Node.js agent release notes

---

1.32.0 - 29 July 2019

• Agent to report Express endpoint with tracked events
• Sqreen is now able to hook on callback methods and promise resolution
• Introduce a dedicated performance cap for monitoring actions

1.31.0 - 2 July 2019

• Sqreen uses Async Hooks by default on Node.js >= 8.2 (can be disabled with environment variable SQREEN_USE_CLS)
• Sqreen will instrument http and https servers even if other tools change their loading behavior

1.30.3 - 24 May 2019

• Allow ts-node as first required module
• Introduce SQREEN_CUSTOM_PKG_SUBSTRING_IGNORE to ignore a given first required packags
• Fix bug in collection of HTTP response code
• Use the main module path to detect the root of the project
• Fix bug in extension of security responses

1.30.2 - 2 May 2019

• Cleanup contexts when using Async Hooks when HTTP request of over

1.30.1 - 17 April 2019

• Attacks will not be reported twice if there are two request handlers
• Vendored continuation-local-storage to prevent interactions with cls-hooked
• Auto-instrumentation of passport-local works reliably

1.30.0 - 11 April 2019

• Update README.md to point to new domain
• Better detection of project root directory
• Enhancements in performance cap and performance monitoring
• Agent's communications with Sqreen back-end is more robust
• Remove marginal issue in server's port detection

1.29.5 - 28 March 2019

• Prevent the agent from writing twice in a request if there are multiple request listeners on a server

1.29.4 - 19 March 2019

• Introduce PII scrubbing. Learn more about this: configuration

1.29.3 - 27 February 2019

• Agent to collect value of SQREEN_BETA_ASYNC_HOOKS env variable for debug purpose

1.29.2 - 22 February 2019

• Agent is more resilient to support malformed IP addresses

1.29.0 - 21 January 2019

• Agent does not report performance metrics when disabled
• Support of organization tokens

1.28.2 - 15 January 2019

• Fix knex issue that happen when cleaning up connections

1.28.1 - 19 December 2018

• Specifying app root will also change where Sqreen looks up for package.json

1.28.0 - 18 December 2018

• Better performance for whitelist and blacklist
• Agent now collect data regarding HTTP responses (code and content type)
• Environment variable SQREEN_DISABLE_STARTUP_WARNING=1 can be used to hide first-require checks from logs

1.27.3 - 9 November 2018

• Authentication actions tracking are not limited by performance cap anymore

1.27.2 - 8 November 2018

• Fixed occasional memory leak that can happen when using knex

1.27.1 - 8 November 2018

• Fully tested with Node.js 11
• Reduce number of IOs at startup

1.27.0 - 6 November 2018

• Add performance monitoring to the agent

1.26.2 - 18 October 2018

• Move the IP addresses management of security responses to a radix tree

1.26.1 - 16 October 2018

• Fix an issue when the performance budget is too low and the vm module rejects its value

1.26.0 - 3 October 2018

• Agent will not collect HTTP payload anymore when tracking events except when asked to do differently

1.25.2 - 1 October 2018

• Weak database configuration playbook (no password sent to Sqreen servers)

1.25.0 - 28 September 2018

• Added binary sqreen-check-network to check if Sqreen servers are reachable

1.24.1 - 26 September 2018

• Fix playbook signature issue that prevented the use of newer playbooks
• When Sqreen is disabled, the agent delete all current security responses

1.24.0 - 18 September 2018

• The pmx module can now be required before Sqreen without triggering warnings
• Performance cap features to limit the impact of Sqreen on an application
• Instrumentation was broken and has been fixed on Windows

1.23.0 - 27 August 2018

• INFO level logs added to log tracked events reporting
• Sqreen can instrument methods on global classes

1.22.0 - 13 July 2018

• Sqreen configuration file parsing now compatible with all encoding
• Add SQREEN_APP_ROOT environment variable and app_root configuration key to Decemberlare project root directory

1.21.0 - 13 July 2018

• Sqreen to collect HTTP request context (query string, body) when recording attacks or tracking custom events
• PII scrubbing

1.20.2 - 6 July 2018

• SDK auth_track method: use the request parameter as the HTTP context

1.20.1 - 25 June 2018

• Report events (sq.action.[action_name]) when a user is blocked by a security automation playbook.

