Sentry CLI

Features

• (snapshots) Add snapshots diff command for locally comparing directories of PNG snapshot images using odiff (#3306)
• (snapshots) Add snapshots download command for downloading baseline snapshot images from Sentry (#3310)
• (snapshots) Add --all-image-file-names and --all-image-file-names-file flags to snapshots upload for detecting image removals and renames in selective builds (#3312)
• Add PE DWARF companion support (#3240)
• Add Windows ARM64 PE unwind support (#3240)

Fixes

• Improve error message when organization slug is missing from config (#3311)
• Respect CURL_CA_BUNDLE and SSL_CERT_FILE when configuring TLS certificate authorities (#3301).

Internal changes

• Bump symbolic to 13.1.1 (#3240)

Security Fixes

• Behavior-breaking: Disable Xcode Info.plist preprocessing by default to avoid passing project-controlled compiler settings to cc during release auto-discovery. This affects sentry-cli releases propose-version, sentry-cli send-event and sentry-cli bash-hook --send-event release inference, and sentry-cli react-native xcode auto-release detection. Use --allow-xcode-infoplist-preprocessing only for trusted projects that require preprocessing.
• Ensure restrictive file permissions maintained when sentry-cli login updates existing config files.
• Disable TLS verification only when http.verify_ssl is set to false, case-insensitively.
• Shell-escape generated bash-hook arguments, including paths, tags, release names, and the CLI path.
• Stop sending environment variables in sentry-cli bash-hook events.
• Verify the downloaded binary checksum before replacing the current executable in sentry-cli update.

Performance

• (snapshots) Skip uploading images that already exist in objectstore by batch-checking with HEAD requests first (#3305)

Fixes

• (snapshots) Reject snapshot uploads that have a PR number but no base SHA, since comparisons cannot work without a base reference (#3300)

Security Fixes

• Behavior-breaking: Disable Xcode Info.plist preprocessing by default to avoid passing project-controlled compiler settings to cc during release auto-discovery. This affects sentry-cli releases propose-version, sentry-cli send-event and sentry-cli bash-hook --send-event release inference, and sentry-cli react-native xcode auto-release detection. Use --allow-xcode-infoplist-preprocessing only for trusted projects that require preprocessing.
• Ensure restrictive file permissions maintained when sentry-cli login updates existing config files.
• Disable TLS verification only when http.verify_ssl is set to false, case-insensitively.
• Shell-escape generated bash-hook arguments, including paths, tags, release names, and the CLI path.
• Stop sending environment variables in sentry-cli bash-hook events.
• Verify the downloaded binary checksum before replacing the current executable in sentry-cli update.

Fixes

• (snapshots) Stop sending Sentry auth token to Objectstore (#3286)
• (js) Fix argument injection in JavaScript API's serializeOptions. String/number options now validate input types and prevent Array.prototype.concat() from flattening array values into separate CLI arguments. (#3287)

Improvements

• (bundle-jvm) Warn and skip subsequent duplicates when multiple files strip to the same URL (e.g. Android build variants contributing the same FQCN). The warning points users at --exclude to scope the bundle to a single variant (#3275).

Fixes

• (bundle-jvm) Strip the [<module>/]src/<sourceset>/<lang>/ prefix from bundle URLs so Symbolicator can resolve them from package-based stack traces (e.g. sentry-android-core/src/main/java/io/sentry/android/core/ANRWatchDog.java → ~/io/sentry/android/core/ANRWatchDog.jvm) (#3275).

Features

• (snapshots) Add --selective flag to build snapshots to indicate the upload contains only a subset of images (#3268)
• (bundle-jvm) Allow running directly on a project root (including multi-module repos) by automatically collecting only JVM source files (.java, .kt, .scala, .groovy), respecting .gitignore, and excluding common build output directories (#3260)
• (bundle-jvm) Add --exclude option for custom glob patterns to exclude files/directories from source collection (#3260)

Performance

• (snapshots) Parallelize image hashing with rayon (#3250)

Fixes

• (snapshots) Chunk image uploads to avoid file descriptor exhaustion and 413 errors when uploading hundreds of images (#3249)
• (snapshots) Preserve subdirectory structure in snapshot manifest keys instead of flattening to bare filenames (#3269)
• Replace eprintln! with log::info! for progress bar completion messages when the progress bar is disabled (e.g. in CI). This avoids spurious stderr output that some CI systems treat as errors (#3223).

