Node.js release notes 2023

Remediated axios CVE-2023-45857.

All components use a single event emitter.

Implemented koa-multer as an Assess dataflow source.

Added more response-scanning rules.

The new standardNormalizedUri field is populated correctly when sending /traces data to TS.

Implemented Assess cryptographic rules.

Implemented propagation for ejs.Template.prototype.generateSource in v5.

Telemetry is reported by the v5 agent and config settings to disable telemetry are respected.

TypeError: Cannot read properties of undefined (reading 'path'). (NODE-3292)

Fixed Protect nosql-injection reporting. (NODE-3216)

Implemented propagation for util.format.

Added support for the untrusted-deserialization rule.

QueryBuilder subclasses have relevant methods patched as sql-encoded propagators.

Implemented propagation for:

Implemented propagation for several escape methods.

Output request-response metrics to logs at DEBUG level.

The app/agent will crash an app using a distroless container. Cannot write logs. (NODE-3225)

UI reporter does not use effective configuration values in the application create body. (NODE-3243)

Fixed TS reporting of xxssprotecttion-header-disabled rule in v5.

JSON.parse propagator causes tracker error when called with null or empty string. (NODE 3230)

Implemented propagation for path.relative.

Implemented propagation for path.dirname.

Added Assess xxe support.

Fix to issue where Koa apps were reporting route discovery twice. (NODE-3199)

Fix to issue where the application did not onboard if Assess or Protect was not enabled locally. (NODE-3221)

Fix to issue where Docker version of juice-shop fails to run - npm not found. (NODE-3223)

Improved logging for Contrast communication troubleshooting.

Implemented a more friendly mechanism for capturing heap dump snapshots.

Implemented fixes for where the agent was incorrectly reporting juice-shop findings.

v1-endpoint will now respect the configuration option when building serverType path parameter.

Implemented instrumentation for Joi boolean and number coercing methods.

Implemented instrumentation for Joi .allow(), .valid(), and .equal() value methods.

Implemented instrumentation for Joi object, expression, and any types.

The context for the eval sink now reports as eval(...), and does not contain Contrast methods text.

Every call to track is preceded by a check for successful event creation.

Fixed effective configuration only updating once. (NODE-3204)

Fixed an issue associated with a memory leak when running Assess. (NODE-3198)

Updated all components to manage local policies through effective configuration.

Refactored the usage of all string manipulation and Array.prototype.join methods.

Agent does not report path traversals when files are served using serve-static in safe way. (NODE-3157)

Added support for Node.js 20.5.0 and later.

Implemented session-configuration rules for express-session.

Track keys and parse different object types passed to URLSearchParams.

Improved require-hook logging.

Removal of the Contrast Service (SpeedRacer).

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Running Assess and Protect concurrently is supported.

Library reporting with ECU/ELU when running Protect (library reporting in Production).

Effective configuration reporting to Contrast.

devDependencies not published to npm - reduced FP CVE findings.

Structured logging using pino.

Route observability/coverage with normalized URI for deduplication.

Faster rewrite at startup using SWC.

Supports vulnerability detection when API Testing with SuperTest npm: supertest.

Support for String.prototype.matchAll() propagation (not supported in v4).

Remediated axios CVE-2023-45857.

All components use a single event emitter.

The security logger handles path: /dev/null to disable logging in all supported operating systems.

Telemetry is reported by the v5 agent and config settings to disable telemetry are respected.

TypeError: Cannot read properties of undefined (reading 'path'). (NODE-3292)

Fixed Protect nosql-injection reporting. (NODE-3216)

Fixed vm module instrumentation. (NODE-3004)

Output request-response metrics to logs at DEBUG level.

The app/agent will crash an app using a distroless container. Cannot write logs. (NODE-3225)

UI reporter does not use effective configuration values in application create body. (NODE-3243)

Added support for changing Protect policies and logging level from Contrast without requiring a restart.

Audit v5 logging of PII.

Synchronization of Assess and Protect implementations when they differ.

Added HTTP logging to Contrast communications.

Updated the rewriter to inject ContrastMethods.Function and support existing Protect input-tracing patches. (NODE-3100)

Agent v5 issues with the effective-config end-point. (NODE-3151)

Implemented propagation for JSON.parse.

Implemented Session Configuration rules for Assess.

Added support for the new major version (v 1.x.x.) of the libxmljs library. The library is instrumented to detect XXE vulnerabilities.

Fixed libxmljs that was not properly instrumented. (NODE-3121)

Fixed rewriter to avoid adding spurious trailing characters.

Improved swc rewriter to be able to rewrite files with shebang comments.

Added support for detecting sleep(x) type of SSJS attacks in MongoDB context.

Added session_id to the effective configuration options.

Added support for the MS SQL database driver for v5 Protect-only agent.

Added support for detecting nosql-injection attacks for MarsDB in Protect mode.

Fixed a bug when receiving the nosql-injection rule settings from Contrast and the agent not respecting that setting.

security_logger receives the correct default values.

NoSQL Injection Mongo - added support for $accumulator operator.

The RegExp now detects a vulnerable string with single and double quotes around the URI of the targeted file.

Bumped agent-lib version in Node agent v5 to v5.3.0.

NoSQL Injection Mongo - added support for $function operator.

Migrated shared hooks to instrumentation layer: http, https, http2, spdy.

Reduced code duplication in existing Protect hooks.

CVE-2022-46175 node-require-hook Prototype Pollution in JSON5 via Parse Method.

NODE_OPTIONS envrionment for pino worker-thread does not get cleared of --require @contrast/.... (NODE-2882)

Provided npx command to config-diagnostics and output results.

Fixed issue where @contrast/protect-agent does not install. (NODE-2803)

CVE-2022-46175 Prototype Pollution in JSON5 via Parse Method.

Internal Protect data structure changes.

Performance improvement for capturing stack traces. (NODE 2760)

Contrast Security Node.js Protect-only Agent. See npm: @contrast/protect-agent