sentry-cli

v3.4.3 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 5 known CVEs

Topics

cli crash-reporting rust sentry sentry-cli tag-production
team-web-backend

Affected surfaces

rce_ssrf deps breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 13d

sentry-cli 3.4.3 disables Xcode Info.plist preprocessing by default for several commands and adds multiple security hardenings, while also improving snapshot upload performance.

Why it matters: Patch to 3.4.3 immediately if you use sentry‑cli releases, send‑event, bash‑hook, or react‑native xcode; the change blocks compiler‑setting injection via Info.plist and introduces stricter security defaults.

Summary

AI summary

Updates Security Fixes, Performance, and snapshots across a mixed release.

Changes in this release

Security Medium

Ensures restrictive file permissions are maintained when login updates config files.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Disables TLS verification only when http.verify_ssl is explicitly set to false.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Shell-escapes all bash-hook arguments to prevent injection attacks.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Stops sending environment variables in bash-hook events.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Verifies downloaded binary checksum before update execution.

Source: llm_adapter@2026-05-21

Confidence: low

Breaking High

Disables Xcode Info.plist preprocessing by default for certain sentry-cli commands.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Breaking Medium

Disables Xcode Info.plist preprocessing by default to prevent compiler settings injection.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Skips uploading an image if it already exists in objectstore, using batch HEAD checks.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Rejects snapshot uploads with PR number but missing base SHA.

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

Security Fixes

  • Behavior-breaking: Disable Xcode Info.plist preprocessing by default to avoid passing project-controlled compiler settings to cc during release auto-discovery. This affects sentry-cli releases propose-version, sentry-cli send-event and sentry-cli bash-hook --send-event release inference, and sentry-cli react-native xcode auto-release detection. Use --allow-xcode-infoplist-preprocessing only for trusted projects that require preprocessing.
  • Ensure restrictive file permissions are maintained when sentry-cli login updates existing config files.
  • Disable TLS verification only when http.verify_ssl is set to false, case-insensitively.
  • Shell-escape generated bash-hook arguments, including paths, tags, release names, and the CLI path.
  • Stop sending environment variables in sentry-cli bash-hook events.
  • Verify the downloaded binary checksum before replacing the current executable in sentry-cli update.
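
The shell-escaping item in the list above, as an added example (not sentry-cli's own code): a generator that pastes values into shell source, shown with and without single-quote escaping, plus a round trip through `sh` to see the words the shell actually parses. The names `shell_quote`, `render_hook`, `words_seen_by_sh`, the `report` subcommand and its flags are hypothetical, and the sample values are constructed.

```rust
// Added illustration, not sentry-cli source. `shell_quote`, `render_hook`,
// the `report` subcommand and its flags are hypothetical names.
use std::process::Command;

/// Quote `s` so a POSIX shell reads it back as exactly one literal word.
/// Inside single quotes only `'` is special: close, emit `\'`, reopen.
fn shell_quote(s: &str) -> String {
    format!("'{}'", s.replace('\'', "'\\''"))
}

/// Render one generated hook line. With `quote` false this is the unsafe
/// shape: values are pasted into shell source as-is.
fn render_hook(cli: &str, release: &str, tags: &[(&str, &str)], quote: bool) -> String {
    let q = |s: &str| if quote { shell_quote(s) } else { s.to_string() };
    let mut line = format!("{} report --release {}", q(cli), q(release));
    for (k, v) in tags {
        line.push_str(&format!(" --tag {}", q(&format!("{k}:{v}"))));
    }
    line
}

/// Have `sh` parse `line` as the arguments of `set --` and return what it
/// printed, one word per output line (sample values contain no newlines).
fn words_seen_by_sh(line: &str) -> Vec<String> {
    let script = format!("set -- {line}\nprintf '%s\\n' \"$@\"");
    let out = Command::new("sh").arg("-c").arg(script).output().expect("sh not found");
    String::from_utf8_lossy(&out.stdout).lines().map(str::to_owned).collect()
}

fn main() {
    // Constructed sample values containing shell metacharacters.
    let (cli, release) = ("/opt/my tools/cli", "1.0; echo injected");
    let tags = [("branch", "$(echo injected)")];
    for quote in [false, true] {
        let line = render_hook(cli, release, &tags, quote);
        println!("quote={quote}: {line}\n  sh saw: {:?}", words_seen_by_sh(&line));
    }
}
```

With quoting on, the shell sees the CLI path, release and tag each as a single literal word; with quoting off, the same values are split on spaces and the `;` and `$(...)` parts are interpreted by the shell.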

Performance

  • (snapshots) Skip uploading images that already exist in objectstore by batch-checking with HEAD requests first (#3305)

Fixes

  • (snapshots) Reject snapshot uploads that have a PR number but no base SHA, since comparisons cannot work without a base reference (#3300)

Breaking Changes

  • Disable Xcode `Info.plist` preprocessing by default; affects `sentry-cli releases propose-version`, `send-event`, `bash-hook --send-event`, and React Native auto-release detection. Use `--allow-xcode-infoplist-preprocessing` for trusted projects.
  • TLS verification is disabled only when `http.verify_ssl` is set to `false` case‑insensitively.

Security Fixes

  • Disable Xcode `Info.plist` preprocessing by default to avoid passing project-controlled compiler settings (behavior‑breaking).
  • Ensure restrictive file permissions when `sentry-cli login` updates config files.
  • Shell-escape generated `bash-hook` arguments including paths, tags, release names, and CLI path.
  • Stop sending environment variables in `sentry-cli bash-hook` events.
  • Verify downloaded binary checksum before replacing the current executable in `sentry-cli update`.

About sentry-cli

A command line utility to work with Sentry.

Related context

Earlier breaking changes

  • v2.58.6 Disable Xcode Info.plist preprocessing by default in release operations.
