Node.js agent release notes

Handle TeamServer 4xx error codes according to spec. (NODE-3638)

Protect should use async-hook-domain exclusively. (NODE-3674)

Research deadzoning mssql query serialization (NODE-3579)

Fix release-operator integration. (NODE-3681)

ADR Licensing - Reporting. (NODE-3605)

Implement remaining architecture components for FlowMap. (NODE-2793)

Publish hostname and container detection - server inventory. (NODE-3639)

Patching: audit package version ranges to not break on new versions. (NODE-3642)

Update Protect sources to instrument router. (NODE-3648)

Update Protect error handler to instrument router. (NODE-3649)

Remove argument from protect.getSourceContext() calls. (NODE-3660)

Raise the log level to WARN for API tokens overridden by legacy keys. (NODE-3661)

Fix the log-file overwriting problem. (NODE-3667)

Report headers for Protect events as object not array. (NODE-3662)

Syslog metadata string is malformed. (NODE-3668)

Preview functionality for Express 5 for Assess mode. (NODE-3644,NODE-3645,NODE-3646)

Do not report unsampled requests as missing source context for Assess in production. (NODE-3659)

Research Assess sampling as function of routes observed. (NODE-3597)

Improved support for mongodb 6 driver aggregate functions. (NODE-3614)

Programmatic deadzones for the bunyan logging module. (NODE-3427)

Research/Implement - Replace use of npm ls in library reporting. (NODE-3599)

Replace npm for library reporting - Distroless support. (NODE-3619)

Programmatic deadzones for log4js logging module. (NODE-3636)

Add max version for Express instrumentation. (NODE-3641)

Add perf to all entrypoints. (NODE-3602)

The agent now uses the new v1.0 Agent Startup endpoint. (NODE-3390)

Added trace-level logging to route coverage. (NODE-3566)

Updated safe hash libraries to include cookie-signature. (NODE-3558)

Fixed an issue where the rewriter throws an error when a .swcrc file specifies jsc.target. (NODE-3640)

Added support for Node.js LTS 22.

Added Mongoose query parameter sanitization and validation. (NODE-3565)

Increased event count on core.messages. (NODE-3627)

Updated the Audit agent readme file on npm to make sure it's accurate. (NODE-3548)

Fixed audit and extraneous dependencies. (NODE-3601)

The Node.js agent now supports the use of CONTRAST__API__TOKEN instead of  CONTRAST__API__URL,  CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (NODE-3522)

Added a new Assess stacktraces configuration option for SINK. (NODE-3591)

This release includes a preview of Node 22 LTS support.

This feature is not yet officially supported

Added support for crypto.createCipher. (NODE-3533)

Added fs.glob and fs.globSync to FS_METHODS. (NODE-3541)

Refactored Fastify route coverage to avoid dep-hooks ESM bug. (NODE-3563)

Fixed rewrite-is-deadzoned.js. (NODE-3572)

Updated the CSP rule. (NODE-3582)

Fixed an issue with semver v7.6 that broke range deadzoning. (NODE-3585)

Remediated CVE-2024-39338 by bumping the Axios package.

Fixed a path-traversal false positive that @fastify/static@7 reported. (NODE-3549)

Remediated CVE-2024-39338 by bumping the Axios package. (NODE-3567)

Implemented Phase 1 of support for Node.js v5 deadzones. (NODE-3360)

A deadzone is a mechanism that lets the agent skip instrumentation of a specific mode module or function.

Added logging for the inappropriate use of the node -r preload flag. (NODE-3481)

Fixed a duplication issue in preflight messages. (NODE-3476)

Fixed an issue where the agent did not report routes that were not exercised. (NODE-3548)

Fixed an issue with telemetry reporting. (NODE-3554)

Updated the agent to use programmatic deadzones for bcrypt modules. (NODE-3424)

This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next

Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest> . This new process lets you preview and test new features as well let you review the release notes for what will soon be tagged as <latest>.

The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).

This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.

Fixed an Express.response.push error shown in the log. (NODE-3532)

Improved the npm README documentation for @contrast/distringuish. (NODE-3517)

The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)

Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)

Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)

Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.

Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.

Fixed node-require-hook on Windows.

HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)

Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)

MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)

Reduced event listeners from pg arch-component instrumentation. (NODE-3489)

crypto-analysis did not ignore case when checking algorithms. (NODE-3495)

npm detection fails with a space in path. (NODE-3497)

npm detection fails with a space in path (NODE-3497)

Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)

Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.

Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).

Installed modules should throw errors when needed and not accumulate in _errors[].

Implemented validation logic in the module where the validation is required to correctly function.

Updated security logger escaping to match updated CEF guide specification.

Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).

Fixed URLSearchParams.toString(). (NODE-3332)

Added source map chaining. (NODE-3442)

Deprecated Node 14 for v5.

The existing @contrast/common functions have been replaced with more performant and self-documenting functions.

Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)

API keys are not redacted when the reporter throws an error. (NODE-3458)

The use of inspect during event creation was causing problems. (NODE-3451)

Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)

Fixed express route observation bug. (NODE-3453)

Express route coverage will handle middleware defined in an array.

Removed effective configuration enable flag so that agent always reports it to Teamserver.

Added warning when the agent detects users attempting to set config file location with  -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.

Implemented Restify route discovery and observation.

Adding initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.

Incoming message header handling is not correct. (NODE-3396)

Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)

TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)

Add timer.unref() to code-events setCodeEventListener() for v4.

Support for Input and URL exclusions when running version 5.x agent.

Provided Protect specific CLI Rewriter option.

Route coverage error when express route registered with array of paths. (NODE-3380)

v5 agent does not properly handle archived apps. (NODE-3384)

Fix Fastify route coverage prefix bug. (NODE-3403)

Unwriting anonymous classes fails. (NODE-3406)

The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Implement rewriter cache for ESM loader hooks.

Add additional rewrite-deadzones.

Updated v4 and v5 pipelines for K8s agent-operator.

Deprecated @contrast/protect-agent.

Added v4 section to README.

UI reporter v1 routes do not respect proxy configuration. (NODE-3338)

Update test bench Dockerfiles. (NODE-3350)

Implemented improvements to string.prototype.split() tracking.

Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Initial support for application code rewrites caching for version 5.x agent.

Added hapi 21 framework support for Assess and Protect.

Stopped reporting of the library manifest on application updates.

Componentized ESM hooks and have them follow normal compose/install patterns.

Updated agent README for modern Node versions.

Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

string.replace not handling some special character replacements properly. (NODE-3341)

Dot entrypoint syntax no longer works. (NODE-3343)

Replaced parent-package-json in deps.

Some configuration fields not redacted in configuration logging. (NODE-3339)

Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Reflected-XSS not reporting when res.send is called. (NODE-3334)

Added runner-tap usability fixes.

Setting the server or application name in a non-English language causes errors. (NODE-3333)

Minimized new agent's ESM dual initialization costs.

Updated Axios client.

Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Removal of the Contrast Service (SpeedRacer).

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Support for running Assess and Protect concurrently.

Ability to toggle the mode of Protect rules without a restart.

Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

Library reporting with ECU/ELU when running Protect (library reporting in production).

Effective configuration reporting to ContrastUI.

devDependencies not published to npm - reduced FP CVE findings.

Structured logging using pino.

Ability to change the agent logging level from the ContrastUI without an application restart.

Log request latency (ns) at DEBUG level for every request.

Route observability/coverage with normalized URI for deduplication.

Faster rewrite at startup using SWC.

Supports SuperTest API Testing framework npm: supertest.

Supports Frisby API testing framework npm: frisby.

Support for String.prototype.matchAll() propagation.

Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

ESM applications supported.  Support for loading/running the agent using:

The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

See npm for more.

Updated Axios.

Tweaks for the build.

Improved logging when there are npm failures.

Updated copywrite text in files to reflect the new year.

Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)

Fix TS reporting of xss-protection-header-disabled rule in v4. (NODE-3174)

TypeError: Cannot read property length of undefined in String.prototype.split. (NODE-3272)

All fs methods used by i18n have updated stackTrustedLibs policy.

The i18n library should not report path-traversal Assess vulnerabilities.

The i18n library does not report path-traversal when openSync gets called.

QueryBuilder subclasses have relevant methods patched as sql-encoded propagators.

The i18n library does not report path-traversal Assess vulnerabilities.

CVE-2023-45857 Axios XSRF-TOKEN value is disclosed to an unauthorised actor Upgrade to ~> 1.6.0.

