feat!: update http-proxy-middleware v3, remove bypass and path options

[chenjiahan]

Summary

This PR upgrades http-proxy-middleware to v3 and removes legacy proxy compatibility paths in @rspack/dev-server.

Breaking Changes

1. Removed deprecated proxy[].bypass support

   • The dev-server no longer executes or accepts bypass.
   • Requests now follow standard proxy matching/forwarding only.

2. Removed legacy proxy[].path support

   • The legacy path option is no longer supported in proxy items.
   • Use pathFilter (or context alias) instead.

3. Aligned with http-proxy-middleware v3 API

   • v2-style options/events are no longer supported by this upgrade path (e.g. logLevel, logProvider, top-level proxy event callbacks).
   • Use v3-style logger and on: { ... } event hooks.

Migration Notes

• Replace:
  • bypass -> pathFIlter or router
  • path -> pathFilter.
  • logLevel / logProvider -> logger.
  • onProxyReq, onProxyReqWs, etc. -> on: { proxyReq, proxyReqWs, ... }.

Ref

https://github.com/chimurai/http-proxy-middleware/blob/master/MIGRATION.md

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the http-proxy-middleware dependency to its major version 3, necessitating significant adjustments to how proxy configurations are handled. The changes primarily involve adapting to the new API for defining proxy routes, configuring logging, and structuring event handlers, ensuring compatibility and leveraging the latest features of the updated library.

Highlights

• Dependency Upgrade: The http-proxy-middleware package has been upgraded to version 3.0.5 from 2.0.9, introducing breaking changes and new API patterns.
• Proxy Configuration API Changes: The bypass and path options have been removed from proxy configurations, aligning with the new http-proxy-middleware v3 API. The context option now serves as an alias for pathFilter.
• Logging Configuration Update: The proxy logging mechanism has been updated to use the logger option directly, replacing the previous logLevel and logProvider functions.
• Event Handler Structure: Proxy event handlers like onProxyReqWs and onProxyReq are now nested under an on object within the proxy configuration, reflecting changes in the upstream library.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• package.json
  • Updated http-proxy-middleware dependency to version 3.0.5.
• pnpm-lock.yaml
  • Updated lockfile to reflect http-proxy-middleware version 3.0.5.
  • Adjusted http-proxy dependency resolution to include debug@4.4.3.
  • Removed is-plain-obj@3.0.0 and added is-plain-object@5.0.0.
  • Updated follow-redirects to include debug@4.4.3 as an optional dependency.
• src/server.ts
  • Removed the ByPass type import.
  • Refactored proxy logging logic to use the logger option directly, removing getLogLevelForProxy and logLevel handling.
  • Updated getProxyMiddleware function to remove bypass and path options, utilizing pathFilter and context for route matching.
  • Modified proxy middleware creation to pass proxyOptions directly to createProxyMiddleware.
  • Removed the deprecated bypass function logic from the middleware chain.
  • Updated deprecation message for invalid proxy configurations.
• src/types.ts
  • Removed the ByPass type definition.
  • Removed path and bypass properties from ProxyConfigArrayItem.
  • Added JSDoc documentation for the context property, clarifying its role as an alias for pathFilter.
• tests/e2e/allowed-hosts.test.js
  • Updated proxy configurations in tests to use logger: console instead of logLevel: 'warn'.
  • Modified onProxyReqWs and onProxyReq callbacks to be nested under an on object, aligning with http-proxy-middleware v3 API.
• tests/e2e/web-socket-server-url.test.js
  • Updated proxy configurations in tests to use logger: console instead of logLevel: 'warn'.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

Updates the dev-server’s proxy integration to align with http-proxy-middleware v3, removing deprecated/removed proxy options (bypass, path) and updating affected E2E tests accordingly.

Changes:

• Bump http-proxy-middleware from ^2.0.9 to ^3.0.5 (and lockfile updates).
• Migrate proxy configuration usage from logLevel/onProxyReqWs to logger/on.{...} where required by v3.
• Remove dev-server support/types for legacy bypass and path proxy options; adapt server proxy middleware creation to pathFilter.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/e2e/web-socket-server-url.test.js	Updates proxy middleware options for v3 (logger instead of logLevel).
tests/e2e/allowed-hosts.test.js	Updates proxy middleware options & event hooks to v3-style on + logger.
src/types.ts	Removes bypass/path typing; documents context as an alias for pathFilter.
src/server.ts	Adjusts default proxy logger wiring and proxy middleware instantiation for v3 (pathFilter + logger).
package.json	Updates http-proxy-middleware dependency to ^3.0.5.
pnpm-lock.yaml	Lockfile changes reflecting the dependency upgrade and new transitive deps.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gemini-code-assist]

Code Review

This pull request updates http-proxy-middleware to version 3, refactoring the proxy configuration logic and removing deprecated options like bypass and path. A security vulnerability has been identified in the new deprecation warning logic. Sensitive proxy configuration details, including authentication credentials and headers, could be exposed in console logs due to the stringification of the entire configuration object when an invalid configuration is detected. Please address this potential information leakage.

[gemini-code-assist]

This logic to set a default logger is redundant. A similar check exists in getProxyMiddleware (lines 1900-1902), which handles all proxy configurations (both objects and functions). To centralize the logic and avoid duplication, this block can be removed. In fact, the entire if (typeof options.proxy !== 'undefined') block from line 1167 to 1179 can be removed as this is its only effective operation.