Release HyperDX

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@hyperdx/cli@0.4.1

Patch Changes

• f6a1d02: Add support for event patterns in MCP server, reduce code duplication

• 253cf5b: Fix CLI version flag reporting hardcoded 0.1.0 instead of the actual package version

• 4104364: feat: support multiple teams and kubectx-style team switching in the CLI

  Adds three new commands for users that belong to multiple teams (HyperDX Cloud /
  EE):

  • hdx team list — list every team the authenticated user belongs to, marking
    the active one
  • hdx team current — print the currently active team
  • hdx team use <name-or-id> — switch the active team (matched by team ID or
    case-insensitive name)

  The active team is persisted to ~/.config/hyperdx/cli/session.json so the
  choice survives across CLI invocations, and the CLI now sends an x-hdx-team
  header on every API and ClickHouse-proxy request so the server scopes data to
  the chosen team. hdx auth status also surfaces the active team.

  On single-team OSS deployments these commands are effectively no-ops.

@hyperdx/api@2.25.0

Minor Changes

• eb16df4: Add ability to disable data sources with improved UX

• 143f7a7: feat: Add per-series number formats

• f6a1d02: Add support for event patterns in MCP server, reduce code duplication

• 4d22d4b: feat(api): support heatmap tiles in external dashboards API

  Heatmap is the only builder-mode display type that did not round-trip
  through the external dashboards API. The serializer dropped it into the
  "unsupported" fall-through, so creating, fetching, and updating heatmap
  tiles via /api/v2/dashboards lost the config. Heatmap now serializes
  and parses on both directions, with valueExpression,
  countExpression, heatmapScaleType, and numberFormat preserved
  across save/get. The heatmap select item does not expose aggFn or
  alias: the chart-level displayType: "heatmap" is the discriminator,
  the heatmap aggregation function is fixed internally, and
  HeatmapSeriesEditor does not render an alias input. Raw-SQL heatmap
  remains unsupported (heatmap rendering requires builder mode).

• 7d7269a: feat: introducing rollup and source support for full autocomplete

• 4cc5eb3: Add support for increase aggFn on sum counter metrics and rewrite sum metric rate computation to fix correctness issues.

• 41395ca: External Dashboards API now round-trips the new dashboard organization
  layer added in refactor: Unify section/group into single Group with collapsible/bordered options #2015: containers on the dashboard, optional tabs on each
  container, and containerId / tabId on each tile. Create, get, list, and
  update all preserve the structure. The body validates that tile
  containerId references resolve to a real container, that tile tabId
  references resolve to a tab inside that container, and that tab ids are
  unique within a container. Container id uniqueness is already enforced by
  the shared schema. Dashboards saved without containers round-trip
  unchanged.

• 41eefec: MCP hyperdx_save_dashboard now accepts the dashboard organization layer
  added in feat(external-api): round-trip dashboard containers, tabs, and tile container/tab refs #2201: an optional containers array on the dashboard, plus
  containerId and tabId on each tile. The same five cross-field rules
  the external API enforces fire on the MCP path: container ids unique,
  tab ids unique within a container, tile.containerId resolves, tile.tabId
  resolves to a tab on that container, and tile.tabId requires
  tile.containerId. The MCP buildQueryGuidePrompt documents the new
  shape under a CONTAINERS AND TABS section.

• d3a5a57: feat: add optional note field to alerts

  Adds a freeform note/reason field to alerts that supports markdown formatting,
  allowing on-call responders to document why an alert exists, threshold decision
  history, and links to runbooks.

  • New note field on the Alert model (optional, max 4096 chars, supports
    markdown)
  • Note textarea in both the saved-search alert modal and the dashboard tile
    alert editor
  • Notes displayed on the /alerts page in a collapsible section (hidden by
    default) with full markdown rendering
  • Alert tabs in the saved-search modal show a red bell firing indicator
    alongside the webhook channel icon, matching the AlertStatusIcon pattern
    used on dashboard tiles and the app nav
  • The Alerts button on the search page shows a red bell icon when at least one
    alert in the saved search is firing
  • External API v2 updated with note field in OpenAPI docs

• 5c6da48: refactor(alerts/search): consolidate the saved-search → chart-config builder
  into a single shared helper, buildSearchChartConfig, in
  @hyperdx/common-utils/core/searchChartConfig.ts. The app search page, the
  alert preview chart, and the scheduled alert task's SAVED_SEARCH branch now
  all route through it, so tableFilterExpression, implicitColumnExpression,
  sample-weight expressions, SELECT precedence, and the count() default
  SELECT shape are applied identically by construction.