Bump Speedracer to 2.28.33.

CVE-2023-45133 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code.

Added support for Node.js 20.5.0 and later.

Fixed issue when running Swagger with Fastify by providing code hardening. (NODE-3156)

Fixed TypeError ERR_INVALID_URL that was causing requests to fail. (NODE-3131)

Fixed RedisClient methods in order to preserve async context. (NODE-3106)

This release bundles a new Contrast Service artifact v2.28.32 which was compiled with the latest Go StdLib

Bump Speedracer to 2.28.29 and released new v4 agent

CVE-2022-25883 Replace find-cache-dir library in @contrast/agent v4 (NODE-3078)

CVE-2022-25883 - semver from cls-hooked dependency

cls-hooked dependency does not get reported by npm audit for a vulnerable version of semver

CVE-2022-25883 Bump semver from 7.3.8 to 7.5.3 (require-hook)

V4 Node agent should read YAML from /etc/contrast/node/ directory (NODE-3058)

CVE-2022-25883 Bump semver from 7.3.4 to 7.5.2

Updated the Contrast Service bundled with the agent to use the latest Go Std library v 1.20.5.

Tweaked some mock dependencies so they would not be flagged by npm audit.

Updated CEF logger to use levels defined in common config spec (v4) (NODE-2972)

Fixed issue with the agent not recognizing the CONTRAST_CONFIG_PATH environment variable.

Fixed issue with Node.js Assess TypeError: result.startsWith is not a function in Windows. (SUP-4799)

Bundled the latest SpeedRacer 2.28.27 with the v4 agent.

CVE-2023-2251 node-agent: Bump YAML.

CVE-2023-24538 Bump SpeedRacer to v 2.28.26 for v4.

Fixed the RegExp for detecting XXE vulnerabilities in Protect mode. (NODE-2887)

CVE-2023-0842 (DevDependency) - xml2js is vulnerable to prototype pollution.

CVE-2019-10790 (DevDependency) - TaffyDB in jsdoc.

Fix bugs in csp-header-insecure rule for both v4 and v5. (NODE-2971)

Fixed issue with Fastify XSS payload check. (NODE-2974)

Implemented improved logging. The agent does not rewrite all files at start-up. (NODE-2944)

Bump SpeedRacer to 2.28.25.

New config option for conditional running the agent when called through NODE_OPTIONS.

Bump SpeedRacer for v4

Improved log message for node version compatibility

CVE-2023-22578 (DevDependency) - Sequelize - Default support for “raw attributes” when using parentheses

Enhancements to logging surrounding errors when starting the agent

Fixed Hapi implementation for reflected-xss detection. (NODE-2757)

Fixed Fastify implementation for reflected-xss detection. (NODE-2756)

Added hardening to getAllParents method. (NODE-2931)

Improved support for Experss.static(). (SUP-4451)

Improved support for XXS detection when using the Fastify framework.

Improved logging surrounding errors when starting the agent.

Instrumented the serve-static module to act as a custom sanitizer.

Config-diagnostics fails to create a configuration file if the logger path refers to a file descriptor.

Included the docker container ID in the system-info.json when running system-diagnostics.

CVE-2022-46175 node-agent Prototype Pollution in JSON5 via Parse Method.

Prevent crashing when the req is undefined. (NODE-2867)

Fix issues with system-diagnostics reporting under Windows env. (NODE-2780)

Config utility reads the wrong remote value for syslog settings. (NODE-2781)

CVE-2022-24999 - qs vulnerable to Prototype Pollution.

Added support for the Microsoft SQL Server database.

New Contrast Service version - v2.28.23 is now bundled with the v4 agent.

Defensive code in system diagnostics when finding package.json. (SUP-4357)

Added defensive code around checking the express router handler's length. (SUP-4314)

System info gets output when running config-diagnostics - this was incorrect behavior.

CVE-2022-24999 (devDependency). version 4.x agent

Provide npx command to read system info and output results. (NODE-2629)

Made _contrast_toString a non-enumerable property of Function.prototype to resolve compatibility issues with @sap/cds. (NODE-2752)

Removed Fastify2 from NodeTestBenches.

