Node.js microagent release notes¶

1.42.0 - 3 June 2020¶

introduce use_workspace configuration key

1.41.0 - 28 April 2020¶

Remove dependency to node-pre-gyp
update IAST rule handling

1.40.1 - 15 April 2020¶

Bind req.sqreen.signup_track when used with Express
Fix Circular dependency issue when require-in-the-middle impacts module resolution

1.40.0 - 9 April 2020¶

Enable support for the "md5" library
Update IAST in agent

1.39.0 - 20 March 2020¶

Agent to use signal API
New Reveal interface
Agent does not pins SSL certificates and relies on Node.js ones

1.38.4 - 4 March 2020¶

Fix issue preventing the In-App WAF from decoding URLs properly

1.38.3 - 14 January 2020¶

Reduce the CPU needs for enabling instrumentation

1.38.2 - 9 January 2020¶

Fix a bug where agent tried to attach properties to exceptions even when strings were thrown

1.38.1 - 19 December 2019¶

Fix a bug where agent did not report In-App WAF attacks anymore

1.38.0 - 19 December 2019¶

Apply data scrubbing to In-App WAF attacks
Improve performances of RASP calls
Fix issue in Express.js endpoint detection

1.37.2 - 3 December 2019¶

Fix issue in Express.js endpoint detection

1.37.1 - 18 November 2019¶

Optimize speed of In-App WAF feature

1.37.0 - 30 October 2019¶

Vendor some dependencies

1.36.1 - 21 October 2019¶

Update https-proxy-agent to 3.0

1.36.0 - 9 October 2019¶

Reveal beta
Enable In-App WAF to work with URL encoded parameters

1.35.1 - 9 October 2019¶

Fix In-App WAF reset issue

1.35.0 - 8 October 2019¶

Enable In-App WAF to access requests' body

1.34.0 - 18 September 2019¶

In-app WAF support for Alpine Linux and Windows
Sqreen to collect scoped packages in dependencies list

1.33.0 - 5 September 2019¶

Introduce support for the In-app WAF

1.32.0 - 29 July 2019¶

Agent to report Express endpoint with tracked events
Sqreen is now able to hook on callback methods and promise resolution
Introduce a dedicated performance cap for monitoring actions

1.31.0 - 2 July 2019¶

Sqreen uses Async Hooks by default on Node.js >= 8.2 (can be disabled with environment variable SQREEN_USE_CLS)
Sqreen will instrument http and https servers even if other tools change their loading behavior

1.30.3 - 24 May 2019¶

Allow ts-node as first required module
Introduce SQREEN_CUSTOM_PKG_SUBSTRING_IGNORE to ignore a given first required packags
Fix bug in collection of HTTP response code
Use the main module path to detect the root of the project
Fix bug in extension of security responses

1.30.2 - 2 May 2019¶

Cleanup contexts when using Async Hooks when HTTP request of over

1.30.1 - 17 April 2019¶

Attacks will not be reported twice if there are two request handlers
Vendored continuation-local-storage to prevent interactions with cls-hooked
Auto-instrumentation of passport-local works reliably

1.30.0 - 11 April 2019¶

Update README.md to point to new domain
Better detection of project root directory
Enhancements in performance cap and performance monitoring
Agent's communications with Sqreen back-end is more robust
Remove marginal issue in server's port detection

1.29.5 - 28 March 2019¶

Prevent the agent from writing twice in a request if there are multiple request listeners on a server

1.29.4 - 19 March 2019¶

Introduce PII scrubbing. Learn more about this: configuration

1.29.3 - 27 February 2019¶

Agent to collect value of SQREEN_BETA_ASYNC_HOOKS env variable for debug purpose

1.29.2 - 22 February 2019¶

Agent is more resilient to support malformed IP addresses

1.29.0 - 21 January 2019¶

Agent does not report performance metrics when disabled
Support of organization tokens

1.28.2 - 15 January 2019¶

Fix knex issue that happen when cleaning up connections

1.28.1 - 19 December 2018¶

Specifying app root will also change where Sqreen looks up for package.json

1.28.0 - 18 December 2018¶

Better performance for whitelist and blacklist
Agent now collect data regarding HTTP responses (code and content type)
Environment variable SQREEN_DISABLE_STARTUP_WARNING=1 can be used to hide first-require checks from logs

1.27.3 - 9 November 2018¶

Authentication actions tracking are not limited by performance cap anymore

1.27.2 - 8 November 2018¶

Fixed occasional memory leak that can happen when using knex

1.27.1 - 8 November 2018¶

Fully tested with Node.js 11
Reduce number of IOs at startup

1.27.0 - 6 November 2018¶

Add performance monitoring to the agent

1.26.2 - 18 October 2018¶

Move the IP addresses management of security responses to a radix tree

1.26.1 - 16 October 2018¶

Fix an issue when the performance budget is too low and the vm module rejects its value