1.20.0 - 19 June 2018

• Add support for block user security response
• Raise warning messages to Sqreen dashboard when the agent isn't required as first module

1.19.0 - 30 May 2018

• Add support for knex to SQL injection plugin.

1.18.5 - 22 May 2018

• Fix usage of continuation-local-storage when current context is lost

1.18.4 - 16 May 2018

• Fix broken link in README.md

1.18.3 - 16 May 2018

• Fix dependency loading conflict with request-promise

1.18.2 - 15 May 2018

• Update communication protocol with Sqreen BackEnd
• Agent will not call process.exit on 'SIGINT' anymore. It will spread the signal to Node.js if there is no other listener on it.

1.18.1 - 4 May 2018

• Improved communication with Sqreen BackEnd

1.18.0 - 3 May 2018

• Limit number of claims in track sdk params to 16
• Internal performance optimizations

1.17.1 - 19 April 2018

• Remove very noisy log
• Consider sdk events as observations in Request Record

1.17.0 - 18 April 2018

• Support for ip_header config
• Add tracking SDK and security responses
• Experimental use of Async Hooks to track context behind a flag

1.16.0 - 4 April 2018

• HTTP proxy support
• Remove pm2 from first require checks

1.15.0 - 14 February 2018

• Support for global methods protection

1.14.2 - 13 February 2018

• Better memory handling of Request Record

1.14.1 - 18 January 2018

• SDK to identify methods
• Request record reporting system
• Require race fixed in xss

1.13.0 - 11 January 2018

• Reveal support for XSS in express

1.12.0 - 19 December 2017

• Reveal support added
• Error message when login fails fixed

1.11.0 - 27 November 2017

• Agent to use a Sqreen user agent to connect to BE
• IP addresses detection updated
• Node.js 9 added to build targets
• Logo changes

1.10.4 - 17 October 2017

• Ensure no infinite recursions when packages are installed with cnpm

1.10.3 - 10 October 2017

• attachValue cb checks that context exists before running

1.10.2 - 29 September 2017

• Insert Sqreen header sooner in request lifecycle

1.10.1 - 14 September 2017

• CRS patterns min_length control
• Requests are cleaned at response time
• Reduced usage of setImmediates
• CLS-patched modules are patchable

1.10.0

• When Sqreen is not the first required module, a warning message will be displayed in the error output
• Hook detection uses hasOwnProperty

1.9.9

• JS rules in strict mode
• Better Sqreen debug logs

1.9.8

• Add forgotten promise rejection catch

1.9.7

• Safeguard at specific hooks

1.9.6

• Lazy binding accessor

1.9.5

• Important: lazy build of rules callbacks
• Moved debug collection of dependencies to command

1.9.4

• Prevent errors on tentative of pathcing unexisting packages (fix)

1.9.3

• Prevent errors on tentative of pathcing unexisting packages

1.9.2

• IP address detection behavior

1.9.1

• Login v1.5

1.8.8

• Reduce memory/cpu footprint on login due to packages collection

1.8.7

• First attacks are pushed to BE immediately

1.8.6

• Filtered_request_params BA

1.8.5

• Better handling of network errors
• node_modules/.bin rpertory not explored at login

1.8.4

• null rulespack do not fire errors anymore

1.8.3

• Express middleware to be injected by overriding lazyrouter and not init

1.8.2

• on-request hook is blocking when skipped

1.8.1

• IP blacklist support
• onrequest http/https hook after cls init

1.8.0

• IP whitelist support
• Reduced continuity loss in passport-local

1.7.10

• Express CRS support when no call to use is made
• Referer header captured in attacks

