Node.js agent release notes

Send up memory_metrics to Contrast in the server_inventory payload. (NODE-3819)

Support all Assess-Prod sampling settings. (NODE-3769)

Investigate updating @swc/core to improved minification options. (NODE-3785)

Collect the maximum memory limit for a Node.js app in a container or virtual server and process. (NODE-3797)

Log the agent reporting instance GUID and AppId GUID on startup at the INFO log level. (NODE-3798)

Deadzone @opentelemetry packages. (NODE-3740)

Revise effective_config output to match new standard and other agents. (NODE-3782)

Update Contrast-UI reporter proxy for better compatibility with firewalls. (NODE-3790)

Security bypass semantic rule is not reporting stacktrace or exploit metadata correctly. (NODE-3771)

Fastify instrumentation errors when using @fastify/websocket. (NODE-3794)

String replace bug with regex and $n special patterns. (NODE-3788)

Support Assess sampling event_detail config option. (NODE-3752)

Update workspaces to use empty immutable objects from @contrast/common. (NODE-3754)

Update rewriter to lessen the size of generated code artifacts. (NODE-3767)

Refactor nested propagators out of url propagatorsBug. (NODE-3770)

Masked attack vectors should be masked in HTTP request details. (NODE-3774)

Assess Fastify preValidation handler does not call done callback if source context missingTask. (NODE-3787)

Added support for the Fastify 5 framework. (NODE-3622)

Refactored string.prototype.replace to lock instrumentation when it calls through to regexp.exec. (NODE-3766)

Assess in production environments now changes the assess.stacktraces configuration to SINK. (NODE-3768)

Implemented the option to instrument all modes for ADR. (NODE-3736)

Completed implementation of HTTP spans. (NODE-3744)

Refactored the String.prototype.split propagator so that it doesn't force propagation in order to calculate tag ranges. (NODE-3749)

Updated agent and agentify to ensure the agent is using Inversion of Control (IoC). (NODE-3757)

The agent now handles undefined args in util.format. (NODE-3759)

Configure agent operator to provide a writable cache directory. (NODE-3728)

Added certificate configuration options. (NODE-3738)

Refactor event factory methods with performance improvements. (NODE-3753)

Fix unnecessary propagation that can occur in String.prototype.concat. (NODE-3746)

Do not check for propagation context in send and fastify-send propagators. (NODE-3747)

Programmatic deadzones for winston logging module. (NODE-3437)

Programmatic deadzones for pino logging module. (NODE-3438)

Make Protect response-blocker a class. (NODE-3604)

Protect path-traversal should not report for static file-serving libs. (NODE-3717)

Remediate perf bug - do not flag GUIDs as suspicious (bumped agent-lib to version 9.1.0). (NODE-3739)

Assess source instrumentation for hapi can break onRequest hooks. (NODE-3745)

Research latency performance issue experienced by a customer, fix or create tickets to fix causes. Our test case improved by 50%. (NODE-3731)

get-source-context not checking the propagation count correctly. (NODE-3734)

Some telemetry still enabled when opted out. (NODE-3732)

New @swc/core check does not properly handle nested dependencies. (NODE-3733)

Check for empty strings when determining configuration defaults. (NODE-3725)

Provide a clear error message when the install environment is different from the execution environment. (NODE-3381)

Allow rewrite hooks when either rewrite.enable or rewrite.cache.enable are true. (NODE-3720)

New agent-lib@9.0.0 fixes a Protect CMD injection false positive. (NODE-3721)

Instrument graphql-http as a source. (NODE-3394)

GraphQL Detailed Route Reporting and Coverage. (NODE-3409)

Update licenses to 2025. (NODE-3714)

CLI rewriter should skip rewrite-deadzoned package files. (NODE-3434)

Improve logging to stderr when installation fails with TS error. (NODE-3677)

Augment Perf feature to watch event processing. (NODE-3684)

dep-hooks return value not used when target lib is imported. (NODE-3561)

Clear traces endpoint's hashSet periodically so vulns can properly update last seen. (NODE-3709)

NEW: Build ID / Artifact Hash generation and reporting to Contrast. (NODE-3314)

NEW: Support for Express 5 Framework has been added. (NODE-3623)

NEW: Preview Release of the Contrast Node agent's GraphQL support.

Investigate automating and reporting sessions and build ID generation. (NODE-3315)

Research and implement the new node --run command incompatible with cmd_ignore_list. (NODE-3540)

Refactor route coverage to support Express 5. (NODE-3650)

Add remainder of architecture component integration tests. (NODE-3666)

Instrument GraphQL for route coverage. (NODE-3671)

Replace pino transport with multi-stream. (NODE-3678)

Fixed memory issue in reporter. (NODE-3705)