Node.js Agent Release Notes

[1.28.1] 19 December 2018
- specifying app root will also change where Sqreen looks for package.json

[1.28.0] 18 December 2018
- better performance for whitelist and blacklist
- agent now collects data regarding HTTP responses (code and content type)
- env variable SQREEN_DISABLE_STARTUP_WARNING=1 can be used to hide first-require checks from logs

[1.27.3] 9 November 2018
- authentication actions tracking is not limited by performance cap anymore

[1.27.2] 8 November 2018
- fixed occasional memory leak that can happen when using knex

[1.27.1] 8 November 2018
- fully tested with Node.js 11
- reduce number of IOs at startup

[1.27.0] 6 November 2018
- add performance monitoring to the agent

[1.26.2] 18 October 2018
- move the IP addresses management of security responses to a radix tree

[1.26.1] 16 October 2018
- fix an issue when the performance budget is too low and the vm module rejects its value

[1.26.0] 3 October 2018
- Agent will not collect HTTP payload anymore when tracking events except when asked to do differently

[1.25.2] 1 October 2018
- Weak database configuration playbook (no password sent to Sqreen servers)

[1.25.0] 28 September 2018
- added binary sqreen-check-network to check if Sqreen servers are reachable

[1.24.1] 26 September 2018
- fix playbook signature issue that prevented the use of newer playbooks
- when Sqreen is disabled, the agent deletes all current security responses

[1.24.0] 18 September 2018
- pmx module can now be required before Sqreen without triggering warnings
- performance cap features to limit the impact of Sqreen on an application
- instrumentation was broken and has been fixed on Windows

[1.23.0] 27 August 2018
- INFO level logs added to log tracked events reporting
- Sqreen can instrument methods on global classes

[1.22.0] 13 JULY 2018
- Sqreen configuration file parsing now compatible with all encodings
- add SQREEN_APP_ROOT environment variable and app_root configuration key to declare project root directory

[1.21.0] 13 JULY 2018
- Sqreen to collect HTTP request context (query string, body) when recording attacks or tracking custom events
- PII scrubbing

[1.20.2] 6 JULY 2018
- SDK auth_track method: use the request parameter as the HTTP context

[1.20.1] 25 JUNE 2018
- report events (sq.action.[action_name]) when a user is blocked by a security automation playbook.

[1.20.0] 19 JUNE 2018
- add support for block user security response
- raise warning messages to Sqreen dashboard when the agent isn't required as first module

[1.19.0] 30 MAY 2018
- add support for knex to SQL injection plugin.

[1.18.5] 22 MAY 2018
- fix usage of continuation-local-storage when current context is lost

[1.18.4] 16 MAY 2018
- fix broken link in README.md

[1.18.3] 16 MAY 2018
- fix dependency loading conflict with request-promise

[1.18.2] 15 MAY 2018
- update communication protocol with Sqreen BackEnd
- agent will not call process.exit on 'SIGINT' anymore. It will spread the signal to Node.js if there is no other listener on it.

[1.18.1] 4 MAY 2018
- improved communication with Sqreen BackEnd

[1.18.0] 3 MAY 2018
- limit number of claims in track sdk params to 16
- internal performance optimizations

[1.17.1] 19 APR 2018
- remove very noisy log
- consider sdk events as observations in Request Record

[1.17.0] 18 APR 2018
- support for ip_header config
- add tracking SDK and security responses
- experimental use of Async Hooks to track context behind a flag

[1.16.0] 4 APR 2018
- HTTP proxy support
- remove pm2 from first require checks

[1.15.0] 14 FEB 2018
- support for global methods protection

[1.14.2] 13 FEB 2018
- better memory handling of Request Record

[1.14.1] 18 JAN 2018
- SDK to identify methods
- request record reporting system
- require race fixed in xss

[1.13.0] 11 JAN 2018
- reveal support for XSS in express

[1.12.0] 19 DEC 2017
- reveal support added
- error message when login fails fixed

[1.11.0] 27 NOV 2017
- agent to use a Sqreen user agent to connect to BE
- IP addresses detection updated
- node.js 9 added to build targets
- logo changes

[1.10.4] 17 OCT 2017
- ensure no infinite recursions when packages are installed with cnpm

[1.10.3] 10 OCT 2017
- attachValue cb checks that context exists before running

[1.10.2] 29 SEP 2017
- insert Sqreen header sooner in request lifecycle

[1.10.1] 14 SEP 2017
- CRS patterns min_length control requests are cleaned at response time
- reduced usage of setImmediates
- CLS-patched modules are patchable

[1.10.0]
- when Sqreen is not the first required module, a warning message will be displayed in the error output
- hook detection uses hasOwnProperty

[1.9.9]
- JS rules in strict mode
- better Sqreen debug logs

[1.9.8]
- add forgotten promise rejection catch

[1.9.7]
- safeguard at specific hooks

[1.9.6]
- lazy binding accessor

[1.9.5]
- important: lazy build of rules callbacks
- moved debug collection of dependencies to command