  Behavior fixes that fall out of consolidation:

  • The alert task and the alert preview now apply source.tableFilterExpression
    on Log sources, matching what the search page already did.
  • A latent bug in the search-page builder is fixed: a non-null filters
    array no longer silently drops the tableFilterExpression SQL filter via
    spread-overwrite.

• a50db92: fix(security): redact sensitive fields from internal webhook API responses

  The GET /api/webhooks endpoint now masks webhook URLs (<origin>/****) and
  redacts header and query parameter values (keys preserved, values replaced with
  ****), preventing team members from retrieving secrets configured by others.

  The PUT handler merges redacted markers back to stored values so editing a
  webhook without re-entering secrets preserves the originals. Changing the URL
  while preserving masked secrets is rejected to prevent exfiltration.

  GET /api/webhooks, POST /api/webhooks, and PUT /api/webhooks/:id
  responses now return masked values for url, headers, and queryParams
  instead of plaintext secrets.

Patch Changes

• fecbfff: fix: flatten MCP query tool schema so SDK serializes inputSchema correctly

• 41395ca: External Dashboards API: tighten validation around container/tab references
  on the v2 dashboards routes.

  • Cap tile containerId and tabId at 256 characters to mirror the
    internal DashboardContainer schema and the DASHBOARD_CONTAINER_ID_MAX
    constant, now exported from @hyperdx/common-utils.
  • Cap a single dashboard payload at 500 tiles via the new
    DASHBOARD_MAX_TILES constant to keep one request from pushing tens of
    MB into Mongo.
  • Treat empty-string containerId / tabId on legacy Mongo docs as
    absent on read, so dashboards predating the containers feature still
    round-trip through the external schema's min(1) cap.
  • Extract the cross-tile container/tab consistency check into a shared
    validateDashboardContainersConsistency helper so the canonical
    schema and the request body schema agree on what a valid payload is.
  • OpenAPI now publishes the matching maxLength and maxItems bounds
    on DashboardContainer.id, DashboardContainerTab.id, the
    containers array, and the request tiles array.

• 41395ca: External Dashboards API: fix PUT round-trip when the request body omits
  containers, and self-heal orphan containerId / tabId references on
  read.

  • Move tile-level container/tab reference resolution out of the request
    body schema and into the POST and PUT handlers, so a PUT whose
    body omits containers validates tile refs against the existing
    dashboard's containers (the documented "preserve on omit" branch)
    rather than against an empty fallback. Without this, a PUT that
    changes only tiles while keeping a tile homed in a real preserved
    container was rejected with Tile references unknown containerId.
  • Split the shared validation helper into a structure-only pass
    (validateDashboardContainersStructure) and a tile-ref pass
    (validateDashboardTileContainerRefs) on
    @hyperdx/common-utils. The composite
    validateDashboardContainersConsistency now wraps both, so existing
    callers keep their current behavior.
  • On read, drop tile.containerId / tile.tabId when the ref does not
    resolve to a container (or tab) in the same dashboard. A pre-existing
    doc with an orphan ref now round-trips on GET as if the ref were
    absent, so the next PUT validates instead of failing with
    Tile references unknown containerId. Each drop is logged with the
    dashboard id, tile id, and the offending ref.
  • Document in the OpenAPI PUT /api/v2/dashboards/{id} description that
    the endpoint does not support optimistic concurrency. Concurrent PUTs
    may silently overwrite each other; clients should serialize edits to
    a given dashboard.

• 41395ca: Internal refactor: move validateDashboardContainersStructure and
  validateDashboardTileContainerRefs (and their two helper types) out
  of @hyperdx/common-utils/dist/types into a new
  @hyperdx/common-utils/dist/dashboardValidation module. The types
  file now only contains types and type guards, matching the rest of the
  codebase. The previously exported validateDashboardContainersConsistency
  composite was only used by its own unit test and is dropped; production
  code in the v2 dashboards router uses the two underlying helpers
  directly. No behaviour change for callers of the external API.

