Node.js microagent release notes¶ 1.55.0 - 8 October 2020¶ Backward-compatible typo fix in agent options: strip_sentitive_regex -> strip_sensitive_regex Update Sqreen In-App WAF 1.54.2 - 30 September 2020¶ Prevent writing track events outside of an HTTP context 1.54.1 - 28 September 2020¶ Fix an issue with depencies check not using workspace options 1.54.0 - 22 September 2020¶ Introduce new In-App WAF Full http 1 and Expressjs instrumentation 1.53.0 - 18 September 2020¶ Update In-App WAF to install only from npm Fix SQREEN_DISABLE environment variable 1.52.2 - 15 September 2020¶ Fix an exception thrown when the agent is disabled 1.52.1 - 15 September 2020¶ Fix AMQP instrumentation 1.52.0 - 18 August 2020¶ Log files to be created at agent startup Enabling of more accurate request tracing 1.51.1 - 14 August 2020¶ Make synchronous blocking resilient to other handlers on process 1.51.0 - 11 August 2020¶ Fix instrumentation issue when pm2 prevents modules loading Change logfiles basename to a UTC date Introduce synchronous blocking of attacks Introduce better introspection of WAF attacks when performing PII sanitization 1.50.1 - 5 August 2020¶ Add support for proxy on install of sq-native 1.49.0 - 22 July 2020¶ Add support for kafka-node and AWS SQS in flowmap 1.48.0 - 15 July 2020¶ Add support for Expressjs 2.x 1.47.0 - 13 July 2020¶ Add support for MySQL, Postgres, MongoDB and Sqlite in flowmap 1.46.0 - 6 July 2020¶ Update Sqreen In-App WAF Change default blocking page Sqreen to warn users if Sqreen backend can't be reached Fix user-agent handling in IAST 1.45.0 - 22 June 2020¶ User tracking is IAST aware PII is scrubbed in reported URL Support for Redis in flowmap 1.44.0 - 16 June 2020¶ Introduce workspace_depth configuration key 1.43.0 - 9 June 2020¶ Sqreen for Node.js now rely on sq-ecosystem package Introduce tracing feature for HTTP incoming and outgoing requests 1.42.0 - 3 June 2020¶ Introduce use_workspace configuration key 1.41.0 - 28 April 2020¶ Remove dependency to node-pre-gyp Update IAST rule handling 1.40.1 - 15 April 2020¶ Bind req.sqreen.signup_track when used with Express Fix Circular dependency issue when require-in-the-middle impacts module resolution 1.40.0 - 9 April 2020¶ Enable support for the "md5" library Update IAST in agent 1.39.0 - 20 March 2020¶ Agent to use signal API New Reveal interface Agent does not pins SSL certificates and relies on Node.js ones 1.38.4 - 4 March 2020¶ Fix issue preventing the In-App WAF from decoding URLs properly 1.38.3 - 14 January 2020¶ Reduce the CPU needs for enabling instrumentation 1.38.2 - 9 January 2020¶ Fix a bug where agent tried to attach properties to exceptions even when strings were thrown 1.38.1 - 19 December 2019¶ Fix a bug where agent did not report In-App WAF attacks anymore 1.38.0 - 19 December 2019¶ Apply data scrubbing to In-App WAF attacks Improve performances of RASP calls Fix issue in Express.js endpoint detection 1.37.2 - 3 December 2019¶ Fix issue in Express.js endpoint detection 1.37.1 - 18 November 2019¶ Optimize speed of In-App WAF feature 1.37.0 - 30 October 2019¶ Vendor some dependencies 1.36.1 - 21 October 2019¶ Update https-proxy-agent to 3.0 1.36.0 - 9 October 2019¶ Reveal beta Enable In-App WAF to work with URL encoded parameters 1.35.1 - 9 October 2019¶ Fix In-App WAF reset issue 1.35.0 - 8 October 2019¶ Enable In-App WAF to access requests' body 1.34.0 - 18 September 2019¶ In-app WAF support for Alpine Linux and Windows Sqreen to collect scoped packages in dependencies list 1.33.0 - 5 September 2019¶ Introduce support for the In-app WAF 1.32.0 - 29 July 2019¶ Agent to report Express endpoint with