Node.js release notes 2021

Release date: December 23, 2021

Language versions currently supported: 12, 14 and 16 LTS

Release date: December 3, 2021

Language versions currently supported: 12, 14

Important

As of Node 3.11.15, the agent will be bundled with Contrast Service version 2.28.0.

New and improved:

  • Added Joi support for ref() where reference target is an object.

Release date: December 3, 2021

Language versions currently supported: 12, 14 and 16 LTS

Important

As of Node 4.7.0, the agent will be bundled with Contrast Service version 2.28.0.

New and improved:

  • The stacktrace limit default was set to 10 (previously it was set to 25).

  • Added Joi support for ref() where reference target is an object.

  • Added support for Dust.js template engine.

Bug fixes:

  • Implicit tagging of numeric input causes false negatives. (Node-2005)

  • Refactored the logic around sanitizers that caused wrong tags.

Release date: November 18, 2021

Language versions currently supported: 12, 14, 16 LTS

Bug fixes:

  • When an application has been rewritten with Babel and the @babel/runtime helpers have been injected, the application fails to start. (Node-1956)

Release date: November 10, 2021

Language versions currently supported: 12, 14, 16 LTS

New and improved:

  • Added AWS-SDK version 3 DynamoDB to the flow map.

  • Improved tracking of vulnerabilities through path functions.

Release date: November 2, 2021

Language versions currently supported: 12, 14, 16 LTS

Important

As of Node 4.5.1, the agent will be bundled with Contrast Service version 2.27.3.

Bug fixes:

  • Bluebird is causing vulnerabilities to be attributed to the incorrect route. (NODE-1892)

Release date: October 21, 2021

Language versions currently supported: 12, 14, 16 LTS

New and improved:

  • Support for Mustache template engine version 4.x (agent versions 3 and 4).

  • Supported module versions are now stated explicitly as a WARN entry in the logs.

Bug fixes:

  • Fixes to the path.normalize Assess functionality. (NODE-1830)

Release date: October 13, 2021

Language versions currently supported: 12, 14, 16 LTS

New and improved:

  • Node 16 LTS support.

  • New configuration flag for “turbo” Protect performance.

Bug fixes:

  • When there are NoSQL vulnerabilities on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

  • "Propagator micro-optimizations" cause a performance issue. (NODE-1913)

Release date: September 29, 2021

Language versions currently supported: 12 and 14 LTS

New and improved:

  • CVE-2021-3795: upgrade semver-regex to latest (v3.1.3) in node-require-hook.

  • CVE-2021-3795: upgrade semver-regex to latest (v3.1.3) in node-fn-inspect.

  • CVE-2021-3807: bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1).

  • CVE-2020-26301: bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4).

Bug fixes:

  • XXE Assess causes false negatives with the DVNA application. (NODE-1810)

Release date: September 23, 2021

Language versions currently supported: 12 and 14 LTS

Known issue:

There may be some message loss between the agent and the Contrast service if you are NOT using the optional gRPC protocol. This version will be deprecated once a fix is provided in the 4.2.1 release.

New and improved:

  • Significant Assess performance improvements for use cases where there is a large JSON body in the inbound request.

  • Improved reporting/UX to Contrast where there is a vulnerability identified in large JSON body in the inbound request.

  • The MongoDB 4.X driver is now supported along with versions 3.5.0 and later.

  • CVE-2021-3749 - node-agent - bump 'axios' from 0.21.1 to 0.21.2.

  • CVE-2021-37713 - bump tar dependency in 'distringuish' repo from 4.4.15 to 4.4.19.

  • CVE-2021-37713 - bump tar dependency in 'node-fn-inspect' repo from 4.4.15 to 4.4.19.

Release date: August 28, 2021

Language versions currently supported: 12 and 14 LTS

Note

As of Node.js 4.1.0, we no longer support Contrast Node.js agent versions 2.X.

New and improved:

  • CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

  • CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

  • SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

  • CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Bug fixes:

  • Node.js agent fails silently in Protect mode when an unsupported Node.js LTS version is used. (NODE-1757)

  • When reporting libraries, the "_requiredBy" or "dependents" fields are not populated. (NODE-1718)

  • Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

Release date: July 28, 2021

Language versions currently supported: 12 and 14 LTS

Release date: July 8, 2021

Language versions currently supported: 12 and 14 LTS

New and improved:

  • Significant performance refactoring completed for both Protect and Assess functionality.

