Node.js agent release notes

Release date: December 12, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • Handle TeamServer 4xx error codes according to spec. (NODE-3638)

  • Protect should use async-hook-domain exclusively. (NODE-3674)

  • Research deadzoning mssql query serialization (NODE-3579)

Bug fixes:

  • Fix release-operator integration. (NODE-3681)

Release date: November 22, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • ADR Licensing - Reporting. (NODE-3605)

  • Implement remaining architecture components for FlowMap. (NODE-2793)

  • Publish hostname and container detection - server inventory. (NODE-3639)

  • Patching: audit package version ranges to not break on new versions. (NODE-3642)

  • Update Protect sources to instrument router. (NODE-3648)

  • Update Protect error handler to instrument router. (NODE-3649)

  • Remove argument from protect.getSourceContext() calls. (NODE-3660)

  • Raise the log level to WARN for API tokens overridden by legacy keys. (NODE-3661)

  • Fix the log-file overwriting problem. (NODE-3667)

Bug fixes:

  • Report headers for Protect events as object not array. (NODE-3662)

  • Syslog metadata string is malformed. (NODE-3668)

Release date: November 6, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • Preview functionality for Express 5 for Assess mode. (NODE-3644, NODE-3645, NODE-3646)

Bug fixes:

  • Do not report unsampled requests as missing source context for Assess in production. (NODE-3659)

Release date: October 30, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • Research Assess sampling as function of routes observed. (NODE-3597)

  • Improved support for mongodb 6 driver aggregate functions. (NODE-3614)

Release date: October 22, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • Programmatic deadzones for the bunyan logging module. (NODE-3427)

  • Research/Implement - Replace use of npm ls in library reporting. (NODE-3599)

  • Replace npm for library reporting - Distroless support. (NODE-3619)

  • Programmatic deadzones for log4js logging module. (NODE-3636)

  • Add max version for Express instrumentation. (NODE-3641)

Release date: October 17, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

Note

Node.js 5.18.0 is deprecated. Node.js 5.18.1 contains all the features released in Node.js 5.18.0.

New and improved:

  • Add perf to all entrypoints. (NODE-3602)

Release date: October 16, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

Note

Node.js 5.18.0 is deprecated. Node.js 5.18.1 contains all the features released in Node.js 5.18.0.

New and improved:

  • The agent now uses the new v1.0 Agent Startup endpoint. (NODE-3390)

  • Added trace-level logging to route coverage. (NODE-3566)

  • Updated safe hash libraries to include cookie-signature. (NODE-3558)

Bug fixes:

  • Fixed an issue where the rewriter throws an error when a .swcrc file specifies jsc.target. (NODE-3640)

Release date: September 27, 2024

Language versions currently supported: 16, 18, 20, and 22 LTS

New and improved:

  • Added support for Node.js LTS 22.

  • Added Mongoose query parameter sanitization and validation. (NODE-3565)

  • Increased event count on core.messages. (NODE-3627)

Release date: September 26, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Updated the Audit agent readme file on npm to make sure it's accurate. (NODE-3548)

Bug fixes:

  • Fixed audit and extraneous dependencies. (NODE-3601)

Release date: September 16, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • The Node.js agent now supports the use of CONTRAST__API__TOKEN instead of CONTRAST__API__URL, CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (NODE-3522)

    Note

    Contrast TeamServer is not yet adding the token to the downloadable agent configuration file.

  • Added a new Assess stacktraces configuration option for SINK. (NODE-3591)

Release date: August 27, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • This release includes a preview of Node 22 LTS support.

    This feature is not yet officially supported.

