Node.js agent release notes

Deadzone @opentelemetry packages. (NODE-3740)

Revise effective_config output to match new standard and other agents. (NODE-3782)

Update Contrast-UI reporter proxy for better compatibility with firewalls. (NODE-3790)

Security bypass semantic rule is not reporting stacktrace or exploit metadata correctly. (NODE-3771)

Fastify instrumentation errors when using @fastify/websocket. (NODE-3794)

String replace bug with regex and $n special patterns. (NODE-3788)

Support Assess sampling event_detail config option. (NODE-3752)

Update workspaces to use empty immutable objects from @contrast/common. (NODE-3754)

Update rewriter to lessen the size of generated code artifacts. (NODE-3767)

Refactor nested propagators out of url propagatorsBug. (NODE-3770)

Masked attack vectors should be masked in HTTP request details. (NODE-3774)

Assess Fastify preValidation handler does not call done callback if source context missingTask. (NODE-3787)

Added support for the Fastify 5 framework. (NODE-3622)

Refactored string.prototype.replace to lock instrumentation when it calls through to regexp.exec. (NODE-3766)

Assess in production environments now changes the assess.stacktraces configuration to SINK. (NODE-3768)

Implemented the option to instrument all modes for ADR. (NODE-3736)

Completed implementation of HTTP spans. (NODE-3744)

Refactored the String.prototype.split propagator so that it doesn't force propagation in order to calculate tag ranges. (NODE-3749)

Updated agent and agentify to ensure the agent is using Inversion of Control (IoC). (NODE-3757)

The agent now handles undefined args in util.format. (NODE-3759)

Configure agent operator to provide a writable cache directory. (NODE-3728)

Added certificate configuration options. (NODE-3738)

Refactor event factory methods with performance improvements. (NODE-3753)

Fix unnecessary propagation that can occur in String.prototype.concat. (NODE-3746)

Do not check for propagation context in send and fastify-send propagators. (NODE-3747)

Programmatic deadzones for winston logging module. (NODE-3437)

Programmatic deadzones for pino logging module. (NODE-3438)

Make Protect response-blocker a class. (NODE-3604)

Protect path-traversal should not report for static file-serving libs. (NODE-3717)

Remediate perf bug - do not flag GUIDs as suspicious (bumped agent-lib to version 9.1.0). (NODE-3739)

Assess source instrumentation for hapi can break onRequest hooks. (NODE-3745)

Research latency performance issue experienced by a customer, fix or create tickets to fix causes. Our test case improved by 50%. (NODE-3731)

get-source-context not checking the propagation count correctly. (NODE-3734)

Some telemetry still enabled when opted out. (NODE-3732)

New @swc/core check does not properly handle nested dependencies. (NODE-3733)

Check for empty strings when determining configuration defaults. (NODE-3725)

Provide a clear error message when the install environment is different from the execution environment. (NODE-3381)

Allow rewrite hooks when either rewrite.enable or rewrite.cache.enable are true. (NODE-3720)

New agent-lib@9.0.0 fixes a Protect CMD injection false positive. (NODE-3721)

Instrument graphql-http as a source. (NODE-3394)

GraphQL Detailed Route Reporting and Coverage. (NODE-3409)

Update licenses to 2025. (NODE-3714)

CLI rewriter should skip rewrite-deadzoned package files. (NODE-3434)

Improve logging to stderr when installation fails with TS error. (NODE-3677)

Augment Perf feature to watch event processing. (NODE-3684)

dep-hooks return value not used when target lib is imported. (NODE-3561)

Clear traces endpoint's hashSet periodically so vulns can properly update last seen. (NODE-3709)

NEW: Build ID / Artifact Hash generation and reporting to Contrast. (NODE-3314)

NEW: Support for Express 5 Framework has been added. (NODE-3623)

NEW: Preview Release of the Contrast Node agent's GraphQL support.

