chore(deps): update CLI to v3.0.1

[github-actions]

Bumps scripts/update-cli.sh from 2.52.0 to 3.0.1.

Auto-generated by a dependency updater.

Changelog

3.0.1

Performance Improvements

• We switch to a faster compression algorithm (zstd) for uploading size analysis builds (sentry build upload) in preparation for this week's beta release! (#3038)

Versioning Policy Update

Our versioning policy has reclassified the minimum supported self-hosted Sentry version as being part of the public API. Therefore, we will only increase this minimum supported self-hosted Sentry version in a major release of Sentry CLI.

3.0.0

New Sentry Support Policy

sentry-cli 3.0.0 and above only officially supports Sentry SaaS and Sentry self-hosted versions 25.11.1 and higher. While many Sentry CLI features may, in practice, continue working with some older Sentry versions, continued support for Sentry versions older than 25.11.1 is not guaranteed. Changes which break support for Sentry versions below 25.11.1 may occur in minor or patch releases.

New Versioning Policy

Sentry CLI now defines a semantic versioning policy. We did not explicitly define a versioning policy previously, and this new policy should give more clarity about what can change in minor or patch releases versus what requires a major version bump.

Breaking Changes

• Removed all sentry-cli files ... and sentry-cli releases files ... subcommands (#2956). These commands provided functionality for managing release files, a feature that has been deprecated in Sentry. Users still using sentry-cli files upload to upload source maps should migrate to sentry-cli sourcemaps upload.
• Removed the sentry-cli sourcemaps explain command (#2947). The command had been deprecated for some time, since Sentry now has a better in-product debugging flow for source map problems via the "Unminify Code" button, which is displayed on any JavaScript issues which could not be unminified.
• Removed the sentry-cli send-metric ... subcommands (#3006). These commands have been deprecated, and the data they send is no longer accepted by Sentry.
• Removed support for the legacy API key authentication method (#2935). Sentry CLI now only supports authenticating with Auth Tokens. If you are using API key authentication via any of the following methods, you need to generate and use an Auth Token, instead:
  • --api-key CLI flag
  • SENTRY_API_KEY environment variable
  • api_key configuration file field
  • apiKey option in the JavaScript API
• Removed the upload-proguard subcommand's --app-id, --version, --version-code, --android-manifest, and --platform arguments (#2876, #2940, #2948). Users using these arguments should stop using them, as they are unnecessary. The information passed to these arguments is no longer visible in Sentry.
• Removed the --started argument from the sentry-cli releases finalize command (#2972). This argument is a no-op, so any users using it should simply stop using it.
• Removed the --use-artifact-bundle flag from sentry-cli sourcemaps upload (#3002). The flag was a no-op that only emitted a deprecation warning.

Node.js Wrapper Breakages

The following changes only apply when using sentry-cli via the npm package sentry/cli:

• The SentryCli.execute method's live parameter now only takes boolean values (#2971). Setting live to true now behaves like 'rejectOnError' did previously, with a zero exit status resolving the returned promise with "success (live mode)" and a non-zero status rejecting the promise with an error message.

• The option parameter to Releases.uploadSourceMaps no longer takes a live property (#2971). We now always execute the command with live set to true.

• Removed the apiKey option from SentryCliOptions (#2935). If you are using apiKey, you need to generate and use an Auth Token via the authToken option, instead.

• Removed the useArtifactBundle option from SentryCliUploadSourceMapsOptions (#3002). This deprecated option was a no-op that users should simply stop passing.

• Drop support for Node.js <18. The minimum required Node.js version is now 18.0.0 (#2985).

• The type export SentryCliReleases has been removed.

