Node.js agent release notes
Release date: February 20, 2023
Language versions currently supported: 14, 16, and 18 LTS
Bug fixes:
This release fixed a bug where the agent did not respect the nosql-injection rule settings received from Contrast.
Release date: February 9, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
security_logger now gets the correct default values.
Release date: February 9, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
NoSQL Injection Mongo - added support for the $accumulator operator.
The RegExp now detects a vulnerable string with single and double quotes around the URI of the targeted file.
Bumped agent-lib version in Node agent v5 to v5.3.0.
Release date: January 31, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
NoSQL Injection Mongo - added support for the $function operator.
Migrated shared hooks to the instrumentation layer: http, https, http2, spdy.
Reduced code duplication in existing Protect hooks.
CVE-2022-46175 node-require-hook Prototype Pollution in JSON5 via Parse Method.
Bug fixes:
NODE_OPTIONS environment for the pino worker thread does not get cleared of --require @contrast/... (NODE-2882)
Release date: January 17, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Provided an npx command to run config-diagnostics and output the results.
Bug fixes:
Fixed an issue where @contrast/protect-agent does not install. (NODE-2803)
Release date: January 10, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
CVE-2022-46175 Prototype Pollution in JSON5 via Parse Method.
Internal Protect data structure changes.
Release date: December 8, 2022
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Performance improvement for capturing stack traces. (NODE-2760)
Release date: December 5, 2022
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Contrast Security Node.js Protect-only Agent. See npm: @contrast/protect-agent
Release date: March 16, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
New config option for conditionally running the agent when called through NODE_OPTIONS.
Release date: March 14, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Bump SpeedRacer for v4
Improved log message for node version compatibility
CVE-2023-22578 (DevDependency) - Sequelize - Default support for “raw attributes” when using parentheses
Enhancements to logging surrounding errors when starting the agent
Bug fixes:
Fixed Hapi implementation for reflected-xss detection. (NODE-2757)
Fixed Fastify implementation for reflected-xss detection. (NODE-2756)
Added hardening to the getAllParents method. (NODE-2931)
Release date: February 27, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Improved support for Express.static(). (SUP-4451)
Improved support for XSS detection when using the Fastify framework.
Improved logging surrounding errors when starting the agent.
Release date: January 31, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Instrumented the serve-static module to act as a custom sanitizer.
Release date: January 20, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Config-diagnostics fails to create a configuration file if the logger path refers to a file descriptor.
Release date: January 17, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Included the docker container ID in the system-info.json when running system-diagnostics.
CVE-2022-46175 node-agent Prototype Pollution in JSON5 via Parse Method.
Bug fixes:
Prevent crashing when the req is undefined. (NODE-2867)
Release date: December 21, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fix issues with system-diagnostics reporting under Windows env. (NODE-2780)
Config utility reads the wrong remote value for syslog settings. (NODE-2781)
Release date: December 19, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2022-24999 - qs vulnerable to Prototype Pollution.
Added support for the Microsoft SQL Server database.
Release date: December 9, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
New Contrast Service version - v2.28.23 is now bundled with the v4 agent.
Bug fixes:
Defensive code in system diagnostics when finding package.json. (SUP-4357)
Added defensive code around checking the express router handler's length. (SUP-4314)
System info was output when running config-diagnostics; this was incorrect behavior.
CVE patch:
CVE-2022-24999 (devDependency). version 4.x agent
Release date: December 2, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Provide npx command to read system info and output results. (NODE-2629)
Release date: November 25, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Made _contrast_toString a non-enumerable property of Function.prototype to resolve compatibility issues with @sap/cds. (NODE-2752)
Release date: November 21, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Removed Fastify2 from NodeTestBenches.
