New Features ✨

• Added a dynamic header for dragbar by @MathurAditya724 in #1223
• Better error message display by @MathurAditya724 in #1222

Bug Fixes 🐛

Ui

• Add validation guards to WebVitalsDetail to prevent crashes by @BYK in #1243
• Handle null/undefined span.description safely by @BYK in #1239

Other

• (sentry) Upload and use source maps for all build targets by @BYK in #1241
• Improve EADDRINUSE error handling and UX by @BYK in #1240
• Updated react-router-dom version to latest by @MathurAditya724 in #1245
• Add error handling for base64 decode operations by @BYK in #1237
• Silence non-fixable Sentry errors by @BYK in #1242
• Add null safety to WebVitals comparators by @BYK in #1238
• Add null check for itemHeader in processEnvelope by @BYK in #1233
• Shiki theme in light mode by @MathurAditya724 in #1230

Documentation 📚

Website

• Add feedback note for Spotlight SDK in documentation by @MathurAditya724 in #1228
• Add NextJS guide by @betegon in #1129

Other

• Add section for the spotlight sdk by @MathurAditya724 in #1227

Build / dependencies / internal 🔧

Craft

• Fix Craft traget ids by @BYK in #1248
• Bump craft version to fix releases by @BYK in #1246

Release

• Add npm pack step for Craft npm publishing by @BYK in #1250
• Merge artifacts for Craft release discovery by @BYK in #1249
• Add pnpm and Node.js setup to release workflow by @BYK in #1247
• Migrate to Craft by @betegon in #1232

Other

• (deps) Bump @modelcontextprotocol/sdk from 1.24.3 to 1.25.2 by @dependabot in #1234
• Add workflow to notify issues on release by @betegon in #1236
• Using the param instead of calling a function by @MathurAditya724 in #1224

Other

• Node 24.x support by @BYK in #1235
• Vite windows deny bypass by @BYK in #1229
• Qs security vulnerability fix by @BYK in #1226
• Dependency security updates by @BYK in #1225
• Event origin badges ui by @BYK in #1221

Minor Changes

• Add support for continuous profiling (Profiling V2) (#1202)

• Add self-documenting CLI commands with per-command help support (#1206)

  Each CLI command now provides its own metadata (short description, usage, detailed help, and examples). The main help output is generated dynamically from this metadata, and users can get detailed help for specific commands via spotlight help <command> or spotlight <command> --help.

Patch Changes

• Remove dead code (#1214)

• Fix profile visualization issues in trace views: (#1203)

  • Update frame colors to use vibrant, high-contrast colors for better visibility
  • Add custom nanovis palette for Spotlight's dark theme
  • Fix sunburst center text showing bytes instead of sample counts
  • Fix treemap visibility with proper color contrast

• added support for AI SDK v2 in AI Mode (#1216)

• updated the empty pages of traces and envelopes (#1213)

• open external links in default browser (#1212)

Minor Changes

• Add --open / -o CLI flag to automatically open the Spotlight dashboard in your default browser when starting the sidecar (#1200)

Patch Changes

• Fixed flamechart tree building to iterate from root to leaf frames, resolving fragmented visualization (#1201)

• shifted electron dependencies to dev dependencies as there were getting installed with npx for spotlight run (#1184)

Patch Changes

• Fix ANSI escape code rendering in log viewer. Logs containing ANSI escape sequences (colors, bold, italic, etc.) are now properly styled in the UI instead of showing raw escape characters. (#1187)

Patch Changes

• Report github-ci environment to Sentry when running in GitHub Actions CI (#1178)

• Fix npx @spotlightjs/spotlight fail (#1181)

Minor Changes

• Add --allowed-origin / -A CLI option and allowedOrigins API option for configuring additional CORS origins. Supports both full origins (e.g., https://ngrok.io:443) for strict matching and plain domains (e.g., myapp.local) for permissive matching. Fixes #1171. (#1176)

Patch Changes

• Restore draggable electron app and recover semaphore buttons (#1173)

• Allow any DNS pointing to localhost in CORS (#1175)

Minor Changes

• Added spotlight sdk for helping others to build on top of it (#1140)

• Support COMPOSE_FILE environment variable for Docker Compose projects (#1131)

• Prompt user to choose between docker compose and package.json when both are present (#1120)

Patch Changes

• Refactor docker compose support (#1121)

• disable sentry in development mode (#1143)

• Security: Restrict CORS origins for Sidecar to prevent unauthorized access (#1138)

  The Sidecar now only accepts requests from trusted origins:

  • localhost with any port or protocol (http/https)
  • https://spotlightjs.com and https://*.spotlightjs.com (HTTPS only, default port)

  ⚠️ Potentially Breaking: If you were accessing the Sidecar from other origins (e.g., custom domains, non-HTTPS spotlightjs.com), those connections will now be rejected. This change improves security by preventing malicious websites from connecting to your local Sidecar instance.

• Fix file capture error handling to log errors instead of crashing when SPOTLIGHT_CAPTURE is enabled (#1142)

• Remove console logging integration from Sentry setup (#1146)

Patch Changes

• Fix SDK categorization for Next.js by using User-Agent headers to distinguish browser from server events (#1110)

• Updated dependencies [0942c8a, bce012e, 7624030, 15a7f41, 13da542, b3a654a]:

  • @spotlightjs/[email protected]
  • @spotlightjs/[email protected]

Minor Changes

• Docker compose support for Spotlight run command (#1108)

• Added support for Last-Event-Id in SSE stream (#1104)

• Change tool names: change . for _ and remove spotlight preffix (#1114)

• Improved human formatter readability (#1112)

Patch Changes

• Fix breaking error when event type is not supported (#1111)

• Fix SDK categorization for Next.js by using User-Agent headers to distinguish browser from server events (#1110)

Patch Changes

• Updated dependencies [0942c8a, bce012e, 7624030, 15a7f41, 13da542, b3a654a]:
  • @spotlightjs/[email protected]
  • @spotlightjs/[email protected]