  • Added support for crypto.createCipher. (NODE-3533)

  • Added fs.glob and fs.globSync to FS_METHODS. (NODE-3541)

Bug fixes:

  • Refactored Fastify route coverage to avoid dep-hooks ESM bug. (NODE-3563)

  • Fixed rewrite-is-deadzoned.js. (NODE-3572)

  • Updated the CSP rule. (NODE-3582)

  • Fixed an issue with semver v7.6 that broke range deadzoning. (NODE-3585)

Release date: August 15, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed a path-traversal false positive that @fastify/static@7 reported. (NODE-3549)

  • Remediated CVE-2024-39338 by bumping the Axios package. (NODE-3567)

Release date: August 1, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implemented Phase 1 of support for Node.js v5 deadzones. (NODE-3360)

    A deadzone is a mechanism that lets the agent skip instrumentation of a specific mode module or function.

  • Added logging for the inappropriate use of the node -r preload flag. (NODE-3481)

Bug fixes:

  • Fixed a duplication issue in preflight messages. (NODE-3476)

  • Fixed an issue where the agent did not report routes that were not exercised. (NODE-3548)

  • Fixed an issue with telemetry reporting. (NODE-3554)

Release date: July 30, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Updated the agent to use programmatic deadzones for bcrypt modules. (NODE-3424)

Release date: July 18, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next

    Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest>. This new process lets you preview and test new features as well as review the release notes for what will soon be tagged as <latest>.

    • Improved the release process to push the agent with the <next> tag to npm (NODE-3507)

  • The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).

    This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.

    • The agent now sends cloud resource identifiers to Contrast. (NODE-3493)

    • The agent now retrieves GCP resource identifiers. (NODE-3503)

Bug fixes:

  • Fixed an Express.response.push error shown in the log. (NODE-3532)

Release date: July 15, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Improved the npm README documentation for @contrast/distringuish. (NODE-3517)

  • The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

    This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

    • Refactored route coverage for Fastify. (NODE-3483)

    • Added route coverage support for Koa nested routers. (NODE-3484)

    • Refactored route coverage integration tests. (NODE-3443)

    • Audited and refactored route signatures. (NODE-3444)

  • When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

    • The agent now retrieves the AWS Resource Identifier when you configure it to do so. (NODE-3491, NODE-3492)

    • Added the X-Contrast-Reporting-Instance to Contrast communication. (NODE-3502)

    • Added a feature flag to disable resource identification. (NODE-3513)

    • The agent now auto-detects the cloud provider for resource identifier detection. (NODE-3518)

Bug fixes:

  • Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)

Release date: July 8, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)

Release date: June 27, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)

Release date: June 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Important

This release now provides official support for HTTP/2.

New and improved:

  • Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.

  • Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.

  • Fixed node-require-hook on Windows.

Bug fixes:

  • HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)

  • Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)

  • MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)

  • Reduced event listeners from pg arch-component instrumentation. (NODE-3489)

  • crypto-analysis did not ignore case when checking algorithms. (NODE-3495)

  • npm detection fails with a space in path. (NODE-3497)

Release date: August 20, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

Bug fixes:

  • Remediated CVE-2024-39338 by bumping the Axios package.

Release date: June 21, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

Bug fixes:

  • npm detection fails with a space in path (NODE-3497)

Release date: June 17, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

Bug fixes:

  • Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)

Release date: June 12, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.

  • Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).

  • Installed modules should throw errors when needed and not accumulate in _errors[].

  • Implemented validation logic in the module where the validation is required to correctly function.

  • Updated security logger escaping to match updated CEF guide specification.

  • Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).

Bug fixes:

  • Fixed URLSearchParams.toString(). (NODE-3332)

  • Added source map chaining. (NODE-3442)

Release date: May 31, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Deprecated Node 14 for v5.

  • The existing @contrast/common functions have been replaced with more performant and self-documenting functions.

Release date: May 22, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)

Release date: May 22, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • API keys are not redacted when the reporter throws an error. (NODE-3458)

Release date: May 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • The use of inspect during event creation was causing problems. (NODE-3451)

  • Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)

Release date: May 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed express route observation bug. (NODE-3453)

Release date: May 20, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Express route coverage will handle middleware defined in an array.

Release date: May 15, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Removed effective configuration enable flag so that agent always reports it to Teamserver.

  • Added a warning when the agent detects users attempting to set the config file location with the -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.