Bug fixes:
Fixed contrast-diagnostics script that did not support running when not adjacent to the agent installation location. (NODE-2748)
Release date: November 9, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
New troubleshooting functionality to write to a file the effective configuration seen by the agent. (NODE-2632)
Release date: October 27, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Memory-leak surfaced for apps running with the agent for over 12 hours. (NODE-2715)
CVE remediation:
CVE-2022-3517 - upgrade dependencies that use minimatch so that v3.0.5 or greater is used. (NODE-2717)
Release date: October 19, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Memory leak introduced in 4.25.0. (NODE-2698)
Release date: October 13, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
"TypeError: undefined is not a function" when spawning a child process with Assess. (NODE-2694)
Release date: October 11, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Memory leak being caused by Assess CallContext stacktraces. (NODE-2681)
npm not found and library not reported when the Node.js runtime is installed in the Program Files directory on Windows OS. (NODE-2691)
Release date: October 7, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
NPM commands used in the agent for library reporting/listing will now work on Windows machines. (NODE-2676)
Release date: September 30, 2022
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed an issue where the agent was not starting the Contrast Service when running on Windows OS. (NODE-2677)
Release date: September 27, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Updated v4 and v5 agents to be compatible with Node 18.
The originalUrl property is now tagged in Express.
Bug fixes:
Corrected an issue where req.path was not tracked and not considered untrusted data. (NODE-2637)
Release date: September 7, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
CVE-no-CVE-ID - Bump moment-timezone from 0.5.34 to 0.5.37.
Bug fixes:
Node agent only instruments MongoDB API methods that are susceptible to expansion or injections. (NODE-2040)
Release date: August 31, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fix:
For agent v16.17 and above, we now explicitly signal a short circuit in our load hook for ESM support (NODE-2620).
Release date: August 26, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added instrumentation for the DynamoDB.scan() command and the FilterExpression key (AWS v2).
Added support for MongoDB NoSQL Injection highlighting in the Contrast UI when multiple arguments are present.
Release date: August 17, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Improved express instrumentation by having the body-parser library and all its parsing methods directly patched/instrumented.
Added support for the mongodb v4.x driver for the agent in Protect mode.
Bug fixes:
The JSON.stringify() propagator handles the case where the argument (or a subset of the argument) is a deserialization membrane. (NODE-2598)
Autocomplete missing rule data is serialized properly into the protobuf message. (NODE-2589)
Release date: August 8, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
CVE-2022-2564 - Bump Mongoose version to 6.4.6.
Bug fix:
The JSON.stringify() propagator handles the case where the argument (or a subset of the argument) is a deserialization membrane. (NODE-2598)
Release date: August 1, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fix:
Aws-sdk version 2 for DynamoDB does not respect abstract attribute types. (NODE-2532)
Release date: July 25, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
When processing large strings in Docker and using the Node crypto module to encrypt data, calls to distringuish.getProperties were causing segmentation faults. (NODE-2564)
Release date: July 18, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added support for the isEmail and isDate validators in ValidatorJS.
Bug fixes:
Joi validation not recognized if the schema is specified in "options" for a hapi route. (NODE-2544)
Release date: July 12, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2022-31129 for inefficient regular expression complexity in moment.
Add hardening to prevent app crash if NPM is not installed.
Release date: July 4, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
When a MongoDB update method has multiple attack vectors, the Node.js Agent accurately reports NoSQL Injections that were previously false negatives.
Archive
Release date: June 28, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2020-7596 by removing the codecov dependency from node-agent (DEV dependency).
Release date: June 25, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added improved logging when an unsupported version of npm is installed in the app being instrumented.
Bug fixes:
Decrease highlighting to just tainted string when reported sink argument is a query object. (SUP-3889)
Release date: June 13, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added improved logging when an unsupported version of npm is installed in the app being instrumented.
Bug fixes:
When Protect mode is enabled, multipart/form-data throws exception when headers are removed. (SUP-3817)
Release date: June 3, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2021-43138 by updating ejs to a safe version in node-agent; this was a DEV dependency and was not a true vulnerability. (NODE-2352)
Release date: June 1, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Removed winston-syslog from the agent's bundled dependencies; it was being flagged as having a CVE.
Bug fixes:
Fixed false-negative of Server-Side Request Forgery (SSRF) for request npm package. (SUP-3829)
Release date: May 27, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
Incorrect highlighting displayed for Node.js vulnerabilities under Overview in the Contrast web interface. (SUP-3717, 2927)
Release date: May 19, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
When running an application with pm2 in cluster mode and CONTRAST_CONFIG_PATH is provided as an environment variable, the agent reads the CONTRAST_CONFIG_PATH value from contrast_security.yaml instead of the environment variable.