• 29586e7: Enable end-to-end PR testing on Vercel previews by inlining the Express API into the Next.js /api/[...all] serverless function (opt-in via HDX_PREVIEW_INLINE_API=true). Production deploys (Docker fullstack image, standalone Next output) are unchanged — they keep proxying /api/* to the separately-deployed API service.

  Also realigns clickhouseProxy.ts with the upstream EE implementation (modulo CHC and RBAC code paths): query params are now parsed from the request URL via validateAndSanitizePath() + URL.searchParams instead of req.query, which fixes a Setting all is neither a builtin setting nor started with the prefix 'custom_' regression on Vercel previews where Next.js's [...all] catch-all route polluted req.query. Adds path-injection hardening, POST-only enforcement, and exposes X-ClickHouse-Mixed-Response / X-ClickHouse-Service-Unavailable response headers for the browser ClickHouse client.

• 1c73d0c: Add groupByColumnsOnLeft to MCP dashboard table tile schema

• 694e3c9: Increase MCP rate limit to 10 req/s

• eb7fdb4: fix(api): tighten redactSecrets after deep-review on feat(api): redactSecrets util for LLM input from observability data #2188

  Several security/correctness gaps surfaced by deep-review across
  two passes on the original redactSecrets PR.

  • The bearer value alphabet is now \S+. Real-world payloads
    carry plenty of opaque non-JWT bearers with :, %, or quote
    chars in them, and any alphabet narrower than \S+ leaks the
    suffix past [REDACTED]. RFC 6750's b64token alphabet is a
    strict subset of \S+. (Same fix subsumes the earlier change
    that added _ to cover JWT signatures.)
  • The basic-auth-url scheme allowlist now covers
    http(s) / ws(s) / ftp / sftp / ssh / postgres(ql) / mysql /
    mariadb / mongodb(+srv) / mssql / sqlserver / snowflake /
    redis(s) / amqp(s) / kafka(+ssl) / clickhouse / smtp(s) /
    ldap(s) / nats. The match is also case-insensitive (RFC 3986
    declares schemes case-insensitive), so HTTPS://user:pw@host
    no longer bypasses redaction.
  • The llm-vendor-key pattern now catches OpenAI ("sk-..."),
    Anthropic ("sk-ant-..."), and Google Gemini ("AIza..." with 35
    trailing chars). Without Gemini coverage, a Gemini API key in
    an observability payload would be exfiltrated to the very
    provider that issued it.

  Docstring scopes the redactor explicitly to LLM input. Tests
  cover each new shape, the JWT-with-underscore regression, the
  opaque-bearer-with-: / % regressions, the uppercase-scheme
  bypass, and the Gemini key shape.

• 9d5f14f: feat: Add custom onClick field to external dashboards API

• 88b2b64: fix: use block_number/block_offset to uniquely identify log rows

• Updated dependencies [a5294f8]

• Updated dependencies [eb16df4]

• Updated dependencies [24699cd]

• Updated dependencies [143f7a7]

• Updated dependencies [f6a1d02]

• Updated dependencies [aa1a852]

• Updated dependencies [022fe89]

• Updated dependencies [7d7269a]

• Updated dependencies [41395ca]

• Updated dependencies [41395ca]

• Updated dependencies [41395ca]

• Updated dependencies [d3a5a57]

• Updated dependencies [5c6da48]

• Updated dependencies [ef571cc]

• Updated dependencies [c2a9f96]

• Updated dependencies [a36c5b1]

• Updated dependencies [9d5f14f]

• Updated dependencies [401dff5]

  • @hyperdx/common-utils@0.19.0

@hyperdx/app@2.25.0

Minor Changes

• eb16df4: Add ability to disable data sources with improved UX

• 143f7a7: feat: Add per-series number formats

• 7d7269a: feat: introducing rollup and source support for full autocomplete

• 4cc5eb3: Add support for increase aggFn on sum counter metrics and rewrite sum metric rate computation to fix correctness issues.