[1.9.4]
- prevent errors on attempts at patching nonexistent packages (fix)

[1.9.3]
- prevent errors on attempts at patching nonexistent packages

[1.9.2]
- ip address detection behavior

[1.9.1]
- login v1.5

[1.8.8]
- reduce memory/cpu footprint on login due to packages collection

[1.8.7]
- first attacks are pushed to BE immediately

[1.8.6]
- filtered_request_params BA

[1.8.5]
- better handling of network errors
- node_modules/.bin directory not explored at login

[1.8.4]
- null rulespack does not fire errors anymore

[1.8.3]
- Express middleware to be injected by overriding lazyrouter and not init

[1.8.2]
- on-request hook is blocking when skipped

[1.8.1]
- IP blacklist support
- onrequest http/https hook after cls init

[1.8.0]
- IP whitelist support
- reduced continuity loss in passport-local

[1.7.10]
- express CRS support when no call to use is made
- referer header captured in attacks

[1.7.9]
- passport-SAML auto hook
- strategy to handle mongoose objects

[1.7.8]
- '1' is allowed for env var
- escape only certain xss

[1.7.7]
- SQREEN_DISABLE env to disable Sqreen
- tests in node 8

[1.7.6]
- SKIPPED

[1.7.5]
- agent version not to be tampered with

[1.7.4]
- hapijs ext points added for custom ruling

[1.7.3]
- whitepathed attacks are whitepathed

[1.7.2]
- remove an unhandled promise rejection

[1.7.1]
- safeguard to ensure remote ip is a string in utils
- README.md

[1.7.0] 2017-04-19
- attack page and redirection behavior
- Pre-conditions updates

[1.6.0] 2017-04-18
- CRS support
- request_params BA
- beats force metric collection

[1.5.0] 2017-04-07
- pre-conditions support
- BindingAccessorCounter cb

[1.4.8] 2017-03-27
- updated wreck to 12.

[1.4.7] 2017-03-23
- https support
- login metric name

[1.4.6] 2017-03-17
- rename hook files names to prevent NR fake warning

[1.4.5] 2017-03-14
- reduced error logs

[1.4.4] 2017-03-03
- batch is overridden when an event kind is met for the first time

[1.4.3] 2017-03-03
- change logs

[1.4.2] 2017-02-27
- fast logout when NODE_ENV indicates dev

[1.4.1] 2017-02-27
- #.cwd in accessors
- allow all chars in pkg names
- login features issue

[1.4.0] 2017-02-16
- ensure prevention of double call on res.write
- shellshock protection
- remove patching prevention on native code
- lookup space cache removed to prevent reducing the attack space size
- matcher case_sensitive management

[1.3.5] 2017-02-02
- count status code of dropped requests
- do not use a shadow cache for non native modules
- remove blind patching

[1.3.4] 2017-01-27
- require-dir excluded from patching
- do not cache excluded modules

[1.3.3] 2017-01-25
- include cls-bluebird

[1.3.2] 2017-01-25
- Async callback continuity

[1.3.1] 2017-01-23
- inlined @vdeturckheim/asjson

[1.3.0] 2017-01-23
- support for passport-saml
- update lab

[1.2.1] 2017-01-16
- request tracking with uuid v4
- updated warning when no config is found
- attack artifacts should be compliant with BE

[1.2.0] 2016-12-30
- initial features (not public) signup sdk part 1 split context in CLS thrown errors hard coded express continuity opbeat warnings

[1.1.0] 2016-12-27
- force logout command
- npm keywords update README
- callback call count fixed (bad rulespack, no default enabled)

[1.0.0] 2016-12-20
- custom management of response.end to prevent overrides impact
- binding accessor will give exceptions
- remove feature on metric delay

[0.12.1] 2016-12-20
- SDK auth fails are not converted to success anymore

[0.12.0] 2016-12-19
- metrics keys are not a string in a string
- versionCheck metric is better
- use login/heartbeat API v1
- Sqreen does not block all deprecation messages anymore

[0.11.3] 2016-12-16
- Continuity relies on q promises
- Better reports if a js cb fails
- Metric flush on logout
- Better behavior when NR is present

[0.11.2] 2016-12-13
- Continuity relies on passport

[0.11.1] 2016-12-08
- Renamed instrumentation/director to prevent NR from thinking that npm package director has already been required.

[0.11.0] 2016-12-08
- major perf boost
- dynamic patching enabled
- call count disabled by default

[0.10.0] 2016-11-22
- auth SDK (see Documentation)

[0.9.0] 2016-11-16
- better ip detection for clients

[0.7.0] 2016-09-15
- features change supported
- update wreck
- batch mode

[0.6.5] 2016-09-13
- Public release of the Node.js agent.