Node.js release notes 2021

Added Joi support for ref() where reference target is an object.

The stacktrace limit default was set to 10 (previously it was set to 25).

Added Joi support for ref() where reference target is an object.

Added support for Dust.js template engine.

Implicit tagging of numeric input causes false negatives. (Node-2005)

Refactored logic around sanitizers that causes wrong tags.

When an application has been rewritten with Babel and the @babel/runtime helpers have been injected, the application fails to start. (Node-1956)

Added AWS-SDK version 3 DynamoDB to the flow map.

Improved tracking of vulnerabilities through path functions.

Bluebird is causing vulnerabilities to be attributed to the incorrect route. (NODE-1892)

Support for Mustache template engine version 4.x. (version 3 and version 4 of agent)

Specify module supported versions explicitly as a WARN in logs.

Fixes to the path.normalize Assess functionality. (NODE-1830)

Node 16 LTS support.

New configuration flag for “turbo” protect performance.

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

"Propagator micro-optimizations" causes performance issue. (NODE-1913)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

XXE Assess causes false negatives with the DVNA application. (NODE-1810)

Significant Assess performance improvements for use cases where there is a large JSON body in the inbound request.

Improved reporting/UX to Contrast where there is a vulnerability identified in large JSON body in the inbound request.

The MongoDB 4.X driver is now supported along with versions 3.5.0 and later.

CVE-2021-3749 - node-agent - bump 'axios' from 0.21.1 to 0.21.2

CVE-2021-37713 bump tar dependency in 'distringuish' repo from 4.4.15 to 4.4.19

CVE-2021-37713 bump tar dependency in 'node-fn-inspect' repo from 4.4.15 to 4.4.19

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

When reporting libraries "_requiredBy" or "dependents" field not populated. (NODE-1718)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

Significant performance refactoring completed for both Protect and Assess functionality.

CLI rewriter for startup performance improvements.

Set Babel as sole rewriter - removed Esprima.

Updating Contrast Service is mandatory.

Added support for agent.logger.backups and agent.logger.roll_size properties.

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE 1643)

Koa: Router.use reported as Router.undefined. (NODE-1628)

Logger not logging all entries to debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)

Tag ranges off when Array.join is called with empty string. (NODE-1673)

Trim prerelease from reported agent version. (NODE-1693)

Resolved CVEs against these dev dependencies: CVE-2021-3765, CVE-2021-3807.

Bluebird causes vulnerabilities to be attributed to the incorrect route. (Node-1892)

When there are NoSQL vuln on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

Agent maintenance version 3.x does not ship with prebuilt dependencies for Node 10. (NODE-1905)

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-require-hook

CVE-2021-3795 upgrade semver-regex to latest (v3.1.3) in node-fn-inspect

CVE-2021-3807 bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1)

CVE-2020-26301 bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4)

CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Node.js agent failing silently in Protect mode if unsupported Node.js LTS version. (NODE-1757)

Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

When reporting libraries, "_requiredBy" or "dependents" fields not populated. (NODE-1718)

Resolves a breaking change regression and reenables the agent to run on Node.js 10 LTS, even though that Node.js LTS version has reached its end-of-life (EOL). (NODE-1748)

The agent can successfully instrument any application using Bluebird. (NODE-1742)

Resolved an issue where the agent was not correctly tracking data through several Sequelize functions. (NODE-1746)

Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)

Addressed bug that prevented logging some entries into debug file. (NODE-1654)

HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Router.use reported as Router.undefined in Koa. (NODE-1628)

Agent unable to detect installed libraries on Windows. (NODE-1622)

Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

Logger methods called before initialization. (NODE-1625)

Mongodb collection methods not triggering post hooks. (NODE-1603)

When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

AsyncStorage loses context in mysql query operations. (SUP-2861)

Fixed an issue where the customer app crashes but does not throw an exception to the Docker container and write to stdout/stderr. (NODE-1511)

When user is using express-session middleware, res.end does not report cross-site scripting (XSS). (SUP-2796)

AsyncStorage loses context in mysql query operations. (SUP-2861)

To resolve a ReDoS CVE (CVE-2021-23362) we need to update the hosted-git-info library included as a dependency.

Runtime performance improvements by improving JSON stringify tracking capabilities.

Added support for the Joi validator library, version 17+.

Runtime performance improvement by disabling membrane wrapping for certain functions.

RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)

False positive Hardcoded Key finding reported. (SUP-2636)

If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)

Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.

Improved logging when an incorrect package.json is used.

Prevent a catch when an async storage object can’t be parsed. (SUP-2685)

Fixed how the agent contextualizes async data when koa-bodyparser is used (SUP-2627)

Fixed cases where Express vulnerabilities aren’t reported to the UI correctly (SUP-2509, SUP-1558)

When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)

Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).

Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).

When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)

Kraken 2.3.0 is now supported.

Loading the agent with an ESM loader produces an error. (SUP-2504)

DynamoDB hook for flowmap crashes up without 'endpoint' in config (SUP-2475)

Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)

Juice-Shop does not run when Assess in enabled on Windows. (SUP-2521, NODE-1317)

DynamoDB hook for flowmap crashes agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)

Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)

Loopback 4 is now supported.

Fastify 3 is now supported.

False negative path traversal finding in Express. (SUP-2412)

Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)

Highlighted text in the UI is off by one character. (SUP-2384)

The application may throw an error if the cache-controls header is an array. (SUP-2416)

Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)