fix(deps): bump fast-xml-parser to 5.5.8 in @azure/core-xml chain

[chargome]

Partially fixes Dependabot alert #1224. Updates the @azure/core-xml transitive dependency chain to fast-xml-parser 5.5.8 (patched for CVE-2026-33349). AWS SDK and Langchain chains require upstream updates.

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

Deps

• Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
• Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887

Bug Fixes 🐛

Cloudflare

• Send correct events in local development by JPeer264 in #19900
• Forward ctx argument to Workflow.do user callback by Lms24 in #19891

Core

• Do not overwrite user provided conversation id in Vercel by nicohrubec in #19903
• Return same value from startSpan as callback returns by s1gr1d in #19300

Deps

• Bump fast-xml-parser to 5.5.8 in @azure/core-xml chain by chargome in #19918

• Bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps by chargome in #19917
• Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880

Other

• (craft) Add missing mainDocsUrl for @sentry/effect SDK by bc-sentry in #19860
• (nestjs) Add node to nest metadata by chargome in #19875
• (serverless) Add node to metadata by nicohrubec in #19878

Internal Changes 🔧

Deps Dev

• Bump qunit-dom from 3.2.1 to 3.5.0 by dependabot in #19546
• Bump @react-router/node from 7.13.0 to 7.13.1 by dependabot in #19544

Other

• (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
• (ci) Fix "Gatbsy" typo in issue package label workflow by chargome in #19905
• (lint) Resolve oxlint warnings by isaacs in #19893
• (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824
• (remix) Replace glob with native recursive fs walk by roli-lpci in #19531
• (sveltekit) Replace recast + @babel/parser with acorn by roli-lpci in #19533
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19925
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19909

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	9,015	-	8,614	+5%
GET With Sentry	1,682	19%	1,584	+6%
GET With Sentry (error only)	6,046	67%	6,004	+1%
POST Baseline	1,203	-	1,172	+3%
POST With Sentry	573	48%	583	-2%
POST With Sentry (error only)	1,050	87%	1,061	-1%
MYSQL Baseline	3,218	-	3,210	+0%
MYSQL With Sentry	428	13%	462	-7%
MYSQL With Sentry (error only)	2,641	82%	2,588	+2%

View base workflow run

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Lockfile inconsistency: unresolved debug@~4.4.1 specifier

Medium Severity

The socket.io-parser@4.2.6 dependency declaration for debug was changed from "~4.3.1" to "~4.4.1", but no lockfile resolution entry includes the debug@~4.4.1 specifier. The existing entries cover debug@~4.3.1, ~4.3.2, ~4.3.4 (→ 4.3.7) and debug@^4.4.1 (caret, → 4.4.3), but not debug@~4.4.1 (tilde). This unresolved specifier can cause yarn install --frozen-lockfile to fail in CI.

 

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.69 kB	+0.2%	+49 B 🔺
@sentry/browser - with treeshaking flags	24.17 kB	+0.14%	+33 B 🔺
@sentry/browser (incl. Tracing)	42.67 kB	+0.13%	+54 B 🔺
@sentry/browser (incl. Tracing, Profiling)	47.33 kB	+0.12%	+55 B 🔺
@sentry/browser (incl. Tracing, Replay)	81.48 kB	+0.08%	+57 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.06 kB	+0.1%	+69 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas)	86.17 kB	+0.06%	+50 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback)	98.41 kB	+0.04%	+36 B 🔺
@sentry/browser (incl. Feedback)	42.48 kB	+0.08%	+30 B 🔺
@sentry/browser (incl. sendFeedback)	30.35 kB	+0.15%	+43 B 🔺
@sentry/browser (incl. FeedbackAsync)	35.4 kB	+0.12%	+39 B 🔺
@sentry/browser (incl. Metrics)	26.96 kB	+0.15%	+38 B 🔺
@sentry/browser (incl. Logs)	27.1 kB	+0.12%	+32 B 🔺
@sentry/browser (incl. Metrics & Logs)	27.78 kB	+0.15%	+39 B 🔺
@sentry/react	27.45 kB	+0.22%	+58 B 🔺
@sentry/react (incl. Tracing)	45.01 kB	+0.14%	+60 B 🔺
@sentry/vue	30.13 kB	+0.16%	+46 B 🔺
@sentry/vue (incl. Tracing)	44.52 kB	+0.09%	+39 B 🔺
@sentry/svelte	25.7 kB	+0.16%	+40 B 🔺
CDN Bundle	28.35 kB	+0.27%	+75 B 🔺
CDN Bundle (incl. Tracing)	43.57 kB	+0.15%	+62 B 🔺
CDN Bundle (incl. Logs, Metrics)	29.22 kB	+0.27%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics)	44.43 kB	+0.17%	+75 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics)	68.29 kB	+0.13%	+85 B 🔺
CDN Bundle (incl. Tracing, Replay)	80.41 kB	+0.1%	+73 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	81.31 kB	+0.1%	+76 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback)	85.97 kB	+0.12%	+103 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.86 kB	+0.1%	+86 B 🔺
CDN Bundle - uncompressed	82.7 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing) - uncompressed	128.62 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.57 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	131.49 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	209.22 kB	+0.05%	+102 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed	245.5 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	248.35 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	258.41 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	261.26 kB	+0.04%	+89 B 🔺
@sentry/nextjs (client)	47.4 kB	+0.08%	+37 B 🔺
@sentry/sveltekit (client)	43.12 kB	+0.12%	+51 B 🔺
@sentry/node-core	56.42 kB	+0.14%	+74 B 🔺
@sentry/node	173.38 kB	+0.13%	+221 B 🔺
@sentry/node - without tracing	96.43 kB	+0.1%	+87 B 🔺
@sentry/aws-serverless	113.44 kB	+0.09%	+100 B 🔺

View base workflow run

[sentry]

Bug: The yarn.lock file incorrectly specifies debug@~4.4.1 for socket.io-parser, but no matching entry exists, which will cause the installation to fail.
_{Severity: CRITICAL}

Suggested Fix

The change to the debug dependency for socket.io-parser appears accidental. Revert the dependency requirement for socket.io-parser back to debug "~4.3.1" in the yarn.lock file to match the correct version and ensure the build passes.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: yarn.lock#L27502

Potential issue: The `yarn.lock` file has been modified to change the `debug` dependency
for `socket.io-parser` to `~4.4.1`. However, the lockfile does not contain a
corresponding entry for `debug@~4.4.1`. The existing `debug@4` entries use caret ranges
(e.g., `^4.4.1`), which Yarn cannot use to resolve the tilde range `~4.4.1`. This
mismatch will cause `yarn install --frozen-lockfile` to fail, breaking any CI/CD
pipeline that relies on it and preventing the application from being built or deployed.
This change appears unrelated to the PR's goal of updating `fast-xml-parser`.

_{Did we get this right? 👍 / 👎 to inform future reviews.}