Node.js agent release notes

Added support for Node.js 20.5.0 and later.

Implemented session-configuration rules for express-session.

Track keys and parse different object types passed to URLSearchParams.

Improved require-hook logging.

Removal of the Contrast Service (SpeedRacer)

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Running Assess and Protect concurrently is supported

Library reporting with ECU/ELU when running Protect (library reporting in Production)

Effective configuration reporting to TeamServer

devDependencies not published to npm - reduced FP CVE findings

Structured logging using pino

Route observability/coverage with normalized URI for deduplication

Faster rewrite at startup using SWC

Supports vulnerability detection when API Testing with SuperTest npm: supertest

Support for String.prototype.matchAll() propagation (not supported in v4)

Audit v5 logging of PII.

Synchronization of Assess and Protect implementations when they differ.

Added HTTP logging to TeamServer communications.

Updated the rewriter to inject ContrastMethods.Function and support existing Protect input-tracing patches. (NODE-3100)

Agent v5 issues with the effective-config end-point. (NODE-3151)

Implemented propagation for JSON.parse

Implemented Session Configuration rules for Assess

Added support for the new major version (v 1.x.x.) of the libxmljs library. The library is instrumented to detect XXE vulnerabilities.

Fixed libxmljs that was not properly instrumented. (NODE-3121)

Fixed rewriter to avoid adding spurious trailing characters

Improved swc rewriter to be able to rewrite files with shebang comments

Added support for detecting sleep(x) type of SSJS attacks in MongoDB context

Added session_id to the effective configuration options

Added support for the MS SQL database driver for v5 Protect-only agent.

Added support for detecting nosql-injection attacks for MarsDB in Protect mode.

This release fixed a bug when receiving the nosql-injection rule settings from Contrast and the agent not respecting that setting.

security_logger is getting the correct default values.

NoSQL Injection Mongo - added support for $accumulator operator.

The RegExp now detects a vulnerable string with single and double quotes around the URI of the targeted file.

Bumped agent-lib version in Node agent v5 to v5.3.0.

NoSQL Injection Mongo - added support for $function operator.

Migrated shared hooks to instrumentation layer: http, https, http2, spdy.

Reduced code duplication in existing Protect hooks.

CVE-2022-46175 node-require-hook Prototype Pollution in JSON5 via Parse Method.

NODE_OPTIONS envrionment for pino worker-thread does not get cleared of --require @contrast/.... (NODE-2882)

Provided npx command to config-diagnostics and output results.

Fixed issue where @contrast/protect-agent does not install. (NODE-2803)

CVE-2022-46175 Prototype Pollution in JSON5 via Parse Method.

Internal Protect data structure changes.

Performance improvement for capturing stack traces. (NODE 2760)

Contrast Security Node.js Protect-only Agent. See npm: @contrast/protect-agent