fix: Bugsnag network connections even with errors reporting disabled

[jeanfbrito]

Bugsnag SDK was making network requests to sessions.bugsnag.com even when error reporting was disabled, causing certificate error dialogs in air-gapped networks. This fix adds autoTrackSessions: false to the Bugsnag configuration and includes integration tests that verify no network calls occur when reporting is disabled.

Root Cause Analysis

The Problem

Users in air-gapped or restricted network environments reported certificate error dialogs appearing on application startup, even with telemetry/error reporting disabled in settings. The dialogs referenced sessions.bugsnag.com.

Whys

1. Why did certificate error dialogs appear?
   → Because the application attempted HTTPS connections to sessions.bugsnag.com

2. Why was the application connecting to sessions.bugsnag.com?
   → Because Bugsnag SDK automatically tracks sessions when Bugsnag.start() is called

3. Why was Bugsnag starting session tracking when reporting was disabled?
   → Because autoTrackSessions defaults to true in the Bugsnag SDK, it starts reporting even if never being started by the code

Root Cause

The Bugsnag SDK's default configuration (autoTrackSessions: true) initiates automatic session tracking that makes network requests regardless of the application's reporting preference state.

The Fix

Approach

Add autoTrackSessions: false to the Bugsnag configuration, then explicitly call startSession() only when the user has enabled error reporting. This gives the application full control over when session data is transmitted.

Why not just avoid calling Bugsnag.start() when disabled?
The current architecture already does this, but the fix provides defense-in-depth: even if Bugsnag.start() is called, no automatic network requests will occur without an explicit startSession() call.

Implementation

src/errors.ts:97-105 - Added autoTrackSessions: false to Bugsnag configuration:

const initBugsnag = (apiKey: string, appVersion: string, appType: AppType) =>
  Bugsnag.start({
    apiKey,
    appVersion,
    appType,
    releaseStage: process.env.NODE_ENV,
    redactedKeys: [/\/Users\/[^\/]+/],
    autoTrackSessions: false,  // ← Added
  });

The existing flow at src/errors.ts:123-126 already calls startSession() only when isReportEnabled is true:

if (isReportEnabled && !process.mas) {
  bugsnagInstance = initBugsnag(apiKey, effectiveVersion, appType);
  bugsnagInstance.startSession();
}

Files Changed

File	Change
src/errors.ts	Added autoTrackSessions: false to Bugsnag config
src/errors/main.spec.ts	New integration tests for network behavior
package.json	Added nock dev dependency for HTTP mocking

Verification

Integration Tests

Created src/errors/main.spec.ts with 6 tests that use nock to intercept real HTTP requests from the Bugsnag SDK:

Test	Verifies
isReportEnabled: false	Zero network calls
No BUGSNAG_API_KEY	Zero network calls
Enabled, immediate check	Zero calls (batched)
Enabled, after 12s interval	≥1 session call
Starts disabled	Zero calls
Toggle disabled → enabled	Session calls begin

Running Tests

# Run Bugsnag integration tests
yarn test src/errors/main.spec.ts

# Run full test suite
yarn test

Note: Tests take ~30 seconds due to Bugsnag's 10-second session batching interval.

Manual Verification

1. Build the application with reporting disabled
2. Monitor network traffic (e.g., Wireshark, Charles Proxy)
3. Verify no connections to *.bugsnag.com
4. Enable reporting in settings
5. Verify session calls now occur

References

• Bugsnag Node.js SDK docs: https://docs.bugsnag.com/platforms/javascript/configuration-options/#autotracksessions
• SUP-989

Summary by CodeRabbit

• Chores

  • Upgraded the error-tracking library to a new major version.
  • Added an HTTP-mocking library for testing.
  • Disabled automatic session tracking in the error-reporter configuration.

• Tests

  • Added integration tests validating error-reporting network behavior, timed session batching, and dynamic toggling of reporting (send/no-send scenarios).

[coderabbitai]

Walkthrough

Disables Bugsnag automatic session tracking (autoTrackSessions: false), bumps @bugsnag/js to ~8.8.1, adds nock (~14.0.0) to deps/devDeps, and introduces integration tests (src/errors/main.spec.ts) that exercise session/notify network behavior and reporting toggles.

