fix: use WeakRef for storing req and res for AppSec

[BridgeAR]

This fixes a memory leak by making sure the exposed req and res of
http are not hold onto strongly.
It does that by skipping adding these to the store, if not needed
as well as creating a WeakRef when it is needed. That way AppSec
still has access to these as long as the request is alive.

Router now also uses a WeakMap for the context to prevent any hard
references and the parent store in http server is refactored next
to using private properties and adding some types.

Fixes: #6389

[codecov]

Codecov Report

❌ Patch coverage is 84.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.13%. Comparing base (971bdd5) to head (8ae52ce).

Files with missing lines	Patch %	Lines
packages/dd-trace/src/plugins/plugin.js	0.00%	3 Missing ⚠️
packages/datadog-plugin-router/src/index.js	95.23%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7276      +/-   ##
==========================================
- Coverage   85.14%   77.13%   -8.02%     
==========================================
  Files         532      526       -6     
  Lines       22897    22733     -164     
==========================================
- Hits        19495    17534    -1961     
- Misses       3402     5199    +1797     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Overall package size

Self size: 4.41 MB
Deduped: 5.24 MB
No deduping: 5.24 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 2.0.0 | 68.46 kB | 797.03 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[datadog-datadog-prod-us1]

⚠️ Tests

✨ Fix all issues with Cursor

⚠️ Warnings

🧪 2815 Tests failed

tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints.test_sampling_delay[express4] from system_tests_suite (Datadog) (Fix with Cursor)

assert None is not None

self = <tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints object at 0x7f4d386f6960>

    def test_sampling_delay(self):
        assert self.request1.status_code == 200
        schema1 = get_schema(self.request1, "req.headers")
>       assert schema1 is not None
E       assert None is not None

...

tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints.test_sampling_delay[express4-typescript] from system_tests_suite (Datadog) (Fix with Cursor)

assert None is not None

self = <tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints object at 0x7f11b0550440>

    def test_sampling_delay(self):
        assert self.request1.status_code == 200
        schema1 = get_schema(self.request1, "req.headers")
>       assert schema1 is not None
E       assert None is not None

...

tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints.test_sampling_delay[express5] from system_tests_suite (Datadog) (Fix with Cursor)

assert None is not None

self = <tests.appsec.api_security.test_apisec_sampling.Test_API_Security_Sampling_Different_Endpoints object at 0x7f624ec1c7a0>

    def test_sampling_delay(self):
        assert self.request1.status_code == 200
        schema1 = get_schema(self.request1, "req.headers")
>       assert schema1 is not None
E       assert None is not None

...

View all

ℹ️ Info

❄️ No new flaky tests detected

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8ae52ce | Docs | Datadog PR Page | Was this helpful? Give us feedback!}

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-01-20 00:18:25

Comparing candidate commit 8ae52ce in PR branch BridgeAR/2026-01-19-fix-6389 with baseline commit 971bdd5 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 233 metrics, 27 unstable metrics.