## Summary
Addresses npm security vulnerabilities in transitive dependencies. Prefer direct dependency upgrades over broad resolutions where possible.
## Changes
**Direct upgrade:**
- **`@slack/webhook`**: `^6.1.0` → `^7.0.0` — v7 natively uses axios v1, eliminating the axios@0.21.4 SSRF/redirect vulnerabilities. Only breaking change in v7 is dropping Node <18 (we're on Node 22).
**Resolutions for transitive deps with no direct upgrade path:**
- **`fast-xml-parser`**: `^4.4.0` — fixes prototype pollution (High)
- **`systeminformation`**: `^5.24.0` — fixes command injection (High)
## Removed/Not Done
- `axios` resolution removed — covered by the `@slack/webhook` upgrade instead
- `tar` resolution removed — was a v6→v7 major jump on build-only tools (`cacache`, `node-gyp`); not present in the production image
- `glob` resolution removed — was breaking test coverage tooling (`test-exclude@6` depends on glob@^7)
## Related
Follow-up to #1731 which addressed base image vulnerabilities (Node, Go, ClickHouse).
# Summary
This PR updates the CI (integration tests) docker compose and env file so that the integration tests run on a separate set of ports, so that they can be run locally without interfering with an instance of the app running locally.
## Testing
To test locally:
Start the app:
```
yarn dev
```
Run the integration tests:
```
make ci-int
```
Note that both can run at the same time without docker port conflicts. `make ci-int` can also be run without running the app - it uses its own independent mongo + clickhouse + api.
Dynamically fills available horizontal space in the Event Deltas view by calculating the number of chart columns based on the container width. Also moves pagination to the bottom of the list and hides it when not needed.
Fixes #1769
Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
A user reported that they could not use the Notebooks feature due to a random clickhouse connection failure, pointing to a bad password. https://discord.com/channels/1149498480893640706/1149500035403350036/1473446917198315563
The reason it failed was because we weren't selecting the pw in `mongo` prior to using it in a direct `CH` connection.
Before the fix, the call in `getAIMetadata` omitted the `selectPassword` argument:
`const connection = await getConnectionById(source.team.toString(), connectionId); // connection.password === undefined`
So when the ClickhouseClient was constructed immediately after:
```
const clickhouseClient = new ClickhouseClient({
  host: connection.host,
  username: connection.username,
  password: connection.password,
});
```
`connection.password` was undefined, and the ClickHouse client connected with no password — hence the authentication failure.
The fix just adds `true` so the password is actually fetched from MongoDB and present in connection.password when the client is constructed.
## Summary
- Add support for TLS-enabled ClickHouse endpoints in otelcol migrator (`tcps://`, `tls://`, `clickhouse://` schemes)
- Support `?secure=true` query parameter to override TLS setting on any scheme
- Default TLS port to `9440` for `tcps`/`tls` schemes
- Improve error message for unsupported schemes to list valid options
## Test plan
- Added tests for `clickhouse://`, `tcps://`, `tls://` schemes with default and custom ports
- Added tests for `?secure=true` query param on `tcp` and `http` schemes
- Added test verifying `?secure=false` is a no-op
Docs: https://clickhouse.com/docs/guides/sre/network-ports
Ref: HDX-3490
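The scheme and `?secure` rules listed in the summary above, sketched as an added JavaScript example; it is not the migrator's code. The function name, the plaintext treatment of `tcp`/`http`/`clickhouse`, and leaving a missing non-TLS port as `null` are assumptions.

```javascript
// Added illustration, not the migrator's code; all names here are hypothetical.
const TLS_SCHEMES = ["tcps", "tls"];                 // TLS implied by the scheme (PR summary)
const PLAIN_SCHEMES = ["tcp", "http", "clickhouse"]; // assumption: plaintext unless ?secure=true
const DEFAULT_TLS_PORT = 9440;                       // default for tcps/tls (PR summary)

function parseClickHouseEndpoint(endpoint) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(endpoint);
  if (!m) throw new Error(`invalid endpoint: ${endpoint}`);
  const scheme = m[1].toLowerCase();
  const valid = [...PLAIN_SCHEMES, ...TLS_SCHEMES];
  if (!valid.includes(scheme)) {
    // List the accepted schemes so a typo is easy to spot.
    throw new Error(`unsupported scheme "${scheme}", expected one of: ${valid.join(", ")}`);
  }
  // Re-parse under a neutral scheme so the WHATWG URL parser does not silently
  // drop an explicit :80 on http, which would hide a port the operator typed.
  const u = new URL(`x://${m[2]}`);
  if (!u.hostname) throw new Error(`missing host: ${endpoint}`);

  const schemeIsTls = TLS_SCHEMES.includes(scheme);
  // ?secure=true can only switch TLS on. ?secure=false is a no-op, so it cannot
  // downgrade a tcps:// or tls:// endpoint to plaintext.
  const tls = schemeIsTls || u.searchParams.get("secure") === "true";
  // Only tcps/tls get the 9440 default; otherwise an omitted port stays null
  // and is left to the caller (assumption, the summary does not say).
  const port = u.port ? Number(u.port) : schemeIsTls ? DEFAULT_TLS_PORT : null;
  return { scheme, host: u.hostname, port, tls };
}

// Constructed sample endpoints.
const samples = [
  "tcps://ch.example.internal",
  "tls://ch.example.internal:19440",
  "tcp://ch.example.internal:9000?secure=true",
  "tcps://ch.example.internal?secure=false",
];
for (const s of samples) console.log(s, parseClickHouseEndpoint(s));
```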
Fixes https://github.com/hyperdxio/hyperdx/issues/983
This issue was closed as not planned, but I think the solution is simple enough that it should be considered for merging.
Row data has `__hdx_resource_attributes` (which is `ROW_DATA_ALIASES.RESOURCE_ATTRIBUTES`) and it is flattened so that it could be used for both map and json type.
Closes HDX-3479
# Summary
This PR makes a number of improvements to the new pie chart implementation (#1704).
1. Pie charts are now limited to 1 series. Previously, the pie chart summed the values of each series by group, and used the sum as the slice value. This is non-obvious and probably not what users expect. With a one-series limit, this problem is eliminated. Further, the logic for formatting the pie chart data from the clickhouse response is dramatically simpler.
2. Slices are now ordered by value decreasing, to avoid randomly changing slice order on refresh
3. Instead of being randomly generated, slice colors are now consistent with the theme colors and auto-detect log and trace severity levels, matching line/bar chart behavior
4. The external dashboards API now supports reading and writing pie charts. The transformation code has been updated so that there will be a type error if any new chart types are added in the future without updating the external API code.
5. The pie chart's tooltip now matches the style of the line chart tooltip, and is updated appropriately based on the app theme and light/dark mode.
6. The chart's number format is now applied to values in the pie chart tooltip
7. Slice labels are now correctly populated when a map is accessed in the Group By (e.g. when grouping by `ResourceAttributes['app']`, the slice labels include the `app` value instead of being empty).
8. Also, added some unit tests for the pie chart data transformation, and moved it to ChartUtils with the other similar chart data transformation code.
## Summary
- Fix external API `POST /api/v2/charts/series` returning `"no query support for metric type=gauge"` when `field` is passed without `metricName`
- When querying metric sources, the API now falls back to using `field` as the `metricName` and defaults `valueExpression` to `'Value'` (the ClickHouse column), matching how the dashboard UI builds chart configs
- Backward compatible: when both `metricName` and `field` are provided, behavior is unchanged
## Root Cause
`buildChartConfigFromRequest()` mapped `field` to `valueExpression` but never populated `metricName` from it. Downstream, `translateMetricChartConfig()` requires both `metricType` AND `metricName` to be truthy — when `metricName` was undefined, it fell through to the catch-all error.
## Test plan
- [ ] Added integration tests for gauge, sum, and histogram metrics using `field` without `metricName`
- [ ] Verify existing metric tests still pass (backward compatible — passing both `metricName` and `field` works as before)
- [ ] Verify non-metric source queries are unaffected
Related: https://github.com/hyperdxio/hyperdx/issues/1418, https://github.com/hyperdxio/hyperdx/issues/1214
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <81847+claude@users.noreply.github.com>
Adds several optimizations that help immensely with search query duration. On our own data we've seen a 2-3x improvement; for extremely large log tables we've seen a 50x improvement.
Closes HDX-3429
## Summary
Replace hardcoded "HyperDX" in user-facing UI with the current theme's display name so deployments using the ClickStack theme show "ClickStack" (e.g. "Welcome to ClickStack", "ClickStack Cloud") instead of "HyperDX".
Closes HDX-3463.
## Changes
### Theme
- **ThemeProvider**: Add `useBrandDisplayName()` hook that returns `theme.displayName` ("HyperDX" or "ClickStack") for use in copy.
### Pages & layout
- **Auth**: Login/register page title and brand label use `useBrandDisplayName()`.
- **AuthLoadingBlocker**: "Loading HyperDX" → "Loading {brandName}".
- **JoinTeamPage**: Document title uses brand name.
- **LandingHeader**: "HyperDX Cloud" → "{brandName} Cloud" (desktop and mobile). Active link color scheme updated for theme consistency.
- **Spotlights**: Cloud action label and description use brand name.
- **Page titles**: All `<Head><title>` now suffix with current brand (Dashboard, Search, Client Sessions, Chart Explorer, My Team, Create a Dashboard, Alerts, DBDashboardImportPage).
### Copy and errors
- **OnboardingModal**: Welcome title and demo server success/error messages use brand name.
- **DBSearchPageAlertModal**, **WebhooksSection**, **TeamMembersSection**, **WebhookForm**: "Please contact HyperDX team" → "Please contact {brandName} team".
- **SessionsPage**: Empty state and setup instructions ("HyperDX integration", "HyperDX Otel Collector", "HyperDX Browser Integration") use brand name.
- **TeamPage**: ClickHouse settings tooltip about windowed queries uses brand name.
- **DBChartPage**: AI Assistant alert text ("on the HyperDX server") and Chart Explorer title use brand name.
- **SourceForm**: All help text that referred to "HyperDX" (materialized view tooltip, correlated source labels, metrics "not yet fully supported") uses brand name.
- **HDXMultiSeriesTableChart**: CSV export filename "HyperDX_table_results" → "{brandName}_table_results".
## Testing
- With default/HyperDX theme: all existing strings should still read "HyperDX".
- With ClickStack theme (e.g. `NEXT_PUBLIC_THEME=clickstack` or dev theme override): titles, welcome text, errors, and help text should show "ClickStack" where appropriate.
## Notes
- No changes to SDK imports, type names (e.g. `HyperDXEventType`), or theme definition files.
- Brand is deployment-configured via `NEXT_PUBLIC_THEME`; in dev, theme can be switched for verification.
1. `source` isn't actually required on an alert. It is non-nullable, but has a default value of `saved_search` if omitted.
2. `whereLanguage` is actually a required input.
- Simplified SVG markup for both favicons by removing redundant elements and improving readability.
- Updated clipPath definitions and ensured consistent styling for light and dark modes.
- Enhanced compatibility with modern SVG standards.
For a log line like
```
x-amz-id-2: WxwS/N175wqLyRlzCXLpGZGszCEbQA0f63uFgdQN1qfcPr2IAmwE/P7HF2b1NdZLg18pNLF3ecTw5CrItXJid/uLe+fxh3jMBiJ7UlUxidw=
```
The level will be inferred as fatal because it contains `CrIt`, which is incorrect.
To fix this, we need to add a word boundary at the start.
Ref: HDX-3439
CLAUDE: made a mistake.
```
❌ Test expects "ALERTING" to match "alert" keyword → "ALERTING" won't match with word boundary because "alert" is a substring, not at a word boundary. Expected should be "info",9,"ALERTING system engaged" not "fatal",21.
```
-> incorrect statement
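The misclassification described above, reproduced as an added JavaScript example that is not code from the PR. The keyword table and function names are assumptions; the page confirms only that `crit` and `alert` map to `fatal`, and the `info` fallback is assumed.

```javascript
// Added illustration; the keyword table is constructed, not the project's own.
const LEVEL_KEYWORDS = [
  ["fatal", ["emerg", "alert", "crit", "fatal"]],
  ["error", ["err"]],
  ["warn", ["warn"]],
];

// Build one case-insensitive regex per level, optionally anchored with a
// leading \b so a keyword must begin at the start of a word.
function buildMatchers(leadingBoundary) {
  const prefix = leadingBoundary ? "\\b" : "";
  return LEVEL_KEYWORDS.map(([level, words]) => [
    level,
    new RegExp(`${prefix}(?:${words.join("|")})`, "i"),
  ]);
}

// First matching level wins; anything without a keyword falls back to info.
function inferLevel(body, matchers) {
  for (const [level, re] of matchers) {
    if (re.test(body)) return level;
  }
  return "info";
}

const naive = buildMatchers(false);
const bounded = buildMatchers(true);

// The log line quoted in the PR description: a base64-style request ID that
// happens to contain "CrIt" in the middle of a token.
const AMZ_LINE =
  "x-amz-id-2: WxwS/N175wqLyRlzCXLpGZGszCEbQA0f63uFgdQN1qfcPr2IAmwE/P7HF2b1NdZLg18pNLF3ecTw5CrItXJid/uLe+fxh3jMBiJ7UlUxidw=";

// Constructed lines covering the cases discussed above.
const cases = [
  AMZ_LINE,
  "ALERTING system engaged", // still fatal: the boundary is only at the start
  "CRITICAL: disk failure",
  "request finished app_error=0", // "_" is a word character, so \berr does not match
];
for (const line of cases) {
  console.log(inferLevel(line, naive), inferLevel(line, bounded), line.slice(0, 40));
}
```

Because the boundary is only on the leading side, `ALERTING` still matches `alert`, which is consistent with the `"fatal",21` expectation quoted above.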
Currently users will need to add an extra flag to enable it: `HYPERDX_OTEL_EXPORTER_CREATE_LEGACY_SCHEMA=true`. Ideally the JSON schema should be created if the feature gate is enabled: `OTEL_AGENT_FEATURE_GATE_ARG='--feature-gates=clickhouse.json'`.
Ref: HDX-3428
Previously it failed because GitHub gives the workflow a read-only GITHUB_TOKEN for forks. Writing a PR comment needs write access. This will skip the comment altogether in the PR for forks, but allow the job to finish its processing.
Add a "Hide blank values" toggle in HyperJsonMenu to filter out empty strings and null values from the Column Values tab. The option is persisted to localStorage and is off by default.
<img width="1176" height="478" alt="image" src="https://github.com/user-attachments/assets/2df852de-5fd2-4274-aaf3-c8458c01e7a8" />
Resolves #1732
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>