feat(core, node): portable Express integration

[isaacs]

This extracts the functionality from the OTel Express intstrumentation,
replacing it with a portable standalone integration in @sentry/core,
which can be extended and applied to patch any Express module import in
whatever way makes sense for the platform in question.

Currently in node, that is still an OpenTelemetry intstrumentation, but
just handling the automatic module load instrumentation, not the entire
tracing integration.

This is somewhat a proof of concept, to see what it takes to port a
fairly invovled OTel integration into a state where it can support all
of the platforms that we care about, but it does impose a bit less of a
translation layer between OTel and Sentry semantics (for example, no
need to use the no-op span.recordException()).

User-visible changes (beyond the added export in @sentry/core):

• Express router spans have an origin of auto.http.express rather than
  auto.http.otel.express, since it's no longer technically an otel
  integration.
• The empty measurements: {} object is no longer attached to span
  data, as that was an artifact of otel's span.recordError, which is a
  no-op anyway, and no longer executed.

Obviously this is not a full clean-room reimplementation, and relies on
the fact that the opentelemetry-js-contrib project is Apache 2.0
licensed. I included the link to the upstream license in the index file
for the Express integration, but there may be a more appropriate way to
ensure that the license is respected properly. It was arguably a
derivative work already, but simple redistribution is somewhat different
than re-implementation with subtly different context.

This reduces the node overhead and makes the Express instrumentation
portable to other SDKs, but it of course increases the bundle size of
@sentry/core considerably. It would be a good idea to explore
splitting out integrations from core, so that they're bundled and
analyzed separately, rather than shipping to all SDKs that extend core.

Closes #19929 (added automatically)

[github-actions]

Semver Impact of This PR

🟡 Minor (new features)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

Deps

• Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
• Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887

Other

• (core, node) Portable Express integration by isaacs in #19928

• (elysia) Elysia SDK by logaretm in #19509

Bug Fixes 🐛

Cloudflare

• Send correct events in local development by JPeer264 in #19900
• Forward ctx argument to Workflow.do user callback by Lms24 in #19891

Core

• Preserve .withResponse() on Anthropic instrumentation by nicohrubec in #19935
• Truncate content array format in Vercel by nicohrubec in #19911
• Send internal_error as span status for Vercel error spans by nicohrubec in #19921
• Do not overwrite user provided conversation id in Vercel by nicohrubec in #19903
• Return same value from startSpan as callback returns by s1gr1d in #19300

Deps

• Update lockfile to resolve [email protected] by chargome in #19933
• Bump fast-xml-parser to 5.5.8 in @azure/core-xml chain by chargome in #19918
• Bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps by chargome in #19917
• Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880

Other

• (craft) Add missing mainDocsUrl for @sentry/effect SDK by bc-sentry in #19860
• (nestjs) Add node to nest metadata by chargome in #19875
• (serverless) Add node to metadata by nicohrubec in #19878

Internal Changes 🔧

Deps Dev

• Bump effect from 3.19.19 to 3.20.0 by dependabot in #19926
• Bump qunit-dom from 3.2.1 to 3.5.0 by dependabot in #19546
• Bump @react-router/node from 7.13.0 to 7.13.1 by dependabot in #19544

Nuxt

• Extract core logic for storage/database to prepare for Nuxt v5 by s1gr1d in #19920
• Extract handler patching to extra plugin for Nitro v2/v3 by s1gr1d in #19915

Other

• (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
• (ci) Fix "Gatbsy" typo in issue package label workflow by chargome in #19905
• (claude) Enable Claude Code Intelligence (LSP) by s1gr1d in #19930
• (cloudflare) Enable multi-worker tests for CF integration tests by JPeer264 in #19938
• (lint) Resolve oxlint warnings by isaacs in #19893
• (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824
• (remix) Replace glob with native recursive fs walk by roli-lpci in #19531
• (sveltekit) Replace recast + @babel/parser with acorn by roli-lpci in #19533
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19925
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19909