Investigate automating and reporting sessions and build ID generation. (NODE-3315)

Research and implement the new node --run command incompatible with cmd_ignore_list. (NODE-3540)

Refactor route coverage to support Express 5. (NODE-3650)

Add remainder of architecture component integration tests. (NODE-3666)

Instrument GraphQL for route coverage. (NODE-3671)

Replace pino transport with multi-stream. (NODE-3678)

Fixed memory issue in reporter. (NODE-3705)

Handle TeamServer 4xx error codes according to spec. (NODE-3638)

Protect should use async-hook-domain exclusively. (NODE-3674)

Research deadzoning mssql query serialization (NODE-3579)

Fix release-operator integration. (NODE-3681)

ADR Licensing - Reporting. (NODE-3605)

Implement remaining architecture components for FlowMap. (NODE-2793)

Publish hostname and container detection - server inventory. (NODE-3639)

Patching: audit package version ranges to not break on new versions. (NODE-3642)

Update Protect sources to instrument router. (NODE-3648)

Update Protect error handler to instrument router. (NODE-3649)

Remove argument from protect.getSourceContext() calls. (NODE-3660)

Raise the log level to WARN for API tokens overridden by legacy keys. (NODE-3661)

Fix the log-file overwriting problem. (NODE-3667)

Report headers for Protect events as object not array. (NODE-3662)

Syslog metadata string is malformed. (NODE-3668)

Preview functionality for Express 5 for Assess mode. (NODE-3644,NODE-3645,NODE-3646)

Do not report unsampled requests as missing source context for Assess in production. (NODE-3659)

Research Assess sampling as function of routes observed. (NODE-3597)

Improved support for mongodb 6 driver aggregate functions. (NODE-3614)

Programmatic deadzones for the bunyan logging module. (NODE-3427)

Research/Implement - Replace use of npm ls in library reporting. (NODE-3599)

Replace npm for library reporting - Distroless support. (NODE-3619)

Programmatic deadzones for log4js logging module. (NODE-3636)

Add max version for Express instrumentation. (NODE-3641)

Add perf to all entrypoints. (NODE-3602)

The agent now uses the new v1.0 Agent Startup endpoint. (NODE-3390)

Added trace-level logging to route coverage. (NODE-3566)

Updated safe hash libraries to include cookie-signature. (NODE-3558)

Fixed an issue where the rewriter throws an error when a .swcrc file specifies jsc.target. (NODE-3640)

Added support for Node.js LTS 22.

Added Mongoose query parameter sanitization and validation. (NODE-3565)

Increased event count on core.messages. (NODE-3627)

Updated the Audit agent readme file on npm to make sure it's accurate. (NODE-3548)

Fixed audit and extraneous dependencies. (NODE-3601)

The Node.js agent now supports the use of CONTRAST__API__TOKEN instead of  CONTRAST__API__URL,  CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (NODE-3522)

Added a new Assess stacktraces configuration option for SINK. (NODE-3591)

This release includes a preview of Node 22 LTS support.

This feature is not yet officially supported

Added support for crypto.createCipher. (NODE-3533)

Added fs.glob and fs.globSync to FS_METHODS. (NODE-3541)

Refactored Fastify route coverage to avoid dep-hooks ESM bug. (NODE-3563)

Fixed rewrite-is-deadzoned.js. (NODE-3572)

Updated the CSP rule. (NODE-3582)

Fixed an issue with semver v7.6 that broke range deadzoning. (NODE-3585)

Remediated CVE-2024-39338 by bumping the Axios package.

Fixed a path-traversal false positive that @fastify/static@7 reported. (NODE-3549)

Remediated CVE-2024-39338 by bumping the Axios package. (NODE-3567)

Implemented Phase 1 of support for Node.js v5 deadzones. (NODE-3360)

A deadzone is a mechanism that lets the agent skip instrumentation of a specific mode module or function.

Added logging for the inappropriate use of the node -r preload flag. (NODE-3481)

Fixed a duplication issue in preflight messages. (NODE-3476)

Fixed an issue where the agent did not report routes that were not exercised. (NODE-3548)

Fixed an issue with telemetry reporting. (NODE-3554)

Updated the agent to use programmatic deadzones for bcrypt modules. (NODE-3424)

This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next

Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest> . This new process lets you preview and test new features as well let you review the release notes for what will soon be tagged as <latest>.

The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).

This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.

Fixed an Express.response.push error shown in the log. (NODE-3532)

Improved the npm README documentation for @contrast/distringuish. (NODE-3517)

The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)

Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)