Release date: May 17, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Implemented support for the ref() function when Joi validation is unknown because of an untracked target.
The hooks for mongodb-core are "replicated" to hook mongodb from version 3.3.0 and later.
Release date: May 12, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added support for PM2 running in both fork and cluster modes.
New config option assess.enable_lazy_tracking for Contrast Node.js 4.X. The default is true and must be set to false to use Fastify http/2.
Release date: April 29, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
Rewriter not wrapping file contents in "module wrap" IIFE. (SUP-3732)
The lib/util/trace-util getRequest always returns undefined if sampling is disabled. (NODE-2351)
Release date: April 21, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Custom fastify-static allowedPath path-traversal validator.
Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).
Bug fixes:
__import methods can cause an error when the imported module is not yet resolved. (NODE-2341)
ESM loader hooks still operate when the agent is disabled. (NODE-2340)
Release date: April 14, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).
Release date: April 11, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).
Release date: April 8, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Added support for DynamoDB PartiQL (Assess only).
Bug fixes:
Fixed dead links in the NPM agent readme. (NODE-2297)
Release date: March 31, 2022
Language versions currently supported: 12, 14 and 16 LTS
Release date: March 29, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Contrast Service updated to 2.28.19. This resolves CVE-2021-38561.
Remediated CVE-2021-44906 (for minimalist npm library).
Added support for validator.matches() as a custom validator.
Upgraded to agent-lib 2.2.4.
Release date: March 23, 2022
Language versions currently supported: 12, 14 and 16 LTS
Important
As part of a recent bug fix a setting name has changed. If you are using agent.trust_custom_validator, please update to assess.trust_custom_validator.
New and improved:
Added support for MySQL2 library 2.0.0 and later.
Bug fixes:
False negative occurs when SQL query template contains untrusted data. (SUP-3568)
Release date: March 29, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022. You can upgrade to the latest version 4.x of the Node.js agent available from npm.
New and improved:
Remediated CVE-2021-44906 (for minimalist npm library).
Release date: March 25, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
New and improved:
Contrast Service updated to 2.28.17.
Remediated CVE-2021-44906 (for minimalist npm library).
Release date: March 17, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
Path traversal false negative. (SUP-3558)
Agent tries to rewrite ESM files twice. (NODE-2217)
Release date: March 14, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Remediated CVE-2022-0536 (follow-redirects to a safe version in node-agent)
Remediated CVE-2022-0686 (url-parse to a safe version in node-agent)
Added warning message to CLI-rewriter logging (or stdout)
Added support for hardcoded-key and hardcoded-password vulnerabilities when using CLI-rewriter feature.
Support for ESM syntax (import statements) for Node.js 14 and 16 LTS
New Protect native input analysis processing with:
YAML:
agent.node.native_input_analysis: true
Environment variable:
CONTRAST__AGENT__NODE__NATIVE_INPUT_ANALYSIS=TRUE
Release date: March 14, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
Agent is occasionally throwing the error TypeError: Cannot read property 'getAllParents' of null. (SUP-3611)
Release date: March 10, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
Rewrite cache path is built incorrectly when mode isn't explicitly set in config. (NODE-2180)
Proxy authentication information showing in logs. (SPEED-1056)
Release date: February 25, 2022
Language versions currently supported: 12, 14 and 16 LTS
Release date: February 22, 2022
Language versions currently supported: 12, 14 and 16 LTS
Release date: February 17, 2022
Language versions currently supported: 12, 14 and 16 LTS
Important
You can no longer download the Node.js agent from Contrast. You should use these instructions to download and install the agent from npm.
Bug fixes:
ReThinkDB results in SQLi false negative due to failed instrumentation during propagation. (NODE-2150)
Release date: February 15, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
False negative causing Server Side Request Forgery. (NODE-2130)
Release date: February 15, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
When parsing the body on the Sails framework, the agent occasionally hangs indefinitely on post requests. (NODE-2125)
Release date: February 7, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Upgraded Contrast service 2.28.12 is bundled with this agent version.
Added support for custom Assess data validation using Mongoose or Joi.
Added support for MongoDB key object expansion Protect rule.