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.69 kB	+0.2%	+49 B 🔺
@sentry/browser - with treeshaking flags	24.17 kB	+0.14%	+33 B 🔺
@sentry/browser (incl. Tracing)	42.67 kB	+0.13%	+54 B 🔺
@sentry/browser (incl. Tracing, Profiling)	47.33 kB	+0.12%	+55 B 🔺
@sentry/browser (incl. Tracing, Replay)	81.48 kB	+0.08%	+57 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.06 kB	+0.1%	+69 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas)	86.17 kB	+0.06%	+50 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback)	98.41 kB	+0.04%	+36 B 🔺
@sentry/browser (incl. Feedback)	42.48 kB	+0.08%	+30 B 🔺
@sentry/browser (incl. sendFeedback)	30.35 kB	+0.15%	+43 B 🔺
@sentry/browser (incl. FeedbackAsync)	35.4 kB	+0.12%	+39 B 🔺
@sentry/browser (incl. Metrics)	26.96 kB	+0.15%	+38 B 🔺
@sentry/browser (incl. Logs)	27.1 kB	+0.12%	+32 B 🔺
@sentry/browser (incl. Metrics & Logs)	27.78 kB	+0.15%	+39 B 🔺
@sentry/react	27.45 kB	+0.22%	+58 B 🔺
@sentry/react (incl. Tracing)	45.01 kB	+0.14%	+60 B 🔺
@sentry/vue	30.13 kB	+0.16%	+46 B 🔺
@sentry/vue (incl. Tracing)	44.52 kB	+0.09%	+39 B 🔺
@sentry/svelte	25.7 kB	+0.16%	+40 B 🔺
CDN Bundle	28.35 kB	+0.27%	+75 B 🔺
CDN Bundle (incl. Tracing)	43.57 kB	+0.15%	+62 B 🔺
CDN Bundle (incl. Logs, Metrics)	29.22 kB	+0.27%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics)	44.43 kB	+0.17%	+75 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics)	68.29 kB	+0.13%	+85 B 🔺
CDN Bundle (incl. Tracing, Replay)	80.41 kB	+0.1%	+73 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	81.31 kB	+0.1%	+76 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback)	85.97 kB	+0.12%	+103 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.86 kB	+0.1%	+86 B 🔺
CDN Bundle - uncompressed	82.7 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing) - uncompressed	128.62 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.57 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	131.49 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	209.22 kB	+0.05%	+102 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed	245.5 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	248.35 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	258.41 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	261.26 kB	+0.04%	+89 B 🔺
@sentry/nextjs (client)	47.4 kB	+0.08%	+37 B 🔺
@sentry/sveltekit (client)	43.12 kB	+0.12%	+51 B 🔺
@sentry/node-core	56.43 kB	+0.15%	+81 B 🔺
@sentry/node	170.51 kB	-1.54%	-2.65 kB 🔽
@sentry/node - without tracing	96.47 kB	+0.13%	+122 B 🔺
@sentry/aws-serverless	113.56 kB	+0.2%	+217 B 🔺

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	9,444	-	9,359	+1%
GET With Sentry	1,719	18%	1,696	+1%
GET With Sentry (error only)	6,035	64%	6,065	-0%
POST Baseline	1,176	-	1,192	-1%
POST With Sentry	577	49%	567	+2%
POST With Sentry (error only)	1,035	88%	1,017	+2%
MYSQL Baseline	3,182	-	3,183	-0%
MYSQL With Sentry	437	14%	418	+5%
MYSQL With Sentry (error only)	2,601	82%	2,558	+2%

View base workflow run

[cursor]

Express integration adds to @sentry/core bundle size

Low Severity

Exporting the Express integration (~700 lines across five new files) from @sentry/core increases the core package size that ships to all platforms, including browsers where Express is never used. While tree-shaking can eliminate unused exports, not all bundler configurations guarantee it. The PR author acknowledges this and suggests exploring splitting integrations out of core. Flagged because this was mentioned in the rules file.

 

^{Triggered by project rule: PR Review Guidelines for Cursor Bot}

[Lms24]

Fwiw, I don't think bundle size is directly a concern here, as long as this instrumentation isn't actually used in browser code. We should assume tree shaking being the standard these days for browser builds and more generally also for platforms where size is an issue (AWS/vercel, Cloudflare). We use tree shaking extensively when we build our own CDN bundles and everyone using relatively modern versions of Webpack, Turbopack, Rollup/-down, Vite, etc benefits from good tree shaking default configurations.

We haven't heard recent complaints about bundle size increases coming directly from adding exports to @sentry/code. The complaints usually relate to already tree-shaken browser code (which is fair but there's relatively little we can do without and maybe a bit more with breaking changes).

There are other reasons though for a better separation, such as import resolving, module parsing and build time performance (see #19885 as an example). So I think long-term, better separating exports from core sounds reasonable but I wonder if we can achieve this via subpath exports rather than separate packages.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Patched layer.handle becomes non-writable unintentionally
  • Added writable: true to the Object.defineProperty descriptor so patched layer.handle preserves Express's original writability for direct reassignment.

Or push these changes by commenting:

@cursor push 6524f61f18

Preview (6524f61f18)

diff --git a/packages/core/src/integrations/express/patch-layer.ts b/packages/core/src/integrations/express/patch-layer.ts
--- a/packages/core/src/integrations/express/patch-layer.ts
+++ b/packages/core/src/integrations/express/patch-layer.ts
@@ -46,6 +46,7 @@
   Object.defineProperty(layer, 'handle', {
     enumerable: true,
     configurable: true,
+    writable: true,
     value: function layerHandlePatched(
       this: ExpressLayer,
       req: ExpressRequest,

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[cursor]

Patched layer.handle becomes non-writable unintentionally

Medium Severity

The Object.defineProperty call sets value but omits writable, which defaults to false. Express originally creates layer.handle as a writable property (this.handle = fn). After patching, direct assignment like layer.handle = otherFn silently fails in sloppy mode or throws a TypeError in strict mode. This could break other instrumentation tools (e.g., shimmer/wrap) that use direct assignment to wrap layer.handle. Adding writable: true to the descriptor would preserve the original property characteristics.