Ref: HDX-1976
1. Updated release-xxx commands to prevent image tag overrides
2. Updated release workflow so that notify-xxx steps won't be triggered if no new app image was pushed
- Upgrades ClickHouse to 25.6, fixes breaking config change, needed for latest JSON type
- Upgrades OTel Collector to 0.129.1, fixes breaking config change, needed for latest JSON support in exporter
- Upgrades OTel OpAMP Supervisor to 0.128.0
- Fixes features to support JSON type columns in OTel in HyperDX (filtering, searching, graphing, opening rows, etc.)
Requires users to set `BETA_CH_OTEL_JSON_SCHEMA_ENABLED=true` in `ch-server` and `OTEL_AGENT_FEATURE_GATE_ARG='--feature-gates=clickhouse.json'` in `otel-collector` to enable JSON schema. Users must start a new ClickHouse DB or migrate their own table manually to enable as it is not schema compatible and migration is not automatic.
Closes HDX-1849, HDX-1969, HDX-1849, HDX-1966, HDX-1964
Co-authored-by: Tom Alexander <3245235+teeohhem@users.noreply.github.com>
Adds a download icon that allows users to download a csv of results. Note: In v1, this was a gear icon that brought up a modal with a few different search options, including adding additional columns. Since that functionality doesn't exist in v2 yet, I thought it was best to just have a direct icon for now.
Fixes: HDX-1590
Bumps [pbkdf2](https://github.com/crypto-browserify/pbkdf2) from 3.1.2 to 3.1.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md">pbkdf2's changelog</a>.</em></p>
<blockquote>
<h2><a href="https://github.com/browserify/pbkdf2/compare/v3.1.2...v3.1.3">v3.1.3</a> - 2025-06-20</h2>
<h3>Commits</h3>
<ul>
<li>Only apps should have lockfiles <a href="8b067308ee"><code>8b06730</code></a></li>
<li>[lint] fix whitespace <a href="9a76e2f37e"><code>9a76e2f</code></a></li>
<li>[lint] fix parens/curlies/semis/etc <a href="6fd84bf64a"><code>6fd84bf</code></a></li>
<li>[meta] add <code>auto-changelog</code> <a href="796c38d428"><code>796c38d</code></a></li>
<li>[Tests] fix tests in node 17 <a href="3661fb0156"><code>3661fb0</code></a></li>
<li>Revert "[Tests] fix tests in node < 3" <a href="7431b57668"><code>7431b57</code></a></li>
<li>[Tests] fix tests in node < 3 <a href="eb9f97a66e"><code>eb9f97a</code></a></li>
<li>[Fix] ensure unknown algorithms throw + known ones match node <a href="26d4fd391e"><code>26d4fd3</code></a></li>
<li>[Tests] add GHA, always run nyc <a href="513906a735"><code>513906a</code></a></li>
<li>[lint] fix a few more rules <a href="ab04da834a"><code>ab04da8</code></a></li>
<li>[lint] switch to eslint <a href="89694cf7e4"><code>89694cf</code></a></li>
<li>[Tests] add coverage <a href="d0d534bfdc"><code>d0d534b</code></a></li>
<li>[Refactor] use <code>to-buffer</code> <a href="e3102a8cd4"><code>e3102a8</code></a></li>
<li>[readme] improve badges <a href="fca0c9d4c5"><code>fca0c9d</code></a></li>
<li>[Tests] remove unused travis file <a href="a2c7d93bbc"><code>a2c7d93</code></a></li>
<li>[meta] switch from <code>files</code> to <code>npmignore</code> <a href="7f31fbca52"><code>7f31fbc</code></a></li>
<li>[Tests] use .nycrc <a href="8d628e8d55"><code>8d628e8</code></a></li>
<li>[Refactor] minor tweaks <a href="fc61005c8c"><code>fc61005</code></a></li>
<li>[Deps] update <code>create-hmac</code>, <code>safe-buffer</code>, <code>sha.js</code> <a href="ae2a7d051c"><code>ae2a7d0</code></a></li>
<li>[Fix] pin <code>create-hash</code>, <code>ripemd160</code> due to breaking changes <a href="e07996890a"><code>e079968</code></a></li>
<li>[Tests] fix tests in node 3 <a href="45fbcf3043"><code>45fbcf3</code></a></li>
<li>[meta] skip publishing benchmarks <a href="19ea57bf11"><code>19ea57b</code></a></li>
<li>[Dev Deps] add missing peer dep <a href="645e252375"><code>645e252</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="3e40827b18"><code>3e40827</code></a> v3.1.3</li>
<li><a href="e3102a8cd4"><code>e3102a8</code></a> [Refactor] use <code>to-buffer</code></li>
<li><a href="7431b57668"><code>7431b57</code></a> Revert "[Tests] fix tests in node < 3"</li>
<li><a href="19ea57bf11"><code>19ea57b</code></a> [meta] skip publishing benchmarks</li>
<li><a href="a2c7d93bbc"><code>a2c7d93</code></a> [Tests] remove unused travis file</li>
<li><a href="645e252375"><code>645e252</code></a> [Dev Deps] add missing peer dep</li>
<li><a href="796c38d428"><code>796c38d</code></a> [meta] add <code>auto-changelog</code></li>
<li><a href="d0d534bfdc"><code>d0d534b</code></a> [Tests] add coverage</li>
<li><a href="7f31fbca52"><code>7f31fbc</code></a> [meta] switch from <code>files</code> to <code>npmignore</code></li>
<li><a href="fca0c9d4c5"><code>fca0c9d</code></a> [readme] improve badges</li>
<li>Additional commits viewable in <a href="https://github.com/crypto-browserify/pbkdf2/compare/v3.1.2...v3.1.3">compare view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a href="https://www.npmjs.com/~ljharb">ljharb</a>, a new releaser for pbkdf2 since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperdxio/hyperdx/network/alerts).
