@contrast/agent-bundle 5.41.0 → 5.42.0

package/node_modules/@contrast/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "5.41.0",
+  "version": "5.42.0",
   "description": "Assess and Protect agents for Node.js",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -19,6 +19,7 @@
     "./lib/index.js": "./lib/index.js",
     "./lib/start-agent.js": "./lib/start-agent.js"
   },
+  "main": "./lib/index.js",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
     "node": ">=16.9.1 <17 || >=18.7.0 <19 || >=20.6.0 <21 || >= 22.5.1 <23"
@@ -27,14 +28,14 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agentify": "1.53.0",
+    "@contrast/agentify": "1.54.0",
     "@contrast/architecture-components": "1.43.0",
-    "@contrast/assess": "1.59.0",
+    "@contrast/assess": "1.60.0",
     "@contrast/common": "1.35.0",
     "@contrast/core": "1.55.0",
     "@contrast/library-analysis": "1.45.0",
     "@contrast/protect": "1.65.0",
-    "@contrast/route-coverage": "1.46.0",
+    "@contrast/route-coverage": "1.47.0",
     "@contrast/sec-obs": "1.0.0-alpha.9",
     "@contrast/telemetry": "1.30.0"
   }

package/node_modules/@contrast/agentify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agentify",
-  "version": "1.53.0",
+  "version": "1.54.0",
   "description": "Configures Contrast agent services and instrumentation within an application",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -32,7 +32,7 @@
     "@contrast/metrics": "1.32.0",
     "@contrast/patcher": "1.27.0",
     "@contrast/perf": "1.3.1",
-    "@contrast/reporter": "1.52.0",
+    "@contrast/reporter": "1.53.0",
     "@contrast/rewriter": "1.31.0",
     "@contrast/scopes": "1.25.0",
     "@contrast/sources": "1.1.0",

package/node_modules/@contrast/assess/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.59.0",
+  "version": "1.60.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -29,7 +29,7 @@
     "@contrast/logger": "1.28.0",
     "@contrast/patcher": "1.27.0",
     "@contrast/rewriter": "1.31.0",
-    "@contrast/route-coverage": "1.46.0",
+    "@contrast/route-coverage": "1.47.0",
     "@contrast/scopes": "1.25.0",
     "@contrast/sources": "1.1.0",
     "semver": "^7.6.0"

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/traces/index.d.ts

@@ -2,21 +2,22 @@ import { AxiosInstance } from 'axios';
 import { RequestStore } from '@contrast/common';
 import BaseReporter, { Core } from '../../../base';
 import NgEndpoint from '../ng-endpoint';
-export declare enum States {
-    INCOMPLETE = "INCOMPLETE",
-    COMPLETE = "COMPLETE"
-}
-export type Accum = {
-    messages: any[];
-    request?: any;
+export type AbstractFinding = {
+    events?: any[];
+    properties?: any;
+    ruleId: string;
+    time: number;
     routes?: any[];
-    state: States;
+};
+export type SourceFindingsAccum = {
+    findings: AbstractFinding[];
+    request?: any;
     store: RequestStore;
     timestamp: number;
 };
 export default class Traces extends NgEndpoint {
     hashSet: Set<any>;
-    accumMap: Map<RequestStore, Accum>;
+    findingsAccum: Map<RequestStore, SourceFindingsAccum>;
     reporter: BaseReporter;
     inProd: boolean;
     eventDetail: string;
@@ -26,8 +27,7 @@ export default class Traces extends NgEndpoint {
     initMessageListeners(): void;
     initIntervals(): void;
     getStore(msg: any): RequestStore | null;
-    getAccum(store: RequestStore): Accum;
-    initiateCompletenessCondition(accum: Accum): void;
+    getFindingsAccum(msg: any): SourceFindingsAccum | null;
     put(): Promise<void>;
     filter(): Promise<null | any[]>;
 }

package/node_modules/@contrast/reporter/lib/reporters/contrast-ui/endpoints/traces/index.js