• The JavaScript wrapper now uses named exports instead of default exports (#2989). You need to update your imports:

  // Old (default import)
  const SentryCli = require('sentry/cli');
  
  // New (named import)
  const { SentryCli } = require('sentry/cli');

  For ESM imports:

  // Old
  import SentryCli from 'sentry/cli';
  
  // New
  import { SentryCli } from 'sentry/cli';

Improvements

• The sentry-cli upload-proguard command now uses chunked uploading by default (#2918). Users who previously set the SENTRY_EXPERIMENTAL_PROGUARD_CHUNK_UPLOAD environment variable to opt into this behavior no longer need to set the variable.
• We now place source map debug IDs under the source map's debugId field, per the TC39 Debug ID proposal (#3005). This change affects the sentry-cli sourcemaps inject command and, unless --no-rewrite is passed, the sentry-cli sourcemaps upload command. Sentry CLI can still read the debug_id field, but whenever the CLI writes or rewrites a source map, we always use debugId.
• The sentry-cli build upload command now automatically tracks Sentry plugin versions from the SENTRY_PIPELINE environment variable (#2994). When SENTRY_PIPELINE contains a recognized Sentry plugin (e.g., sentry-gradle-plugin/4.12.0 or sentry-fastlane-plugin/1.2.3), the plugin version is written to the .sentry-cli-metadata.txt file in uploaded build archives, enabling the backend to store metadata for size analysis and build distribution tracking.

Fixes

• Fixed misleading error message claiming the server doesn't support chunk uploading when the actual error was a non-existent organization (#2930).

2.58.4

Fixes

• Use node directly in the postinstall script, instead of using npm run (#3030). This change ensures the postinstall script remains compatible with package managers other than npm.

2.58.3

Improvements

• For the sentry-cli build upload command, we now only auto-detect Git metadata when we detect we are running in a CI environment, unless the user manually overrides this behavior (#2974). This change prevents local development builds from triggiering GitHub status checks for size analysis.
  • We can detect most common CI environments based on the environment variables these set.
  • We introduced two new arguments, --force-git-metadata and --no-git-metadata, which force-enable and force-disable automatic Git data collection, respectively, overriding the default behavior.
• The sentry-cli build upload command now automatically detects the correct branch or tag reference in non-PR GitHub Actions workflows (#2976). Previously, --head-ref was only auto-detected for pull request workflows. Now it works for push, release, and other workflow types by using the GITHUB_REF_NAME environment variable.

Fixes

• Fixed a bug where the sentry-cli sourcemaps inject command could inject JavaScript code into certain incorrectly formatted source map files, corrupting their JSON structure (#3003).

2.58.2

Improvements

• Added validation for the sentry-cli build upload command's --head-sha and --base-sha arguments (#2945). The CLI now validates that these are valid SHA1 sums. Passing an empty string is also allowed; this prevents the default values from being used, causing the values to instead be unset.

Fixes

• Fixed a bug where providing empty-string values for the sentry-cli build upload command's --vcs-provider, --head-repo-name, --head-ref, --base-ref, and --base-repo-name arguments resulted in 400 errors (#2946). Now, setting these to empty strings instead explicitly clears the default value we would set otherwise, as expected.

2.58.1

Deprecations

• Deprecated API key authentication (#2934, #2937). Users who are still using API keys to authenticate Sentry CLI should generate and use an Auth Token instead.

Improvements

• The sentry-cli debug-files bundle-jvm no longer makes any HTTP requests to Sentry, meaning auth tokens are no longer needed, and the command can be run offline (#2926).

Fixes

• Skip setting base_sha and base_ref when they equal head_sha during auto-inference, since comparing a commit to itself provides no meaningful baseline (#2924).
• Improved error message when supplying a non-existent organization to sentry-cli sourcemaps upload. The error now correctly indicates the organization doesn't exist, rather than incorrectly suggesting the Sentry server lacks artifact bundle support (#2931).

2.58.0

New Features

• Removed experimental status from the sentry-cli build upload commands (#2899, #2905). At the time of this release, build uploads are still in closed beta on the server side, so most customers cannot use this functionality quite yet.
• Added CLI version metadata to build upload archives (#2890).

