/orchestrionjs-auto-instrumentation
branch
from
9e8b070 to
26ccdf4
Compare
mydea
force-pushed
the
experiment/orchestrionjs-auto-instrumentation
branch
from
26ccdf4 to
c8be420
Compare
mydea
force-pushed
the
experiment/orchestrionjs-auto-instrumentation
branch
from
a38481b to
c095626
Compare
| code: SPAN_STATUS_ERROR, | ||
| message: ctx.error instanceof Error ? ctx.error.message : 'unknown_error', | ||
| }); | ||
| }, |
There was a problem hiding this comment.
Missing captureException call in error handling paths
Low Severity
The startInactiveSpan call's error paths (both the channel error handler and the streamable Query's 'error' event listener) set span status to SPAN_STATUS_ERROR but never call captureException. Per the review rules, when using any startSpan API (including startInactiveSpan), error cases need to be checked and it may make sense to call captureException. This may be intentional for DB query errors (to avoid noise), but worth flagging per the rules.
Additional Locations (1)
Triggered by project rule: PR Review Guidelines for Cursor Bot
Reviewed by Cursor Bugbot for commit 5d957bf. Configure here.
| * Warns if neither (channels never fire — integrations silently record nothing) | ||
| * or both (double-wrapped — duplicate spans) ran. | ||
| */ | ||
| export function detectOrchestrionSetup(): void { |
There was a problem hiding this comment.
We don't have to worry about this double wrapping.
The Orchestrion hook specifically targets module name, version and relative file path from module root. Once the code is bundled, none of the above will be able to be matched.
There was a problem hiding this comment.
I guess we still want to detect if it is wrapped at all though, I guess?
There was a problem hiding this comment.
The only double wrapping case we need to consider is if someone else has registered orchestrion in a hook.
Once the code is bundled, node_modules, the modules it contains and the module paths that are matched are not loaded from those locations at runtime so they will not be matched and modified by the tracing hooks.
There was a problem hiding this comment.
The only double wrapping case we need to consider is if someone else has registered orchestrion in a hook.
Actually this is not entirely true. The only double wrapping we need to worry about are uses of orchestrion + tracing hooks + using the same tracing channel names as us. If we keep our channel names unique and enure we only register the hook once, the code might get wrapped by other libraries using orchestrion + tracing hooks but we will only be listening to our unique tracing channel names.
Have I written that in a comprehensible way? 🤣
| return [bundlerMarkerPlugin(), ...codeTransformerArray]; | ||
| } | ||
|
|
||
| function bundlerMarkerPlugin(): UnknownPlugin { |
There was a problem hiding this comment.
None of this is required!
| @@ -0,0 +1,33 @@ | |||
| // EXPERIMENTAL — entry point for `node --require @sentry/node/orchestrion app.js`. | |||
There was a problem hiding this comment.
We probably don't need to care about supplying a hook that works with --require
There was a problem hiding this comment.
ah, you mean it is good enough if everybody uses --import, even if their app is cjs?
There was a problem hiding this comment.
Yeah, @isaacs did some testing came up with this ESM code that can register all the hooks:
https://github.com/apm-js-collab/tracing-hooks/#usage
--import and --require just tell Node which kind of file you are passing after the flag and we can hook everything from ESM.
mydea
force-pushed
the
experiment/orchestrionjs-auto-instrumentation
branch
from
5d957bf to
12ac21c
Compare
|
I also added an e2e test app using the vite plugin, however this is failing, will need to wait on v0.2.0 of the plugins as this updates to the latest version of the code transformer, which we need here. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit caaf69b. Configure here.
| '`node --import @sentry/node/orchestrion app.js`, or add `sentryOrchestrionPlugin()` ' + | ||
| 'to your bundler config.', | ||
| ); | ||
| } |
There was a problem hiding this comment.
Misconfiguration warnings silenced in production builds
Medium Severity
All critical misconfiguration warnings in detectOrchestrionSetup and _experimentalSetupOrchestrion are gated behind DEBUG_BUILD, which is false in production builds and tree-shaken away entirely. A user who sets _experimentalUseOrchestrion: true but forgets the --import flag or bundler plugin will silently get zero MySQL spans with no warning — the exact "silent failure" the plan document's architecture goal #4 ("Loud about misconfiguration") was designed to prevent. The runtime hooks (import-hook.mjs, require-hook.cjs) correctly use unconditional console.warn for their double-load guards, but detect.ts inconsistently gates its warnings behind DEBUG_BUILD.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit caaf69b. Configure here.
3 participants
This is a WIP POC trying out usage of orchestrion-js for node SDK instrumentation.
Honestly it seems pretty straightforward... Usage for this POC is:
And then
This will disable the otel instrumentation that is already converted to orchestrion (in this PR, only Mysql) and add the respective orchestrion-based integrations instead. The exact API here is WIP and really just geared towards experimentation, so could change, and it's easy to see how this would be easier in v11 with this being the default.
Some general benefits of this approach:
--importscript only registers the mappings for orchestrion, all actual code registering stuff etc. happens inSentry.init(). This makes a bunch of things easier...--import. This also works when deploying to e.g. cloudflare etc. as long as one of the bundler plugins is used.