Bug fixes:
During CLI transpilation, the Node agent no longer logs data if there is no network connectivity or connection to Contrast. (NODE-2083)
Release date: February 1, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
When working with large JSON objects, users experience significant Assess performance regressions introduced in Node.js agent 4.9.1. (NODE-2086)
Release date: January 31, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Contrast Service version 2.28.9 is now bundled with the Node.js agent.
Bug fixes:
When the local YAML configuration and environment variables are set, the Contrast service does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)
Release date: January 28, 2022
Language versions currently supported: 12, 14 and 16 LTS
Bug fixes:
When rewrite caching is enabled, the stack trace no longer repeats and writes the correct filename. (NODE-2065)
Release date: January 19, 2022
Language versions currently supported: 12, 14 and 16 LTS
New and improved:
Contrast Node.js agent version 4.9.0 was non-installable due to a build dependency that requires a package-lock.json file. Version 4.9.1 is patched not to require that dependency.
Note
This version has been deprecated, please use 4.9.1 or later.
Release date: January 19, 2022
Language versions currently supported: 12, 14 and 16 LTS
Release date: January 6, 2022
Language versions currently supported: 12, 14 and 16 LTS
Release date: June 28, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
This is the last release of 3.x.x of the Node.js agent - the version 3 branch has reached end-of-life status.
New and improved:
Remediated CVE-2020-7596 by removing codecov dependency from the node-agent (DEV Dependency).
Release date: May 18, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
Release date: April 21, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022. You can upgrade to the latest version 4.x of the Node.js agent available from npm.
New and improved:
Remediated CVE-2021-43138 (Prototype Pollution in async Winston bump).
Release date: April 14, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022. You can upgrade to the latest version 4.x of the Node.js agent available from npm.
New and improved:
Remediated CVE-2021-43138 (update async dev dependency to a safe version in node-agent).
Release date: April 12, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022. You can upgrade to the latest version 4.x of the Node.js agent available from npm.
New and improved:
Remediated CVE-2022-24785 (update moment dependency to a safe version in node-agent, remediating path traversal vulnerability).
Release date: March 29, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022. You can upgrade to the latest version 4.x of the Node.js agent available from npm.
New and improved:
Remediated CVE-2021-44906 (for minimalist npm library).
Release date: March 25, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
New and improved:
Contrast Service updated to 2.28.17.
Remediated CVE-2021-44906 (for minimalist npm library).
Release date: February 25, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
Release date: February 7, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
New and improved:
Upgraded Contrast service 2.28.12 is bundled with this agent version.
Release date: January 31, 2022
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
New and improved:
Contrast service version 2.28.9 is now packaged with the Node.js agent.
Bug fixes:
When the local YAML configuration and environment variables are set, the Node.js agent does not prioritize configuration values as indicated in the order of precedence. (NODE-2084)
Release date: January 19, 2021
Language versions currently supported: 10, 12 and 14 LTS
Important
The Contrast Node.js agent version 3.X will EOL in June 2022.
New and improved:
Contrast service version 2.28.4 packaged with the Node.js agent
Release date: December 23, 2021
Language versions currently supported: 12, 14 and 16 LTS
Release date: December 3, 2021
Language versions currently supported: 12, 14
Important
As of Node 3.11.15, the agent will be bundled with Contrast Service version 2.28.0
New and improved:
Added Joi support for ref() where the reference target is an object.
Release date: December 3, 2021
Language versions currently supported: 12, 14 and 16 LTS
Important
As of Node 4.7.0, the agent will be bundled with Contrast Service version 2.28.0
New and improved:
The stacktrace limit default was set to 10 (previously it was set to 25).
Added Joi support for ref() where the reference target is an object.
Added support for the Dust.js template engine.
Bug fixes:
Implicit tagging of numeric input causes false negatives. (Node-2005)
Refactored logic around sanitizers that causes wrong tags.
Release date: November 18, 2021
Language versions currently supported: 12, 14, 16 LTS
Bug fixes:
When an application has been rewritten with Babel and the @babel/runtime helpers have been injected, the application fails to start. (NODE-1956)
Release date: November 10, 2021
Language versions currently supported: 12, 14, 16 LTS
New and improved:
Added AWS-SDK version 3 DynamoDB to the flow map.