Deprecations

• Deprecated the upload-proguard subcommand's --platform flag (#2863). This flag was a no-op for some time, so we will remove it in the next major.
• Deprecated the upload-proguard subcommand's --android-manifest flag (#2891). This flag was a no-op for some time, so we will remove it in the next major.
• Deprecated the sentry-cli sourcemaps upload command's --no-dedupe flag (#2913). The flag was no longer relevant for sourcemap uploads to modern Sentry servers and was made a no-op.

Fixes

• Fixed autofilled git base metadata (--base-ref, --base-sha) when using the build upload subcommand in git repos. Previously this worked only in the context of GitHub workflows (#2897, #2898).

Performance

• Slightly sped up the sentry-cli sourcemaps upload command by eliminating an HTTP request to the Sentry server, which was not required in most cases (#2913).

Internal changes

• Migrated JavaScript wrapper to TypeScript for better type safety (#2910)

2.57.0

New Features

• (JS API) Add projects field to SentryCliUploadSourceMapsOptions (#2856)

Deprecations

• Deprecated the upload-proguard subcommand's --app-id, --version, and --version-code flags (#2852), as we plan to remove these flags in Sentry CLI 3.x. Users should simply stop using the flags; the values specified there have never had an effect on deobfuscation, and are no longer visible in Sentry.
• Added a deprecation notice for release bundle uploads, a legacy method for uploading source maps (#2844). Release bundle uploads will be removed in Sentry CLI 3.x in favor of artifact bundles, the newer source map upload method introduced in Sentry version 23.6.2. Self-hosted users: You must upgrade to Sentry 23.6.2 or later before upgrading to Sentry CLI 3.x.

Fixes

• Fixed a bug where some log messages would not show up in CI environments or when redirecting stderr to a file (#2830). Specifically, this bug was affecting any subcommand that uses a progress bar, such as sentry-cli debug-files bundle-jvm and sentry-cli sourcemaps upload. Any stderr output during the progress bar was lost if stderr was redirected.

2.56.1

Deprecations

• Added a deprecation notice for legacy uploading methods (#2836, #2837)
  • Support for these legacy uploading methods, required to upload to self-hosted Sentry servers below version 10.0.0, will be removed in the next major release (3.x). If you observe these new deprecation notices, we recommend upgrading your self-hosted Sentry server, or pinning Sentry CLI to a compatible version (2.x).
  • You may encounter these deprecation notices when uploading debug files or sourcemaps.

Fixes & improvements

• Fixed a bug with sourcemap injection (#2764) by szokeasaurusrex
  • This change ensures we do not attempt to associate multiple compiled sources with the same sourcemap. As there should be at most one sourcemap for each compiled source, associating multiple compiled sources with the same sourcemap would lead to an invalid state.
• Updated some outdated dependencies (#2816, #2818, and #2819)

2.56.0

Various fixes & improvements

• feat: auto-fetch head-ref from GitHub Actions in detached HEAD state (#2805) by runningcode
• feat: automatically fetch base SHA in GitHub Actions PR workflows (#2799) by runningcode
• feat(preprod): use deflated compression when creating the zip file (#2800) by trevor-e
• feat(preprod): make sure at least one app bundle is present for upload (#2795) by trevor-e
• feat(preprod): fail upload if app is missing Info.plist (#2793) by trevor-e
• feat: restore GitHub Actions base branch detection (#2792) by runningcode
• fix: lower log level for missing base ref detection (EME-369) (#2813) by runningcode
• fix: simplify debug logging for PR number detection (EME-362) (#2812) by runningcode
• fix: serialize VCS tests to prevent race conditions (EME-368) (#2811) by runningcode
• fix: Validate SENTRY_RELEASE environment variable (#2807) by szokeasaurusrex
• fix: use actual PR head SHA in GitHub Actions instead of merge commit (#2785) by runningcode
• fix: suppress warning messages in failing build upload tests (#2791) by runningcode

