Node.js agent release notes

Important

This option is in beta. Beta status means the option might change or act unexpectedly. By using this option, you agree to the Contrast Beta Terms and Conditions.

Release date: September 15, 2023

Language versions currently supported: Check the features table.

New and improved:

  • Added support for Node.js 20.5.0 and later.

  • Implemented session-configuration rules for express-session.

  • Track keys and parse different object types passed to URLSearchParams.

  • Improved require-hook logging.

Important

This option is in beta. Beta status means the option might change or act unexpectedly. By using this option, you agree to the Contrast Beta Terms and Conditions.

Release date: September 1, 2023

Language versions and technologies currently supported: Check the features table.

New and improved:

  • Removal of the Contrast Service (SpeedRacer)

  • Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

  • Running Assess and Protect concurrently is supported

  • Library reporting with ECU/ELU when running Protect (library reporting in Production)

  • Effective configuration reporting to TeamServer

  • devDependencies not published to npm - reduced FP CVE findings

  • Structured logging using pino

  • Route observability/coverage with normalized URI for deduplication

  • Faster rewrite at startup using SWC

  • Supports vulnerability detection during API testing with SuperTest (npm: supertest)

  • Support for String.prototype.matchAll() propagation (not supported in v4)

Release date: September 15, 2023

Language versions currently supported: 14, 16, 18, and 20 LTS

New and improved:

  • Audit v5 logging of PII.

Release date: August 25, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Synchronization of Assess and Protect implementations when they differ.

  • Added HTTP logging to TeamServer communications.

Bug fixes:

  • Updated the rewriter to inject ContrastMethods.Function and support existing Protect input-tracing patches. (NODE-3100)

  • Agent v5 issues with the effective-config end-point. (NODE-3151)

Release date: August 7, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Implemented propagation for JSON.parse

  • Implemented Session Configuration rules for Assess

  • Added support for the new major version (v1.x.x) of the libxmljs library. The library is instrumented to detect XXE vulnerabilities.

Bug fixes:

  • Fixed libxmljs that was not properly instrumented. (NODE-3121)

Release date: August 4, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Fixed rewriter to avoid adding spurious trailing characters

  • Improved swc rewriter to be able to rewrite files with shebang comments

Release date: July 14, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Added support for detecting sleep(x) type of SSJS attacks in MongoDB context

  • Added session_id to the effective configuration options

Release date: May 2, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Added support for the MS SQL database driver for v5 Protect-only agent.

Release date: April 3, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Added support for detecting nosql-injection attacks for MarsDB in Protect mode.

Release date: February 20, 2023

Language versions currently supported: 14, 16, and 18 LTS

Bug fixes:

  • Fixed a bug where the agent did not respect the nosql-injection rule setting received from Contrast.

Release date: February 9, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • security_logger now gets the correct default values.

Release date: February 9, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • NoSQL Injection Mongo - added support for $accumulator operator.

  • The RegExp now detects a vulnerable string with single and double quotes around the URI of the targeted file.

  • Bumped agent-lib version in Node agent v5 to v5.3.0.

Release date: January 31, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • NoSQL Injection Mongo - added support for $function operator.

  • Migrated shared hooks to instrumentation layer: http, https, http2, spdy.

  • Reduced code duplication in existing Protect hooks.

  • CVE-2022-46175 node-require-hook Prototype Pollution in JSON5 via Parse Method.

Bug fixes:

  • NODE_OPTIONS environment for pino worker-thread does not get cleared of --require @contrast/.... (NODE-2882)

Release date: January 17, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Provided npx command to config-diagnostics and output results.

Bug fixes:

  • Fixed issue where @contrast/protect-agent does not install. (NODE-2803)

Release date: January 10, 2023

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • CVE-2022-46175 Prototype Pollution in JSON5 via Parse Method.

  • Internal Protect data structure changes.

Release date: December 8, 2022

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

  • Performance improvement for capturing stack traces. (NODE 2760)

Release date: December 5, 2022

Language versions currently supported: 14, 16, and 18 LTS

New and improved:

Release date: September 13, 2023

Language versions currently supported: 12, 14, 16, 18, and 20 LTS

New and improved:

  • Added support for Node.js 20.5.0 and later.

