This release includes 6 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
sentry-cli 2.58.6 disables Xcode `Info.plist` preprocessing by default so that project-controlled compiler settings are no longer passed to `cc` during release auto-discovery. The release also keeps credential config files under restrictive permissions when `sentry-cli login` rewrites them, disables TLS verification only when `http.verify_ssl` is explicitly set to `false`, shell-escapes generated `bash-hook` arguments, verifies the checksum of a downloaded binary before `sentry-cli update` replaces the executable, and stops transmitting environment variables in `bash-hook` events.
Why it matters: Operators using Xcode with sentry-cli must validate builds after upgrading, because release inference that depended on `Info.plist` preprocessing now requires the `--allow-xcode-infoplist-preprocessing` flag and that flag should be used only for trusted projects. Review credential file permissions, TLS verification settings, and bash-hook configuration; environment variables will no longer be transmitted with bash-hook events.
Summary
Disable Xcode `Info.plist` preprocessing by default to prevent project-controlled compiler settings from being passed to the compiler.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Ensure restrictive file permissions are maintained when `sentry-cli login` updates config. | — |
| Security | Medium | Stop sending environment variables in `sentry-cli bash-hook` events. | — |
| Security | Medium | Shell-escape `bash-hook` arguments, including paths, tags, release names and the CLI path. | — |
| Security | Medium | Verify the downloaded binary checksum before replacing the current executable in `sentry-cli update`. | — |
| Breaking | Medium | Disable Xcode `Info.plist` preprocessing by default in release operations. | — |
| Bugfix | Medium | Disable TLS verification only when `http.verify_ssl` is explicitly set to `false`. | — |
Full changelog
Security Fixes
- Behavior-breaking: Disable Xcode `Info.plist` preprocessing by default to avoid passing project-controlled compiler settings to `cc` during release auto-discovery. This affects `sentry-cli releases propose-version`, `sentry-cli send-event` and `sentry-cli bash-hook --send-event` release inference, and `sentry-cli react-native xcode` auto-release detection. Use `--allow-xcode-infoplist-preprocessing` only for trusted projects that require preprocessing.
- Ensure restrictive file permissions are maintained when `sentry-cli login` updates existing config files.
- Disable TLS verification only when `http.verify_ssl` is set to `false`, case-insensitively.
- Shell-escape generated `bash-hook` arguments, including paths, tags, release names, and the CLI path.
- Stop sending environment variables in `sentry-cli bash-hook` events.
- Verify the downloaded binary checksum before replacing the current executable in `sentry-cli update`.
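The two config-handling items in that list (restrictive permissions on a rewritten credential file, and disabling TLS verification only on an explicit, case-insensitive `false`) are easy to get subtly wrong, so here is an added illustration of both. This is example code written for this page, not sentry-cli's own implementation: the config file name `sentryclirc`, the token placeholders and the sample file contents are constructed for the demo.

```python
"""Added illustration (not sentry-cli's code): rewrite a credential config
file without loosening its permissions, and read a verify_ssl-style setting
so that only an explicit "false" turns TLS verification off."""
import os
import stat
import tempfile
from pathlib import Path

OWNER_RW = 0o600  # owner read/write only; no group or other bits


def should_verify_tls(raw_value):
    """Decide whether TLS verification stays on for a config value.

    Only the literal string "false" (any case, surrounding whitespace ignored)
    turns verification off. A missing key, an empty string, "0", "no" or a typo
    all keep verification ON, so a misread setting fails in the safe direction.
    """
    if raw_value is None:
        return True
    return raw_value.strip().lower() != "false"


def write_config_restrictive(path, contents):
    """Replace a config file with new contents, ending with mode 0600.

    A temp-file-and-rename write is atomic, but without an explicit fchmod the
    replacement file gets whatever the umask yields (0644 is common), which
    silently widens a credential file that was previously 0600. The mode is
    set before any secret bytes are written, and the temp file is created in
    the same directory so os.replace stays on one filesystem.
    Returns the resulting permission bits so callers can verify them.
    """
    path = Path(path)
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".cfg-")
    try:
        os.fchmod(fd, OWNER_RW)
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
        os.replace(tmp_name, path)
    except BaseException:
        os.unlink(tmp_name)
        raise
    return stat.S_IMODE(path.stat().st_mode)


def demo_config_update():
    """Constructed scenario: an existing config that was left world-readable
    (0644) is rewritten with a new token, as a login refresh would do.
    Returns the permission bits before and after the rewrite."""
    workdir = tempfile.mkdtemp()
    cfg = Path(workdir) / "sentryclirc"  # hypothetical file name for the demo
    cfg.write_text("[auth]\ntoken=OLD_TOKEN_PLACEHOLDER\n")
    os.chmod(cfg, 0o644)
    before = stat.S_IMODE(cfg.stat().st_mode)
    after = write_config_restrictive(cfg, "[auth]\ntoken=NEW_TOKEN_PLACEHOLDER\n")
    return before, after


if __name__ == "__main__":
    print("verify_ssl unset  ->", should_verify_tls(None))
    print("verify_ssl ' FALSE ' ->", should_verify_tls(" FALSE "))
    print("mode before/after:", [oct(m) for m in demo_config_update()])
```

The point of `should_verify_tls` is the direction of the default: anything that is not recognisably `false` leaves verification enabled. The point of `write_config_restrictive` is that atomic replacement creates a new inode, so the old file's mode does not carry over by itself and must be set explicitly on the descriptor before the secret is written.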
Breaking Changes
- Disabled Xcode `Info.plist` preprocessing by default; use `--allow-xcode-infoplist-preprocessing` for trusted projects.
Security Fixes
- Prevented project-controlled compiler settings from being passed to `cc` via Info.plist preprocessing.
- Enforced restrictive file permissions on config updates from `sentry-cli login`.
- Restricted TLS verification disablement to explicit case-insensitive `http.verify_ssl=false` configuration.
- Shell-escaped all arguments in generated `bash-hook` scripts.
- Stopped sending environment variables with `bash-hook` events.
- Verified checksum of downloaded binary before replacing executable in `sentry-cli update`.
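Two more of these fixes, shell-escaping every argument interpolated into a generated bash hook and refusing to replace an executable whose download does not match the published checksum, are shown below as an added example. This is illustrative code for this page, not sentry-cli's implementation: the hook flag names (`--release`, `--tag`, `--logfile`), the placeholder executable and the fake download bytes are assumptions constructed for the demo.

```python
"""Added illustration (not sentry-cli's code): quote every argument that goes
into a generated bash hook, and verify a download's SHA-256 before it is
allowed to replace the running executable."""
import hashlib
import hmac
import os
import shlex
import stat
import tempfile
from pathlib import Path


def render_hook_command(cli_path, release, tags, log_path):
    """Build the command line a generated bash hook would execute.

    Every value that originates outside the generator (the CLI path, release
    name, tag values, log path) passes through shlex.quote, so shell
    metacharacters in, say, a release name survive as literal text instead of
    being interpreted when the hook runs. Flag names are hypothetical.
    """
    parts = [cli_path, "send-event", "--release", release, "--logfile", log_path]
    for key, value in sorted(tags.items()):
        parts += ["--tag", f"{key}:{value}"]
    return " ".join(shlex.quote(p) for p in parts)


def hook_argv(command):
    """Split a rendered command the way a POSIX shell would, to confirm the
    quoting round-trips each argument unchanged."""
    return shlex.split(command)


def verified_replace(current_exe, downloaded_bytes, expected_sha256):
    """Overwrite current_exe with downloaded_bytes only if the SHA-256 matches.

    The digest comparison uses hmac.compare_digest, the candidate is staged
    next to the target and renamed atomically, and the existing executable's
    mode bits are carried over. Returns True when replaced, False when the
    checksum mismatches (nothing on disk is touched in that case).
    """
    actual = hashlib.sha256(downloaded_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False
    current_exe = Path(current_exe)
    mode = stat.S_IMODE(current_exe.stat().st_mode)
    fd, staged = tempfile.mkstemp(dir=current_exe.parent, prefix=".update-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(downloaded_bytes)
        os.chmod(staged, mode)
        os.replace(staged, current_exe)
    except BaseException:
        os.unlink(staged)
        raise
    return True


def demo_update(tamper):
    """Constructed scenario: a placeholder 'executable' and a fake download.
    The expected digest is computed from the genuine bytes (standing in for
    the value published alongside the release); when tamper is True the bytes
    are altered afterwards, so the update must be refused and the original
    must survive. Returns (replaced, contents_after)."""
    workdir = tempfile.mkdtemp()
    exe = Path(workdir) / "sentry-cli"  # placeholder path, not a real install
    exe.write_bytes(b"#!/bin/sh\necho old\n")
    os.chmod(exe, 0o755)
    download = b"#!/bin/sh\necho new\n"
    expected = hashlib.sha256(download).hexdigest()
    if tamper:
        download = download.replace(b"new", b"bad")
    replaced = verified_replace(exe, download, expected)
    return replaced, exe.read_bytes()


if __name__ == "__main__":
    cmd = render_hook_command("/usr/local/bin/sentry-cli", "v1.0 $(hostname)",
                              {"env": "prod"}, "/tmp/build.log")
    print(cmd)
    print(hook_argv(cmd))
    print("clean update:", demo_update(tamper=False))
    print("tampered update:", demo_update(tamper=True))
```

`shlex.quote` wraps any string containing characters outside its safe set in single quotes, which is why `v1.0 $(hostname)` reaches the hook as one literal argument; values made only of safe characters, such as `/tmp/build.log`, are emitted unquoted, so the rendered command stays readable. In `verified_replace` the checksum is checked before anything is written, so a mismatch leaves both the executable and its directory untouched.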