Node.js agent release notes

CLI rewriter should skip rewrite-deadzoned package files. (NODE-3434)

Improve logging to stderr when installation fails with TS error. (NODE-3677)

Augment Perf feature to watch event processing. (NODE-3684)

dep-hooks return value not used when target lib is imported. (NODE-3561)

Clear traces endpoint's hashSet periodically so vulns can properly update last seen. (NODE-3709)

NEW: Build ID / Artifact Hash generation and reporting to Contrast. (NODE-3314)

NEW: Support for Express 5 Framework has been added. (NODE-3623)

NEW: Preview Release of the Contrast Node agent's GraphQL support.

Investigate automating and reporting sessions and build ID generation. (NODE-3315)

Research and implement the new node --run command incompatible with cmd_ignore_list. (NODE-3540)

Refactor route coverage to support Express 5. (NODE-3650)

Add remainder of architecture component integration tests. (NODE-3666)

Instrument GraphQL for route coverage. (NODE-3671)

Replace pino transport with multi-stream. (NODE-3678)

Fixed memory issue in reporter. (NODE-3705)

Handle TeamServer 4xx error codes according to spec. (NODE-3638)

Protect should use async-hook-domain exclusively. (NODE-3674)

Research deadzoning mssql query serialization (NODE-3579)

Fix release-operator integration. (NODE-3681)

ADR Licensing - Reporting. (NODE-3605)

Implement remaining architecture components for FlowMap. (NODE-2793)

Publish hostname and container detection - server inventory. (NODE-3639)

Patching: audit package version ranges to not break on new versions. (NODE-3642)

Update Protect sources to instrument router. (NODE-3648)

Update Protect error handler to instrument router. (NODE-3649)

Remove argument from protect.getSourceContext() calls. (NODE-3660)

Raise the log level to WARN for API tokens overridden by legacy keys. (NODE-3661)

Fix the log-file overwriting problem. (NODE-3667)

Report headers for Protect events as object not array. (NODE-3662)

Syslog metadata string is malformed. (NODE-3668)

Preview functionality for Express 5 for Assess mode. (NODE-3644,NODE-3645,NODE-3646)

Do not report unsampled requests as missing source context for Assess in production. (NODE-3659)

Research Assess sampling as function of routes observed. (NODE-3597)

Improved support for mongodb 6 driver aggregate functions. (NODE-3614)

Programmatic deadzones for the bunyan logging module. (NODE-3427)

Research/Implement - Replace use of npm ls in library reporting. (NODE-3599)

Replace npm for library reporting - Distroless support. (NODE-3619)

Programmatic deadzones for log4js logging module. (NODE-3636)

Add max version for Express instrumentation. (NODE-3641)

Add perf to all entrypoints. (NODE-3602)

The agent now uses the new v1.0 Agent Startup endpoint. (NODE-3390)

Added trace-level logging to route coverage. (NODE-3566)

Updated safe hash libraries to include cookie-signature. (NODE-3558)

Fixed an issue where the rewriter throws an error when a .swcrc file specifies jsc.target. (NODE-3640)

Added support for Node.js LTS 22.

Added Mongoose query parameter sanitization and validation. (NODE-3565)

Increased event count on core.messages. (NODE-3627)

Updated the Audit agent readme file on npm to make sure it's accurate. (NODE-3548)

Fixed audit and extraneous dependencies. (NODE-3601)

The Node.js agent now supports the use of CONTRAST__API__TOKEN instead of  CONTRAST__API__URL,  CONTRAST__API__API_KEY, CONTRAST__API__SERVICE_KEY, and CONTRAST__API__USER_NAME for communication with Contrast. (NODE-3522)

Added a new Assess stacktraces configuration option for SINK. (NODE-3591)

This release includes a preview of Node 22 LTS support.

This feature is not yet officially supported

Added support for crypto.createCipher. (NODE-3533)

Added fs.glob and fs.globSync to FS_METHODS. (NODE-3541)

Refactored Fastify route coverage to avoid dep-hooks ESM bug. (NODE-3563)

Fixed rewrite-is-deadzoned.js. (NODE-3572)

Updated the CSP rule. (NODE-3582)

Fixed an issue with semver v7.6 that broke range deadzoning. (NODE-3585)

Remediated CVE-2024-39338 by bumping the Axios package.

Fixed a path-traversal false positive that @fastify/static@7 reported. (NODE-3549)

Remediated CVE-2024-39338 by bumping the Axios package. (NODE-3567)

Implemented Phase 1 of support for Node.js v5 deadzones. (NODE-3360)

A deadzone is a mechanism that lets the agent skip instrumentation of a specific mode module or function.

Added logging for the inappropriate use of the node -r preload flag. (NODE-3481)

Fixed a duplication issue in preflight messages. (NODE-3476)

Fixed an issue where the agent did not report routes that were not exercised. (NODE-3548)

Fixed an issue with telemetry reporting. (NODE-3554)

Updated the agent to use programmatic deadzones for bcrypt modules. (NODE-3424)

This release introduces a new process for releasing the Contrast agent to npm. The new process releases the artifact to npm with the <next> tag. Using the <next> tag prevents you from automatically installing the next agent version unless you explicitly use this command: npm install @contrast/agent@next

Shortly after Contrast publishes the agent release notes for the next agent version, the tag for the version changes to <latest> . This new process lets you preview and test new features as well let you review the release notes for what will soon be tagged as <latest>.

The agent now extracts and reports cloud resource identifiers to Contrast for AWS, Azure, and GCP (NODE-2932).

This functionality collects resource identifiers when running on cloud providers and reports the IDs to the log and the Contrast web interface.

Fixed an Express.response.push error shown in the log. (NODE-3532)

Improved the npm README documentation for @contrast/distringuish. (NODE-3517)

The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3509)

Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)