Improved tracking of vulnerabilities through path functions.
Release date: November 2, 2021
Language versions currently supported: 12, 14, 16 LTS
Important
As of Node 4.5.1, the agent will be bundled with Contrast Service version 2.27.3
Bug fixes:
Bluebird is causing vulnerabilities to be attributed to the incorrect route. (NODE-1892)
Release date: October 21, 2021
Language versions currently supported: 12, 14, 16 LTS
New and improved:
Support for Mustache template engine version 4.x. (version 3 and version 4 of agent)
Specify module supported versions explicitly as a WARN in logs.
Bug fixes:
Fixes to the path.normalize Assess functionality. (NODE-1830)
Release date: October 13, 2021
Language versions currently supported: 12, 14, 16 LTS
New and improved:
Node 16 LTS support.
New configuration flag for “turbo” protect performance.
Bug fixes:
When there are NoSQL vulnerabilities on GET requests from two routes, the vulnerability is not reported. (NODE-1900)
"Propagator micro-optimizations" causes a performance issue. (NODE-1913)
Release date: September 29, 2021
Language versions currently supported: 12 and 14 LTS
New and improved:
CVE-2021-3795 - upgrade semver-regex to latest (v3.1.3) in node-require-hook.
CVE-2021-3795 - upgrade semver-regex to latest (v3.1.3) in node-fn-inspect.
CVE-2021-3807 - bump ansi-regex dependency in the node-agent repo (from 2.1.1 to 6.0.1).
CVE-2020-26301 - bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4).
Bug fixes:
XXE Assess causes false negatives with the DVNA application. (NODE-1810)
Release date: September 23, 2021
Language versions currently supported: 12 and 14 LTS
Known issue:
There may be some message loss between the agent and the Contrast service if you are NOT using the optional gRPC protocol. This version will be deprecated once a fix is provided in the 4.2.1 release.
New and improved:
Significant Assess performance improvements for use cases where there is a large JSON body in the inbound request.
Improved reporting/UX to Contrast where there is a vulnerability identified in large JSON body in the inbound request.
The MongoDB 4.X driver is now supported along with versions 3.5.0 and later.
CVE-2021-3749 - node-agent - bump 'axios' from 0.21.1 to 0.21.2
CVE-2021-37713 bump tar dependency in 'distringuish' repo from 4.4.15 to 4.4.19
CVE-2021-37713 bump tar dependency in 'node-fn-inspect' repo from 4.4.15 to 4.4.19
Release date: August 28, 2021
Language versions currently supported: 12 and 14 LTS
Note
As of Node.js 4.1.0, we no longer support Contrast Node.js agent versions 2.X.
New and improved:
CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.
CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.
SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.
CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).
Bug fixes:
Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)
When reporting libraries "_requiredBy" or "dependents" field not populated. (NODE-1718)
Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)
Release date: July 28, 2021
Language versions currently supported: 12 and 14 LTS
Release date: July 8, 2021
Language versions currently supported: 12 and 14 LTS
New and improved:
Significant performance refactoring completed for both Protect and Assess functionality.
CLI rewriter for startup performance improvements.
Set Babel as sole rewriter - removed Esprima.
Updating Contrast Service is mandatory.
Added support for the agent.logger.backups and agent.logger.roll_size properties.
Bug fixes:
Agent unable to detect installed libraries on Windows. (NODE-1622)
Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)
Koa: Router.use reported as Router.undefined. (NODE-1628)
Logger not logging all entries to debug file. (NODE-1654)
HTTP body missing for multipart/form-data POST requests. (NODE-1620)
Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)
Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)
Tag ranges off when Array.join is called with empty string. (NODE-1673)
Trim prerelease from reported agent version. (NODE-1693)
Node.js 3.11.14
Release date: November 18, 2021
Language versions currently supported: 12, 14 LTS
New and improved:
Resolved CVEs against these dev dependencies: CVE-2021-3765, CVE-2021-3807.
Node.js 3.11.13
Release date: November 3, 2021
Language versions currently supported: 12, 14 LTS
Important
As of Node.js 3.11.13, the agent will be bundled with Contrast Service version 2.27.3.
