fix(core): Resolve expo CLI directly instead of using npx in sourcemap upload

[antonis]

📢 Type of change

• Bugfix
• New feature
• Enhancement
• Refactoring

📜 Description

Replaces spawnSync('npx', ['expo', 'config', '--json']) in @sentry/expo-upload-sourcemaps with direct module resolution via require.resolve('expo/package.json'), reading the bin.expo field from it, and spawning the resolved CLI path with process.execPath.

This avoids going through npm/npx entirely, which prevents npm's devEngines.packageManager enforcement from rejecting the call when the project restricts its package manager to pnpm.

The resolution tries two paths:

1. Standard require.resolve from the script's location (works with hoisted layouts — npm, yarn classic)
2. Falls back to require.resolve with paths: [process.cwd()] (works with strict isolation — pnpm)

If neither resolves, the existing fallback chain (sentry.properties → env vars) kicks in unchanged.

💡 Motivation and Context

Projects using npm v11+'s devEngines.packageManager field to enforce pnpm get EBADDEVENGINES when the sourcemap upload script internally calls npx expo config --json, because npm detects the package manager mismatch and refuses to run.

Fixes #6152

💚 How did you test it?

• Reproduced the issue: created a project with devEngines.packageManager: pnpm, confirmed npx expo config --json fails with EBADDEVENGINES
• Verified the fix resolves and runs expo directly, bypassing the error
• Verified the happy path against the real samples/expo project — identical behavior to the old approach
• All 20 tests pass (19 existing + 1 new for the cwd resolution fallback)

📝 Checklist

• I added tests to verify changes
• No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
• I updated the docs if needed.
• I updated the wizard if needed.
• All tests passing
• No breaking changes

🔮 Next steps

[github-actions]

Semver Impact of This PR

⚪ None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

• fix(core): Resolve expo CLI directly instead of using npx in sourcemap upload by antonis in #6155

• feat(core): Surface textComponentNames option in Metro config by antonis in #6169
• chore(deps): update Sentry Android Gradle Plugin to v6.7.0 by github-actions in #6153
• Filter ExceptionsManager.reportException duplicates in app-start init by alwx in #6145
• chore(deps): update JavaScript SDK to v10.53.1 by github-actions in #6139
• feat(core): Enable autoInjectSentryLabel by default in Metro config by antonis in #6141
• feat(core): Respect Mask boundaries when reading sentry-label by antonis in #6142
• fix(android): Handle boolean values in JSON options converter by antonis in #6130
• Multi-instance <TimeToInitialDisplay> / <TimeToFullDisplay> coordination; a multi-signal TTID/TTFD system by alwx in #6090
• chore(deps): update Bundler Plugins to v5.3.0 by github-actions in #6138
• chore: Merge 8.11.1 back to main by antonis in #6135
• chore: Update warning regarding iOS crash in sentry-cocoa 9.12.0 by antonis in #6136
• chore(deps): update CLI to v3.4.2 by github-actions in #6129
• chore(deps): bump getsentry/craft/.github/workflows/changelog-preview.yml from 2.26.2 to 2.26.3 by dependabot in #6126
• chore(deps): bump getsentry/craft from 2.26.2 to 2.26.3 by dependabot in #6127
• chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by dependabot in #6128
• feat(core): Extract text from children of touched components for breadcrumb labels by antonis in #6106
• chore(deps): bump @babel/plugin-transform-modules-systemjs from 7.25.0 to 7.29.4 by dependabot in #6124
• chore(deps): bump fast-uri from 3.0.1 to 3.1.2 by dependabot in #6121
• chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by dependabot in #6120
• chore(deps): bump socks to ^2.8.8 to fix ip-address vulnerability by antonis in #6117
• chore(deps): bump uuid to ^13.0.1 to fix buffer bounds check vulnerability by antonis in #6118
• test(replay): Add passthrough tests for device-state replay breadcrumbs by antonis in #6115
• chore(deps): update JavaScript SDK to v10.52.0 by github-actions in #6108

Plus 1 more

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

	Warnings
⚠️	⚠️ Auth token handling changes detected This PR modifies code related to Sentry auth token handling. Please ensure no auth tokens are accidentally exposed or mishandled. See GHSA-68c2-4mpx-qh95 for context. Files with auth token changes: packages/core/test/scripts/expo-upload-sourcemaps.test.ts

Generated by 🚫 dangerJS against 6ba2bfe

[alwx]

q: the auto-generated PR description has the claim that yarn PnP works but how could it be since the whole PR depends on the existance of node_modules?

[alwx]

expo/bin/cli is not a public API — ok, it works today but if Expo renames/relocates it, sourcemap upload will silently fall back to sentry.properties/env vars

[alwx]

what I'm saying is that it's probably better to resolve expo/package.json and read its bin.expo field

[antonis]

Good idea @alwx 👍 Update with 6ba2bfe

[antonis]

q: the auto-generated PR description has the claim that yarn PnP works but how could it be since the whole PR depends on the existance of node_modules?

Good point @alwx 👍 I've updated the PR description. Ready for another pass

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
Sentry RN	io.sentry.reactnative.sample	8.11.1 (88)	Release

⚙️ sentry-react-native Build Distribution Settings