Node.js release notes 2024

Fixed an issue where a deadzone bson require hook threw an error with bson 1.1.6. (NODE-3479)

Implemented HTTP/2 instrumentation for Reflected-XSS in Assess mode.

Implemented HTTP/2 instrumentation for the spdy library for Response Scanning rules.

Fixed node-require-hook on Windows.

HTTP2 response-scanning instrumentation causes uncaught exceptions. (NODE-3468)

Blocking requests caused metrics to report that the request exceeded the duration. (NODE-3475)

MJS files loaded from the rewrite cache can break relative path file reading. (NODE-3485)

Reduced event listeners from pg arch-component instrumentation. (NODE-3489)

crypto-analysis did not ignore case when checking algorithms. (NODE-3495)

npm detection fails with a space in path. (NODE-3497)

npm detection fails with a space in path (NODE-3497)

Fixed a new CVE associated with @grpc/grpc-js, which is a library used by the agent to communicate with the Contrast Service. (NODE-3487)

Implemented HTTP/2 instrumentation for Reflected-XSS in Protect mode.

Implemented support for Restify 8, 9, 10, and 11 (Assess and Protect).

Installed modules should throw errors when needed and not accumulate in _errors[].

Implemented validation logic in the module where the validation is required to correctly function.

Updated security logger escaping to match updated CEF guide specification.

Implemented Framework reporting during route discovery (also known as Compatibility check for route coverage).

Fixed URLSearchParams.toString(). (NODE-3332)

Added source map chaining. (NODE-3442)

Deprecated Node 14 for v5.

The existing @contrast/common functions have been replaced with more performant and self-documenting functions.

Teamserver associates all vulnerabilities with a single non-existent endpoint. (NODE-3457)

API keys are not redacted when the reporter throws an error. (NODE-3458)

The use of inspect during event creation was causing problems. (NODE-3451)

Check if isSafeContentType is in all reflected-xss sinks. (NODE-3452)

Fixed express route observation bug. (NODE-3453)

Express route coverage will handle middleware defined in an array.

Removed effective configuration enable flag so that agent always reports it to Teamserver.

Added warning when the agent detects users attempting to set config file location with  -c command line flag. Agent configuration via CLI flags has been deprecated in v5 agents.

Implemented Restify route discovery and observation.

Adding initial support for programmatic deadzones to allow the agent to turn off instrumentation within restricted functions.

Incoming message header handling is not correct. (NODE-3396)

Express route coverage does not discover routes defined by app.use() and router.use(). (NODE-3402)

TypeError: undefined is not a function at StacktraceFactory.makeFrame. (NODE-3420)

Add timer.unref() to code-events setCodeEventListener() for v4.

Support for Input and URL exclusions when running version 5.x agent.

Provided Protect specific CLI Rewriter option.

Route coverage error when express route registered with array of paths. (NODE-3380)

v5 agent does not properly handle archived apps. (NODE-3384)

Fix Fastify route coverage prefix bug. (NODE-3403)

Unwriting anonymous classes fails. (NODE-3406)

The rewriter can now be executed as a CLI command to allow rewriting of source code at container image creation. This lowers startup memory consumption and can speed up app start-up.

Implement rewriter cache for ESM loader hooks.

Add additional rewrite-deadzones.

Implemented improvements to string.prototype.split() tracking.

Resolves CVE-2024-24786 associated with the Contrast Service (updates to version 2.28.34).

Fixes a bug with the rewriter cache and deprecates version 5.4.0. (NODE-3367)

Initial support for application code rewrites caching for version 5.x agent.

Added hapi 21 framework support for Assess and Protect.

Stopped reporting of the library manifest on application updates.

Componentized ESM hooks and have them follow normal compose/install patterns.

Updated agent README for modern Node versions.

Fixed "Cannot find module 'file:/...'" in Library Analysis. (NODE-3358)

JSON.parse will throw exception if captured key/value indices are inaccurate. (NODE-3344)

URL parse propagator doesn't support parseQueryString flag. (NODE-3340)

string.replace not handling some special character replacements properly. (NODE-3341)

Dot entrypoint syntax no longer works. (NODE-3343)

Replaced parent-package-json in deps.

Some configuration fields not redacted in configuration logging. (NODE-3339)

Updated logger's cleanEnv to account for --loader in NODE_OPTIONS.

UI reporter v1 routes are not respecting proxy configuration. (NODE-3338)

Reflected-XSS not reporting when res.send is called. (NODE-3334)

Added runner-tap usability fixes.

Setting the server or application name in a non-English language causes errors. (NODE-3333)

Minimized new agent's ESM dual initialization costs.

Updated Axios client.

Fix to Juice Shop 16 not working with the new agent. (NODE-3323)

Fixed a bug with the new agent’s ESM loader functionality. (NODE-3320)

Removal of the Contrast Service (SpeedRacer).

Removal of command line options for configuring the agent. Only YAML and environment variables are supported to align with Python, Ruby, and Go agents.

Support for running Assess and Protect concurrently.

Ability to toggle the mode of Protect rules without a restart.

Toggling mode (Assess, Protect, Both) still requires an application/agent restart to take effect.

Library reporting with ECU/ELU when running Protect (library reporting in production).

Effective configuration reporting to ContrastUI.

devDependencies not published to npm - reduced FP CVE findings.

Structured logging using pino.

Ability to change the agent logging level from the ContrastUI without an application restart.

Log request latency (ns) at DEBUG level for every request.

Route observability/coverage with normalized URI for deduplication.

Faster rewrite at startup using SWC.

Supports SuperTest API Testing framework npm: supertest.

Supports Frisby API testing framework npm: frisby.

Support for String.prototype.matchAll() propagation.

Observed routes are reported to ContrastUI on application startup without requiring exercising a route.

ESM applications supported.  Support for loading/running the agent using:

The new --import directive is supported for all applications, both ESM and CJS, running on Node.js 18.9.0, 20.9.0 and later (LTS)

See npm for more.

Updated Axios.

Tweaks for the build.

Improved logging when there are npm failures.

Updated copywrite text in files to reflect the new year.

Express route-coverage utils throws exceptions when route has a missing stack. (NODE-3301)