• d3a5a57: feat: add optional note field to alerts

  Adds a freeform note/reason field to alerts that supports markdown formatting,
  allowing on-call responders to document why an alert exists, threshold decision
  history, and links to runbooks.

  • New note field on the Alert model (optional, max 4096 chars, supports
    markdown)
  • Note textarea in both the saved-search alert modal and the dashboard tile
    alert editor
  • Notes displayed on the /alerts page in a collapsible section (hidden by
    default) with full markdown rendering
  • Alert tabs in the saved-search modal show a red bell firing indicator
    alongside the webhook channel icon, matching the AlertStatusIcon pattern
    used on dashboard tiles and the app nav
  • The Alerts button on the search page shows a red bell icon when at least one
    alert in the saved search is firing
  • External API v2 updated with note field in OpenAPI docs

• 5c6da48: refactor(alerts/search): consolidate the saved-search → chart-config builder
  into a single shared helper, buildSearchChartConfig, in
  @hyperdx/common-utils/core/searchChartConfig.ts. The app search page, the
  alert preview chart, and the scheduled alert task's SAVED_SEARCH branch now
  all route through it, so tableFilterExpression, implicitColumnExpression,
  sample-weight expressions, SELECT precedence, and the count() default
  SELECT shape are applied identically by construction.

  Behavior fixes that fall out of consolidation:

  • The alert task and the alert preview now apply source.tableFilterExpression
    on Log sources, matching what the search page already did.
  • A latent bug in the search-page builder is fixed: a non-null filters
    array no longer silently drops the tableFilterExpression SQL filter via
    spread-overwrite.

• a50db92: fix(security): redact sensitive fields from internal webhook API responses

  The GET /api/webhooks endpoint now masks webhook URLs (<origin>/****) and
  redacts header and query parameter values (keys preserved, values replaced with
  ****), preventing team members from retrieving secrets configured by others.

  The PUT handler merges redacted markers back to stored values so editing a
  webhook without re-entering secrets preserves the originals. Changing the URL
  while preserving masked secrets is rejected to prevent exfiltration.

  GET /api/webhooks, POST /api/webhooks, and PUT /api/webhooks/:id
  responses now return masked values for url, headers, and queryParams
  instead of plaintext secrets.

• ef571cc: feat: heatmap charts in chart editor and dashboards

  • Heatmap is now a selectable display type in the chart editor tabs
  • Dashboard tiles render heatmaps via the shared DBHeatmapChart component
  • Heatmap source picker restricted to trace sources; value/count expressions auto-populate from the source's duration expression
  • Display Settings drawer (scale, value, count) shared across search Event Deltas, chart editor, and dashboards
  • Click a dashboard heatmap tile to open Event Deltas with source, where clause, filters, and time range preserved
  • Dynamic Y-axis sizing measures formatted tick labels so long labels (e.g. "1.67min") are not clipped

Patch Changes

• a5294f8: fix: prevent false "data source not set" error on markdown dashboard tiles

• 24699cd: fix: Infer singular quantileXXX() from MV quantilesXXXState()

• 4e9caec: Support per-signal OTLP exporter endpoints for Hyperdx internal telemetry

• 32b38c3: fix: ClickStack switch checked-state color not applying theme tokens

• 29586e7: Enable end-to-end PR testing on Vercel previews by inlining the Express API into the Next.js /api/[...all] serverless function (opt-in via HDX_PREVIEW_INLINE_API=true). Production deploys (Docker fullstack image, standalone Next output) are unchanged — they keep proxying /api/* to the separately-deployed API service.

  Also realigns clickhouseProxy.ts with the upstream EE implementation (modulo CHC and RBAC code paths): query params are now parsed from the request URL via validateAndSanitizePath() + URL.searchParams instead of req.query, which fixes a Setting all is neither a builtin setting nor started with the prefix 'custom_' regression on Vercel previews where Next.js's [...all] catch-all route polluted req.query. Adds path-injection hardening, POST-only enforcement, and exposes X-ClickHouse-Mixed-Response / X-ClickHouse-Service-Unavailable response headers for the browser ClickHouse client.

