fix(node): Avoid duplicated sentry-trace and baggage headers on fetch requests

[Lms24]

This PR fixes a bunch of issues within our node fetch integration for tracing header edge cases.

• mergeBaggageHeaders would mix up sentry- entries from both headers creating completely inconsistent baggage entries. We must not mix up entries as otherwise the propagated DSC values would be inconsistent. This would interfere with dynamic sampling.
• addTracePropagationHeadersToFetchRequest would correctly avoid setting a sentry-trace header if a previous one existed but happily still add new baggage and optionally traceparent headers. Again causing inconsistent data between sentry-trace and the other two values (e.g. distinct trace ids across the headers in one request). I'd argue that as soon as a sentry-trace header is found, we should no longer add any new headers.
• manually adding baggage headers with sentry- entries would cause multiple baggage headers to be present. This was due to insufficient deduplication in our own header adding logic. What makes this much worse though is that we cannot stop OTel's UndiciInstrumentation from injecting headers.

Open issue: If users manually add a baggage header, we have to deal with 3 competing entries:

1. user-added
2. OTel Undici-added
3. Sentry-added (in our own fetch instrumentation)

Right now, this PR correctly dedupes BUT prefers 2 over 1 and 3. There's a case to be made that 1 should be preferred. Also according to a comment in the code, 3 should be preferred over 2. Still need to fix that. Therefore setting this to draft.

closes #19158

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

Deps

• Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
• Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887

Bug Fixes 🐛

Cloudflare

• Send correct events in local development by JPeer264 in #19900
• Forward ctx argument to Workflow.do user callback by Lms24 in #19891

Core

• Preserve .withResponse() on Anthropic instrumentation by nicohrubec in #19935
• Truncate content array format in Vercel by nicohrubec in #19911
• Send internal_error as span status for Vercel error spans by nicohrubec in #19921
• Do not overwrite user provided conversation id in Vercel by nicohrubec in #19903
• Return same value from startSpan as callback returns by s1gr1d in #19300

Deps

• Update lockfile to resolve [email protected] by chargome in #19933
• Bump fast-xml-parser to 5.5.8 in @azure/core-xml chain by chargome in #19918
• Bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps by chargome in #19917
• Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880

Other

• (craft) Add missing mainDocsUrl for @sentry/effect SDK by bc-sentry in #19860
• (nestjs) Add node to nest metadata by chargome in #19875

• (node) Avoid duplicated sentry-trace and baggage headers on fetch requests by Lms24 in #19960

• (serverless) Add node to metadata by nicohrubec in #19878

Internal Changes 🔧

Deps Dev

• Bump effect from 3.19.19 to 3.20.0 by dependabot in #19926
• Bump qunit-dom from 3.2.1 to 3.5.0 by dependabot in #19546
• Bump @react-router/node from 7.13.0 to 7.13.1 by dependabot in #19544

Nuxt

• Extract core logic for storage/database to prepare for Nuxt v5 by s1gr1d in #19920
• Extract handler patching to extra plugin for Nitro v2/v3 by s1gr1d in #19915

Other

• (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
• (ci) Fix "Gatbsy" typo in issue package label workflow by chargome in #19905
• (claude) Enable Claude Code Intelligence (LSP) by s1gr1d in #19930
• (lint) Resolve oxlint warnings by isaacs in #19893
• (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824
• (remix) Replace glob with native recursive fs walk by roli-lpci in #19531
• (sveltekit) Replace recast + @babel/parser with acorn by roli-lpci in #19533
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19925
• Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19909

---

_{🤖 This preview updates automatically when you update the PR.}

[sentry]

Bug: The mergeBaggageHeaders function is called with arguments in the wrong order, causing user-defined non-Sentry baggage values to be overwritten by automatically-appended OTel baggage.
_{Severity: HIGH}

Suggested Fix

Swap the arguments in the mergeBaggageHeaders call within _deduplicateArrayHeader. The initial, user-set header (headers[firstIndex + 1]) should be the first argument, and the later, OTel-appended header (headers[i + 1]) should be the second. This will ensure that the user's non-Sentry baggage values are preserved.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: packages/node-core/src/utils/outgoingFetchRequest.ts#L154

