Node.js agent release notes
Important
This option is in beta. Beta status means the option might change or act unexpectedly. By using this option, you agree to the Contrast Beta Terms and Conditions.
Release date: September 15, 2023
Language versions currently supported: Check the features table.
New and improved:
Added support for Node.js 20.5.0 and later.
Implemented session-configuration rules for express-session.
Track keys and parse different object types passed to URLSearchParams.
Improved require-hook logging.
Important
This option is in beta. Beta status means the option might change or act unexpectedly. By using this option, you agree to the Contrast Beta Terms and Conditions.
Release date: September 1, 2023
Language versions and technologies currently supported: Check the features table.
New and improved:
Removal of the Contrast Service (SpeedRacer)
Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.
Running Assess and Protect concurrently is supported.
Library reporting with ECU/ELU when running Protect (library reporting in Production)
Effective configuration reporting to TeamServer
devDependencies not published to npm, reducing false-positive CVE findings.
Structured logging using pino.
Route observability/coverage with normalized URI for deduplication
Faster rewrite at startup using SWC
Supports vulnerability detection when API testing with SuperTest (npm: supertest).
Support for String.prototype.matchAll() propagation (not supported in v4).
Release date: September 15, 2023
Language versions currently supported: 14, 16, 18, and 20 LTS
New and improved:
Audit v5 logging of PII.
Release date: August 25, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Synchronization of Assess and Protect implementations when they differ.
Added HTTP logging to TeamServer communications.
Bug fixes:
Updated the rewriter to inject ContrastMethods.Function and support existing Protect input-tracing patches. (NODE-3100)
Agent v5 issues with the effective-config endpoint. (NODE-3151)
Release date: August 7, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Implemented propagation for JSON.parse.
Implemented Session Configuration rules for Assess.
Added support for the new major version (v1.x.x) of the libxmljs library. The library is instrumented to detect XXE vulnerabilities.
Bug fixes:
Fixed libxmljs, which was not properly instrumented. (NODE-3121)
Release date: August 4, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Fixed rewriter to avoid adding spurious trailing characters.
Improved swc rewriter to be able to rewrite files with shebang comments.
Release date: July 14, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Added support for detecting sleep(x)-type SSJS attacks in a MongoDB context.
Added session_id to the effective configuration options.
Release date: May 2, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Added support for the MS SQL database driver for v5 Protect-only agent.
Release date: April 3, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Added support for detecting nosql-injection attacks for MarsDB in Protect mode.
Release date: February 20, 2023
Language versions currently supported: 14, 16, and 18 LTS
Bug fixes:
This release fixed a bug where the agent did not respect the nosql-injection rule settings received from Contrast.
Release date: February 9, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
security_logger now gets the correct default values.
Release date: February 9, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
NoSQL Injection Mongo: added support for the $accumulator operator.
The RegExp now detects a vulnerable string with single and double quotes around the URI of the targeted file.
Bumped agent-lib version in Node agent v5 to v5.3.0.
Release date: January 31, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
NoSQL Injection Mongo: added support for the $function operator.
Migrated shared hooks to the instrumentation layer: http, https, http2, spdy.
Reduced code duplication in existing Protect hooks.
CVE-2022-46175: node-require-hook, Prototype Pollution in JSON5 via Parse Method.
Bug fixes:
The NODE_OPTIONS environment variable for the pino worker thread did not get cleared of --require @contrast/... (NODE-2882)
Release date: January 17, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Provided npx command to config-diagnostics and output results.
Bug fixes:
Fixed issue where @contrast/protect-agent does not install. (NODE-2803)
Release date: January 10, 2023
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
CVE-2022-46175: Prototype Pollution in JSON5 via Parse Method.
Internal Protect data structure changes.
Release date: December 8, 2022
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Performance improvement for capturing stack traces. (NODE-2760)
Release date: December 5, 2022
Language versions currently supported: 14, 16, and 18 LTS
New and improved:
Contrast Security Node.js Protect-only Agent. See npm: @contrast/protect-agent.