tracked events Sqreen is now able to hook on callback methods and promise resolution Introduce a dedicated performance cap for monitoring actions 1.31.0 - 2 July 2019¶ Sqreen uses Async Hooks by default on Node.js >= 8.2 (can be disabled with environment variable SQREEN_USE_CLS) Sqreen will instrument http and https servers even if other tools change their loading behavior 1.30.3 - 24 May 2019¶ Allow ts-node as first required module Introduce SQREEN_CUSTOM_PKG_SUBSTRING_IGNORE to ignore a given first required packags Fix bug in collection of HTTP response code Use the main module path to detect the root of the project Fix bug in extension of security responses 1.30.2 - 2 May 2019¶ Cleanup contexts when using Async Hooks when HTTP request of over 1.30.1 - 17 April 2019¶ Attacks will not be reported twice if there are two request handlers Vendored continuation-local-storage to prevent interactions with cls-hooked Auto-instrumentation of passport-local works reliably 1.30.0 - 11 April 2019¶ Update README.md to point to new domain Better detection of project root directory Enhancements in performance cap and performance monitoring Agent's communications with Sqreen back-end is more robust Remove marginal issue in server's port detection 1.29.5 - 28 March 2019¶ Prevent the agent from writing twice in a request if there are multiple request listeners on a server 1.29.4 - 19 March 2019¶ Introduce PII scrubbing. Learn more about this: configuration 1.29.3 - 27 February 2019¶ Agent to collect value of SQREEN_BETA_ASYNC_HOOKS env variable for debug purpose 1.29.2 - 22 February 2019¶ Agent is more resilient to support malformed IP addresses 1.29.0 - 21 January 2019¶ Agent does not report performance metrics when disabled Support of organization tokens 1.28.2 - 15 January 2019¶ Fix knex issue that happen when cleaning up connections 1.28.1 - 19 December 2018¶ Specifying app root will also change where Sqreen looks up for package.json 1.28.0 - 18 December 2018¶ Better performance for passlist and denylist Agent now collect data regarding HTTP responses (code and content type) Environment variable SQREEN_DISABLE_STARTUP_WARNING=1 can be used to hide first-require checks from logs 1.27.3 - 9 November 2018¶ Authentication actions tracking are not limited by performance cap anymore 1.27.2 - 8 November 2018¶ Fixed occasional memory leak that can happen when using knex 1.27.1 - 8 November 2018¶ Fully tested with Node.js 11 Reduce number of IOs at startup 1.27.0 - 6 November 2018¶ Add performance monitoring to the agent 1.26.2 - 18 October 2018¶ Move the IP addresses management of security responses to a radix tree 1.26.1 - 16 October 2018¶ Fix an issue when the performance budget is too low and the vm module rejects its value 1.26.0 - 3 October 2018¶ Agent will not collect HTTP payload anymore when tracking events except when asked to do differently 1.25.2 - 1 October 2018¶ Weak database configuration playbook (no password sent to Sqreen servers) 1.25.0 - 28 September 2018¶ Added binary sqreen-check-network to check if Sqreen servers are reachable 1.24.1 - 26 September 2018¶ Fix playbook signature issue that prevented the use of newer playbooks When Sqreen is disabled, the agent delete all current security responses 1.24.0 - 18 September 2018¶ The pmx module can now be required before Sqreen without triggering warnings Performance cap features to limit the impact of Sqreen on an application Instrumentation was broken and has been fixed on Windows 1.23.0 - 27 August 2018¶ INFO level logs added to log tracked events reporting Sqreen can instrument methods on global classes 1.22.0 - 13 July 2018¶ Sqreen configuration file parsing now compatible with all encoding Add SQREEN_APP_ROOT environment variable and app_root configuration key to Decemberlare project root directory 1.21.0 - 13 July 2018¶ Sqreen to collect HTTP request context (query string, body) when recording attacks or tracking custom events PII scrubbing 1.20.2 - 6 July 2018¶ SDK auth_track method: use the request parameter as the HTTP context 1.20.1 - 25 June 2018¶ Report events (sq.action.