@@ -40,26 +40,19 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.States = void 0;
 const common_1 = require("@contrast/common");
 const ng_endpoint_1 = __importDefault(require("../ng-endpoint"));
 const tx = __importStar(require("./translations"));
 const { StringPrototypeSplit } = common_1.primordials;
-var States;
-(function (States) {
-    States["INCOMPLETE"] = "INCOMPLETE";
-    States["COMPLETE"] = "COMPLETE";
-})(States || (exports.States = States = {}));
-// wait this long after request finishes before reporting in case findings occur in async activity
-const REPORT_WAIT_MS = 3000;
-const PROD = 'PRODUCTION';
+const FINDING_QUEUE_FLUSH_INTERVAL_MS = 2000;
+const DEDUPE_HASH_RESET_INTERVAL = 3000;
 class Traces extends ng_endpoint_1.default {
     constructor(core, uiReporter) {
         super(core, { ...uiReporter, url: '/api/ng/traces' });
         this.hashSet = new Set();
-        this.accumMap = new Map();
+        this.findingsAccum = new Map();
         this.reporter = uiReporter;
-        this.inProd = this.core.config.getEffectiveValue('server.environment') === PROD;
+        this.inProd = this.core.config.getEffectiveValue('server.environment') === common_1.ServerEnvironment.PRODUCTION;
         this.eventDetail = this.core.config.getEffectiveValue('assess.probabilistic_sampling.event_detail');
         this.initMessageListeners();
         this.initIntervals();
@@ -67,80 +60,76 @@ class Traces extends ng_endpoint_1.default {
     initMessageListeners() {
         this.reporter.subscribeWithLock(common_1.Event.SERVER_SETTINGS_UPDATE, (msg) => {
             // reset based on effective value
-            this.inProd = this.core.config.getEffectiveValue('server.environment') === PROD;
+            this.inProd = this.core.config.getEffectiveValue('server.environment') === common_1.ServerEnvironment.PRODUCTION;
         });
         this.reporter.subscribeWithLock(common_1.Event.ASSESS_DATAFLOW_FINDING, (msg) => {
-            const { ruleId, sinkEvent } = msg;
-            const store = this.getStore(msg);
-            if (!store)
+            const accum = this.getFindingsAccum(msg);
+            if (!accum)
                 return;
-            this.getAccum(store).messages.push({
+            const { store: { route } } = accum;
+            const { ruleId, sinkEvent } = msg;
+            accum.findings.push({
                 events: tx.getTraceEvents(sinkEvent, this.inProd, this.eventDetail),
                 properties: sinkEvent.properties,
+                routes: route ? tx.getRoutes(route, this.inProd) : undefined,
                 ruleId: ruleId === common_1.Rule.NOSQL_INJECTION_MONGO ? common_1.Rule.NOSQL_INJECTION : ruleId,
                 time: Date.now(),
             });
         });
         this.reporter.subscribeWithLock(common_1.Event.ASSESS_RESPONSE_SCANNING_FINDING, (msg) => {
-            const { ruleId, vulnerabilityMetadata } = msg;
-            const store = this.getStore(msg);
-            if (!store)
+            const accum = this.getFindingsAccum(msg);
+            if (!accum)
                 return;
-            this.getAccum(store).messages.push({
+            const { store: { route } } = accum;
+            const { ruleId, vulnerabilityMetadata } = msg;
+            accum.findings.push({
                 properties: vulnerabilityMetadata,
+                routes: route ? tx.getRoutes(route, this.inProd) : undefined,
                 ruleId,
                 time: Date.now(),
             });
         });
         this.reporter.subscribeWithLock(common_1.Event.ASSESS_SESSION_CONFIGURATION_FINDING, (msg) => {
-            const { ruleId, sinkEvent, properties } = msg;
-            const store = this.getStore(msg);
-            if (!store)
+            const accum = this.getFindingsAccum(msg);
+            if (!accum)
                 return;
-            this.getAccum(store).messages.push({
+            const { store: { route } } = accum;
+            const { ruleId, sinkEvent, properties } = msg;
+            accum.findings.push({
                 events: tx.getTraceEvents(sinkEvent, this.inProd, this.eventDetail),
                 properties,
+                routes: route ? tx.getRoutes(route, this.inProd) : undefined,
                 ruleId,
                 time: Date.now(),
             });
         });
         this.reporter.subscribeWithLock(common_1.Event.ASSESS_CRYPTO_ANALYSIS_FINDING, (msg) => {
-            const { ruleId, finding } = msg;
-            const store = this.getStore(msg);
-            if (!store)
+            const accum = this.getFindingsAccum(msg);
+            if (!accum)
                 return;
-            this.getAccum(store).messages.push({
+            const { store: { route } } = accum;
+            const { ruleId, finding } = msg;
+            accum.findings.push({
                 events: [tx.getCryptoEvent(finding)],
+                routes: route ? tx.getRoutes(route, this.inProd) : undefined,
