Node.js agent release notes


1.32.0 - 29 July 2019

  • Agent to report Express endpoint with tracked events
  • Sqreen is now able to hook on callback methods and promise resolution
  • Introduce a dedicated performance cap for monitoring actions

1.31.0 - 2 July 2019

  • Sqreen uses Async Hooks by default on Node.js >= 8.2 (can be disabled with environment variable SQREEN_USE_CLS)
  • Sqreen will instrument http and https servers even if other tools change their loading behavior

1.30.3 - 24 May 2019

  • Allow ts-node as first required module
  • Introduce SQREEN_CUSTOM_PKG_SUBSTRING_IGNORE to ignore a given first-required package
  • Fix bug in collection of HTTP response code
  • Use the main module path to detect the root of the project
  • Fix bug in extension of security responses

1.30.2 - 2 May 2019

  • Clean up contexts when using Async Hooks once the HTTP request is over

1.30.1 - 17 April 2019

  • Attacks will not be reported twice if there are two request handlers
  • Vendored continuation-local-storage to prevent interactions with cls-hooked
  • Auto-instrumentation of passport-local works reliably

1.30.0 - 11 April 2019

  • Update README.md to point to new domain
  • Better detection of project root directory
  • Enhancements in performance cap and performance monitoring
  • Agent's communications with the Sqreen back-end are more robust
  • Remove marginal issue in server's port detection

1.29.5 - 28 March 2019

  • Prevent the agent from writing twice in a request if there are multiple request listeners on a server

1.29.4 - 19 March 2019

1.29.3 - 27 February 2019

  • Agent to collect the value of the SQREEN_BETA_ASYNC_HOOKS env variable for debugging purposes

1.29.2 - 22 February 2019

  • Agent is more resilient to malformed IP addresses

1.29.0 - 21 January 2019

  • Agent does not report performance metrics when disabled
  • Support of organization tokens

1.28.2 - 15 January 2019

  • Fix knex issue that happens when cleaning up connections

1.28.1 - 19 December 2018

  • Specifying the app root will also change where Sqreen looks for package.json

1.28.0 - 18 December 2018

  • Better performance for whitelist and blacklist
  • Agent now collects data regarding HTTP responses (status code and content type)
  • Environment variable SQREEN_DISABLE_STARTUP_WARNING=1 can be used to hide first-require checks from logs

1.27.3 - 9 November 2018

  • Authentication action tracking is no longer limited by the performance cap

1.27.2 - 8 November 2018

  • Fixed an occasional memory leak that could happen when using knex

1.27.1 - 8 November 2018

  • Fully tested with Node.js 11
  • Reduce number of IOs at startup

1.27.0 - 6 November 2018

  • Add performance monitoring to the agent

1.26.2 - 18 October 2018

  • Move the IP addresses management of security responses to a radix tree

1.26.1 - 16 October 2018

  • Fix an issue when the performance budget is too low and the vm module rejects its value

1.26.0 - 3 October 2018

  • Agent will no longer collect the HTTP payload when tracking events, unless configured otherwise

1.25.2 - 1 October 2018

  • Weak database configuration playbook (no password sent to Sqreen servers)

1.25.0 - 28 September 2018

  • Added binary sqreen-check-network to check if Sqreen servers are reachable

1.24.1 - 26 September 2018

  • Fix playbook signature issue that prevented the use of newer playbooks
  • When Sqreen is disabled, the agent deletes all current security responses

1.24.0 - 18 September 2018

  • The pmx module can now be required before Sqreen without triggering warnings
  • Performance cap features to limit the impact of Sqreen on an application
  • Instrumentation, which was broken on Windows, has been fixed

1.23.0 - 27 August 2018

  • INFO level logs added to log tracked events reporting
  • Sqreen can instrument methods on global classes

1.22.0 - 13 July 2018

  • Sqreen configuration file parsing is now compatible with all encodings
  • Add SQREEN_APP_ROOT environment variable and app_root configuration key to declare the project root directory

1.21.0 - 13 July 2018

  • Sqreen to collect HTTP request context (query string, body) when recording attacks or tracking custom events
  • PII scrubbing

1.20.2 - 6 July 2018

  • SDK auth_track method: use the request parameter as the HTTP context

1.20.1 - 25 June 2018

  • Report events (sq.action.[action_name]) when a user is blocked by a security automation playbook.