[action_name]) when a user is blocked by a security automation playbook. 1.20.0 - 19 June 2018¶ Add support for block user security response Raise warning messages to Sqreen dashboard when the agent isn't required as first module 1.19.0 - 30 May 2018¶ Add support for knex to SQL injection plugin. 1.18.5 - 22 May 2018¶ Fix usage of continuation-local-storage when current context is lost 1.18.4 - 16 May 2018¶ Fix broken link in README.md 1.18.3 - 16 May 2018¶ Fix dependency loading conflict with request-promise 1.18.2 - 15 May 2018¶ Update communication protocol with Sqreen BackEnd Agent will not call process.exit on 'SIGINT' anymore. It will spread the signal to Node.js if there is no other listener on it. 1.18.1 - 4 May 2018¶ Improved communication with Sqreen BackEnd 1.18.0 - 3 May 2018¶ Limit number of claims in track sdk params to 16 Internal performance optimizations 1.17.1 - 19 April 2018¶ Remove very noisy log Consider sdk events as observations in Request Record 1.17.0 - 18 April 2018¶ Support for ip_header config Add tracking SDK and security responses Experimental use of Async Hooks to track context behind a flag 1.16.0 - 4 April 2018¶ HTTP proxy support Remove pm2 from first require checks 1.15.0 - 14 February 2018¶ Support for global methods protection 1.14.2 - 13 February 2018¶ Better memory handling of Request Record 1.14.1 - 18 January 2018¶ SDK to identify methods Request record reporting system Require race fixed in xss 1.13.0 - 11 January 2018¶ Reveal support for XSS in express 1.12.0 - 19 December 2017¶ Reveal support added Error message when login fails fixed 1.11.0 - 27 November 2017¶ Agent to use a Sqreen user agent to connect to BE IP addresses detection updated Node.js 9 added to build targets Logo changes 1.10.4 - 17 October 2017¶ Ensure no infinite recursions when packages are installed with cnpm 1.10.3 - 10 October 2017¶ attachValue cb checks that context exists before running 1.10.2 - 29 September 2017¶ Insert Sqreen header sooner in request lifecycle 1.10.1 - 14 September 2017¶ CRS patterns min_length control Requests are cleaned at response time Reduced usage of setImmediates CLS-patched modules are patchable 1.10.0¶ When Sqreen is not the first required module, a warning message will be displayed in the error output Hook detection uses hasOwnProperty 1.9.9¶ JS rules in strict mode Better Sqreen debug logs 1.9.8¶ Add forgotten promise rejection catch 1.9.7¶ Safeguard at specific hooks 1.9.6¶ Lazy binding accessor 1.9.5¶ Important: lazy build of rules callbacks Moved debug collection of dependencies to command 1.9.4¶ Prevent errors on tentative of pathcing unexisting packages (fix) 1.9.3¶ Prevent errors on tentative of pathcing unexisting packages 1.9.2¶ IP address detection behavior 1.9.1¶ Login v1.5 1.8.8¶ Reduce memory/cpu footprint on login due to packages collection 1.8.7¶ First attacks are pushed to BE immediately 1.8.6¶ Filtered_request_params BA 1.8.5¶ Better handling of network errors node_modules/.bin rpertory not explored at login 1.8.4¶ null rulespack do not fire errors anymore 1.8.3¶ Express middleware to be injected by overriding lazyrouter and not init 1.8.2¶ on-request hook is blocking when