feat: added spotlight SDK #1140
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
BYK
reviewed
Nov 20, 2025
Member
BYK
left a comment
BYK
left a comment
There was a problem hiding this comment.
The AI reviewers' concerns seem legit
Co-authored-by: Burak Yigit Kaya <[email protected]>
BYK
approved these changes
Nov 20, 2025
packages/spotlight/src/server/sdk.ts
Outdated
Comment on lines
36
to
38
| if (options.query.sentry_client?.startsWith("sentry.javascript.browser") && options.headers.origin) { | ||
| // This is a correction we make as Sentry Browser SDK may send messages with text/plain to avoid CORS issues | ||
| contentType = "application/x-sentry-envelope"; |
Member
There was a problem hiding this comment.
We should move this check outside as it is specific to the server implementation. It has no place in the SDK API.
packages/spotlight/src/server/sdk.ts
Outdated
Comment on lines
31
to
33
| const body = options.overrideBufferDecoding | ||
| ? options.body | ||
| : decompressBody(options.body, options.headers.contentEncoding); |
Member
There was a problem hiding this comment.
Let's just not pass contentEncoding here.
packages/spotlight/src/server/sdk.ts
Outdated
| spotlightBuffer: MessageBuffer<EventContainer>; | ||
| body: Buffer; | ||
| overrideBufferDecoding?: boolean; | ||
| headers: { |
Member
There was a problem hiding this comment.
This API interface should not get server-specific stuff like headers or query. We should not pass them in the first place if possible or pass normalized/derived values to help with anything else. That said I see the value of a simpler interface so I guess it can stay this way. My ideal version would have had source field calculated before being passed to this method, but to calculate that we need both the user agent and the decoded envelope. Still, let's just use userAgent and contentType outside of headers, make userAgent optional, and keep server-specific stuff to a minimum with all of them being optional with sensible defaults.
BYK
requested changes
Nov 21, 2025
BYK
reviewed
Nov 21, 2025
BYK
approved these changes
Nov 21, 2025
betegon
added a commit
that referenced
this pull request
Dec 1, 2025
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or [setup this action to publish automatically](https://github.com/changesets/action#with-publishing). If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @spotlightjs/[email protected] ### Minor Changes - Added spotlight sdk for helping others to build on top of it ([#1140](#1140)) - Support COMPOSE_FILE environment variable for Docker Compose projects ([#1131](#1131)) - Prompt user to choose between docker compose and package.json when both are present ([#1120](#1120)) ### Patch Changes - Refactor docker compose support ([#1121](#1121)) - disable sentry in development mode ([#1143](#1143)) - **Security:** Restrict CORS origins for Sidecar to prevent unauthorized access ([#1138](#1138)) The Sidecar now only accepts requests from trusted origins: - `localhost` with any port or protocol (http/https) - `https://spotlightjs.com` and `https://*.spotlightjs.com` (HTTPS only, default port)⚠️ **Potentially Breaking:** If you were accessing the Sidecar from other origins (e.g., custom domains, non-HTTPS spotlightjs.com), those connections will now be rejected. This change improves security by preventing malicious websites from connecting to your local Sidecar instance. - Fix file capture error handling to log errors instead of crashing when SPOTLIGHT_CAPTURE is enabled ([#1142](#1142)) --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Miguel Betegón <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added new Spotlight SDK for helping others to build on top of Spotlight
Closes #1094.