Bug fixes:
Bluebird causes vulnerabilities to be attributed to the incorrect route. (Node-1892)
Release date: October 13, 2021
Language versions currently supported: 12 and 14 LTS
Bug fixes:
When there are NoSQL vulnerabilities on GET requests from two routes, the vulnerability is not reported. (NODE-1900)
Release date: October 7, 2021
Language versions currently supported: 12 and 14 LTS
Bug fixes:
Agent maintenance version 3.x does not ship with prebuilt dependencies for Node 10. (NODE-1905)
Release date: September 29, 2021
Language versions currently supported: 12 and 14 LTS
New and improved:
CVE-2021-3795 - upgrade semver-regex to latest (v3.1.3) in node-require-hook.
CVE-2021-3795 - upgrade semver-regex to latest (v3.1.3) in node-fn-inspect.
CVE-2021-3807 - bump ansi-regex dependency in the node-agent repo (from 2.1.1 to 6.0.1).
CVE-2020-26301 - bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4).
Release date: August 26, 2021
Language versions currently supported: 12 and 14 LTS
New and improved:
CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.
CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.
SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.
CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).
Bug fixes:
Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)
Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)
When reporting libraries, "_requiredBy" or "dependents" fields not populated. (NODE-1718)
Release date: August 13, 2021
Language versions currently supported: 12 and 14 LTS
Bug fixes:
Resolves a breaking change regression and reenables the agent to run on Node.js 10 LTS, even though that Node.js LTS version has reached its end-of-life (EOL). (NODE-1748)
The agent can successfully instrument any application using Bluebird. (NODE-1742)
Resolved an issue where the agent was not correctly tracking data through several Sequelize functions. (NODE-1746)
Release date: July 29, 2021
Language versions currently supported: 12 and 14 LTS
Release date: July 8, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)
Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)
Note
This version has been deprecated, please use 3.11.6 or later.
Release date: July 6, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Addressed bug that prevented logging some entries into debug file. (NODE-1654)
HTTP body missing for multipart/form-data POST requests. (NODE-1620)
Note
This version has been deprecated, please use 3.11.6 or later.
Release date: June 25, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Router.use reported as Router.undefined in Koa. (NODE-1628)
Note
This version has been deprecated, please use 3.11.6 or later.
Release date: June 25, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Agent unable to detect installed libraries on Windows. (NODE-1622)
Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)
Note
This version has been deprecated, please use 3.11.6 or later.
Release date: June 11, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Logger methods called before initialization. (NODE-1625)
Mongodb collection methods not triggering post hooks. (NODE-1603)
Note
This version has been deprecated, please use 3.11.6 or later.
Release date: June 08, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
When a user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)
AsyncStorage loses context in mysql query operations. (SUP-2861)
Fixed an issue where the customer app crashes but does not throw an exception to the Docker container and write to stdout/stderr. (NODE-1511)
Release date: May 21, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
To resolve a ReDoS CVE (CVE-2021-23362), updated the hosted-git-info library included as a dependency.
Release date: May 17, 2021
Language versions currently supported: 10, 12 and 14 LTS
Release date: April 28, 2021
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Runtime performance improvements by improving JSON stringify tracking capabilities.
Added support for the Joi validator library, version 17+.
Release date: April 19, 2021
Language versions currently supported: 10, 12 and 14 LTS
Release date: April 13, 2021
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Runtime performance improvement by disabling membrane wrapping for certain functions.
Release date: April 2, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)
Release date: March 31, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
False positive Hardcoded Key finding reported. (SUP-2636)
If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)
Release date: March 26, 2021
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.
Improved logging when an incorrect package.json is used.
Bug fixes:
Prevent a catch when an async storage object can’t be parsed. (SUP-2685)
Fixed how the agent contextualizes async data when koa-bodyparser is used. (SUP-2627)
Fixed cases where Express vulnerabilities aren’t reported to the UI correctly. (SUP-2509, SUP-1558)
Release date: March 18, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)
Release date: March 15, 2021
Language versions currently supported: 10, 12 and 14 LTS
Release date: March 9, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).
Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).
Release date: March 8, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)
Release date: March 1, 2021
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Kraken 2.3.0 is now supported.