1.26.0 - 3 October 2018¶

Agent will not collect HTTP payload anymore when tracking events except when asked to do differently

1.25.2 - 1 October 2018¶

Weak database configuration playbook (no password sent to Sqreen servers)

1.25.0 - 28 September 2018¶

Added binary sqreen-check-network to check if Sqreen servers are reachable

1.24.1 - 26 September 2018¶

Fix playbook signature issue that prevented the use of newer playbooks
When Sqreen is disabled, the agent delete all current security responses

1.24.0 - 18 September 2018¶

The pmx module can now be required before Sqreen without triggering warnings
Performance cap features to limit the impact of Sqreen on an application
Instrumentation was broken and has been fixed on Windows

1.23.0 - 27 August 2018¶

INFO level logs added to log tracked events reporting
Sqreen can instrument methods on global classes

1.22.0 - 13 July 2018¶

Sqreen configuration file parsing now compatible with all encoding
Add SQREEN_APP_ROOT environment variable and app_root configuration key to Decemberlare project root directory

1.21.0 - 13 July 2018¶

Sqreen to collect HTTP request context (query string, body) when recording attacks or tracking custom events
PII scrubbing

1.20.2 - 6 July 2018¶

SDK auth_track method: use the request parameter as the HTTP context

1.20.1 - 25 June 2018¶

Report events (sq.action.[action_name]) when a user is blocked by a security automation playbook.

1.20.0 - 19 June 2018¶

Add support for block user security response
Raise warning messages to Sqreen dashboard when the agent isn't required as first module

1.19.0 - 30 May 2018¶

Add support for knex to SQL injection plugin.

1.18.5 - 22 May 2018¶

Fix usage of continuation-local-storage when current context is lost

1.18.4 - 16 May 2018¶

Fix broken link in README.md

1.18.3 - 16 May 2018¶

Fix dependency loading conflict with request-promise

1.18.2 - 15 May 2018¶

Update communication protocol with Sqreen BackEnd
Agent will not call process.exit on 'SIGINT' anymore. It will spread the signal to Node.js if there is no other listener on it.

1.18.1 - 4 May 2018¶

Improved communication with Sqreen BackEnd

1.18.0 - 3 May 2018¶

Limit number of claims in track sdk params to 16
Internal performance optimizations

1.17.1 - 19 April 2018¶

Remove very noisy log
Consider sdk events as observations in Request Record

1.17.0 - 18 April 2018¶

Support for ip_header config
Add tracking SDK and security responses
Experimental use of Async Hooks to track context behind a flag

1.16.0 - 4 April 2018¶

HTTP proxy support
Remove pm2 from first require checks

1.15.0 - 14 February 2018¶

Support for global methods protection

1.14.2 - 13 February 2018¶

Better memory handling of Request Record

1.14.1 - 18 January 2018¶

SDK to identify methods
Request record reporting system
Require race fixed in xss

1.13.0 - 11 January 2018¶

Reveal support for XSS in express

1.12.0 - 19 December 2017¶

Reveal support added
Error message when login fails fixed

1.11.0 - 27 November 2017¶

Agent to use a Sqreen user agent to connect to BE
IP addresses detection updated
Node.js 9 added to build targets
Logo changes

1.10.4 - 17 October 2017¶

Ensure no infinite recursions when packages are installed with cnpm

1.10.3 - 10 October 2017¶

attachValue cb checks that context exists before running

1.10.2 - 29 September 2017¶

Insert Sqreen header sooner in request lifecycle

1.10.1 - 14 September 2017¶

CRS patterns min_length control
Requests are cleaned at response time
Reduced usage of setImmediates
CLS-patched modules are patchable

1.10.0¶

When Sqreen is not the first required module, a warning message will be displayed in the error output
Hook detection uses hasOwnProperty

1.9.9¶

JS rules in strict mode
Better Sqreen debug logs

1.9.8¶

Add forgotten promise rejection catch

1.9.7¶

Safeguard at specific hooks

1.9.6¶

Lazy binding accessor

1.9.5¶

Important: lazy build of rules callbacks
Moved debug collection of dependencies to command

1.9.4¶

Prevent errors on tentative of pathcing unexisting packages (fix)

