Node.js agent release notes

The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Implement rewriter cache for ESM loader hooks.

Add additional rewrite-deadzones.

Implemented improvements to string.prototype.split() tracking.

Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Initial support for application code rewrites caching for version 5.x agent.

Added hapi 21 framework support for Assess and Protect.

Stopped reporting of the library manifest on application updates.

Componentized ESM hooks and have them follow normal compose/install patterns.

Updated agent README for modern Node versions.

Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

string.replace not handling some special character replacements properly. (NODE-3341)

Dot entrypoint syntax no longer works. (NODE-3343)

Replaced parent-package-json in deps.

Some configuration fields not redacted in configuration logging. (NODE-3339)

Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Reflected-XSS not reporting when res.send is called. (NODE-3334)

Added runner-tap usability fixes.

Setting the server or application name in a non-English language causes errors. (NODE-3333)

Minimized new agent's ESM dual initialization costs.

Updated Axios client.

Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Removal of the Contrast Service (SpeedRacer).

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Support for running Assess and Protect concurrently.

Ability to toggle the mode of Protect rules without a restart.

Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

Library reporting with ECU/ELU when running Protect (library reporting in production).

Effective configuration reporting to ContrastUI.

devDependencies not published to npm - reduced FP CVE findings.

Structured logging using pino.

Ability to change the agent logging level from the ContrastUI without an application restart.

Log request latency (ns) at DEBUG level for every request.

Route observability/coverage with normalized URI for deduplication.

Faster rewrite at startup using SWC.

Supports SuperTest API Testing framework npm: supertest.

Supports Frisby API testing framework npm: frisby.

Support for String.prototype.matchAll() propagation.

Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

ESM applications supported.  Support for loading/running the agent using:

The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

See npm for more.

Updated Axios.

Tweaks for the build.

Improved logging when there are npm failures.

Updated copywrite text in files to reflect the new year.

Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)