
fix: limit memory leak to AppSec being enabled #7276

Merged
simon-id merged 8 commits into master from BridgeAR/2026-01-19-fix-6389
Feb 10, 2026

@BridgeAR BridgeAR commented Jan 19, 2026

This fixes a memory leak by making sure the exposed req and res of
http are not held onto strongly.
It does that by skipping adding these to the store, if not needed
as well as creating a WeakRef when it is needed. That way AppSec
still has access to these as long as the request is alive.

This limits an AppSec-specific memory leak to only surface in case AppSec
is enabled. That is just a stopgap to limit the impact on our users until we
have a proper fix that needs further rework.

Refs: #6389

Router now correlates the storeStacks to the correct middleware exit.
Before, these were expected to always be in order while multiple parallel
calls could potentially interfere with that and correlate wrong entries.
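
An added sketch of the two mechanisms described in the comment above; it is not code from this PR or from dd-trace-js. The names `createStore`, `getRequest` and `MiddlewareTracker` are hypothetical, and keying the stacks by the request object is an assumption.

```javascript
// Added illustration; all names here are hypothetical, not dd-trace-js APIs.

// Build the per-request store. req/res are only exposed when AppSec needs
// them, and then only through WeakRef so the store never keeps them alive.
function createStore (req, res, appsecEnabled) {
  const store = { startedAt: Date.now() }
  if (appsecEnabled) {
    store.req = new WeakRef(req)
    store.res = new WeakRef(res)
  }
  return store
}

// Consumer side: deref() returns undefined once the request was collected,
// and there is no req at all when AppSec is off, so callers handle both.
function getRequest (store) {
  return store.req?.deref()
}

// Middleware enter/exit correlation keyed by the request object (assumed key).
// A WeakMap entry goes away with its key, and each request owns its stack,
// so interleaved requests cannot pop each other's entries.
class MiddlewareTracker {
  #stacks = new WeakMap()

  enter (req, name) {
    let stack = this.#stacks.get(req)
    if (!stack) {
      stack = []
      this.#stacks.set(req, stack)
    }
    stack.push(name)
  }

  exit (req) {
    return this.#stacks.get(req)?.pop()
  }
}

// Constructed scenario: two requests interleave their middleware calls.
function interleaved () {
  const a = { url: '/a' }
  const b = { url: '/b' }
  const tracker = new MiddlewareTracker()
  tracker.enter(a, 'auth')
  tracker.enter(b, 'static')
  // A purely order-based stack would hand 'static' to a's exit.
  return [tracker.exit(a), tracker.exit(b), tracker.exit(a)]
}
```
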

codecov bot commented Jan 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.35%. Comparing base (e3344ae) to head (8614498).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #7276   +/-   ##
=======================================
  Coverage   80.34%   80.35%           
=======================================
  Files         731      731           
  Lines       31093    31105   +12     
=======================================
+ Hits        24981    24993   +12     
  Misses       6112     6112           

github-actions bot commented Jan 19, 2026

Overall package size

Self size: 4.58 MB
Deduped: 5.42 MB
No deduping: 5.42 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| import-in-the-middle | 2.0.6 | 81.92 kB | 813.08 kB |
| dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

This fixes a memory leak by making sure the exposed req and res of
http are not held onto strongly.
It does that by skipping adding these to the store, if not needed
as well as creating a WeakRef when it is needed. That way AppSec
still has access to these as long as the request is alive.

Router now also uses a WeakMap for the context to prevent any hard
references and the parent store in http server is refactored next
to using private properties and adding some types.

Fixes: #6389
@BridgeAR BridgeAR force-pushed the BridgeAR/2026-01-19-fix-6389 branch from ac69075 to 8ae52ce Compare January 20, 2026 00:09
pr-commenter bot commented Jan 20, 2026

Benchmarks

Benchmark execution time: 2026-02-09 00:53:19

Comparing candidate commit 8614498 in PR branch BridgeAR/2026-01-19-fix-6389 with baseline commit e3344ae in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 231 metrics, 29 unstable metrics.

class RouterPlugin extends WebPlugin {
static id = 'router'

#storeStacks = new WeakMap()
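
Review bot: the `#storeStacks = new WeakMap()` field has no comment saying which object is used as the key and what each value holds. Since the description states that entries are now correlated to the matching middleware exit rather than assumed to be in order, a one-line JSDoc naming the key and value types would let readers check that invariant, and would make it clear that the entry's lifetime is tied to that key.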
These changes are a nice to have, but unrelated to this PR and in the future it would be best to make those unrelated changes in another PR to avoid unnecessary noise.

@BridgeAR BridgeAR changed the title from "fix: use WeakRef for storing req and res for AppSec" to "fix: limit memory leak to AppSec being enabled" Feb 9, 2026
@BridgeAR BridgeAR marked this pull request as ready for review February 9, 2026 00:48
@BridgeAR BridgeAR requested review from a team as code owners February 9, 2026 00:48
@simon-id simon-id enabled auto-merge (squash) February 10, 2026 13:20
@simon-id simon-id merged commit 8e7b6ac into master Feb 10, 2026
859 of 862 checks passed
@simon-id simon-id deleted the BridgeAR/2026-01-19-fix-6389 branch February 10, 2026 13:21
@dd-octo-sts dd-octo-sts bot mentioned this pull request Feb 10, 2026