Skip to main content

Supported technologies for v4 Node.js (Legacy)


The Contrast Node.js agent may not function with versions of modules tagged as deprecated on Deprecated modules present a high security risk and may negatively impact the function of the agent.

It also does not support applications that use bundlers like webpack, parcel, or esbuild to package or compress the server-side JavaScript code.

Language version

  • JavaScript ECMAScript 5 

  • JavaScript ECMAScript 6

  • ECMAScript modules (ESM)

  • TypeScript


Contrast supports even numbered Node.js versions in "active LTS" or "maintenance" status.

The Node.js LTS versions support these features for JavaScript ECMAScript5 and 6.

The Contrast Node.js agent provides limited support for working with user apps that use ESM.

TypeScript is only supported if the agent is configured to point to the compiled entry point for your application.

Node.js Long-Term Support (LTS)

All versions in Active and Maintenance LTS status, currently:

  • 12* and 14*

  • 16* (only for agent version 4.5.0 and later)

  • 18 (only for agent version 4.25.0 and later)


You should always use Node.js LTS versions that are active or in maintenance status.

*Although the Contrast agent should function when running 12 LTS, 14 LTS, or 16 LTS they reached EOL at the end of April 2022, April 2023 and September 11, 2023, respectively. These EOL versions present serious security risks since they are no longer patched.

The Node.js agent doesn't guarantee support for Node.js features classified as Experimental (Stability: 1). It also doesn't instrument the native net module. It only provides functionality for HTTP(S) application servers built using the supported application frameworks in this table.

HTTP/2 is supported for the Node.js agent when using the Node.js core HTTP/2 or spdy library.

For customer applications using HTTP/2 with Contrast Node.js agent, you must configure the agent to use assess.enable_lazy_tracking: false.

Node.js version status is shown in Node.js Long-Term Support Release Schedule.

  • 20 (only for agent version 4.33.0 and later)

The agent does not support the feature that allows applications to run with the --experimental-permission flag and with reduced permissions. Reduced permissions inactivate native modules, and if the agent is instrumented with reduced permissions, it will immediately crash.

Node package manager (npm)

npm versions:

  • >=6.13.7

  • >=7.11.0

  • >= 8.5.5

The Node.js agent requires access to one of these npm versions to reliably report libraries to the Contrast UI. Versions 6 or 8 are preferred over version 7.

Application frameworks


*Deprecated by the maintainer, these libraries could present a security risk.

Database drivers and object-relational mapping (ORM)

  • DynamoDB (Assess only) AWS SDK for JavaScript: 2.X and 3.X

  • MongoDB 2.2.36*, 3.3.0 and later, 4.X. Compatible with database versions 3.6, 4.X, 5.X)

  • MySQL2 2.0.0 and later. Compatible with MySQL database versions 5.6.51, 5.7.X and 8.0.X.

  • Mongoose 5.X, 6.X

  • MSSQL 6.4.0 and later

  • Postgres driver 7.5.0 and later, 8.X

  • RethinkDB driver version 2.4.0 and later

  • Sequelize 5.X and 6.X

  • SQLite3 driver 4.X. Compatible with database versions 3.26.0 and later).


*Deprecated by the maintainer, the agent will still function but these libraries/versions present a security risk.

Validation modules

Templating engines

Other technologies

Test suite

Node Test Benches

When changes are made to the Node.js agent, Contrast runs this battery of automated tests to ensure that it detects findings in supported technologies across all supported versions of Node. The Node Test Benches include tests that exercise the agent with all of our supported frameworks. Each framework within the monorepo is updated as Contrast adds more third-party library support to the agent.