Bug fixes:
Loading the agent with an ESM loader produces an error. (SUP-2504)
DynamoDB hook for flowmap crashes when 'endpoint' is not specified in the config. (SUP-2475)
Release date: February 26, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)
Juice-Shop does not run when Assess is enabled on Windows. (SUP-2521, NODE-1317)
Release date: February 11, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
DynamoDB hook for flowmap crashes agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)
Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)
Release date: January 29, 2021
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Loopback 4 is now supported.
Fastify 3 is now supported.
Bug fixes:
False negative path traversal finding in Express. (SUP-2412)
Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)
Highlighted text in the UI is off by one character. (SUP-2384)
Release date: January 28, 2021
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
The application may throw an error if the cache-controls header is an array. (SUP-2416)
Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)
Release date: December 18, 2020
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Input exclusions for Assess are supported. You can exclude findings based on input type or name.
Optimized performance when sourcemaps is enabled.
Flowmaps now have better accuracy in reporting architectural components.
Release date: December 7, 2020
Language versions currently supported: 10, 12 and 14 LTS
Bug fixes:
Certain types of XML uploads result in an XXE false negative. (SUP-2287)
Release date: November 20, 2020
Language versions currently supported: 10, 12 and 14 LTS
New and improved:
Node.js 14 is now supported.
Improved accuracy of line number reporting for vulnerabilities with source mapping.
Bug fixes:
Agent fails to instrument in Node 14 running on Windows. (SUP-2230)
Release date: October 28, 2020
Language versions currently supported: 10 and 12 LTS
Release date: October 23, 2020
Language versions currently supported: 10 LTS and 12 LTS
New and improved:
Added support for sequelize sql-string format methods.
Bug fixes:
Found false negative with Node.js loopback in Protect mode. (SUP-2009)
Release date: September 25, 2020
Language versions currently supported: 10 LTS and 12 LTS
Bug fixes:
Need to add support for fs.createWriteStream as a Protect sink. (SUP-2013)
Release date: September 18, 2020
Language versions currently supported: 10 LTS and 12 LTS
New and improved:
Restify 8 framework support is now available.
Bug fixes:
An Insecure Encryption Algorithm finding reports an incorrect code location. (SUP-1852)
Fastify framework did not emit all headers in the 'send' event.
Release date: September 10, 2020
Language versions currently supported: 10 LTS and 12 LTS
New and improved:
The 3.X version of the agent sets the default behavior to communicate and report to Contrast using the Contrast service.
The new rewrite_cache property caches the app code rewritten by Contrast on startup and can improve subsequent startup time. This property is disabled by default but can be enabled.
Important notes:
With the 3.X version of the Node.js agent, the Contrast service is enabled by default but can still be disabled. Because of this, you will need to download the new 3.X agent binary through npm (recommended) or through Contrast. Please contact Support if you have any questions about this change.
Bug fixes:
Tracking strings which include the + operator create a performance issue. (SUP-1975)
Language versions currently supported: 10 LTS and 12 LTS
New and improved:
This release sets default behavior of the Node.js agent to communicate and report to Contrast directly, without using the Contrast Service. This undoes a breaking change that was introduced in the 2.x.x branch back in February of 2020.
New performance diagnostic features are now available for Contrast Customer Success to help diagnose performance issues.
Added the capability to track untrusted data through the Node.js url.domainToASCII and url.domainToUnicode functions.
The agent.node.unsafe.deadzones option will now trim whitespace around each option.
Important notes:
This version marks the last new release for the 2.x.x branch. Only patch releases will be provided going forward for the 2.18.x branch.
Customers will be required to upgrade to version 3.x.x (available September 2020) to gain additional capabilities in the Node.js agent. Version 3.0.0 of the Contrast Node.js agent will have potentially impactful changes which should be assessed by each customer for their specific application.
Bug fixes:
The server.path config option is not being passed to Contrast when using the Contrast service for communication. (SUP-1838)
Node agent Lodash dependency updated to 4.17.20 to resolve CVE-2020-8203. (SUP-1883)
Resolve TypeError: replacer.replace is not a function. (SUP-1888)
Language versions currently supported: 10 LTS and 12 LTS
Bug fixes:
Agent breaks expected express-async-errors behavior. (SUP-1801)
Language versions currently supported: 10 LTS and 12 LTS
Language versions currently supported: 10 and 12 LTS
Agent versions released during the past month: 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.17.0
New and improved:
Added multiple architecture changes and fixes that improve Assess performance.