1.7.9

• passport-SAML auto hook strategy to handle mongoose objects

1.7.8

• '1' is allowed for env var
• Escape only certain xss

1.7.7

• SQREEN_DISABLE env to disable Sqreen
• Tests in node 8

1.7.6

SKIPPED

1.7.5

• Agent version not to be tempered with

1.7.4

• hapijs ext points added for custom ruling

1.7.3

• Whitepathed attacks are whitepathed

1.7.2

• Remove an unhandled promise rejection

1.7.1

• Safeguard to ensure remote IP is a string in utils
• README.md

1.7.0 - 19 April 2017

• Attack page and redirection behavior
• Pre-conditions updates

1.6.0 - 18 April 2017

• CRS support
• Request_params BA
• Beats force metric collection

1.5.0 - 7 April 2017

• Pre-conditions support
• BindingAccessorCounter cb

1.4.8 - 27 March 2017

• Updated wreck to 12.

1.4.7 - 23 March 2017

• HTTPS support
• Login metric name

1.4.6 - 17 March 2017

• Rename hook files names to prevent NR fake warning

1.4.5 - 14 March 2017

• Reduced error logs

1.4.4 - 3 March 2017

• Batch is overridden when an event kind is met for the first time

1.4.3 - 3 March 2017

• Change logs

1.4.2 - 27 February 2017

• Fast logout when NODE_ENV indicates dev

1.4.1 - 27 February 2017

• #.cwd in accessors
• Allow all chars in pkg names
• Login features issue

1.4.0 - 16 February 2017

• Ensure preventaion of double call on res.write
• Shellshock protection
• Remove patching prevention on native code
• Lookup space cache removed to prevent reducing the attack space size
• Matcher case_sensitive management

1.3.5 - 2 February 2017

• Count status code of dropped requests
• Do not use a shadow cache for non native modules
• Remove blind patching

1.3.4 - 27 January 2017

• Require-dir excluded from patching
• Do not cache excluded modules

1.3.3 - 25 January 2017

• Include cls-bluebird

1.3.2 - 25 January 2017

• Async callback continuity

1.3.1 - 23 January 2017

• Inlined @vdeturckheim/asjson

1.3.0 - 23 January 2017

• Support for passport-saml
• Update lab

1.2.1 - 16 January 2017

• Request tracking with uuid v4
• Updated warning when no config is found
• Attack artifacts should be compliant with BE

1.2.0 - 30 December 2016

• Initial features
• (not public) signup sdk part 1
• Split context in CLS thrown errors
• Hard coded express continuity
• Opbeat warnings

1.1.0 - 27 December 2016

• Force logout command
• npm keywords
• Update README
• Callback call count fixed (bad rulespack, no default enabled)

1.0.0 - 20 December 2016

• Custom management of response.end to prevent overrides impact
• Binding accessor will give exceptions
• Remove feature on metric delay

0.12.1 - 20 December 2016

• SDK auth fail are not converted to success anymore

0.12.0 - 19 December 2016

• Metrics key are not a string in a string
• VersionCheck metric is better
• Use login/heartbeat API v1
• Sqreen does not block all depreciation messages anymore

0.11.3 - 16 December 2016

• Continuity relays on q promises
• Better reports if a js cb fails
• Metric flush on logout
• Better behavior when NR is present

0.11.2 - 13 December 2016

• Continuity relays on passport

0.11.1 - 8 December 2016

• Renamed instrumentation/director for preventing NR from thinking that npm package director has been already required.

0.11.0 - 8 December 2016

• Major perf boost
• Dynamic patching enabled
• Call count disabled on default

0.10.0 - 22 November 2016

• Auth SDK (see Documentation)

0.9.0 - 16 November 2016

• Better IP detection for clients

0.7.0 - 15 September 2016

• Features change supported
• Update wreck
• Batch mode

0.6.5 - 13 September 2016

• Public release of the Node.js agent.