fix: bump http-proxy-middleware to v4#2461

Open
brandon-pereira wants to merge 3 commits into main from brandon/brandon-bump-proxy

brandon-pereira commented Jun 12, 2026

Member

Summary

Removes the util._extend deprecation warning (DEP0060) that http-proxy was triggering at runtime.

Bumps http-proxy-middleware from v3 to v4 in both packages/api and packages/app. v4 swaps the underlying proxy engine from http-proxy to httpxy, which eliminates the deprecated util._extend call and brings many upstream fixes, HTTP/2 support, and better performance. The createProxyMiddleware API surface is unchanged.

Because v4 ships as ESM-only and the API package emits CJS, the static import in clickhouseProxy.ts is replaced with a lazy import() wrapper that initializes once on first request and caches for subsequent calls.

Also removes a stale TODO referencing chimurai/http-proxy-middleware#1102 — the underlying fixRequestBody issues (text/plain support, content-encoding) are resolved in v4.

Note: Currently pinned to ^4.0.0 (resolves to 4.0.0) because v4.1.0 hasn't cleared the repo's 7-day npmMinimalAgeGate. After June 13 we should bump to ^4.1.0 via yarn up http-proxy-middleware.

Upgrade from ^3.0.5 to ^4.0.0, which replaces the http-proxy engine
with httpxy (many upstream fixes, HTTP/2 support, better performance).

v4 is ESM-only, so the static import in clickhouseProxy.ts is replaced
with a lazy dynamic import() wrapper that caches after first call.

changeset-bot Bot commented Jun 12, 2026

🦋 Changeset detected

Latest commit: c0d00d5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@hyperdx/api Patch
@hyperdx/app Patch
@hyperdx/otel-collector Patch

vercel Bot commented Jun 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| hyperdx-oss | Ready | Preview, Comment | Jun 12, 2026 9:34pm |
| hyperdx-storybook | Ready | Preview, Comment | Jun 12, 2026 9:34pm |

greptile-apps Bot commented Jun 12, 2026

Greptile Summary

Bumps http-proxy-middleware from v3 to v4 in both packages/api and packages/app, replacing the deprecated http-proxy engine with httpxy to eliminate the util._extend (DEP0060) runtime warning. Because v4 ships as ESM-only, both call-sites are migrated from static imports to promise-cached dynamic import() wrappers.

  • clickhouseProxy.ts: static createProxyMiddleware import removed; getProxyMiddleware() caches the in-flight import() promise in _proxyPromise so concurrent first-request races are avoided.
  • pages/api/[...all].ts: same promise-caching pattern via getProxy(); proxy is now created once rather than on every request, which is a net improvement.
  • yarn.lock: transitive cleanup removes http-proxy, follow-redirects, @types/http-proxy, and the older debug range, replacing them with httpxy.

Confidence Score: 5/5

Safe to merge — the ESM interop strategy is sound and both proxy modules correctly prevent concurrent-initialization races.

Changes are narrowly scoped to a dependency bump and its CJS/ESM adapter plumbing. Both files cache the promise rather than the resolved value, correctly addressing the previously noted concurrency concern. No proxy configuration options are altered and no new code paths are introduced that could regress existing behavior.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/api/src/routers/api/clickhouseProxy.ts | Replaces static import with promise-cached dynamic import to support ESM-only v4; wraps proxy dispatch in an async RequestHandler with try/catch forwarding to next(e). The previous race-condition concern is correctly addressed by caching the promise itself. |
| packages/app/pages/api/[...all].ts | Same pattern: lazy dynamic import with promise-caching in getProxy(). Proxy is now created once instead of on every request, which is a net improvement. |
| packages/api/package.json | Bumps http-proxy-middleware from ^3.0.5 to ^4.0.0. |
| packages/app/package.json | Bumps http-proxy-middleware from ^3.0.5 to ^4.0.0 in the Next.js app package. |
| .changeset/bump-http-proxy-middleware.md | Changeset file marking both @hyperdx/api and @hyperdx/app as patch releases for the http-proxy-middleware upgrade. |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Express/Next as Express / Next.js
    participant proxyMiddleware as proxyMiddleware (async wrapper)
    participant getProxyMiddleware as getProxyMiddleware()
    participant hpm as http-proxy-middleware v4 (ESM)

    Note over getProxyMiddleware,hpm: Module cached as _proxyPromise on first call

    Client->>Express/Next: HTTP request
    Express/Next->>proxyMiddleware: req, res, next
    proxyMiddleware->>getProxyMiddleware: await getProxyMiddleware()
    alt _proxyPromise already set
        getProxyMiddleware-->>proxyMiddleware: return existing promise
    else first call
        getProxyMiddleware->>hpm: dynamic import('http-proxy-middleware')
        hpm-->>getProxyMiddleware: "{ createProxyMiddleware }"
        getProxyMiddleware->>hpm: createProxyMiddleware(options)
        hpm-->>getProxyMiddleware: RequestHandler
        getProxyMiddleware-->>proxyMiddleware: resolved RequestHandler
    end
    proxyMiddleware->>hpm: middleware(req, res, next)
    hpm->>hpm: rewrite path, select router target
    hpm-->>Client: proxied response

Reviews (2): Last reviewed commit: "fix: use dynamic import for http-proxy-m..."

github-actions Bot commented Jun 12, 2026

Contributor

E2E Test Results

All tests passed • 201 passed • 3 skipped • 1307s

Status Count
✅ Passed 201
❌ Failed 0
⚠️ Flaky 2
⏭️ Skipped 3

Tests ran across 4 shards in parallel.

Apply the same ESM-only dynamic import() pattern to the Next.js API
catch-all route. Also use a cached promise (instead of a mutable
variable) in both files to prevent concurrent-init races on cold start.
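
The cached-promise point from the commit message above, as an added JavaScript example that is not code from this PR: `makeLoader` is a constructed stand-in for `import('http-proxy-middleware')` plus `createProxyMiddleware()`, and every function name here is hypothetical. It goes one step beyond the thread by clearing the cache when the load rejects, so a failed cold start is retried instead of being served to every later request.

```javascript
// Constructed stand-in for import('http-proxy-middleware') + createProxyMiddleware():
// resolves asynchronously and counts how many handlers were built.
function makeLoader({ failFirst = false } = {}) {
  const stats = { attempts: 0, created: 0 };
  async function load() {
    stats.attempts += 1;
    await new Promise((resolve) => setTimeout(resolve, 10)); // simulated module load
    if (failFirst && stats.attempts === 1) throw new Error('import failed');
    const id = ++stats.created;
    return (path) => `handler#${id} -> ${path}`;
  }
  return { load, stats };
}
// Mutable-variable cache: every caller arriving before the first load settles
// still sees `handler` unset and starts its own load.
function cacheValue(load) {
  let handler;
  return async () => {
    if (!handler) handler = await load();
    return handler;
  };
}

// Promise cache: the in-flight promise is stored synchronously, so concurrent
// callers share one load. A rejection clears the cache so a later call retries.
function cachePromise(load) {
  let promise;
  return () => {
    if (!promise) promise = load().catch((err) => { promise = undefined; throw err; });
    return promise;
  };
}

async function demo() {
  const a = makeLoader(), b = makeLoader(), c = makeLoader({ failFirst: true });
  const getA = cacheValue(a.load), getB = cachePromise(b.load), getC = cachePromise(c.load);
  await Promise.all([getA(), getA(), getA()]); // three concurrent "first requests"
  const shared = await Promise.all([getB(), getB(), getB()]);
  const firstError = await getC().then(() => null, (err) => err.message);
  const retried = await getC(); // cache was cleared, so this starts a second load
  return {
    valueCacheCreated: a.stats.created,
    promiseCacheCreated: b.stats.created,
    sameHandler: shared.every((h) => h === shared[0]),
    firstError,
    retryResult: retried('/ping'),
  };
}
demo().then((result) => console.log(result));
```
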
@github-actions

Contributor

🟡 Tier 3 — Standard

Introduces new logic, modifies core functionality, or touches areas with non-trivial risk.

Why this tier:

  • Diff size: 275 production lines changed (Tier 2 max: < 250)
  • Cross-layer change: touches frontend (packages/app) + backend (packages/api)
  • Touches API routes or data models — hidden complexity risk

Review process: Full human review — logic, architecture, edge cases.
SLA: First-pass feedback within 1 business day.

Stats
  • Production files changed: 4
  • Production lines changed: 275
  • Branch: brandon/brandon-bump-proxy
  • Author: brandon-pereira

To override this classification, remove the review/tier-3 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

brandon-pereira requested review from a team and teeohhem and removed request for a team June 12, 2026 21:35

Labels

review/tier-3 Standard — full human review required