Fixed contrast-diagnostics script that did not support running when not adjacent to the agent installation location. (NODE-2748)

New troubleshooting functionality to write to a file the effective configuration seen by the agent. (NODE-2632)

Memory-leak surfaced for apps running with the agent for over 12 hours. (NODE-2715)

CVE-2022-3517 upgrade dependencies with minimatch so use v3.0.5 or greater. (NODE-2717)

Memory leak introduced in 4.25.0. (NODE-2698)

"TypeError: undefined is not a function" when spawning a child process with Assess. (NODE-2694)

Memory leak being caused by Assess CallContext stacktraces. (NODE-2681)

npm not found and library not reported when the Node.js runtime is installed in the Program Files directory on Windows OS. (NODE-2691)

NPM commands used in the agent for library reporting/listing will now work on Windows machines. (NODE-2676)

Fixed an issue where the agent was not starting the Contrast Service when running on Windows OS. (NODE-2677)

Updated v4 and v5 agents to be compatible with Node 18.

The originalUrl property is now tagged in Express.

Corrected issue where req.path was not tracked and not considered untrusted data. (NODE-2637)

CVE-no-CVE-ID - Bump moment-timezone from 0.5.34 to 0.5.37.

Node agent only instruments MongoDB API methods that are susceptible to expansion or injections. (NODE-2040)

For agent v16.17 and above, we now explicitly signal a short circuit in our load hook for ESM support (NODE-2620).

Added instrumentation for the DynamoDB.scan() command and the FilterExpression key AWS v2.

Added support for MongoDB NoSQL Injection highlighting in Contrast UI when multiple arguments are present.

Improved express instrumentation by having the body-parser library and all its parsing methods directly patched/instrumented.

Added support for the mongodb v4.x driver for the agent in Protect mode.

The JSON.stringify() propagator handles when the argument (or subset of argument) is a deserialization membrane. (NODE-2598)

Autocomplete missing rule data is serialized properly into protobuf message. (NODE-2589)

CVE-2022-2564 - Bump Mongoose version to 6.4.6.

The JSON.stringify() propagator handles when the argument (or subset of argument) is a deserialization membrane. (NODE-2598)

Aws-sdk version 2 for DynamoDB does not respect abstract attribute types. (NODE-2532)

When processing large strings in docker and using node crypto module to encrypt data, the calls distringuish.getProperties were causing segmentation fault issues. (NODE-2564)

Added support for isEmail and isDate validators in ValidatorJS.

Joi validation not recognized if the schema specified in "options" for a hapi route. (NODE-2544)

Remediated CVE-2022-31129 for inefficient regular expression complexity in moment.

Add hardening to prevent app crash if NPM is not installed.

When a MongoDB update method has multiple attack vectors, the Node.js Agent accurately reports NoSQL Injections that were previously false negatives.

Remediated CVE-2020-7596 by removing the codecov dependency from node-agent (DEV Dependency).

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

Decrease highlighting to just tainted string when reported sink argument is a query object. (SUP-3889)

Added improved logging when an unsupported version of npm is installed in the app being instrumented.

When Protect mode is enabled, multipart/form-data throws exception when headers are removed. (SUP-3817)

Remediated CVE-2021-43138 by updating ejs to a safe version in node-agent, this was a DEV Dependency and was not a true vulnerability. (NODE - 2352)

Removed winston-syslog from the agent's bundled dependencies, this was being flagged as having a CVE.

Fixed false-negative of Server-Side Request Forgery (SSRF) for request npm package. (SUP-3829)

Incorrect highlighting displayed for Node.js vulnerabilities under Overview in the Contrast web interface. (SUP-3717, 2927)

When running an application with pm2 on cluster mode and the CONTRAST_CONFIG_PATH provided as an environment variable, the agent reads the CONTRAST_CONFIG_PATH value from contrast_security.yaml instead of the environment variable.

Implemented support for the ref() function when Joi validation is unknown because of untracked target

The hooks for mongodb-core are “replicated” to hook mongodb from version 3.3.0 and later

Added support for PM2 running in both fork and cluster modes.

New config option assess.enable_lazy_tracking for Contrast Node.js 4.X. The default is true and must be set to false to use Fastify http/2.

Rewriter not wrapping file contents in "module wrap" IIFE. (SUP-3732)

The lib/util/trace-util getRequest always returns undefined if sampling is disabled. (NODE-2351)

Custom fastify-static allowedPath path-traversal validator.

