docs(react-native): Use scoped npx call for expo sourcemap upload#17391
Merged
docs(react-native): Use scoped npx call for expo sourcemap upload#17391
Conversation
Invoke sentry-expo-upload-sourcemaps through @sentry/react-native so the registry fallback cannot resolve to an unscoped package held by a third party. In-project behavior is unchanged because the local node_modules/.bin entry is still preferred. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
The `--` was defensive but not needed: the command has no dashed args to protect from npx flag parsing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cleptric
approved these changes
Apr 20, 2026
antonis
requested review from
alwx and
lucas-zimerman
and removed request for
a team
This was referenced Apr 21, 2026
Merged
antonis
added a commit
that referenced
this pull request
Apr 23, 2026
… source maps (#17415) ## DESCRIBE YOUR PR Updates the Expo source-maps upload guide to recommend the new scoped CLI package: ```bash SENTRY_AUTH_TOKEN=<token> \ npx @sentry/expo-upload-sourcemaps dist ``` This is the long-term form of the mitigation we started in #17391. That PR routed the command through `--package=@sentry/react-native` to take the unscoped registry name off the documented happy path; this PR switches to the dedicated scoped package `@sentry/expo-upload-sourcemaps`, which is shorter to type, cannot be squatted (scope-protected), and is published and owned by Sentry. An `<Alert>` block retains the previous `npx --package=@sentry/react-native sentry-expo-upload-sourcemaps dist` form for users on `@sentry/react-native` versions older than 8.9.0, where the new package is not yet available. Both forms produce identical results. ## IS YOUR CHANGE URGENT? - [x] None: Not urgent, can wait up to 1 week+ ##⚠️ Blocked on upstream This PR should only merge **after** `@sentry/expo-upload-sourcemaps` is published to npm. The first release is scheduled to ship with `@sentry/react-native` 8.9.0 via getsentry/sentry-react-native#6027. If this doc lands before the package exists on the registry, users copy-pasting the command will get `npm error 404 Not Found`. ## PRE-MERGE CHECKLIST - [ ] `@sentry/expo-upload-sourcemaps` is live on npm (verify with `npm view @sentry/expo-upload-sourcemaps version`) - [ ] The version gate in the `<Alert>` (`8.9.0`) matches the actual release version of `@sentry/react-native` that introduces the package; update if the number shifts - [ ] Checked Vercel preview for correctness, including links - [ ] PR was reviewed and approved by any necessary SMEs (subject matter experts) - [ ] PR was reviewed and approved by a member of the [Sentry docs team](https://github.com/orgs/getsentry/teams/docs) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DESCRIBE YOUR PR
Changes the documented command for uploading Expo sourcemaps from
npx sentry-expo-upload-sourcemaps disttonpx --package=@sentry/react-native -- sentry-expo-upload-sourcemaps dist.The previous form resolves an unscoped package name on npm. Inside a project that has
@sentry/react-nativeinstalled, npx uses the localnode_modules/.binentry and behaves correctly. But outside such a project (fresh shell, CI step that runs beforeinstall, copy-pasted tutorial command), npx falls through to the public registry — where the name is currently held by a third-party account (sentry-expo-upload-sourcemaps@5.24.1, published 2024-07-02). Its current payload is a benignwrapper.shthat forwards to our real binary, but it's a third-party entry point on the documented happy path.The scoped form routes through
@sentry/react-native, which is a locked npm scope — only Sentry org members can publish to it, so the registry fallback path cannot be intercepted. In-project behavior is unchanged because the local bin is still preferred.A parallel exposure exists for Remix (
sentry-upload-sourcemaps, same squatter); that doc update will be handled separately.IS YOUR CHANGE URGENT?
PRE-MERGE CHECKLIST