Node.js agent release notes

This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next

Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest> . This new process lets you preview and test new features as well let you review the release notes for what will soon be tagged as <latest>.

The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).

This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.

Fixed an Express.response.push error shown in the log. (NODE-3532)

Improved the npm README documentation for @contrast/distringuish. (NODE-3517)

The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)

Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)

Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)

Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.

Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.

Fixed node-require-hook on Windows.

HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)

Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)

MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)

Reduced event listeners from pg arch-component instrumentation. (NODE-3489)

crypto-analysis did not ignore case when checking algorithms. (NODE-3495)

npm detection fails with a space in path. (NODE-3497)

npm detection fails with a space in path (NODE-3497)

Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)

Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.

Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).

Installed modules should throw errors when needed and not accumulate in _errors[].

Implemented validation logic in the module where the validation is required to correctly function.

Updated security logger escaping to match updated CEF guide specification.

Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).

Fixed URLSearchParams.toString(). (NODE-3332)

Added source map chaining. (NODE-3442)

Deprecated Node 14 for v5.

The existing @contrast/common functions have been replaced with more performant and self-documenting functions.

Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)

API keys are not redacted when the reporter throws an error. (NODE-3458)

The use of inspect during event creation was causing problems. (NODE-3451)

Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)

Fixed express route observation bug. (NODE-3453)

Express route coverage will handle middleware defined in an array.

Removed effective configuration enable flag so that agent always reports it to Teamserver.

Added warning when the agent detects users attempting to set config file location with  -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.

Implemented Restify route discovery and observation.

Adding initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.

Incoming message header handling is not correct. (NODE-3396)

Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)

TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)

Add timer.unref() to code-events setCodeEventListener() for v4.

Support for Input and URL exclusions when running version 5.x agent.

Provided Protect specific CLI Rewriter option.

Route coverage error when express route registered with array of paths. (NODE-3380)

v5 agent does not properly handle archived apps. (NODE-3384)

Fix Fastify route coverage prefix bug. (NODE-3403)

Unwriting anonymous classes fails. (NODE-3406)

The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Implement rewriter cache for ESM loader hooks.

Add additional rewrite-deadzones.

Implemented improvements to string.prototype.split() tracking.

Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Initial support for application code rewrites caching for version 5.x agent.

Added hapi 21 framework support for Assess and Protect.

Stopped reporting of the library manifest on application updates.

Componentized ESM hooks and have them follow normal compose/install patterns.

Updated agent README for modern Node versions.

Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

string.replace not handling some special character replacements properly. (NODE-3341)

Dot entrypoint syntax no longer works. (NODE-3343)

Replaced parent-package-json in deps.

Some configuration fields not redacted in configuration logging. (NODE-3339)

Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Reflected-XSS not reporting when res.send is called. (NODE-3334)

Added runner-tap usability fixes.

Setting the server or application name in a non-English language causes errors. (NODE-3333)

Minimized new agent's ESM dual initialization costs.

Updated Axios client.

Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Removal of the Contrast Service (SpeedRacer).

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Support for running Assess and Protect concurrently.

Ability to toggle the mode of Protect rules without a restart.

Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

Library reporting with ECU/ELU when running Protect (library reporting in production).

Effective configuration reporting to ContrastUI.

devDependencies not published to npm - reduced FP CVE findings.

Structured logging using pino.

Ability to change the agent logging level from the ContrastUI without an application restart.

Log request latency (ns) at DEBUG level for every request.

Route observability/coverage with normalized URI for deduplication.

Faster rewrite at startup using SWC.

Supports SuperTest API Testing framework npm: supertest.

Supports Frisby API testing framework npm: frisby.

Support for String.prototype.matchAll() propagation.

Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

ESM applications supported.  Support for loading/running the agent using:

The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

See npm for more.

Updated Axios.

Tweaks for the build.

Improved logging when there are npm failures.

Updated copywrite text in files to reflect the new year.

Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)