magic-string pinned to exact versions across packages, preventing deduplication #19510

@shimscho

Problem

magic-string is installed in 3 different versions when using @sentry/sveltekit, because different Sentry packages pin different exact versions instead of using semver ranges:

| Package | Repo | Declared version | Resolved |
| --- | --- | --- | --- |
| @sentry/svelte | sentry-javascript | "^0.30.0" | 0.30.21 ✅ (dedupes fine) |
| @sentry/sveltekit | sentry-javascript | "0.30.7" | 0.30.7 ❌ (exact pin) |
| @sentry/bundler-plugin-core | sentry-javascript-bundler-plugins | "0.30.8" | 0.30.8 ❌ (exact pin) |

Since @sentry/sveltekit depends on both @sentry/svelte and @sentry/bundler-plugin-core (via @sentry/vite-plugin → @sentry/rollup-plugin), consumers always end up with 3 copies of magic-string that cannot be deduplicated by any package manager (pnpm dedupe, npm dedupe, yarn dedupe).

Reproduction

mkdir repro && cd repro
npm init -y
npm install @sentry/sveltekit@10.40.0
npm ls magic-string

Output shows 3 separate versions resolved.

With pnpm:

pnpm why magic-string
# Shows:
# magic-string@0.30.7  <- @sentry/sveltekit (exact pin)
# magic-string@0.30.8  <- @sentry/bundler-plugin-core (exact pin)
# magic-string@0.30.21 <- @sentry/svelte, svelte, @sveltejs/kit (^0.30.0 range)

Expected behavior

All Sentry packages should use a semver range (e.g. "^0.30.7") for magic-string, so package managers can deduplicate to a single version.

Suggested fix

1-line change per package:

  • packages/sveltekit/package.json: change "magic-string": "0.30.7" → "magic-string": "^0.30.7"
  • In sentry-javascript-bundler-plugins repo, packages/bundler-plugin-core/package.json: change "magic-string": "0.30.8" → "magic-string": "^0.30.8"

@sentry/svelte already uses "^0.30.0" — this is the correct pattern.

Context

Related to #19447 (Replace SDK package dependencies) which plans to reduce dependencies overall. However, this fix is a trivial semver range change that can ship immediately without waiting for the larger refactoring effort.

Package + Version

  • @sentry/sveltekit 10.40.0
  • @sentry/bundler-plugin-core 5.1.0 (via @sentry/vite-plugin)

Environment

  • pnpm 10.x (also affects npm and yarn)
  • SvelteKit 2.x / Svelte 5.x
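
An added example, not part of the original issue or of Sentry's code: a simplified model of a fresh install in which each declared range resolves to the highest matching version, using only the three magic-string versions named in the issue. The helper names are hypothetical, and the matcher covers only exact pins and caret ranges on plain x.y.z versions.

```javascript
// Simplified range matching: exact pins ("0.30.7") and caret ranges ("^0.30.7").
const parse = (v) => v.split(".").map(Number);

function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

function satisfies(version, range) {
  if (!range.startsWith("^")) return cmp(version, range) === 0; // exact pin
  const base = range.slice(1);
  const [maj, min, pat] = parse(base);
  // Caret permits changes to the right of the left-most non-zero component,
  // so on a 0.x package "^0.30.7" means >=0.30.7 <0.31.0.
  const upper = maj > 0 ? `${maj + 1}.0.0`
              : min > 0 ? `0.${min + 1}.0`
              : `0.0.${pat + 1}`;
  return cmp(version, base) >= 0 && cmp(version, upper) < 0;
}

// Assumption: each dependent gets the highest available version in its range.
function resolve(declared, available) {
  const result = {};
  for (const [pkg, range] of Object.entries(declared)) {
    const matches = available.filter((v) => satisfies(v, range)).sort(cmp);
    result[pkg] = matches.length ? matches[matches.length - 1] : null;
  }
  return result;
}

// Number of distinct copies that end up installed.
const copies = (resolved) => new Set(Object.values(resolved)).size;

// Only the versions named in the issue, not the full registry list.
const available = ["0.30.7", "0.30.8", "0.30.21"];
const current = {
  "@sentry/svelte": "^0.30.0",
  "@sentry/sveltekit": "0.30.7",
  "@sentry/bundler-plugin-core": "0.30.8",
};
const proposed = {
  ...current,
  "@sentry/sveltekit": "^0.30.7",
  "@sentry/bundler-plugin-core": "^0.30.8",
};

console.log(copies(resolve(current, available)), copies(resolve(proposed, available)));
```

Each extra resolved copy is a separate lockfile entry to audit and patch, so the same check is useful in CI for flagging exact pins on shared transitive dependencies.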