Potential issue: In `_deduplicateArrayHeader`, the call to `mergeBaggageHeaders`
incorrectly prioritizes non-Sentry values from later baggage headers. The function is
called with the OTel-appended header as the first argument (`existing`) and the
user-defined header as the second (`new`). The merging logic only adds non-Sentry keys
from the `new` header if they don't already exist in the `existing` one. This causes
user-defined non-Sentry baggage values to be silently overwritten by values from the
automatically-appended OTel header, which contradicts the intended behavior of
preserving all user-set values.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[github-actions]

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path	Size	% Change	Change
@sentry/browser	25.69 kB	+0.2%	+49 B 🔺
@sentry/browser - with treeshaking flags	24.17 kB	+0.14%	+33 B 🔺
@sentry/browser (incl. Tracing)	42.67 kB	+0.13%	+54 B 🔺
@sentry/browser (incl. Tracing, Profiling)	47.33 kB	+0.12%	+55 B 🔺
@sentry/browser (incl. Tracing, Replay)	81.48 kB	+0.08%	+57 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.06 kB	+0.1%	+69 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas)	86.17 kB	+0.06%	+50 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback)	98.41 kB	+0.04%	+36 B 🔺
@sentry/browser (incl. Feedback)	42.48 kB	+0.08%	+30 B 🔺
@sentry/browser (incl. sendFeedback)	30.35 kB	+0.15%	+43 B 🔺
@sentry/browser (incl. FeedbackAsync)	35.4 kB	+0.12%	+39 B 🔺
@sentry/browser (incl. Metrics)	26.96 kB	+0.15%	+38 B 🔺
@sentry/browser (incl. Logs)	27.1 kB	+0.12%	+32 B 🔺
@sentry/browser (incl. Metrics & Logs)	27.78 kB	+0.15%	+39 B 🔺
@sentry/react	27.45 kB	+0.22%	+58 B 🔺
@sentry/react (incl. Tracing)	45.01 kB	+0.14%	+60 B 🔺
@sentry/vue	30.13 kB	+0.16%	+46 B 🔺
@sentry/vue (incl. Tracing)	44.52 kB	+0.09%	+39 B 🔺
@sentry/svelte	25.7 kB	+0.16%	+40 B 🔺
CDN Bundle	28.35 kB	+0.27%	+75 B 🔺
CDN Bundle (incl. Tracing)	43.57 kB	+0.15%	+62 B 🔺
CDN Bundle (incl. Logs, Metrics)	29.22 kB	+0.27%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics)	44.43 kB	+0.17%	+75 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics)	68.29 kB	+0.13%	+85 B 🔺
CDN Bundle (incl. Tracing, Replay)	80.41 kB	+0.1%	+73 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	81.31 kB	+0.1%	+76 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback)	85.97 kB	+0.12%	+103 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.86 kB	+0.1%	+86 B 🔺
CDN Bundle - uncompressed	82.7 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing) - uncompressed	128.62 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.57 kB	+0.1%	+77 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	131.49 kB	+0.05%	+64 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	209.22 kB	+0.05%	+102 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed	245.5 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	248.35 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	258.41 kB	+0.04%	+89 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	261.26 kB	+0.04%	+89 B 🔺
@sentry/nextjs (client)	47.4 kB	+0.08%	+37 B 🔺
@sentry/sveltekit (client)	43.12 kB	+0.12%	+51 B 🔺
@sentry/node-core	56.65 kB	+0.54%	+301 B 🔺
@sentry/node	173.76 kB	+0.35%	+600 B 🔺
@sentry/node - without tracing	96.66 kB	+0.33%	+317 B 🔺
@sentry/aws-serverless	113.67 kB	+0.3%	+337 B 🔺

View base workflow run

[github-actions]

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	8,926	-	8,837	+1%
GET With Sentry	1,608	18%	1,581	+2%
GET With Sentry (error only)	5,842	65%	5,836	+0%
POST Baseline	1,165	-	1,170	-0%
POST With Sentry	564	48%	561	+1%
POST With Sentry (error only)	1,026	88%	1,019	+1%
MYSQL Baseline	3,194	-	3,195	-0%
MYSQL With Sentry	386	12%	406	-5%
MYSQL With Sentry (error only)	2,559	80%	2,586	-1%

View base workflow run