  • Implemented Restify route discovery and observation.

  • Added initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.

Release date: May 7, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Incoming message header handling is not correct. (NODE-3396)

  • Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)

  • TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)

Release date: May 1, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Add timer.unref() to code-events setCodeEventListener() for v4.

Release date: April 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Support for Input and URL exclusions when running version 5.x agent.

  • Provided Protect specific CLI Rewriter option.

Bug fixes:

  • Route coverage error when express route registered with array of paths. (NODE-3380)

  • v5 agent does not properly handle archived apps. (NODE-3384)

  • Fix Fastify route coverage prefix bug. (NODE-3403)

  • Unwriting anonymous classes fails. (NODE-3406)

Release date: April 17, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Release date: April 16, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implement rewriter cache for ESM loader hooks.

  • Add additional rewrite-deadzones.

Release date: March 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implemented improvements to string.prototype.split() tracking.

Release date: March 28, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Release date: March 26, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Release date: March 25, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Initial support for application code rewrites caching for version 5.x agent.

Release date: March 20, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Added hapi 21 framework support for Assess and Protect.

  • Stopped reporting of the library manifest on application updates.

  • Componentized ESM hooks and have them follow normal compose/install patterns.

  • Updated agent README for modern Node versions.

Bug fixes:

  • Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

Release date: March 6, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

Release date: March 5, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

  • string.replace not handling some special character replacements properly. (NODE-3341)

  • Dot entrypoint syntax no longer works. (NODE-3343)

Release date: February 16, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Replaced parent-package-json in deps.

Bug fixes:

  • Some configuration fields not redacted in configuration logging. (NODE-3339)

Release date: February 13, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

Bug fixes:

  • UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Release date: February 8, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Reflected-XSS not reporting when res.send is called. (NODE-3334)

Release date: February 6, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Added runner-tap usability fixes.

Release date: February 2, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Setting the server or application name in a non-English language causes errors. (NODE-3333)

Release date: February 2, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Minimized new agent's ESM dual initialization costs.

  • Updated Axios client.

Bug fixes:

  • Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Release date: January 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Release date: January 23, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Removal of the Contrast Service (SpeedRacer).

  • Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

  • Support for running Assess and Protect concurrently.

  • Ability to toggle the mode of Protect rules without a restart.

  • Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

  • Library reporting with ECU/ELU when running Protect (library reporting in production).

  • Effective configuration reporting to ContrastUI.

  • devDependencies not published to npm - reduced FP CVE findings.

  • Structured logging using pino.

  • Ability to change the agent logging level from the ContrastUI without an application restart.

  • Log request latency (ns) at DEBUG level for every request.

  • Route observability/coverage with normalized URI for deduplication.

  • Faster rewrite at startup using SWC.

  • Supports SuperTest API Testing framework npm: supertest.

  • Supports Frisby API testing framework npm: frisby.

  • Support for String.prototype.matchAll() propagation.

  • Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

  • ESM applications supported. Support for loading/running the agent using:

    • node --loader @contrast/agent app.mjs for Node.js 16LTS

    • node --import @contrast/agent app.mjs for Node.js 18.9.0, 20.9.0 and later (LTS)

    • node --require @contrast/agent app.js for all versions not using ESM

  • The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

    • node --import @contrast/agent app.js

  • See npm for more.

Release date: January 30, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Updated Axios.

  • Tweaks for the build.

Release date: January 5, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Improved logging when there are npm failures.

  • Updated copyright text in files to reflect the new year.

Bug fixes:

  • Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)

 

Release date: April 16, 2024

Language versions currently supported: 14, 16, 18, and 20 LTS

Important

Contrast Protect is deprecated as of release 5.20.6.

New and improved:

  • Updated v4 and v5 pipelines for K8s agent-operator.

  • Deprecated @contrast/protect-agent.

  • Added v4 section to README.

Bug fixes:

  • UI reporter v1 routes do not respect proxy configuration. (NODE-3338)

  • Update test bench Dockerfiles. (NODE-3350)