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

__import methods can cause an error when the imported module is not yet resolved. (NODE-2341)

ESM loader hooks still operate when agent is disabled. (NODE-2340)

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Added support for DyanmoDB PartiQL (Assess only).

Fixed deadlinks in NPM agent readme. (Node-2297)

Contrast Service updated to 2.28.19. This resolves CVE-2021-38561.

Remediated CVE-2021-44906 (for minimalist npm library).

Added support for validator.matches() as a custom validator.

Upgraded to  agent-lib 2.2.4.

Added support for MySQL2 library 2.0.0 and later.

False negative occurs when SQL query template contains untrusted data. (SUP-3568)

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Path traversal false negative. (SUP-3558)

Agent tries to rewrite ESM files twice. (NODE-2217)

Remediated CVE-2022-0536 (follow-redirects to a safe version in node-agent)

Remediated CVE-2022-0686 (url-parse to a safe version in node-agent)

Added warning message to CLI-rewriter logging (or stdout)

Added support for hardcoded-key and hardcoded-password vulnerabilities when using CLI-rewriter feature.

Support for ESM syntax (import statements) for Node.js 14 and 16 LTS

New Protect native input analysis processing with:

Agent is ocassionally throwing error: TypeError: Cannot read property 'getAllParents' of null. (SUP-3611)

Rewrite cache path is built incorrectly when mode isn't explicitly set in config. (NODE-2180)

Proxy authentication information showing in logs. (SPEED-1056)

ReThinkDB results in SQLi false negative due to failed instrumentation during propagation. (NODE-2150)

False negative causing Server Side Request Forgery. (NODE-2130)

When parsing the body on the Sails framework, the agent occasionally hangs indefinitely on post requests. (NODE-2125)

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Added support for custom Assess data validation using Mongoose or Joi.

Added support for MongoDB key object expansion Protect rule.

During CLI transpilation, the Node agent no longer logs data if there is no network connectivity or connection to Contrast. (NODE-2083)

When working with large JSON objects, users experience significant Assess performance regressions introduced in Node.js agent 4.9.1. (NODE-2086)

Contrast Service version 2.28.9 is now bundled with the Node.js agent.

When the local YAML configuration and environment variables are set, the Contrast service does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

When rewrite caching is enabled, the stack trace no longer repeats and writes the correct filename. (NODE-2065)

Contrast Node.js agent version 4.9.0 was non-installable due to a build dependency that requires package-lock.json file. Version 4.9.1 is patched not to require that dependency.

Remediated CVE-2020-7596 by removing codecov dependency from the node-agent (DEV Dependency).

Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).

Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).

Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).

Remediated CVE-2021-44906 (for minimalist npm library).

Contrast Service updated to 2.28.17.

Remediated CVE-2021-44906 (for minimalist npm library).

Upgraded Contrast service 2.28.12 is bundled with this agent version.

Contrast service version 2.28.9 is now packaged with the Node.js agent.

When the local YAML configuration and environment variables are set, the Node.js agent does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)

Contrast service version 2.28.4 packaged with the Node.js agent

Added Joi support for ref() where reference target is an object.

The stacktrace limit default was set to 10 (previously it was set to 25).

Added Joi support for ref() where reference target is an object.

Added support for Dust.js template engine.

Implicit tagging of numeric input causes false negatives. (Node-2005)

Refactored logic around sanitizers that causes wrong tags.

When an application has been rewritten with Babel and the @babel/runtime helpers have been injected, the application fails to start. (Node-1956)

Added AWS-SDK version 3 DynamoDB to the flow map.

Improved tracking of vulnerabilities through path functions.

Bluebird is causing vulnerabilities to be attributed to the incorrect route. (NODE-1892)

Support for Mustache template engine version 4.x. (version 3 and version 4 of agent)

Specify module supported versions explicitly as a WARN in logs.

Fixes to the path.normalize Assess functionality. (NODE-1830)

Node 16 LTS support.

New configuration flag for “turbo” protect performance.

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

"Propagator micro-optimizations" causes performance issue. (NODE-1913)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

XXE Assess causes false negatives with the DVNA application. (NODE-1810)

Significant Assess performance improvements for use cases where there is a large JSON body in the inbound request.

Improved reporting/UX to Contrast where there is a vulnerability identified in large JSON body in the inbound request.