  • CLI rewriter for startup performance improvements.

  • Set Babel as the sole rewriter; removed Esprima.

  • Updating Contrast Service is mandatory.

  • Added support for agent.logger.backups and agent.logger.roll_size properties.

Bug fixes:

  • Agent unable to detect installed libraries on Windows. (NODE-1622)

  • Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

  • Koa: Router.use reported as Router.undefined. (NODE-1628)

  • Logger not logging all entries to debug file. (NODE-1654)

  • HTTP body missing for multipart/form-data POST requests. (NODE-1620)

  • Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

  • Screener tests fail because of non-existent rewrite-babel file. (NODE-1682)

  • Tag ranges off when Array.join is called with empty string. (NODE-1673)

  • Trim prerelease from reported agent version. (NODE-1693)

Release date: November 18, 2021

Language versions currently supported: 12, 14 LTS

New and improved:

  • Resolved CVEs against these dev dependencies: CVE-2021-3765, CVE-2021-3807.

Release date: November 3, 2021

Language versions currently supported: 12, 14 LTS

Important

As of Node.js 3.11.13, the agent will be bundled with Contrast Service version 2.27.3.

Bug fixes:

  • Bluebird causes vulnerabilities to be attributed to the incorrect route. (Node-1892)

Release date: October 13, 2021

Language versions currently supported: 12 and 14 LTS

Bug fixes:

  • When there are NoSQL vulnerabilities on GET requests from two routes, the vulnerability is not reported. (NODE-1900)

Release date: October 7, 2021

Language versions currently supported: 12 and 14 LTS

Bug fixes:

  • Agent maintenance version 3.x does not ship with prebuilt dependencies for Node 10. (NODE-1905)

Release date: September 29, 2021

Language versions currently supported: 12 and 14 LTS

New and improved:

  • CVE-2021-3795: upgrade semver-regex to latest (v3.1.3) in node-require-hook.

  • CVE-2021-3795: upgrade semver-regex to latest (v3.1.3) in node-fn-inspect.

  • CVE-2021-3807: bump ansi-regex dependency in node-agent repo (from 2.1.1 to 6.0.1).

  • CVE-2020-26301: bump ssh2 to latest version (v1.4.0) in the node-agent repo (v3 and v4).

Release date: August 26, 2021

Language versions currently supported: 12 and 14 LTS

New and improved:

  • CVE-2021-3664 - node-agent - Bump url-parse from 1.5.1 to 1.5.3.

  • CVE-2021-23343 - node-agent - Bump path-parse from 1.0.6 to 1.0.7.

  • SNYK-JS-TAR-1536758 - node-agent - Bump tar from 6.1.4 to 6.1.10.

  • CVE-2021-32803 - contrast-protobuf-api - Bump tar from 4.4.13 to 4.4.15 (or 4.4.19).

Bug fixes:

  • Node.js agent fails silently in Protect mode when an unsupported Node.js LTS version is used. (NODE-1757)

  • Sequelize propagators do not add Propagation events to dataflow history, causing possible NoSQL injection false positives. (NODE-1746)

  • When reporting libraries, the "_requiredBy" or "dependents" fields are not populated. (NODE-1718)

Release date: August 13, 2021

Language versions currently supported: 12 and 14 LTS

Bug fixes:

  • Resolves a breaking-change regression and re-enables the agent to run on Node.js 10 LTS, even though that Node.js LTS version has reached its end-of-life (EOL). (NODE-1748)

  • The agent can successfully instrument any application using Bluebird. (NODE-1742)

  • Resolved an issue where the agent was not correctly tracking data through several Sequelize functions. (NODE-1746)

Release date: July 29, 2021

Language versions currently supported: 12 and 14 LTS

Release date: July 8, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Agent fails to start with infinite loop when unable to write contrast-service socket file. (NODE-1657)

  • Improved the agent's deadzoning ability to correctly skip instrumentation of dependent modules of deadzoned modules. (NODE-1449)

Note

This version has been deprecated; please use 3.11.6 or later.

Release date: July 6, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Addressed bug that prevented logging some entries into debug file. (NODE-1654)

  • HTTP body missing for multipart/form-data POST requests. (NODE-1620)

Note

This version has been deprecated; please use 3.11.6 or later.

Release date: June 25, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Router.use reported as Router.undefined in Koa. (NODE-1628)

Note

This version has been deprecated; please use 3.11.6 or later.