Changes

Cohort / File(s)	Summary
Package manifest package.json	Bump @bugsnag/js ~7.22.3 → ~8.8.1; add nock ~14.0.0 to dependencies and devDependencies.
Bugsnag init src/errors.ts	Set autoTrackSessions: false in Bugsnag.start configuration to disable automatic session tracking.
Integration tests src/errors/main.spec.ts	New test suite using nock to intercept /sessions and /notify; adds mocks for store and electron.app, env helpers, timing helpers, and scenarios for disabled/enabled reporting and dynamic toggling.

Sequence Diagram(s)

sequenceDiagram
  participant App as App
  participant Store as Store (settings)
  participant Bugsnag as Bugsnag SDK
  participant Server as Bugsnag Endpoint

  App->>Store: read reportingEnabled
  App->>Bugsnag: start(apiKey, autoTrackSessions: false)
  Note right of Bugsnag: Automatic session pings disabled
  Store-->>App: emit SETTINGS_CHANGED (toggle reporting)
  App->>Bugsnag: manual/queued session trigger (batched after interval)
  Bugsnag->>Server: POST /sessions
  Bugsnag->>Server: POST /notify (on errors)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibbled deps and hushed the pings,
I paused the sessions beneath moon rings,
Nock sits quiet at the network gate,
Tests twitch whiskers and check the state,
A tiny hop — telemetry dreams until late.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'fix: Bugsnag network connections even with errors reporting disabled' directly describes the primary change—preventing Bugsnag from making automatic network calls when error reporting is disabled.
Linked Issues check	✅ Passed	The PR fully addresses SUP-989 by adding autoTrackSessions: false to disable automatic session tracking and including integration tests verifying no network calls occur when reporting is disabled.
Out of Scope Changes check	✅ Passed	All changes directly support the core objective: disabling automatic Bugsnag network calls via configuration, adding comprehensive tests, and updating dependencies required for testing.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/bugsnag-disable-auto-sessions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/errors/main.spec.ts`:
- Around line 83-101: The tests currently reassign process.env via the
originalEnv constant and directly set/delete keys inside the
beforeEach/afterEach blocks (see beforeEach, afterEach, and originalEnv in
src/errors/main.spec.ts); change this to use Object.defineProperty to mock
specific environment variables (e.g., BUGSNAG_API_KEY and NODE_ENV) and restore
them after each test, and factor the behavior into a small helper (e.g.,
setEnvKey/restoreEnvKey) used by beforeEach/afterEach so you don't reassign
process.env or delete keys directly.

[github-actions]

Linux installer download

• rocketchat-4.12.0-linux-amd64.deb
• rocketchat-4.12.0-linux-amd64.snap
• rocketchat-4.12.0-linux-x86_64.AppImage

[github-actions]

Windows installer download

• rocketchat-4.12.0-win-arm64.exe
• rocketchat-4.12.0-win-ia32.exe
• rocketchat-4.12.0-win-x64.exe
• rocketchat-4.12.0-win.exe

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/errors/main.spec.ts`:
- Line 151: Remove the stray blank line in src/errors/main.spec.ts that was
introduced inside the test file (it's an extra empty line within the test
suite/describe block); open main.spec.ts, locate the empty line around the
failing test area (inside the describe/it test group) and delete that single
blank line so the file has no unintended extra whitespace.

🧹 Nitpick comments (1)

src/errors/main.spec.ts (1)

14-14: Import the action type constant to prevent test drift.

The hardcoded string 'settings/set-bugsnag-opt-in-changed' should be imported as SETTINGS_SET_REPORT_OPT_IN_CHANGED from src/ui/actions, matching how the main process file (src/errors.ts) and other parts of the codebase already use this constant. This prevents silent sync failures if the action type is ever refactored.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/errors/main.spec.ts`:
- Around line 171-181: The test currently only asserts tracker.sessionCalls ===
0 but should also assert that no notify/network error reports were sent; update
the test that uses interceptBugsnagCalls() and
setupRendererErrorHandling('main') to also assert tracker.notifyCalls (or the
notify counter provided by interceptBugsnagCalls) is 0 after
wait(SHORT_WAIT_MS). Locate the test block containing
unsetEnvVar('BUGSNAG_API_KEY'), createMocks(true), const tracker =
interceptBugsnagCalls(); and add a second expectation verifying no notify calls
were made (e.g., expect(tracker.notifyCalls).toBe(0)).

[github-actions]

macOS installer download

• rocketchat-4.12.0-mac.dmg
• rocketchat-4.12.0-mac.pkg