drop support for obsolete `hapi` package

[trentm]

To be clear, I'm talking about hapi, and not about dropping @hapi/hapi.

Starting with v17.9.0 and v18.2.0 the name changed from 'hapi' to '@hapi/hapi'.
hapi (the old one) is deprecated, obsolete, unmaintained and has known major security issues. IIUC it is coming up on two years being so. hapijs/hapi#4114 provides some details. Anything before @hapi/hapi@20 is in this "deprecated, ..." group.

% npm ci
npm WARN deprecated hapi@18.1.0: This version contains severe security issues and defects and should not be used! Please upgrade to the latest version of @hapi/hapi or consider a commercial license (https://github.com/hapijs/hapi/issues/4114)
...

There are maintenance and testing costs to continuing to support it. The monstrous .tav.yml block hints at some of the complexity:

apm-agent-nodejs/.tav.yml

Lines 408 to 464 in a289d44

	# hapi and @hapi/hapi
	# - Package name: Starting with v17.9.0 and v18.2.0 the name changed from
	# 'hapi' to '@hapi/hapi'.
	# - Node version compat:
	# - hapi@15: supports node >=v4; breaks on node v14 (usage of `os.tmpDir()`)
	# - hapi@16: supports node >=v4
	# - hapi@17, @hapi/hapi@17: supports node >=v8.12.0 (per its README);
	# the instrumentation changed significantly for this version
	# - hapi@18, @hapi/hapi@18: supports node >=v8.12.0 (per its README)
	# - @hapi/hapi@19: supports node >=v12 (judging from commit 50d8d7d)
	# - @hapi/hapi@20: appears (from travis template refs) to support node >=v12
	hapi-v9-v15:
	name: hapi
	versions: '>=9.0.1 <16.0.0'
	node: '>=4 <14'
	commands:
	- node test/instrumentation/modules/hapi/basic-legacy-path.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapi.test.js
	hapi-v16:
	name: hapi
	versions: '>=16.0.0 <17.0.0'
	node: '>=4'
	commands:
	- node test/instrumentation/modules/hapi/basic-legacy-path.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapi.test.js
	hapi-prenodev15:
	name: hapi
	versions: '>=17.0.0'
	node: '>=8.12.0 <15.0.0'
	commands:
	- node test/instrumentation/modules/hapi/basic-legacy-path.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapi.test.js
	hapi:
	name: hapi
	# Work around https://github.com/npm/cli/issues/2267 in npm@7.
	# Note: An alternative might be to just not test the "hapi" package with
	# node >= 15, given that "hapi" was deprecated before node v16.
	preinstall: rm -rf node_modules/hapi
	node: '>=15.0.0'
	versions: '>=17.0.0'
	commands:
	- node test/instrumentation/modules/hapi/basic-legacy-path.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapi.test.js
	'@hapi/hapi-v17-v18':
	name: '@hapi/hapi'
	versions: '>=17.0.0 <19.0.0'
	node: '>=8.12.0'
	commands:
	- node test/instrumentation/modules/hapi/basic.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapihapi.test.js
	'@hapi/hapi':
	name: '@hapi/hapi'
	versions: '>=19.0.0'
	node: '>=12'
	commands:
	- node test/instrumentation/modules/hapi/basic.test.js
	- node test/instrumentation/modules/hapi/set-framework-hapihapi.test.js

Also, note there are lingering minor issues:

• [BUG] 'npm install hapi@18.1.0' after 'npm install hapi@17.8.5' leads to broken hapi install npm/cli#2267 is an old unfixed issue with npm install and older versions of hapi (versions that we do currently install and test in our TAV tests)
• The old 'hapi' packages used npm-shrinkwrap, which results in "extraneous" package entries in package-lock.json for npm versions before v8.6 (the default in node v16). So 'hapi' will be a contributor to noise in our package-lock updates.

open questions

• Do we drop it now, or do we wait for a major version bump of the agent?

[trentm]

• which results in "extraneous" package entries in package-lock.json for npm versions before v8.6

I'm wrong about this being a "npm v8.6" difference. Using npm 8.10.0 locally I sometimes get the "extraneous" entries and sometimes not... depending on the exact npm install ... command used. Sigh.

[trentm]

Dependabot package-lock.json updates remove “extraneous” entries. Removing those entries results in npm install (with node v14’s npm v6) failing to install the ‘hapi’ package’s deps and tests fail. I think this is now the main motivator for dropping hapi. In a trade-off between testing old/obsolete 'hapi' vs. using dependabot for security and dep updates, I'll take dependabot.

[trentm]

In the team meeting, @estolfo suggested dropping testing of the obsolete "hapi" package for now, and defer dropping actual support for it until the next major. I think that sounds good. I will work on a PR to try that. If that works, I'll put this issue on the "next-major" milestone.

[estolfo]

And just make sure you document that the obsolete hapi package support is untested and deprecated so that users know they are using its instrumentation it at their own risk.

[trentm]

And just make sure you document that the obsolete hapi package support is untested and deprecated so that users know they are using its instrumentation it at their own risk.

Yup, that was done both in the changelog (https://github.com/elastic/apm-agent-nodejs/pull/2698/files#diff-cb0601935fcaac3fea29b215282428b964b8b6e1bd5a6b8c68e84d651633c9e3) and supported-technologies doc page (https://github.com/elastic/apm-agent-nodejs/pull/2698/files#diff-d2a92236665ca681fc14a4b85cb60e74bf3d25b42328ca2390fca53156100d25) of #2698