• 6811ea0: fix: numbers from filters bar was always showing 0 instead of the count

• 3af4e92: Standardize query param libraries

• c2a9f96: feat: Add more dashboard onClick linking options

• a36c5b1: feat: Add filter templating to custom dashboard on-click

• 6dc5d01: fix: Ensure search histogram count matches result table count

• 401dff5: feat: Support import/export for dashboard onClicks

• 88b2b64: fix: use block_number/block_offset to uniquely identify log rows

• Updated dependencies [a5294f8]

• Updated dependencies [eb16df4]

• Updated dependencies [24699cd]

• Updated dependencies [143f7a7]

• Updated dependencies [f6a1d02]

• Updated dependencies [aa1a852]

• Updated dependencies [4d22d4b]

• Updated dependencies [fecbfff]

• Updated dependencies [022fe89]

• Updated dependencies [7d7269a]

• Updated dependencies [4cc5eb3]

• Updated dependencies [41395ca]

• Updated dependencies [41395ca]

• Updated dependencies [41395ca]

• Updated dependencies [41395ca]

• Updated dependencies [41eefec]

• Updated dependencies [d3a5a57]

• Updated dependencies [5c6da48]

• Updated dependencies [29586e7]

• Updated dependencies [a50db92]

• Updated dependencies [ef571cc]

• Updated dependencies [1c73d0c]

• Updated dependencies [694e3c9]

• Updated dependencies [eb7fdb4]

• Updated dependencies [c2a9f96]

• Updated dependencies [a36c5b1]

• Updated dependencies [9d5f14f]

• Updated dependencies [401dff5]

• Updated dependencies [88b2b64]

  • @hyperdx/common-utils@0.19.0
  • @hyperdx/api@2.25.0

@hyperdx/common-utils@0.19.0

Minor Changes

• eb16df4: Add ability to disable data sources with improved UX

• 143f7a7: feat: Add per-series number formats

• 7d7269a: feat: introducing rollup and source support for full autocomplete

• d3a5a57: feat: add optional note field to alerts

  Adds a freeform note/reason field to alerts that supports markdown formatting,
  allowing on-call responders to document why an alert exists, threshold decision
  history, and links to runbooks.

  • New note field on the Alert model (optional, max 4096 chars, supports
    markdown)
  • Note textarea in both the saved-search alert modal and the dashboard tile
    alert editor
  • Notes displayed on the /alerts page in a collapsible section (hidden by
    default) with full markdown rendering
  • Alert tabs in the saved-search modal show a red bell firing indicator
    alongside the webhook channel icon, matching the AlertStatusIcon pattern
    used on dashboard tiles and the app nav
  • The Alerts button on the search page shows a red bell icon when at least one
    alert in the saved search is firing
  • External API v2 updated with note field in OpenAPI docs

• 5c6da48: refactor(alerts/search): consolidate the saved-search → chart-config builder
  into a single shared helper, buildSearchChartConfig, in
  @hyperdx/common-utils/core/searchChartConfig.ts. The app search page, the
  alert preview chart, and the scheduled alert task's SAVED_SEARCH branch now
  all route through it, so tableFilterExpression, implicitColumnExpression,
  sample-weight expressions, SELECT precedence, and the count() default
  SELECT shape are applied identically by construction.

  Behavior fixes that fall out of consolidation:

  • The alert task and the alert preview now apply source.tableFilterExpression
    on Log sources, matching what the search page already did.
  • A latent bug in the search-page builder is fixed: a non-null filters
    array no longer silently drops the tableFilterExpression SQL filter via
    spread-overwrite.

Patch Changes

• a5294f8: fix: prevent false "data source not set" error on markdown dashboard tiles

• 24699cd: fix: Infer singular quantileXXX() from MV quantilesXXXState()

• f6a1d02: Add support for event patterns in MCP server, reduce code duplication

• aa1a852: feat: adds optimization for lucene rendering based on a keyvalue concatenated Array(String)

• 022fe89: Fix issue with incorrect cache key being set in settings queries in nodejs

• 41395ca: External Dashboards API: tighten validation around container/tab references
  on the v2 dashboards routes.