Added support for URL Exclusions when using Assess. In Contrast, you can designate URLs that ignore selected rules or all rules. The agent now respects these settings for Assess rules in the Node.js agent.
Protect rule modes now default to OFF for best backward and forward compatibility.
Improved Fastify support to work better with GraphQL and Apollo Server.
Removed support for Protect Cross-site Request Forgery (CSRF).
Updated the version of Lodash used by the Node.js agent to 4.17.19 in response to a CVE for Lodash 4.17.15.
Important notes:
Version 3.0.0 of the Node.js agent will be released at the end of August and will introduce these changes:
The Node.js agent will be required to run with the Contrast service enabled. Currently the service is shipped with the agent but is optional; this change will enable the service by default.
The service will provide multiple functional and performance benefits to the Node.js agent.
The legacy auto-update policy for the Node.js agent will be deprecated when running with the service enabled.
Note
You will need to upgrade to Version 3.0.0, because the legacy auto-update feature does not upgrade to a major version. You can update your agent to 3.x with npm (recommended), the Contrast API or by using the Contrast web interface. Using npm allows version updates by using the customer’s application’s package.json with semantic versioning.
All new features will only be available for 3.0.0 and higher. Version 2.18.0 will also be released at the end of August and will be the final version that doesn't require the Contrast service. This version will continue to be supported for patch releases.
There are two optional features that may be useful to some customers. Contact your Customer Success Representative if you would like to know more about these:
Re-write caching provides faster subsequent start-up times.
Performance may improve when you skip (or deadzone) certain modules. For example, if you have modules passing large strings that are irrelevant to security, like logging, you can choose not to instrument them.
Bug fixes:
Node.js agent failed to initialize. Missing gRPC framework was resolved.
An exception occurred because of a syntax error for Fastify. This was fixed.
Crash when requiring the aws-s3 module was resolved.
Language versions currently supported: 10 LTS and 12 LTS
Agent versions released during the past month: 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4
New and improved:
Multiple architecture and performance improvements.
New gRPC communication protocol between the agent and the agent service improves performance.
Removed name and value cookie sources for reflected XSS per updated guidance for both Assess and Protect.
Added a sensor for SQLite for Protect.
Added support for Koa version 2.12.
Reflected XSS is now not reported if Content-Type is allowlisted as safe.
Important notes:
A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.
Bug fixes:
Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service.
Implemented fixes to resolve route coverage issues that surface when using GraphQL, Apollo Server, and Fastify.
Resolved a false positive issue when correctly using Sequelize to escape strings.
Resolved exception when fastify.route is called with an uppercase verb.
Resolved an issue that manifested as reporting duplicate routes when using the Express framework.
Language versions currently supported: 10 LTS and 12 LTS
Agent versions released during the past month: 2.15.0
Important notes:
New recommendations for installing and running the Node.js agent have been released.
Bug fixes:
The customer application would fail to start when all Assess rules were disabled. This is fixed now.
The customer application would fail to start because worker threads would hang and generate multiple processes with the same pid. This is fixed now.
The agent would not output the security log to stdout (or stderr). This is fixed now.
Duplicated vulnerabilities were being reported for unique routes. This is fixed so that TeamServer displays distinct findings for each request uri.
An out-of-memory error caused by a regex match resulted in an infinite loop. This has been fixed.
Node.js agent’s migration to npm and incorrectly bundled modules made it seem like the agent was missing two dependencies. This has been resolved.
Language versions currently supported:
Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0
New and improved:
Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent.
NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository
Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.
Important notes:
Running the Node.js agent as a runner will now generate a deprecation message. This is the deprecated syntax:
node-contrast <app-main>
The agent will continue to function when executed as a runner. However, we encourage customers to migrate to the new method of running the Contrast Node.js agent as this is no longer recommended.
Bug fixes:
After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:
cls.run(() => {
        ^
TypeError: Cannot read property 'run' of undefined

OR

/usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
if (ns.active) {
TypeError: Cannot read property 'active' of undefined