To be clear, I’m talking about hapi, and not about dropping @hapi/hapi.

Starting with v17.9.0 and v18.2.0 the name changed from ‘hapi’ to ‘@hapi/hapi’. hapi (the old one) is deprecated, obsolete, unmaintained and has known major security issues. IIUC it is coming up on two years being so. https://github.com/hapijs/hapi/issues/4114 provides some details. Anything before @hapi/hapi@20 is in this “deprecated, …” group.

% npm ci
npm WARN deprecated hapi@18.1.0: This version contains severe security issues and defects and should not be used! Please upgrade to the latest version of @hapi/hapi or consider a commercial license (https://github.com/hapijs/hapi/issues/4114)
...

There are maintenance and testing costs to continuing to support it. The monstrous .tav.yml block hints at some of the complexity: https://github.com/elastic/apm-agent-nodejs/blob/a289d4428c2c1ac3a57b0767794cb28e928c1da4/.tav.yml#L408-L464

Also, note there are lingering minor issues:

• https://github.com/npm/cli/issues/2267 is an old unfixed issue with npm install and older versions of hapi (versions that we do currently install and test in our TAV tests)
• The old ‘hapi’ packages used npm-shrinkwrap, which results in “extraneous” package entries in package-lock.json for npm versions before v8.6 (the default in node v16). So ‘hapi’ will be a contributor to noise in our package-lock updates.

open questions

• Do we drop it now, or do we wait for a major version bump of the agent?