  • Cap tile containerId and tabId at 256 characters to mirror the
    internal DashboardContainer schema and the DASHBOARD_CONTAINER_ID_MAX
    constant, now exported from @hyperdx/common-utils.
  • Cap a single dashboard payload at 500 tiles via the new
    DASHBOARD_MAX_TILES constant to keep one request from pushing tens of
    MB into Mongo.
  • Treat empty-string containerId / tabId on legacy Mongo docs as
    absent on read, so dashboards predating the containers feature still
    round-trip through the external schema's min(1) cap.
  • Extract the cross-tile container/tab consistency check into a shared
    validateDashboardContainersConsistency helper so the canonical
    schema and the request body schema agree on what a valid payload is.
  • OpenAPI now publishes the matching maxLength and maxItems bounds
    on DashboardContainer.id, DashboardContainerTab.id, the
    containers array, and the request tiles array.

• 41395ca: External Dashboards API: fix PUT round-trip when the request body omits
  containers, and self-heal orphan containerId / tabId references on
  read.

  • Move tile-level container/tab reference resolution out of the request
    body schema and into the POST and PUT handlers, so a PUT whose
    body omits containers validates tile refs against the existing
    dashboard's containers (the documented "preserve on omit" branch)
    rather than against an empty fallback. Without this, a PUT that
    changes only tiles while keeping a tile homed in a real preserved
    container was rejected with Tile references unknown containerId.
  • Split the shared validation helper into a structure-only pass
    (validateDashboardContainersStructure) and a tile-ref pass
    (validateDashboardTileContainerRefs) on
    @hyperdx/common-utils. The composite
    validateDashboardContainersConsistency now wraps both, so existing
    callers keep their current behavior.
  • On read, drop tile.containerId / tile.tabId when the ref does not
    resolve to a container (or tab) in the same dashboard. A pre-existing
    doc with an orphan ref now round-trips on GET as if the ref were
    absent, so the next PUT validates instead of failing with
    Tile references unknown containerId. Each drop is logged with the
    dashboard id, tile id, and the offending ref.
  • Document in the OpenAPI PUT /api/v2/dashboards/{id} description that
    the endpoint does not support optimistic concurrency. Concurrent PUTs
    may silently overwrite each other; clients should serialize edits to
    a given dashboard.

• 41395ca: Internal refactor: move validateDashboardContainersStructure and
  validateDashboardTileContainerRefs (and their two helper types) out
  of @hyperdx/common-utils/dist/types into a new
  @hyperdx/common-utils/dist/dashboardValidation module. The types
  file now only contains types and type guards, matching the rest of the
  codebase. The previously exported validateDashboardContainersConsistency
  composite was only used by its own unit test and is dropped; production
  code in the v2 dashboards router uses the two underlying helpers
  directly. No behaviour change for callers of the external API.

• ef571cc: feat: heatmap charts in chart editor and dashboards

  • Heatmap is now a selectable display type in the chart editor tabs
  • Dashboard tiles render heatmaps via the shared DBHeatmapChart component
  • Heatmap source picker restricted to trace sources; value/count expressions auto-populate from the source's duration expression
  • Display Settings drawer (scale, value, count) shared across search Event Deltas, chart editor, and dashboards
  • Click a dashboard heatmap tile to open Event Deltas with source, where clause, filters, and time range preserved
  • Dynamic Y-axis sizing measures formatted tick labels so long labels (e.g. "1.67min") are not clipped

• c2a9f96: feat: Add more dashboard onClick linking options

• a36c5b1: feat: Add filter templating to custom dashboard on-click

• 9d5f14f: feat: Add custom onClick field to external dashboards API

• 401dff5: feat: Support import/export for dashboard onClicks

@hyperdx/otel-collector@2.25.0

Minor Changes

• aaba3e9: feat: new optimized otel schema based on weeks of benchmarks.

  The Primary Key is now grouped by toStartOfFiveMinutes. At extremely large
  data sizes, it may be helpful to reduce granularity to 1 minute instead of 5.
  Bloom Filter indexes can be used instead, but full text search performs better
  across the board. Additionally, tests show that TimestampTime is effectively
  not necessary, which is especially true with data grouped by 5 minute
  boundaries by default.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ready	Preview, Comment	May 13, 2026 8:40pm