Node.js agent release notes
Release date: December 12, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
Handle TeamServer 4xx error codes according to spec. (NODE-3638)
Protect should use async-hook-domain exclusively. (NODE-3674)
Research deadzoning mssql query serialization. (NODE-3579)
Bug fixes:
Fix release-operator integration. (NODE-3681)
Release date: November 22, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
ADR Licensing - Reporting. (NODE-3605)
Implement remaining architecture components for FlowMap. (NODE-2793)
Publish hostname and container detection - server inventory. (NODE-3639)
Patching: audit package version ranges to not break on new versions. (NODE-3642)
Update Protect sources to instrument router. (NODE-3648)
Update Protect error handler to instrument router. (NODE-3649)
Remove argument from protect.getSourceContext() calls. (NODE-3660)
Raise the log level to WARN for API tokens overridden by legacy keys. (NODE-3661)
Fix the log-file overwriting problem. (NODE-3667)
Bug fixes:
Report headers for Protect events as object not array. (NODE-3662)
Syslog metadata string is malformed. (NODE-3668)
Release date: November 6, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
Preview functionality for Express 5 for Assess mode. (NODE-3644, NODE-3645, NODE-3646)
Bug fixes:
Do not report unsampled requests as missing source context for Assess in production. (NODE-3659)
Release date: October 30, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
Research Assess sampling as function of routes observed. (NODE-3597)
Improved support for mongodb 6 driver aggregate functions. (NODE-3614)
Release date: October 22, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
Programmatic deadzones for the bunyan logging module. (NODE-3427)
Research/Implement - Replace use of npm ls in library reporting. (NODE-3599)
Replace npm for library reporting - Distroless support. (NODE-3619)
Programmatic deadzones for log4js logging module. (NODE-3636)
Add max version for Express instrumentation. (NODE-3641)
Release date: October 17, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
Note
Node.js 5.18.0 is deprecated. Node.js 5.18.1 contains all the features released in Node.js 5.18.0.
New and improved:
Add perf to all entrypoints. (NODE-3602)
Release date: October 16, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
Note
Node.js 5.18.0 is deprecated. Node.js 5.18.1 contains all the features released in Node.js 5.18.0.
New and improved:
The agent now uses the new v1.0 Agent Startup endpoint. (NODE-3390)
Added trace-level logging to route coverage. (NODE-3566)
Updated safe hash libraries to include cookie-signature. (NODE-3558)
Bug fixes:
Fixed an issue where the rewriter throws an error when a .swcrc file specifies jsc.target. (NODE-3640)
Release date: September 27, 2024
Language versions currently supported: 16, 18, 20, and 22 LTS
New and improved:
Added support for Node.js LTS 22.
Added Mongoose query parameter sanitization and validation. (NODE-3565)
Increased event count on core.messages. (NODE-3627)
Release date: September 26, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Updated the Audit agent readme file on npm to make sure it's accurate. (NODE-3548)
Bug fixes:
Fixed audit and extraneous dependencies. (NODE-3601)
Release date: September 16, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
The Node.js agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (NODE-3522)
Note
Contrast TeamServer is not yet adding the token to the downloadable agent configuration file.
Added a new Assess stacktraces configuration option for SINK. (NODE-3591)
Release date: August 27, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
This release includes a preview of Node 22 LTS support. This feature is not yet officially supported.
Added support for crypto.createCipher. (NODE-3533)
Added fs.glob and fs.globSync to FS_METHODS. (NODE-3541)
Bug fixes:
Refactored Fastify route coverage to avoid dep-hooks ESM bug. (NODE-3563)
Fixed rewrite-is-deadzoned.js. (NODE-3572)
Updated the CSP rule. (NODE-3582)
Fixed an issue with semver v7.6 that broke range deadzoning. (NODE-3585)
Release date: August 15, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed a path-traversal false positive that @fastify/static@7 reported. (NODE-3549)
Remediated CVE-2024-39338 by bumping the Axios package. (NODE-3567)
Release date: August 1, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implemented Phase 1 of support for Node.js v5 deadzones. (NODE-3360)
A deadzone is a mechanism that lets the agent skip instrumentation of a specific module or function.
Added logging for the inappropriate use of the node -r preload flag. (NODE-3481)
Bug fixes:
Fixed a duplication issue in preflight messages. (NODE-3476)
Fixed an issue where the agent did not report routes that were not exercised. (NODE-3548)
Fixed an issue with telemetry reporting. (NODE-3554)
Release date: July 30, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Updated the agent to use programmatic deadzones for bcrypt modules. (NODE-3424)
Release date: July 18, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next
Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest>. This new process lets you preview and test new features, and lets you review the release notes for what will soon be tagged as <latest>.
Improved the release process to push the agent with the <next> tag to npm. (NODE-3507)
The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).
This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.
The agent now sends cloud resource identifiers to Contrast. (NODE-3493)
The agent now retrieves GCP resource identifiers. (NODE-3503)
Bug fixes:
Fixed an Express.response.push error shown in the log. (NODE-3532)
Release date: July 15, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Improved the npm README documentation for @contrast/distringuish. (NODE-3517)
The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.
This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.
Refactored route coverage for Fastify. (NODE-3483)
Added route coverage support for Koa nested routers. (NODE-3484)
Refactored route coverage integration tests. (NODE-3443)
Audited and refactored route signatures. (NODE-3444)
When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.
The agent now retrieves the AWS Resource Identifier when you configure it to do so. (NODE-3491, NODE-3492)
Added the X-Contrast-Reporting-Instance header to Contrast communication. (NODE-3502)
Added a feature flag to disable resource identification. (NODE-3513)
The agent now auto-detects the cloud provider for resource identifier detection. (NODE-3518)
Bug fixes:
Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)
Release date: July 8, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)
Release date: June 27, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)
Release date: June 21, 2024
Language versions currently supported: 16, 18, and 20 LTS
Important
This release now provides official support for HTTP/2.
New and improved:
Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.
Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.
Fixed node-require-hook on Windows.
Bug fixes:
HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)
Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)
MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)
Reduced event listeners from pg arch-component instrumentation. (NODE-3489)
crypto-analysis did not ignore case when checking algorithms. (NODE-3495)
npm detection fails with a space in path. (NODE-3497)
Release date: August 20, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
Bug fixes:
Remediated CVE-2024-39338 by bumping the Axios package.
Release date: June 21, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
Bug fixes:
npm detection fails with a space in path. (NODE-3497)
Release date: June 17, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
Bug fixes:
Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)
Release date: June 12, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.
Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).
Installed modules should throw errors when needed and not accumulate in _errors[].
Implemented validation logic in the module where the validation is required to correctly function.
Updated security logger escaping to match updated CEF guide specification.
Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).
Bug fixes:
Fixed URLSearchParams.toString(). (NODE-3332)
Added source map chaining. (NODE-3442)
Release date: May 31, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Deprecated Node 14 for v5.
The existing @contrast/common functions have been replaced with more performant and self-documenting functions.
Release date: May 22, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)
Release date: May 22, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
API keys are not redacted when the reporter throws an error. (NODE-3458)
Release date: May 21, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
The use of inspect during event creation was causing problems. (NODE-3451)
Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)
Release date: May 21, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed express route observation bug. (NODE-3453)
Release date: May 20, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Express route coverage will handle middleware defined in an array.
Release date: May 15, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Removed effective configuration enable flag so that agent always reports it to Teamserver.
Added a warning when the agent detects users attempting to set the config file location with the -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.
Implemented Restify route discovery and observation.
Added initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.
Release date: May 7, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Incoming message header handling is not correct. (NODE-3396)
Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)
TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)
Release date: May 1, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Add timer.unref() to code-events setCodeEventListener() for v4.
Release date: April 29, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Support for Input and URL exclusions when running version 5.x agent.
Provided Protect specific CLI Rewriter option.
Bug fixes:
Route coverage error when express route registered with array of paths. (NODE-3380)
v5 agent does not properly handle archived apps. (NODE-3384)
Fix Fastify route coverage prefix bug. (NODE-3403)
Unwriting anonymous classes fails. (NODE-3406)
Release date: April 17, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.
Release date: April 16, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implement rewriter cache for ESM loader hooks.
Add additional rewrite-deadzones.
Release date: March 29, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implemented improvements to string.prototype.split() tracking.
Release date: March 28, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).
Release date: March 26, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)
Release date: March 25, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Initial support for application code rewrites caching for version 5.x agent.
Release date: March 20, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Added hapi 21 framework support for Assess and Protect.
Stopped reporting of the library manifest on application updates.
Componentized ESM hooks and have them follow normal compose/install patterns.
Updated agent README for modern Node versions.
Bug fixes:
Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)
Release date: March 6, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
JSON.parse will throw an exception if captured key/value indices are inaccurate. (NODE-3344)
Release date: March 5, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
URL parse propagator doesn't support parseQueryString flag. (NODE-3340)
string.replace not handling some special character replacements properly. (NODE-3341)
Dot entrypoint syntax no longer works. (NODE-3343)
Release date: February 16, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Replaced parent-package-json in deps.
Bug fixes:
Some configuration fields not redacted in configuration logging. (NODE-3339)
Release date: February 13, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.
Bug fixes:
UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)
Release date: February 8, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Reflected-XSS not reporting when res.send is called. (NODE-3334)
Release date: February 6, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Added runner-tap usability fixes.
Release date: February 2, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Setting the server or application name in a non-English language causes errors. (NODE-3333)
Release date: February 2, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Minimized new agent's ESM dual initialization costs.
Updated Axios client.
Bug fixes:
Fix to Juice Shop 16 not working with the new agent. (NODE-3323)
Release date: January 29, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)
Release date: January 23, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Removal of the Contrast Service (SpeedRacer).
Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.
Support for running Assess and Protect concurrently.
Ability to toggle the mode of Protect rules without a restart.
Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.
Library reporting with ECU/ELU when running Protect (library reporting in production).
Effective configuration reporting to ContrastUI.
devDependencies not published to npm - reduced FP CVE findings.
Structured logging using pino.
Ability to change the agent logging level from the ContrastUI without an application restart.
Log request latency (ns) at DEBUG level for every request.
Route observability/coverage with normalized URI for deduplication.
Faster rewrite at startup using SWC.
Supports SuperTest API Testing framework npm: supertest.
Supports Frisby API testing framework npm: frisby.
Support for String.prototype.matchAll() propagation.
Observed routes are reported to ContrastUI on application startup without requiring exercising a route.
ESM applications supported. Support for loading/running the agent using:
node --loader @contrast/agent app.mjs for Node.js 16 LTS
node --import @contrast/agent app.mjs for Node.js 18.9.0, 20.9.0 and later (LTS)
node --require @contrast/agent app.js for all versions not using ESM
The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS): node --import @contrast/agent app.js
See npm for more.
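The three launch forms above depend on the Node.js version and on whether the entry point is ESM. The following POSIX shell helper, an added example rather than Contrast's own tooling, encodes that selection so a container entrypoint or CI script can pick the right preload flag. It assumes the entry file's .mjs extension is what marks it as ESM (a simplification; a package.json with "type": "module" also makes .js files ESM) and treats an ESM entry on any version before --import became available the same way the notes treat Node.js 16, that is, with --loader.

```shell
#!/bin/sh
# Added example (not Contrast's own code): choose the agent preload flag
# from the rules in the release notes:
#   --import  : Node.js 18.9.0+, 20.9.0+ (and newer majors), ESM or CJS
#   --loader  : ESM entry point on a version without --import (notes say 16 LTS;
#               applying it to 18.0-18.8 / 20.0-20.8 is an assumption here)
#   --require : any CJS entry point on a version without --import
#
# agent_flag "<node version, e.g. v20.11.0>" "<entry file>"  -> prints the flag
agent_flag() {
  ver="${1#v}"            # strip leading "v" from `node --version` output
  entry="$2"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"

  # ESM detection by extension only (assumption, see lead-in)
  case "$entry" in
    *.mjs) esm=1 ;;
    *)     esm=0 ;;
  esac

  if [ "$major" -ge 21 ] \
     || { [ "$major" -eq 20 ] && [ "$minor" -ge 9 ]; } \
     || { [ "$major" -eq 18 ] && [ "$minor" -ge 9 ]; }; then
    echo "--import"
  elif [ "$esm" -eq 1 ]; then
    echo "--loader"
  else
    echo "--require"
  fi
}

# agent_command "<node version>" "<entry file>" -> prints the full launch line
agent_command() {
  printf 'node %s @contrast/agent %s\n' "$(agent_flag "$1" "$2")" "$2"
}

# Stand-alone usage: NODE_VERSION and ENTRY are overridable; defaults are
# constructed sample values, not taken from the notes.
agent_command "${NODE_VERSION:-v20.9.0}" "${ENTRY:-app.mjs}"
```

Run it as `NODE_VERSION="$(node --version)" ENTRY=app.mjs sh pick-flag.sh` to print the launch line for the local runtime; on Node.js 18.9.0 or newer it always prints the --import form, which the notes describe as the one directive that covers both ESM and CJS.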
Release date: January 30, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Updated Axios.
Tweaks for the build.
Release date: January 5, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Improved logging when there are npm failures.
Updated copyright text in files to reflect the new year.
Bug fixes:
Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)
Release date: April 16, 2024
Language versions currently supported: 14, 16, 18, and 20 LTS
Important
Contrast Protect is deprecated as of release 5.20.6.
New and improved:
Updated v4 and v5 pipelines for K8s agent-operator.
Deprecated @contrast/protect-agent.
Added v4 section to README.
Bug fixes:
UI reporter v1 routes do not respect proxy configuration. (NODE-3338)
Update test bench Dockerfiles. (NODE-3350)