The MongoDB 4.X driver is now supported along with versions 3.5.0 and later.

CVE-2021-3749 - node-agent - bump 'axios' from 0.21.1 to 0.21.2

CVE-2021-37713 bump tar dependency in 'distringuish' repo from 4.4.15 to 4.4.19

CVE-2021-37713 bump tar dependency in 'node-fn-inspect' repo from 4.4.15 to 4.4.19

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

When reporting libraries "_requiredBy" or "dependents" field not populated. (NODE-1718)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

Significant performance refactoring completed for both Protect and Assess functionality.

CLI rewriter for startup performance improvements.

Set Babel as sole rewriter - removed Esprima.

Updating Contrast Service is mandatory.

Added support for agent.logger.backups and agent.logger.roll_size properties.

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE 1643)

Koa: Router.use reported as Router.undefined. (NODE-1628)

Logger not logging all entries to debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)

Tag ranges off when Array.join is called with empty string. (NODE-1673)

Trim prerelease from reported agent version. (NODE-1693)

Resolved CVEs against these dev dependencies: CVE-2021-3765, CVE-2021-3807.

Bluebird causes vulnerabilities to be attributed to the incorrect route. (Node-1892)

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

Agent maintenance version 3.x does not ship with prebuilt dependencies for Node 10. (NODE-1905)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

When reporting libraries, "_requiredBy" or "dependents" fields not populated. (NODE-1718)

Resolves a breaking change regression and reenables the agent to run on Node.js 10 LTS, even though that Node.js LTS version has reached its end-of-life (EOL). (NODE-1748)

The agent can successfully instrument any application using Bluebird. (NODE-1742)

Resolved an issue where the agent was not correctly tracking data through several Sequelize functions. (NODE-1746)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)

Addressed bug that prevented logging some entries into debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Router.use reported as Router.undefined in Koa. (NODE-1628)

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

Logger methods called before initialization. (NODE-1625)

Mongodb collection methods not triggering post hooks. (NODE-1603)

When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

AsyncStorage loses context in mysql query operations. (SUP-2861)

Fixed an issue where the customer app crashes but does not throw an exception to the Docker container and write to stdout/stderr. (NODE-1511)

When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

AsyncStorage loses context in mysql query operations. (SUP-2861)

To resolve a ReDoS CVE (CVE-2021-23362) we need to update the hosted-git-info library included as a dependency.

Runtime performance improvements by improving JSON stringify tracking capabilities.

Added support for the Joi validator library, version 17+.

Runtime performance improvement by disabling membrane wrapping for certain functions.

RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)

False positive Hardcoded Key finding reported. (SUP-2636)

If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)

Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.

Improved logging when an incorrect package.json is used.

Prevent a catch when an async storage object can’t be parsed. (SUP-2685)

Fixed how the agent contextualizes async data when koa-bodyparser is used (SUP-2627)

Fixed cases where Express vulnerabilities aren’t reported to the UI correctly (SUP-2509, SUP-1558)

When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)

Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).

Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).

When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)

Kraken 2.3.0 is now supported.

Loading the agent with an ESM loader produces an error. (SUP-2504)

DynamoDB hook for flowmap crashes up without 'endpoint' in config (SUP-2475)

Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)

Juice-Shop does not run when Assess in enabled on Windows. (SUP-2521, NODE-1317)

DynamoDB hook for flowmap crashes agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)

Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)

Loopback 4 is now supported.

Fastify 3 is now supported.

False negative path traversal finding in Express. (SUP-2412)

Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)

Highlighted text in the UI is off by one character. (SUP-2384)

The application may throw an error if the cache-controls header is an array. (SUP-2416)

Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)

Certain types of XML uploads result in an XXE false negative. (SUP-2287)

Input exclusions for Assess are supported. You can exclude findings based on input type or name.

Optimized performance when sourcemaps is enabled.

Flowmaps now have better accuracy in reporting architectural components.

Node.js 14 is now supported.

Improved accuracy of line number reporting for vulnerabilities with source mapping.

Agent fails to instrument in Node 14 running on Windows. (SUP-2230)

Added support for sequelize sql-string format methods.

Found false negative with Node.js loopback in Protect mode. (SUP-2009)

Need to add support for fs.createWriteStream as a Protect sink. (SUP-2013)