1.20.0 - 19 June 2018

  • Add support for block user security response
  • Raise warning messages to Sqreen dashboard when the agent isn't required as first module

1.19.0 - 30 May 2018

  • Add support for knex to SQL injection plugin.

1.18.5 - 22 May 2018

  • Fix usage of continuation-local-storage when current context is lost

1.18.4 - 16 May 2018

  • Fix broken link in README.md

1.18.3 - 16 May 2018

  • Fix dependency loading conflict with request-promise

1.18.2 - 15 May 2018

  • Update communication protocol with Sqreen BackEnd
  • Agent will not call process.exit on 'SIGINT' anymore. It will propagate the signal to Node.js if there is no other listener on it.

1.18.1 - 4 May 2018

  • Improved communication with Sqreen BackEnd

1.18.0 - 3 May 2018

  • Limit number of claims in track SDK params to 16
  • Internal performance optimizations

1.17.1 - 19 April 2018

  • Remove very noisy log
  • Consider SDK events as observations in Request Record

1.17.0 - 18 April 2018

  • Support for ip_header config
  • Add tracking SDK and security responses
  • Experimental use of Async Hooks to track context behind a flag

1.16.0 - 4 April 2018

  • HTTP proxy support
  • Remove pm2 from first require checks

1.15.0 - 14 February 2018

  • Support for global methods protection

1.14.2 - 13 February 2018

  • Better memory handling of Request Record

1.14.1 - 18 January 2018

  • SDK to identify methods
  • Request record reporting system
  • Require race fixed in xss

1.13.0 - 11 January 2018

  • Reveal support for XSS in express

1.12.0 - 19 December 2017

  • Reveal support added
  • Error message when login fails fixed

1.11.0 - 27 November 2017

  • Agent to use a Sqreen user agent to connect to BE
  • IP addresses detection updated
  • Node.js 9 added to build targets
  • Logo changes

1.10.4 - 17 October 2017

  • Ensure no infinite recursions when packages are installed with cnpm

1.10.3 - 10 October 2017

  • attachValue cb checks that context exists before running

1.10.2 - 29 September 2017

  • Insert Sqreen header sooner in request lifecycle

1.10.1 - 14 September 2017

  • CRS patterns min_length control
  • Requests are cleaned at response time
  • Reduced usage of setImmediates
  • CLS-patched modules are patchable

1.10.0

  • When Sqreen is not the first required module, a warning message will be displayed in the error output
  • Hook detection uses hasOwnProperty

1.9.9

  • JS rules in strict mode
  • Better Sqreen debug logs

1.9.8

  • Add forgotten promise rejection catch

1.9.7

  • Safeguard at specific hooks

1.9.6

  • Lazy binding accessor

1.9.5

  • Important: lazy build of rules callbacks
  • Moved debug collection of dependencies to command

1.9.4

  • Prevent errors when attempting to patch non-existent packages (fix)

1.9.3

  • Prevent errors when attempting to patch non-existent packages

1.9.2

  • IP address detection behavior

1.9.1

  • Login v1.5

1.8.8

  • Reduce memory/cpu footprint on login due to packages collection

1.8.7

  • First attacks are pushed to BE immediately

1.8.6

  • Filtered_request_params BA

1.8.5

  • Better handling of network errors
  • node_modules/.bin directory not explored at login

1.8.4

  • null rulespack does not fire errors anymore

1.8.3

  • Express middleware to be injected by overriding lazyrouter and not init

1.8.2

  • on-request hook is blocking when skipped

1.8.1

  • IP blacklist support
  • onrequest http/https hook after cls init

1.8.0

  • IP whitelist support
  • Reduced continuity loss in passport-local

1.7.10

  • Express CRS support when no call to use is made
  • Referer header captured in attacks