Performance

• (snapshots) Parallelize image hashing with rayon (#3250)

Fixes

• (sourcemaps) Skip non-base64 embedded sourcemaps during injection (#3243)

New Features ✨

• Add sentry-cli build download command to download installable builds (IPA/APK) by build ID (#3221).
• Add sentry-cli code-mappings upload command to bulk upload code mappings from a JSON file (#3207, #3208, #3209, #3210).
  • Code mappings link stack trace paths (e.g. com/example/module) to source paths in your repository (e.g. src/main/java/com/example/module), enabling Sentry to display source context and link directly to your code from error stack traces.
  • Repository name and default branch are automatically inferred from your local git remotes, or can be specified explicitly with --repo and --default-branch.
  • Large mapping files are automatically split into batches for upload.

Internal Changes 🔧

• (npm) 🤖 Bump optional dependencies to 3.3.2 in afdef906

New Features ✨

• (preprod) Add VCS parameters to snapshots upload command by @rbro112 in #3200

Internal Changes 🔧

• (npm) 🤖 Bump optional dependencies to 3.3.1 in 3200dfb9

Fixes

• Accept ProGuard mapping files without line information instead of rejecting them (#3192).

Experimental Feature 🧑‍🔬 (internal-only)

• Pipe snapshot sidecar metadata into upload as part of sentry-cli build snapshots command (#3163).

New Features

• Added sentry-cli proguard uuid <PATH> to compute and print the UUID for a ProGuard mapping file (#3176).

Improvements

• Moved sentry-cli upload-proguard to sentry-cli proguard upload, aligning the API with similar upload commands like debug-files upload and sourcemaps upload (#3174). sentry-cli upload-proguard remains supported as an alias, so no migration is required.

Experimental Feature 🧑‍🔬 (internal-only)

• Print snapshot URL after successful upload (#3167).

Experimental Feature 🧑‍🔬 (internal-only)

• Added experimental sentry-cli build snapshots command to upload build snapshots to a project (#3110).
  • This command uploads files from a specified directory to Sentry's Objectstore, associating them with a snapshot identifier.
  • The command is experimental and subject to breaking changes or removal in future releases.

Fixes

• Updated minimatch dependency to fix a vulnerability (#3153)

Fixes

• Updated minimatch dependency to fix a vulnerability (#3152)

Fixes

• The dart-symbol-map upload command now correctly resolves the organization from the auth token payload (#3065).
• Retry DNS resolution failures for sentry.io requests to reduce intermittent failures for some users (#3085)

Features

• Add sourceMaps.inject() for injecting debug IDs (#3088)
• Add --install-group parameter to sentry-cli build upload for controlling update visibility between builds (#3094)

Fixes

• Recognize *.ghe.com URLs as github_enterprise VCS provider (#3127).
• Fixed a bug where the dart-symbol-map command did not accept the --url argument (#3108).
• Add timeout to build upload polling loop to prevent infinite loop when server returns unexpected state (#3118).

New Features

• In the JavaScript API, added multi-project support to releases.newDeploy() method. This method now accept a projects option (array of project slugs), aligning them with the Rust CLI's multi-project capabilities and matching the existing behavior of releases.new() and releases.uploadSourceMaps() (#3001).

Improvements

• This release includes some changes to enable support for older self-hosted Sentry versions. With these changes, Sentry CLI now officially self-hosted Sentry versions 24.11.1 and above (#3070)

Fixes

• Fixed a bug that prevented project IDs from being used with the sentry-cli releases new command for users with self-hosted Sentry instances on versions older than 25.12.1 (#3068).
• Fixed a bug, introduced in version 3.0.0, where the sentry-cli releases list command ignored the --project option (#3048). The command now correctly can filter releases by a single project when supplied via --project. This change does not enable filtering by multiple projects, which has never been supported.

Fixes

• Fixed a bug on Intel-based macOS systems that prevented Sentry CLI from respecting self-signed certificates trusted in the macOS keychain (#3059).

Fixes

• Fixed a bug on ARM-based macOS systems that prevented Sentry CLI from respecting self-signed certificates trusted in the macOS keychain (#3057).

Versioning Policy Update

Our versioning policy has reclassified the minimum supported self-hosted Sentry version as being part of the public API. Therefore, we will only increase this minimum supported self-hosted Sentry version in a major release of Sentry CLI.