</details>
Bumps [formidable](https://github.com/node-formidable/formidable) from 2.1.2 to 2.1.5.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a href="https://github.com/node-formidable/formidable/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperdxio/hyperdx/network/alerts).
</details>
Bumps [next](https://github.com/vercel/next.js) from 14.2.29 to 14.2.30.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p>
<blockquote>
<h2>v14.2.30</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Backport <code>config.allowedDevOrigins</code> (<a href="https://redirect.github.com/vercel/next.js/issues/80410">#80410</a>) (<a href="https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins">Learn More</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a href="https://github.com/ijjk"><code>@ijjk</code></a> and <a href="https://github.com/ztanner"><code>@ztanner</code></a> for helping!</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="243072b7a8"><code>243072b</code></a> v14.2.30</li>
<li><a href="f523d4a142"><code>f523d4a</code></a> [backport]: config.allowedDevOrigins (<a href="https://redirect.github.com/vercel/next.js/issues/80410">#80410</a>)</li>
<li>See full diff in <a href="https://github.com/vercel/next.js/compare/v14.2.29...v14.2.30">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperdxio/hyperdx/network/alerts).
</details>
Fixes HDX-1835
I tested this by running the main branch first via `cd packages/app && yarn dev:local`, loading localhost:8080 and clicked demo servers, pasting the json from the HDX-1835 linear ticket into the `hdx-local-source` localStorage slot, verified some sources gave that permissions issue, then closed the tab. Then I checked out this branch, opened a new tab with localhost:8080, selected demo servers, and all demo sources work as expected
Adds environment variable to allow for passthrough_logs to be enabled in the supervisor config
Test locally with:
Edit docker-compose.dev.yaml
Add `OTEL_SUPERVISOR_PASSTHROUGH_LOGS: 'true'` under the otel environment variables
```
make dev-up
```
Ref: HDX-1859
Now that the app has some complex queries that leverage CTEs, metrics for example, it's common for the logic in this optimization to throw an exception. When that happens, the query rendering logic continues without a problem but generates a noisy line in the console log. We can just remove this log message to clean up the debugging experience.
Ref: HDX-1763
* Utilizes renderChartConfig and CH client to query for chart data
* Implements API input schema
* Adds lots of tests
Testing Notes:
* To use swagger, go to localhost:8000/api/v2/docs
* Authorize using your access key found in localhost:8000/me
* Under the charts route, click "Try it out"
* Use example payload:
*
```
{
"startTime": <insert valid timestamp ms>,
"endTime": <insert valid timestamp ms>,
"granularity": "1h",
"series": [
{
"sourceId": "<insert valid sourceid>",
"aggFn": "count",
"where": "SeverityText:error",
"groupBy": []
}
]
}
```
It was easiest for me to go to the UI, create a new chart and grab the sourceid and start/end timestamps from the URL, plug it in and profit.
Note: It was apparent to me that we will need to provide at least GET support for sources, otherwise that ID is not easily obtained.