1.9.3¶

Prevent errors on tentative of pathcing unexisting packages

1.9.2¶

IP address detection behavior

1.9.1¶

Login v1.5

1.8.8¶

Reduce memory/cpu footprint on login due to packages collection

1.8.7¶

First attacks are pushed to BE immediately

1.8.6¶

Filtered_request_params BA

1.8.5¶

Better handling of network errors
node_modules/.bin rpertory not explored at login

1.8.4¶

null rulespack do not fire errors anymore

1.8.3¶

Express middleware to be injected by overriding lazyrouter and not init

1.8.2¶

on-request hook is blocking when skipped

1.8.1¶

IP blacklist support
onrequest http/https hook after cls init

1.8.0¶

IP whitelist support
Reduced continuity loss in passport-local

1.7.10¶

Express CRS support when no call to use is made
Referer header captured in attacks

1.7.9¶

passport-SAML auto hook strategy to handle mongoose objects

1.7.8¶

'1' is allowed for env var
Escape only certain xss

1.7.7¶

SQREEN_DISABLE env to disable Sqreen
Tests in node 8

1.7.6¶

SKIPPED

1.7.5¶

Agent version not to be tempered with

1.7.4¶

hapijs ext points added for custom ruling

1.7.3¶

Whitepathed attacks are whitepathed

1.7.2¶

Remove an unhandled promise rejection

1.7.1¶

Safeguard to ensure remote IP is a string in utils
README.md

1.7.0 - 19 April 2017¶

Attack page and redirection behavior
Pre-conditions updates

1.6.0 - 18 April 2017¶

CRS support
Request_params BA
Beats force metric collection

1.5.0 - 7 April 2017¶

Pre-conditions support
BindingAccessorCounter cb

1.4.8 - 27 March 2017¶

Updated wreck to 12.

1.4.7 - 23 March 2017¶

HTTPS support
Login metric name

1.4.6 - 17 March 2017¶

Rename hook files names to prevent NR fake warning

1.4.5 - 14 March 2017¶

Reduced error logs

1.4.4 - 3 March 2017¶

Batch is overridden when an event kind is met for the first time

1.4.3 - 3 March 2017¶

Change logs

1.4.2 - 27 February 2017¶

Fast logout when NODE_ENV indicates dev

1.4.1 - 27 February 2017¶

#.cwd in accessors
Allow all chars in pkg names
Login features issue

1.4.0 - 16 February 2017¶

Ensure preventaion of double call on res.write
Shellshock protection
Remove patching prevention on native code
Lookup space cache removed to prevent reducing the attack space size
Matcher case_sensitive management

1.3.5 - 2 February 2017¶

Count status code of dropped requests
Do not use a shadow cache for non native modules
Remove blind patching

1.3.4 - 27 January 2017¶

Require-dir excluded from patching
Do not cache excluded modules

1.3.3 - 25 January 2017¶

Include cls-bluebird

1.3.2 - 25 January 2017¶

Async callback continuity

1.3.1 - 23 January 2017¶

Inlined @vdeturckheim/asjson

1.3.0 - 23 January 2017¶

Support for passport-saml
Update lab

1.2.1 - 16 January 2017¶

Request tracking with uuid v4
Updated warning when no config is found
Attack artifacts should be compliant with BE

1.2.0 - 30 December 2016¶

Initial features
(not public) signup sdk part 1
Split context in CLS thrown errors
Hard coded express continuity
Opbeat warnings

1.1.0 - 27 December 2016¶

Force logout command
npm keywords
Update README
Callback call count fixed (bad rulespack, no default enabled)

1.0.0 - 20 December 2016¶

Custom management of response.end to prevent overrides impact
Binding accessor will give exceptions
Remove feature on metric delay

0.12.1 - 20 December 2016¶

SDK auth fail are not converted to success anymore

0.12.0 - 19 December 2016¶

Metrics key are not a string in a string
VersionCheck metric is better
Use login/heartbeat API v1
Sqreen does not block all depreciation messages anymore

0.11.3 - 16 December 2016¶

Continuity relays on q promises
Better reports if a js cb fails
Metric flush on logout
Better behavior when NR is present

0.11.2 - 13 December 2016¶

Continuity relays on passport

0.11.1 - 8 December 2016¶

Renamed instrumentation/director for preventing NR from thinking that npm package director has been already required.

0.11.0 - 8 December 2016¶

Major perf boost
Dynamic patching enabled
Call count disabled on default

0.10.0 - 22 November 2016¶

Auth SDK (see Documentation)

0.9.0 - 16 November 2016¶

Better IP detection for clients

0.7.0 - 15 September 2016¶

Features change supported
Update wreck
Batch mode

0.6.5 - 13 September 2016¶

Public release of the Node.js agent.