Node.js Agent Release Notes


[1.18.5] 22 MAY 2018

  • fix usage of continuation-local-storage when current context is lost

[1.18.4] 16 MAY 2018

  • fix broken link in README.md

[1.18.3] 16 MAY 2018

  • fix dependency loading conflict with request-promise

[1.18.2] 15 MAY 2018

  • update communication protocol with Sqreen BackEnd
  • agent will not call process.exit on 'SIGINT' anymore. It will spread the signal to Node.js if there is no other listener on it.

[1.18.1] 4 MAY 2018

  • improved communication with Sqreen BackEnd

[1.18.0] 3 MAY 2018

  • limit number of claims in track sdk params to 16
  • internal performance optimizations

[1.17.1] 19 APR 2018

  • remove very noisy log
  • consider sdk events as observations in Request Record

[1.17.0] 18 APR 2018

  • support for ip_header config
  • add tracking SDK and security responses
  • experimental use of Async Hooks to track context behind a flag

[1.16.0] 4 APR 2018

  • HTTP proxy support
  • remove pm2 from first require checks

[1.15.0] 14 FEB 2018

  • support for global methods protection

[1.14.2] 13 FEB 2018

  • better memory handling of Request Record

[1.14.1] 18 JAN 2018

  • SDK to identify methods
  • request record reporting system
  • require race fixed in xss

[1.13.0] 11 JAN 2018

  • reveal support for XSS in express

[1.12.0] 19 DEC 2017

  • reveal support added
  • error message when login fails fixed

[1.11.0] 27 NOV 2017

  • agent to use a Sqreen user agent to connect to BE
  • IP addresses detection updated
  • node.js 9 added to build targets
  • logo changes

[1.10.4] 17 OCT 2017

  • ensure no infinite recursions when packages are installed with cnpm

[1.10.3] 10 OCT 2017

  • attachValue cb checks that context exists before running

[1.10.2] 29 SEP 2017

  • insert Sqreen header sooner in request lifecycle

[1.10.1] 14 SEP 2017

  • CRS patterns min_length control
  • requests are cleaned at response time
  • reduced usage of setImmediates
  • CLS-patched modules are patchable

[1.10.0]

  • when Sqreen is not the first required module, a warning message will be displayed in the error output
  • hook detection uses hasOwnProperty

[1.9.9]

  • JS rules in strict mode
  • better Sqreen debug logs

[1.9.8]

  • add forgotten promise rejection catch

[1.9.7]

  • safeguard at specific hooks

[1.9.6]

  • lazy binding accessor

[1.9.5]

  • important: lazy build of rules callbacks
  • moved debug collection of dependencies to command

[1.9.4]

  • prevent errors when attempting to patch nonexistent packages (fix)

[1.9.3]

  • prevent errors when attempting to patch nonexistent packages

[1.9.2]

  • ip address detection behavior

[1.9.1]

  • login v1.5

[1.8.8]

  • reduce memory/cpu footprint on login due to packages collection

[1.8.7]

  • first attacks are pushed to BE immediately

[1.8.6]

  • filtered_request_params BA

[1.8.5]

  • better handling of network errors
  • node_modules/.bin directory not explored at login

[1.8.4]

  • null rulespack does not fire errors anymore

[1.8.3]

  • Express middleware to be injected by overriding lazyrouter and not init

[1.8.2]

  • on-request hook is blocking when skipped

[1.8.1]

  • IP blacklist support
  • onrequest http/https hook after cls init

[1.8.0]

  • IP whitelist support
  • reduced continuity loss in passport-local

[1.7.10]

  • express CRS support when no call to use is made
  • referer header captured in attacks

[1.7.9]

  • passport-SAML auto hook strategy to handle mongoose objects

[1.7.8]

  • '1' is allowed for env var
  • escape only certain xss

[1.7.7]

  • SQREEN_DISABLE env to disable Sqreen
  • tests in node 8

[1.7.6]

SKIPPED

[1.7.5]

  • agent version not to be tampered with

[1.7.4]

  • hapijs ext points added for custom ruling

[1.7.3]

  • whitepathed attacks are whitepathed

[1.7.2]

  • remove an unhandled promise rejection

[1.7.1]

  • safeguard to ensure remote ip is a string in utils
  • README.md

[1.7.0] 2017-04-19

  • attack page and redirection behavior
  • Pre-conditions updates

[1.6.0] 2017-04-18

  • CRS support
  • request_params BA
  • beats force metric collection

[1.5.0] 2017-04-07

  • pre-conditions support
  • BindingAccessorCounter cb

[1.4.8] 2017-03-27

  • updated wreck to 12.

[1.4.7] 2017-03-23

  • https support
  • login metric name

[1.4.6] 2017-03-17

  • rename hook files names to prevent NR fake warning

[1.4.5] 2017-03-14

  • reduced error logs

[1.4.4] 2017-03-03

  • batch is overridden when an event kind is met for the first time

[1.4.3] 2017-03-03

  • change logs

[1.4.2] 2017-02-27

  • fast logout when NODE_ENV indicates dev

[1.4.1] 2017-02-27

  • #.cwd in accessors
  • allow all chars in pkg names
  • login features issue

[1.4.0] 2017-02-16

  • ensure prevention of double call on res.write
  • shellshock protection
  • remove patching prevention on native code
  • lookup space cache removed to prevent reducing the attack space size
  • matcher case_sensitive management

[1.3.5] 2017-02-02

  • count status code of dropped requests
  • do not use a shadow cache for non native modules
  • remove blind patching

[1.3.4] 2017-01-27

  • require-dir excluded from patching
  • do not cache excluded modules

[1.3.3] 2017-01-25

  • include cls-bluebird

[1.3.2] 2017-01-25

  • Async callback continuity

[1.3.1] 2017-01-23

  • inlined @vdeturckheim/asjson

[1.3.0] 2017-01-23

  • support for passport-saml
  • update lab

[1.2.1] 2017-01-16

  • request tracking with uuid v4
  • updated warning when no config is found
  • attack artifacts should be compliant with BE

[1.2.0] 2016-12-30

  • initial features
  • (not public) signup sdk part 1
  • split context in CLS thrown errors
  • hard coded express continuity
  • opbeat warnings

[1.1.0] 2016-12-27

  • force logout command
  • npm keywords
  • update README
  • callback call count fixed (bad rulespack, no default enabled)

[1.0.0] 2016-12-20

  • custom management of response.end to prevent overrides impact
  • binding accessor will give exceptions
  • remove feature on metric delay

[0.12.1] 2016-12-20

  • SDK auth failures are not converted to success anymore

[0.12.0] 2016-12-19

  • metrics keys are not a string in a string
  • versionCheck metric is better
  • use login/heartbeat API v1
  • Sqreen does not block all deprecation messages anymore

[0.11.3] 2016-12-16

  • Continuity relays on q promises
  • Better reports if a js cb fails
  • Metric flush on logout
  • Better behavior when NR is present

[0.11.2] 2016-12-13

  • Continuity relays on passport

[0.11.1] 2016-12-08

  • Renamed instrumentation/director for preventing NR from thinking that npm package director has been already required.

[0.11.0] 2016-12-08

  • major perf boost
  • dynamic patching enabled
  • call count disabled on default

[0.10.0] 2016-11-22

[0.9.0] 2016-11-16

  • better ip detection for clients

[0.7.0] 2016-09-15

  • features change supported
  • update wreck
  • batch mode

[0.6.5] 2016-09-13