Ref: HDX-1651
Bumps [smol-toml](https://github.com/squirrelchat/smol-toml) from 1.3.0 to 1.3.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/squirrelchat/smol-toml/releases">smol-toml's releases</a>.</em></p>
<blockquote>
<h2>v1.3.4</h2>
<p>Fixing some bugs that have been surfaced by the latest tests added to toml-test.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: don't attempt to skip until comma if not in a structure by <a href="https://github.com/cyyynthia"><code>@cyyynthia</code></a></li>
<li>fix: get extreme datetime to work by <a href="https://github.com/cyyynthia"><code>@cyyynthia</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/squirrelchat/smol-toml/compare/v1.3.3...v1.3.4">https://github.com/squirrelchat/smol-toml/compare/v1.3.3...v1.3.4</a></p>
<h2>v1.3.3</h2>
<p>Follow up of <a href="https://github.com/squirrelchat/smol-toml/releases/tag/v1.3.2">v1.3.2</a>, where the package is published in JavaScript instead of nocode. 🚀</p>
<p><img src="https://github.com/user-attachments/assets/be30090f-4de0-42e5-91b9-3af6615c489d" alt="image" /></p>
<h2>v1.3.2</h2>
<p>Fixes the issue reported in <a href="https://redirect.github.com/squirrelchat/smol-toml/issues/37">#37</a> -- the library would fail to parse a document containing a one-line string, with an escaped double-quote, preceded by an escaped backslash, such as <code>key = "value \\\" value"</code>.</p>
<p><em>Apologies for the lack of proper v1.3.1 tag; this release addressed GHSA-pqhp-25j4-6hq9 by adding a maximum depth while parsing.</em></p>
<p>Additionally, releases are now published to NPM with <a href="https://docs.npmjs.com/generating-provenance-statements">provenance attestations</a></p>
<h2>What's Changed</h2>
<ul>
<li>fix: improve string end detection when preceded by an escaped backslash by <a href="https://github.com/cyyynthia"><code>@cyyynthia</code></a></li>
<li>fix: enforce maximum depth when parsing/stringifying by <a href="https://github.com/cyyynthia"><code>@cyyynthia</code></a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/squirrelchat/smol-toml/compare/v1.3.0...v1.3.2">https://github.com/squirrelchat/smol-toml/compare/v1.3.0...v1.3.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="467ece4d49"><code>467ece4</code></a> chore: version bumps</li>
<li><a href="dae3ee32da"><code>dae3ee3</code></a> fix: don't attempt to skip until comma if not in a structure</li>
<li><a href="d855ffc311"><code>d855ffc</code></a> fix: get extreme datetime to work</li>
<li><a href="427e7baaa9"><code>427e7ba</code></a> fix: frankly i'm an idiot</li>
<li><a href="7d2d1bb4e1"><code>7d2d1bb</code></a> ci: specify registry url in setup-node, update pnpm</li>
<li><a href="77bf8e7373"><code>77bf8e7</code></a> ci: don't bother downloading artifact in publish script</li>
<li><a href="35c77ea5b7"><code>35c77ea</code></a> chore: bump version</li>
<li><a href="8dcef117b9"><code>8dcef11</code></a> ci: use gha to publish releases, lock actions to sha1</li>
<li><a href="c70208928f"><code>c702089</code></a> fix: improve string end detection when preceded by an escaped backslash</li>
<li><a href="cfdc386481"><code>cfdc386</code></a> ci: don't skip toml-test cases that don't need skipping (<a href="https://redirect.github.com/squirrelchat/smol-toml/issues/36">#36</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/squirrelchat/smol-toml/compare/v1.3.0...v1.3.4">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperdxio/hyperdx/network/alerts).
</details>
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.1 to 2.1.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a href="https://github.com/mafintosh/tar-fs/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hyperdxio/hyperdx/network/alerts).
</details>
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
# Releases
## @hyperdx/api@2.0.1
### Patch Changes
- ab3b5cb: perf: merge api + app packages to dedupe node_modules
- ab387e1: fix: missing types in app build
- d1dc2ec: Bumped mongodb driver support to allow for AWS IAM authentication. This drops support for MongoDB 3.6.
- 43edac8: chore: bump @hyperdx/node-opentelemetry to v0.8.2
- fa11fbb: fix: usage stats missing cluster id
- Updated dependencies [ab3b5cb]
- Updated dependencies [ab387e1]
- Updated dependencies [fce5ee5]
- @hyperdx/common-utils@0.2.1
## @hyperdx/app@2.0.1
### Patch Changes
- ab3b5cb: perf: merge api + app packages to dedupe node_modules
- ab387e1: fix: missing types in app build
- fce5ee5: feat: add load more to features and improve querying
- dfdb2d7: Better loading state for events patterns table
- 3eeb530: fix: date range undefined error causing issue loading keyvals for autocomplete
- 8874648: fix: Pollyfill crypto.randomUUID
- 43edac8: chore: bump @hyperdx/node-opentelemetry to v0.8.2
- Updated dependencies [ab3b5cb]
- Updated dependencies [ab387e1]
- Updated dependencies [fce5ee5]
- @hyperdx/common-utils@0.2.1
## @hyperdx/common-utils@0.2.1
### Patch Changes
- ab3b5cb: perf: merge api + app packages to dedupe node_modules
- ab387e1: fix: missing types in app build
- fce5ee5: feat: add load more to features and improve querying
Co-authored-by: Warren <5959690+wrn14897@users.noreply.github.com>