Release date: September 8, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Fixed issue when running Swagger with Fastify by providing code hardening. (NODE-3156)

Release date: August 10, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Fixed TypeError ERR_INVALID_URL that was causing requests to fail. (NODE-3131)

Release date: August 8, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Fixed RedisClient methods in order to preserve async context. (NODE-3106)

Release date: August 7, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • This release bundles a new Contrast Service artifact v2.28.32 which was compiled with the latest Go StdLib

Release date: July 13, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Bump Speedracer to 2.28.29 and released new v4 agent

Release date: July 12, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

CVE remediation:

  • CVE-2022-25883 Replace find-cache-dir library in @contrast/agent v4 (NODE-3078)

Release date: July 11, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2022-25883 - semver from cls-hooked dependency

  • cls-hooked dependency does not get reported by npm audit for a vulnerable version of semver

Release date: July 7, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2022-25883 Bump semver from 7.3.8 to 7.5.3 (require-hook)

Bug fixes:

  • V4 Node agent should read YAML from /etc/contrast/node/ directory (NODE-3058)

Release date: June 26, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2022-25883 Bump semver from 7.3.4 to 7.5.2

Release date: June 9, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Updated the Contrast Service bundled with the agent to use the latest Go Std library v1.20.5.

Release date: June 6, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Tweaked some mock dependencies so they would not be flagged by npm audit.

Release date: May 30, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Updated CEF logger to use levels defined in common config spec (v4) (NODE-2972)

  • Fixed issue with the agent not recognizing the CONTRAST_CONFIG_PATH environment variable.

Release date: May 17, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Fixed issue with Node.js Assess TypeError: result.startsWith is not a function in Windows. (SUP-4799)

Release date: May 3, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Bundled the latest SpeedRacer 2.28.27 with the v4 agent.

Release date: April 25, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2023-2251 node-agent: Bump YAML.

Release date: April 19, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2023-24538 Bump SpeedRacer to v2.28.26 for v4.

Bug fixes:

  • Fixed the RegExp for detecting XXE vulnerabilities in Protect mode. (NODE-2887)

Release date: April 14, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • CVE-2023-0842 (DevDependency) - xml2js is vulnerable to prototype pollution.

  • CVE-2019-10790 (DevDependency) - TaffyDB in jsdoc.

Bug fixes:

  • Fix bugs in csp-header-insecure rule for both v4 and v5. (NODE-2971)

Release date: April 14, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Fixed issue with Fastify XSS payload check. (NODE-2974)

Release date: April 5, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Implemented improved logging. The agent does not rewrite all files at start-up. (NODE-2944)

Release date: April 3, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Bump SpeedRacer to 2.28.25.

Release date: March 16, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • New config option for conditionally running the agent when called through NODE_OPTIONS.

Release date: March 14, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Bump SpeedRacer for v4

  • Improved log message for node version compatibility

  • CVE-2023-22578 (DevDependency) - Sequelize - Default support for “raw attributes” when using parentheses

  • Enhancements to logging surrounding errors when starting the agent

Bug fixes:

  • Fixed Hapi implementation for reflected-xss detection. (NODE-2757)

  • Fixed Fastify implementation for reflected-xss detection. (NODE-2756)

  • Added hardening to getAllParents method. (NODE-2931)

Release date: February 27, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Improved support for Express.static(). (SUP-4451)

  • Improved support for XSS detection when using the Fastify framework.

  • Improved logging surrounding errors when starting the agent.

Release date: January 31, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Instrumented the serve-static module to act as a custom sanitizer.

Release date: January 20, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

Bug fixes:

  • Config-diagnostics fails to create a configuration file if the logger path refers to a file descriptor.

Release date: January 17, 2023

Language versions currently supported: 12, 14, 16, and 18 LTS

New and improved:

  • Included the docker container ID in the system-info.json when running system-diagnostics.

  • CVE-2022-46175 node-agent Prototype Pollution in JSON5 via Parse Method.

Bug fixes:

  • Prevent crashing when the req is undefined. (NODE-2867)

See also

Node.js agent release note archive