Node.js agent release notes
Release date: April 17, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.
Release date: April 16, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implement rewriter cache for ESM loader hooks.
Add additional rewrite-deadzones.
Release date: March 29, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Implemented improvements to String.prototype.split() tracking.
Release date: March 28, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).
Release date: March 26, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)
Release date: March 25, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Initial support for application code rewrites caching for version 5.x agent.
Release date: March 20, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Added hapi 21 framework support for Assess and Protect.
Stopped reporting of the library manifest on application updates.
Componentized ESM hooks and made them follow normal compose/install patterns.
Updated agent README for modern Node versions.
Bug fixes:
Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)
Release date: March 6, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)
Release date: March 5, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
URL parse propagator doesn't support parseQueryString flag. (NODE-3340)
string.replace not handling some special character replacements properly. (NODE-3341)
Dot entrypoint syntax no longer works. (NODE-3343)
Release date: February 16, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Replaced parent-package-json in deps.
Bug fixes:
Some configuration fields not redacted in configuration logging. (NODE-3339)
Release date: February 13, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.
Bug fixes:
UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)
Release date: February 8, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Reflected-XSS not reporting when res.send is called. (NODE-3334)
Release date: February 6, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Added runner-tap usability fixes.
Release date: February 2, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Setting the server or application name in a non-English language causes errors. (NODE-3333)
Release date: February 2, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Minimized new agent's ESM dual initialization costs.
Updated Axios client.
Bug fixes:
Fix to Juice Shop 16 not working with the new agent. (NODE-3323)
Release date: January 29, 2024
Language versions currently supported: 16, 18, and 20 LTS
Bug fixes:
Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)
Release date: January 23, 2024
Language versions currently supported: 16, 18, and 20 LTS
New and improved:
Removal of the Contrast Service (SpeedRacer).
Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.
Support for running Assess and Protect concurrently.
Ability to toggle the mode of Protect rules without a restart.
Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.
Library reporting with ECU/ELU when running Protect (library reporting in production).
Effective configuration reporting to ContrastUI.
devDependencies not published to npm - reduced FP CVE findings.
Structured logging using pino.
Ability to change the agent logging level from the ContrastUI without an application restart.
Log request latency (ns) at DEBUG level for every request.
Route observability/coverage with normalized URI for deduplication.
Faster rewrite at startup using SWC.
Supports SuperTest API Testing framework npm: supertest.
Supports Frisby API testing framework npm: frisby.
Support for String.prototype.matchAll() propagation.
Observed routes are reported to ContrastUI on application startup without requiring exercising a route.
ESM applications supported. Support for loading/running the agent using:
node --loader @contrast/agent app.mjs for Node.js 16 LTS
node --import @contrast/agent app.mjs for Node.js 18.9.0, 20.9.0 and later (LTS)
node --require @contrast/agent app.js for all versions not using ESM
The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS):
node --import @contrast/agent app.js
See npm for more.
Release date: January 30, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Updated Axios.
Tweaks for the build.
Release date: January 5, 2024
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Improved logging when there are npm failures.
Updated copyright text in files to reflect the new year.
Bug fixes:
Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)
Release date: April 16, 2024
Language versions currently supported: 14, 16, 18, and 20 LTS
Important
Contrast Protect is deprecated as of release 5.20.6.
New and improved:
Updated v4 and v5 pipelines for K8s agent-operator.
Deprecated @contrast/protect-agent.
Added v4 section to README.
Bug fixes:
UI reporter v1 routes do not respect proxy configuration. (NODE-3338)
Update test bench Dockerfiles. (NODE-3350)