Release date: September 13, 2023
Language versions currently supported: 12, 14, 16, 18, and 20 LTS
New and improved:
Added support for Node.js 20.5.0 and later.
Release date: September 8, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed issue when running Swagger with Fastify by providing code hardening. (NODE-3156)
Release date: August 10, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed TypeError ERR_INVALID_URL that was causing requests to fail. (NODE-3131)
Release date: August 8, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed RedisClient methods in order to preserve async context. (NODE-3106)
Release date: August 7, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
This release bundles a new Contrast Service artifact, v2.28.32, which was compiled with the latest Go standard library.
Release date: July 13, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Bumped SpeedRacer to 2.28.29 and released a new v4 agent.
Release date: July 12, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
CVE remediation:
CVE-2022-25883: Replaced the find-cache-dir library in @contrast/agent v4. (NODE-3078)
Release date: July 11, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2022-25883: semver from the cls-hooked dependency. The cls-hooked dependency does not get reported by npm audit for a vulnerable version of semver.
Release date: July 7, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2022-25883: Bumped semver from 7.3.8 to 7.5.3 (require-hook).
Bug fixes:
The v4 Node agent should read YAML from the /etc/contrast/node/ directory. (NODE-3058)
Release date: June 26, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2022-25883: Bumped semver from 7.3.4 to 7.5.2.
Release date: June 9, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Updated the Contrast Service bundled with the agent to use the latest Go standard library, v1.20.5.
Release date: June 6, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Tweaked some mock dependencies so they would not be flagged by npm audit.
Release date: May 30, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Updated the CEF logger to use the levels defined in the common config spec (v4). (NODE-2972)
Fixed issue with the agent not recognizing the CONTRAST_CONFIG_PATH environment variable.
Release date: May 17, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed issue with Node.js Assess "TypeError: result.startsWith is not a function" on Windows. (SUP-4799)
Release date: May 3, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Bundled the latest SpeedRacer 2.28.27 with the v4 agent.
Release date: April 25, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2023-2251: node-agent, bumped YAML.
Release date: April 19, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2023-24538: Bumped SpeedRacer to v2.28.26 for v4.
Bug fixes:
Fixed the RegExp for detecting XXE vulnerabilities in Protect mode. (NODE-2887)
Release date: April 14, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
CVE-2023-0842 (DevDependency): xml2js is vulnerable to prototype pollution.
CVE-2019-10790 (DevDependency): TaffyDB in jsdoc.
Bug fixes:
Fixed bugs in the csp-header-insecure rule for both v4 and v5. (NODE-2971)
Release date: April 14, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Fixed issue with Fastify XSS payload check. (NODE-2974)
Release date: April 5, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Implemented improved logging. The agent does not rewrite all files at start-up. (NODE-2944)
Release date: April 3, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Bumped SpeedRacer to 2.28.25.
Release date: March 16, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
New config option for conditionally running the agent when called through NODE_OPTIONS.
Release date: March 14, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Bumped SpeedRacer for v4.
Improved log message for Node.js version compatibility.
CVE-2023-22578 (DevDependency): Sequelize, default support for "raw attributes" when using parentheses.
Enhancements to logging surrounding errors when starting the agent.
Bug fixes:
Fixed Hapi implementation for reflected-xss detection. (NODE-2757)
Fixed Fastify implementation for reflected-xss detection. (NODE-2756)
Added hardening to the getAllParents method. (NODE-2931)
Release date: February 27, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Improved support for Express.static(). (SUP-4451)
Improved support for XSS detection when using the Fastify framework.
Improved logging surrounding errors when starting the agent.
Release date: January 31, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Instrumented the serve-static module to act as a custom sanitizer.
Release date: January 20, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
Bug fixes:
Config-diagnostics fails to create a configuration file if the logger path refers to a file descriptor.
Release date: January 17, 2023
Language versions currently supported: 12, 14, 16, and 18 LTS
New and improved:
Included the docker container ID in the system-info.json when running system-diagnostics.
CVE-2022-46175: node-agent, Prototype Pollution in JSON5 via Parse Method.
Bug fixes:
Prevented crashing when req is undefined. (NODE-2867)