1.7.9

  • passport-SAML auto hook strategy to handle mongoose objects

1.7.8

  • '1' is allowed for env var
  • Escape only certain xss

1.7.7

  • SQREEN_DISABLE env to disable Sqreen
  • Tests in node 8

1.7.6

SKIPPED

1.7.5

  • Agent version not to be tampered with

1.7.4

  • hapijs ext points added for custom ruling

1.7.3

  • Whitepathed attacks are whitepathed

1.7.2

  • Remove an unhandled promise rejection

1.7.1

  • Safeguard to ensure remote IP is a string in utils
  • README.md

1.7.0 - 19 April 2017

  • Attack page and redirection behavior
  • Pre-conditions updates

1.6.0 - 18 April 2017

  • CRS support
  • Request_params BA
  • Beats force metric collection

1.5.0 - 7 April 2017

  • Pre-conditions support
  • BindingAccessorCounter cb

1.4.8 - 27 March 2017

  • Updated wreck to 12.

1.4.7 - 23 March 2017

  • HTTPS support
  • Login metric name

1.4.6 - 17 March 2017

  • Rename hook files names to prevent NR fake warning

1.4.5 - 14 March 2017

  • Reduced error logs

1.4.4 - 3 March 2017

  • Batch is overridden when an event kind is met for the first time

1.4.3 - 3 March 2017

  • Change logs

1.4.2 - 27 February 2017

  • Fast logout when NODE_ENV indicates dev

1.4.1 - 27 February 2017

  • #.cwd in accessors
  • Allow all chars in pkg names
  • Login features issue

1.4.0 - 16 February 2017

  • Ensure prevention of double call on res.write
  • Shellshock protection
  • Remove patching prevention on native code
  • Lookup space cache removed to prevent reducing the attack space size
  • Matcher case_sensitive management

1.3.5 - 2 February 2017

  • Count status code of dropped requests
  • Do not use a shadow cache for non native modules
  • Remove blind patching

1.3.4 - 27 January 2017

  • Require-dir excluded from patching
  • Do not cache excluded modules

1.3.3 - 25 January 2017

  • Include cls-bluebird

1.3.2 - 25 January 2017

  • Async callback continuity

1.3.1 - 23 January 2017

  • Inlined @vdeturckheim/asjson

1.3.0 - 23 January 2017

  • Support for passport-saml
  • Update lab

1.2.1 - 16 January 2017

  • Request tracking with uuid v4
  • Updated warning when no config is found
  • Attack artifacts should be compliant with BE

1.2.0 - 30 December 2016

  • Initial features
  • (not public) signup sdk part 1
  • Split context in CLS thrown errors
  • Hard coded express continuity
  • Opbeat warnings

1.1.0 - 27 December 2016

  • Force logout command
  • npm keywords
  • Update README
  • Callback call count fixed (bad rulespack, no default enabled)

1.0.0 - 20 December 2016

  • Custom management of response.end to prevent overrides impact
  • Binding accessor will give exceptions
  • Remove feature on metric delay

0.12.1 - 20 December 2016

  • SDK auth failures are no longer converted to successes

0.12.0 - 19 December 2016

  • Metric keys are no longer a string inside a string
  • VersionCheck metric is better
  • Use login/heartbeat API v1
  • Sqreen does not block all deprecation messages anymore

0.11.3 - 16 December 2016

  • Continuity relays on q promises
  • Better reports if a js cb fails
  • Metric flush on logout
  • Better behavior when NR is present

0.11.2 - 13 December 2016

  • Continuity relays on passport

0.11.1 - 8 December 2016

  • Renamed instrumentation/director to prevent NR from thinking that the npm package director has already been required

0.11.0 - 8 December 2016

  • Major perf boost
  • Dynamic patching enabled
  • Call count disabled by default

0.10.0 - 22 November 2016

0.9.0 - 16 November 2016

  • Better IP detection for clients

0.7.0 - 15 September 2016

  • Features change supported
  • Update wreck
  • Batch mode

0.6.5 - 13 September 2016