2.55.0

Various fixes & improvements

• feat(build): preserve repository name case for build upload (#2777) by runningcode
• fix(sourcemaps): Display injection errors (#2775) by szokeasaurusrex
• feat: Normalize VCS provider names to match backend (#2770) by runningcode
• feat: Improve upload error message to show cause (#2765) by runningcode
• fix: Safer asset catalog reader for liquid glass (#2771) by noahsmartin
• fix(releases): handle partial SHAs correctly in commit resolution (#2734) by srest2021

2.54.0

Various fixes & improvements

• Fix: symlinks in normalized upload (#2744) by noahsmartin
• feat(vcs): Prefer upstream remote over origin for base repo name (#2737) by runningcode
• feat(build): Add auto-detection of base_repo_name from git remote (#2735) by runningcode
• feat(build): Add auto-detection of PR number from GitHub Actions (#2722) by runningcode
• feat(build): Auto-detect base_ref from git merge-base (#2720) by runningcode
• feat(logs): support log streaming (#2666) by vgrozdanic

2.53.0

Various fixes & improvements

• feat(mobile-app): Add release notes option (#2712) by noahsmartin

Changes from 2.53.0-alpha

2.53.0-alpha reintroduced the build (previously named mobile-app) commands. 2.53.0 is the first stable release to reintroduce them.

Please note, the build commands are still experimental, and are therefore subject to breaking changes, including removal, in any release, without notice.

• feat(mobile-app): Add default vcs base_ref parsing for mobile-app subcommand (#2706) by rbro112
• chore(mobile-app): Rename mobile-app subcommand to build (#2719) by rbro112
• Revert "feat(mobile-app): Reintroduce mobile-app feature gating (#2643)" (#2670) by noahsmartin
• meta(cursor): Add rule to avoid explicit type annotations (#2717) by szokeasaurusrex
• retry on cloudflare timeout (#2695) by manishrawat1992

2.53.0-alpha

This release reintroduces the build (previously named mobile-app) commands.

Various fixes & improvements

• feat(mobile-app): Add default vcs base_ref parsing for mobile-app subcommand (#2706) by rbro112
• chore(mobile-app): Rename mobile-app subcommand to build (#2719) by rbro112
• Revert "feat(mobile-app): Reintroduce mobile-app feature gating (#2643)" (#2670) by noahsmartin
• meta(cursor): Add rule to avoid explicit type annotations (#2717) by szokeasaurusrex
• retry on cloudflare timeout (#2695) by manishrawat1992

[sentry]

Bug: The plugin uses the files subcommand, which was removed in sentry-cli 3.0.1. This will break builds for users with legacy_web_symbolication: true.
_{Severity: CRITICAL | Confidence: High}

🔍 Detailed Analysis

The PR upgrades the embedded sentry-cli to version 3.0.1, which removes the files subcommand. However, the plugin's _executeCliForLegacySourceMaps() method still constructs commands using this removed subcommand when the legacy_web_symbolication option is enabled. This will cause the build process to fail with an unrecognized command error for any user who has this legacy option enabled, breaking their upgrade path without warning.

💡 Suggested Fix

Update the command generation logic in _executeCliForLegacySourceMaps() to align with the new command structure of sentry-cli 3.0.1. Alternatively, if the feature is no longer supported, add a deprecation warning and prevent its use with the new CLI version to avoid build failures.

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: lib/src/cli/_sources.dart#L10

Potential issue: The PR upgrades the embedded `sentry-cli` to version 3.0.1, which
removes the `files` subcommand. However, the plugin's `_executeCliForLegacySourceMaps()`
method still constructs commands using this removed subcommand when the
`legacy_web_symbolication` option is enabled. This will cause the build process to fail
with an unrecognized command error for any user who has this legacy option enabled,
breaking their upgrade path without warning.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 7682739}

[cursor]

Bug: Legacy sourcemap upload breaks with removed CLI command

Bumping sentry-cli to v3.0.1 breaks the legacy_web_symbolication feature. The _executeCliForLegacySourceMaps method invokes releases files <release> upload-sourcemaps, but sentry-cli 3.0.0 removed all releases files ... subcommands. Users with legacy_web_symbolication: true configured will get runtime failures because the CLI command they depend on no longer exists.