skipped 1.8.1¶ IP denylist support onrequest http/https hook after cls init 1.8.0¶ IP passlist support Reduced continuity loss in passport-local 1.7.10¶ Express CRS support when no call to use is made Referer header captured in attacks 1.7.9¶ passport-SAML auto hook strategy to handle mongoose objects 1.7.8¶ '1' is allowed for env var Escape only certain xss 1.7.7¶ SQREEN_DISABLE env to disable Sqreen Tests in node 8 1.7.6¶ SKIPPED 1.7.5¶ Agent version not to be tempered with 1.7.4¶ hapijs ext points added for custom ruling 1.7.3¶ Whitepathed attacks are whitepathed 1.7.2¶ Remove an unhandled promise rejection 1.7.1¶ Safeguard to ensure remote IP is a string in utils README.md 1.7.0 - 19 April 2017¶ Attack page and redirection behavior Pre-conditions updates 1.6.0 - 18 April 2017¶ CRS support Request_params BA Beats force metric collection 1.5.0 - 7 April 2017¶ Pre-conditions support BindingAccessorCounter cb 1.4.8 - 27 March 2017¶ Updated wreck to 12. 1.4.7 - 23 March 2017¶ HTTPS support Login metric name 1.4.6 - 17 March 2017¶ Rename hook files names to prevent NR fake warning 1.4.5 - 14 March 2017¶ Reduced error logs 1.4.4 - 3 March 2017¶ Batch is overridden when an event kind is met for the first time 1.4.3 - 3 March 2017¶ Change logs 1.4.2 - 27 February 2017¶ Fast logout when NODE_ENV indicates dev 1.4.1 - 27 February 2017¶ #.cwd in accessors Allow all chars in pkg names Login features issue 1.4.0 - 16 February 2017¶ Ensure preventaion of double call on res.write Shellshock protection Remove patching prevention on native code Lookup space cache removed to prevent reducing the attack space size Matcher case_sensitive management 1.3.5 - 2 February 2017¶ Count status code of dropped requests Do not use a shadow cache for non native modules Remove blind patching 1.3.4 - 27 January 2017¶ Require-dir excluded from patching Do not cache excluded modules 1.3.3 - 25 January 2017¶ Include cls-bluebird 1.3.2 - 25 January 2017¶ Async callback continuity 1.3.1 - 23 January 2017¶ Inlined @vdeturckheim/asjson 1.3.0 - 23 January 2017¶ Support for passport-saml Update lab 1.2.1 - 16 January 2017¶ Request tracking with uuid v4 Updated warning when no config is found Attack artifacts should be compliant with BE 1.2.0 - 30 December 2016¶ Initial features (not public) signup sdk part 1 Split context in CLS thrown errors Hard coded express continuity Opbeat warnings 1.1.0 - 27 December 2016¶ Force logout command npm keywords Update README Callback call count fixed (bad rulespack, no default enabled) 1.0.0 - 20 December 2016¶ Custom management of response.end to prevent overrides impact Binding accessor will give exceptions Remove feature on metric delay 0.12.1 - 20 December 2016¶ SDK auth fail are not converted to success anymore 0.12.0 - 19 December 2016¶ Metrics key are not a string in a string VersionCheck metric is better Use login/heartbeat API v1 Sqreen does not block all depreciation messages anymore 0.11.3 - 16 December 2016¶ Continuity relays on q promises Better reports if a js cb fails Metric flush on logout Better behavior when NR is present 0.11.2 - 13 December 2016¶ Continuity relays on passport 0.11.1 - 8 December 2016¶ Renamed instrumentation/director for preventing NR from thinking that npm package director has been already required. 0.11.0 - 8 December 2016¶ Major perf boost Dynamic patching enabled Call count disabled on default 0.10.0 - 22 November 2016¶ Auth SDK (see Documentation) 0.9.0 - 16 November 2016¶ Better IP detection for clients 0.7.0 - 15 September 2016¶ Features change supported Update wreck Batch mode 0.6.5 - 13 September 2016¶ Public release of the Node.js agent.