Skip to main content

Node.js agent release notes

Release date: July 15, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Improved the npm README documentation for @contrast/distringuish. (NODE-3587)

  • The reported text for routes was changed to be more consistent and idiomatic. Affected frameworks include Koa, Hapi, Fastify and Restify.

    This change may cause orphaned routes that you can delete manually or by using the route expiration feature. If you are using session metadata or session ID, this change has no impact. Customers using the Express framework are not affected by this release.

    • Refactored route coverage for Fastify. (NODE-3483)

    • Added route coverage support for Koa nested routers. (NODE-3484)

    • Refactored route coverage integration tests. (NODE-3443)

    • Audited and refactored route signatures. (NODE - 3444)

  • When an application is running on AWS or Azure Cloud, resource identifiers are now reported to the log.

    • The agent now retrieves the AWS Resource Identifier when you configure it to do so. (NODE-3491, NODE-3492)

    • Added the X-Contrast-Reporting-Instance to Contrast communication. (NODE-3502)

    • Added a feature flag to disable resource identification. (NODE-3513)

    • The agent now auto-detects the cloud provider for resource identifier detection. (NODE-3518)

Bug fixes:

  • Library usage requests sent to Contrast are now batched to reduce HTTP pressure. The default batch size is 100. (NODE-3492)

Release date: July 8, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed an issue where an error was thrown when the import binding name matched the rewrite injection name. (NODE-3486)

Release date: June 27, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)

Release date: June 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Important

This release now provides official support for HTTP/2.

New and improved:

  • Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.

  • Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.

  • Fixed node-require-hook on Windows.

Bug fixes:

  • HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)

  • Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)

  • MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)

  • Reduced event listeners from pg arch-component instrumentation. (NODE-3489)

  • crypto-analysis did not ignore case when checking algorithms. (NODE-3495)

  • npm detection fails with a space in path. (NODE-3497)

Release date: June 21, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

Bug fixes:

  • npm detection fails with a space in path (NODE-3497)

Release date: June 17, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

Bug fixes:

  • Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)

Release date: June 12, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.

  • Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).

  • Installed modules should throw errors when needed and not accumulate in _errors[].

  • Implemented validation logic in the module where the validation is required to correctly function.

  • Updated security logger escaping to match updated CEF guide specification.

  • Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).

Bug fixes:

  • Fixed URLSearchParams.toString(). (NODE-3332)

  • Added source map chaining. (NODE-3442)

Release date: May 31, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Deprecated Node 14 for v5.

  • The existing @contrast/common functions have been replaced with more performant and self-documenting functions.

Release date: May 22, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)

Release date: May 22, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • API keys are not redacted when the reporter throws an error. (NODE-3458)

Release date: May 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • The use of inspect during event creation was causing problems. (NODE-3451)

  • Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)

Release date: May 21, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed express route observation bug. (NODE-3453)

Release date: May 20, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Express route coverage will handle middleware defined in an array.

Release date: May 15, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Removed effective configuration enable flag so that agent always reports it to Teamserver.

  • Added warning when the agent detects users attempting to set config file location with  -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.

  • Implemented Restify route discovery and observation.

  • Adding initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.

Release date: May 7, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Incoming message header handling is not correct. (NODE-3396)

  • Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)

  • TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)

Release date: May 1, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Add timer.unref() to code-events setCodeEventListener() for v4.

Release date: April 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Support for Input and URL exclusions when running version 5.x agent.

  • Provided Protect specific CLI Rewriter option.

Bug fixes:

  • Route coverage error when express route registered with array of paths. (NODE-3380)

  • v5 agent does not properly handle archived apps. (NODE-3384)

  • Fix Fastify route coverage prefix bug. (NODE-3403)

  • Unwriting anonymous classes fails. (NODE-3406)

Release date: April 17, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Release date: April 16, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implement rewriter cache for ESM loader hooks.

  • Add additional rewrite-deadzones.

Release date: March 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Implemented improvements to string.prototype.split() tracking.

Release date: March 28, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Release date: March 26, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Release date: March 25, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Initial support for application code rewrites caching for version 5.x agent.

Release date: March 20, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Added hapi 21 framework support for Assess and Protect.

  • Stopped reporting of the library manifest on application updates.

  • Componentized ESM hooks and have them follow normal compose/install patterns.

  • Updated agent README for modern Node versions.

Bug fixes:

  • Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

Release date: March 6, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

Release date: March 5, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

  • string.replace not handling some special character replacements properly. (NODE-3341)

  • Dot entrypoint syntax no longer works. (NODE-3343)

Release date: February 16, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Replaced parent-package-json in deps.

Bug fixes:

  • Some configuration fields not redacted in configuration logging. (NODE-3339)

Release date: February 13, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

Bug fixes:

  • UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Release date: February 8, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Reflected-XSS not reporting when res.send is called. (NODE-3334)

Release date: February 6, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Added runner-tap usability fixes.

Release date: February 2, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Setting the server or application name in a non-English language causes errors. (NODE-3333)

Release date: February 2, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Minimized new agent's ESM dual initialization costs.

  • Updated Axios client.

Bug fixes:

  • Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Release date: January 29, 2024

Language versions currently supported: 16, 18, and 20 LTS

Bug fixes:

  • Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Release date: January 23, 2024

Language versions currently supported: 16, 18, and 20 LTS

New and improved:

  • Removal of the Contrast Service (SpeedRacer).

  • Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

  • Support for running Assess and Protect concurrently.

  • Ability to toggle the mode of Protect rules without a restart.

  • Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

  • Library reporting with ECU/ELU when running Protect (library reporting in production).

  • Effective configuration reporting to ContrastUI.

  • devDependencies not published to npm - reduced FP CVE findings.

  • Structured logging using pino.

  • Ability to change the agent logging level from the ContrastUI without an application restart.

  • Log request latency (ns) at DEBUG level for every request.

  • Route observability/coverage with normalized URI for deduplication.

  • Faster rewrite at startup using SWC.

  • Supports SuperTest API Testing framework npm: supertest.

  • Supports Frisby API testing framework npm: frisby.

  • Support for String.prototype.matchAll() propagation.

  • Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

  • ESM applications supported.  Support for loading/running the agent using:

    • node --loader @contrast/agent app.mjs for Node.js 16LTS

    • node --import @contrast/agent app.mjs for Node.js 18.9.0, 20.9.0 and later (LTS)

    • node --require @contrast/agent app.js for all versions not using ESM

  • The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

    • node --import @contrast/agent app.js

  • See npm for more.

Release date: January 30, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Updated Axios.

  • Tweaks for the build.

Release date: January 5, 2024

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Improved logging when there are npm failures.

  • Updated copywrite text in files to reflect the new year.

Bug fixes:

  • Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)

 

Release date: April 16, 2024

Language versions currently supported: 14, 16, 18, and 20 LTS

Important

Contrast Protect is deprecated as of release 5.20.6.

New and improved:

  • Updated v4 and v5 pipelines for K8s agent-operator.

  • Deprecated @contrast/protect-agent.

  • Added v4 section to README.

Bug fixes:

  • UI reporter v1 routes do not respect proxy configuration. (NODE-3338)

  • Update test bench Dockerfiles. (NODE-3350)

See also

Node.js agent release note archive