Release date: June 25, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Agent unable to detect installed libraries on Windows. (NODE-1622)

  • Bluebird callbacks run in NO_INSTRUMENTATION scope causing accuracy issues. (NODE-1643)

Note

This version has been deprecated; please use 3.11.6 or later.

Release date: June 11, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Logger methods called before initialization. (NODE-1625)

  • Mongodb collection methods not triggering post hooks. (NODE-1603)

Note

This version has been deprecated; please use 3.11.6 or later.

Release date: June 08, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When the express-session middleware is used, res.end does not report cross-site scripting (XSS). (SUP-2796)

  • AsyncStorage loses context in mysql query operations. (SUP-2861)

  • Fixed an issue where the customer application crashes without surfacing an exception to the Docker container or writing to stdout/stderr. (NODE-1511)

Release date: May 27, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When the express-session middleware is used, res.end does not report cross-site scripting (XSS). (SUP-2796)

  • AsyncStorage loses context in mysql query operations. (SUP-2861)

Release date: May 21, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Updated the hosted-git-info library, included as a dependency, to resolve a ReDoS CVE (CVE-2021-23362).

Release date: May 17, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: April 28, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Runtime performance improvements by improving JSON stringify tracking capabilities.

  • Added support for the Joi validator library, version 17+.

Release date: April 19, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: April 13, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Runtime performance improvement by disabling membrane wrapping for certain functions.

Release date: April 2, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • RangeError thrown on startup when traversing a router mounted on itself in Express. (SUP-2723)

Release date: March 31, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • False positive Hardcoded Key finding reported. (SUP-2636)

  • If the Service is enabled, the application.path isn’t reported correctly. (SUP-2669)

Release date: March 26, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Added support for the Validator library, which can be used to sanitize and validate common vulnerability categories.

  • Improved logging when an incorrect package.json is used.

Bug fixes:

  • Prevent a catch when an async storage object can’t be parsed. (SUP-2685)

  • Fixed how the agent contextualizes async data when koa-bodyparser is used. (SUP-2627)

  • Fixed cases where Express vulnerabilities aren’t reported to the UI correctly. (SUP-2509, SUP-1558)

Release date: March 18, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When using a MongoDB SCRAM-SHA-256 authentication configuration, an exception is thrown at server startup. (SUP-2653)

Release date: March 15, 2021

Language versions currently supported: 10, 12 and 14 LTS

Release date: March 9, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Upgraded lodash from 4.17.20 to 4.17.21 due to two known CVEs found in version 4.17.20 (CVE-2020-28500, CVE-2021-23337).

  • Upgraded amqplib from 0.6.0 to 0.7.1 due to a known CVE found in version 0.6.0 (CVE-2021-27515).

Release date: March 8, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • When a querystring is included in a MongoDB connection string, the agent can’t parse the URL. (SUP-2594)

Release date: March 1, 2021

Language versions currently supported: 10, 12 and 14 LTS

New features and improvements:

  • Kraken 2.3.0 is now supported.

Bug fixes:

  • Loading the agent with an ESM loader produces an error. (SUP-2504)

  • DynamoDB hook for flow map crashes when 'endpoint' is not specified in configuration. (SUP-2475)

Release date: February 26, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • Library usage causes errors on Windows when application loads add-on. (SUP-2536, NODE-1328)

  • Juice-Shop does not run when Assess is enabled on Windows. (SUP-2521, NODE-1317)

Release date: February 11, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • DynamoDB hook for flow map crashes the agent when 'endpoint' is not specified in configuration. (SUP-2475, NODE-1286)

  • Users running esm.mjs receive an error because it is not being packaged. (SUP-2478, NODE-1288)

Release date: January 29, 2021

Language versions currently supported: 10, 12 and 14 LTS

New and improved:

  • Loopback 4 is now supported.

  • Fastify 3 is now supported.

Bug fixes:

  • False negative path traversal finding in Express. (SUP-2412)

  • Agent not detecting remote code execution (RCE) with certain input values. (SUP-2433)

  • Highlighted text in the UI is off by one character. (SUP-2384)

Release date: January 28, 2021

Language versions currently supported: 10, 12 and 14 LTS

Bug fixes:

  • The application may throw an error if the cache-controls header is an array. (SUP-2416)

  • Agent incorrectly exiting on SIGPIPE when the Contrast Service is used. (SUP-2421)