Problem
magic-string is installed in 3 different versions when using @sentry/sveltekit, because different Sentry packages pin different exact versions instead of using semver ranges:
| Package | Repo | Declared version | Resolved |
| --- | --- | --- | --- |
| @sentry/svelte | sentry-javascript | "^0.30.0" | 0.30.21 ✅ (dedupes fine) |
| @sentry/sveltekit | sentry-javascript | "0.30.7" | 0.30.7 ❌ (exact pin) |
| @sentry/bundler-plugin-core | sentry-javascript-bundler-plugins | "0.30.8" | 0.30.8 ❌ (exact pin) |
Since @sentry/sveltekit depends on both @sentry/svelte and @sentry/bundler-plugin-core (via @sentry/vite-plugin → @sentry/rollup-plugin), consumers always end up with 3 copies of magic-string that cannot be deduplicated by any package manager (pnpm dedupe, npm dedupe, yarn dedupe).
Reproduction
mkdir repro && cd repro
npm init -y
npm install @sentry/sveltekit@10.40.0
npm ls magic-string
Output shows 3 separate versions resolved.
With pnpm:
pnpm why magic-string
# Shows:
# magic-string@0.30.7 <- @sentry/sveltekit (exact pin)
# magic-string@0.30.8 <- @sentry/bundler-plugin-core (exact pin)
# magic-string@0.30.21 <- @sentry/svelte, svelte, @sveltejs/kit (^0.30.0 range)
Expected behavior
All Sentry packages should use a semver range (e.g. "^0.30.7") for magic-string, so package managers can deduplicate to a single version.
Suggested fix
1-line change per package:
- packages/sveltekit/package.json: change "magic-string": "0.30.7" → "magic-string": "^0.30.7"
- In sentry-javascript-bundler-plugins repo, packages/bundler-plugin-core/package.json: change "magic-string": "0.30.8" → "magic-string": "^0.30.8"
@sentry/svelte already uses "^0.30.0" — this is the correct pattern.
Context
Related to #19447 (Replace SDK package dependencies) which plans to reduce dependencies overall. However, this fix is a trivial semver range change that can ship immediately without waiting for the larger refactoring effort.
Package + Version
@sentry/sveltekit 10.40.0
@sentry/bundler-plugin-core 5.1.0 (via @sentry/vite-plugin)
Environment
- pnpm 10.x (also affects npm and yarn)
- SvelteKit 2.x / Svelte 5.x
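An added example (not code from the issue or from any Sentry repository) that models why the exact pins above block deduplication and what the proposed ranges change. It assumes a simplified resolver in which each dependent receives the highest available version its declaration allows, supports only exact versions and caret ranges, and uses a constructed list of available versions limited to the three named in the issue.

```javascript
// Simplified model: exact versions ("0.30.7") and caret ranges ("^0.30.7") only.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics: the left-most non-zero component must not change.
function satisfies(version, range) {
  if (!range.startsWith("^")) return compare(version, range) === 0; // exact pin
  const base = range.slice(1);
  const [maj, min, pat] = parse(base);
  const [vMaj, vMin, vPat] = parse(version);
  if (compare(version, base) < 0) return false;
  if (maj > 0) return vMaj === maj;
  if (min > 0) return vMaj === 0 && vMin === min;
  return vMaj === 0 && vMin === 0 && vPat === pat;
}

// Each dependent gets the highest available version its declaration allows;
// identical picks collapse into a single installed copy.
function installedCopies(declared, available) {
  const sorted = [...available].sort(compare);
  const picks = new Set();
  for (const [pkg, range] of Object.entries(declared)) {
    const match = sorted.filter((v) => satisfies(v, range)).pop();
    if (!match) throw new Error(`no version satisfies ${range} for ${pkg}`);
    picks.add(match);
  }
  return [...picks].sort(compare);
}

// Constructed sample: only the three versions named in the issue.
const AVAILABLE = ["0.30.7", "0.30.8", "0.30.21"];
// Declarations as reported in the issue, then with the suggested fix applied.
const DECLARED_NOW = { "@sentry/svelte": "^0.30.0", "@sentry/sveltekit": "0.30.7", "@sentry/bundler-plugin-core": "0.30.8" };
const DECLARED_FIXED = { ...DECLARED_NOW, "@sentry/sveltekit": "^0.30.7", "@sentry/bundler-plugin-core": "^0.30.8" };

console.log("current: ", installedCopies(DECLARED_NOW, AVAILABLE));
console.log("proposed:", installedCopies(DECLARED_FIXED, AVAILABLE));
```

The same check can run in CI against a project's real declarations to flag exact pins that force extra copies of a transitive dependency into the install tree.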