                 ruleId,
                 time: Date.now(),
             });
         });
-        this.reporter.subscribeWithLock(common_1.Event.RESPONSE_FINISH, (store) => {
-            const { route, assess } = store;
-            // this event is emitted by agentify and is feature agnostic,
-            // so we need to check if the current request has assess enabled.
-            if (!assess?.policy)
-                return;
-            const accum = this.getAccum(store);
-            if (route) {
-                accum.routes = tx.getRoutes(route, this.inProd);
-            }
-            if (store?.sourceInfo) {
-                accum.request = tx.getRequest(store, this.inProd);
-            }
-            this.initiateCompletenessCondition(accum);
-        });
         this.reporter.subscribeWithLock(common_1.Event.UNINSTALL, () => {
             // should we log that we're dropping this data?
             this.hashSet.clear();
-            this.accumMap.clear();
+            this.findingsAccum.clear();
         });
     }
     initIntervals() {
+        this.reporter.setInterval(() => {
+            this.put();
+        }, FINDING_QUEUE_FLUSH_INTERVAL_MS);
         this.reporter.setInterval(() => {
             // this will take a little bit of pressure off of TS /preflight if we can dedupe
             this.hashSet.clear();
-        }, 3000);
+        }, DEDUPE_HASH_RESET_INTERVAL);
     }
     getStore(msg) {
         const store = this.core.scopes.sources.getStore();
@@ -151,23 +140,27 @@ class Traces extends ng_endpoint_1.default {
         }, 'skipping traces accumulation - no source info during event handling');
         return null;
     }
-    getAccum(store) {
-        let meta = this.accumMap.get(store);
-        if (!meta) {
-            meta = {
-                messages: [],
-                state: States.INCOMPLETE,
+    getFindingsAccum(msg) {
+        const store = this.getStore(msg);
+        if (!store?.assess?.policy)
+            return null;
+        let accum = this.findingsAccum.get(store);
+        if (!accum) {
+            accum = {
+                findings: [],
+                request: null,
                 store,
-                timestamp: Date.now(),
+                timestamp: Date.now()
             };
-            this.accumMap.set(store, meta);
+            this.findingsAccum.set(store, accum);
         }
-        return meta;
-    }
-    initiateCompletenessCondition(accum) {
-        setTimeout(() => {
-            accum.state = States.COMPLETE;
-        }, REPORT_WAIT_MS).unref();
+        if (accum.request) {
+            // todo: make sure standardNormalizedUri value is up-to-date given latest store data
+        }
+        else {
+            accum.request = tx.getRequest(store, this.inProd);
+        }
+        return accum;
     }
     async put() {
         const filtered = await this.filter();
@@ -201,36 +194,33 @@ class Traces extends ng_endpoint_1.default {
         }
     }
     async filter() {
-        const complete = [];
-        for (const accum of this.accumMap.values()) {
-            if (accum.state === States.COMPLETE) {
-                this.accumMap.delete(accum.store);
-                // flatten
-                accum.messages.forEach(({ ruleId, events, properties, time }) => {
-                    const traceData = {
-                        ruleId,
-                        properties,
-                        events,
-                        routes: accum.routes,
-                        request: accum.request,
-                        time
-                    };
-                    const hash = tx.getEventHash(traceData);
-                    if (!this.hashSet.has(hash)) {
-                        this.hashSet.add(hash);
-                        complete.push({ ...traceData, hash });
-                    }
-                });
-            }
+        const findingsToFilter = [];
+        for (const accum of this.findingsAccum.values()) {
+            accum.findings.forEach(({ events, properties, routes, ruleId, time }) => {
+                const traceData = {
+                    ruleId,
+                    properties,
+                    events,
+                    routes,
+                    request: accum.request,
+                    time
+                };
+                const hash = tx.getEventHash(traceData);
+                if (!this.hashSet.has(hash)) {
+                    this.hashSet.add(hash);
+                    findingsToFilter.push({ ...traceData, hash });
+                }
+            });
         }
-        if (!complete.length)
+        this.findingsAccum.clear();
+        if (!findingsToFilter.length)
             return null;
         try {
             const res = await this.client({
                 method: 'put',
                 url: 'api/ng/preflight',
                 data: {
-                    messages: complete.map((traceData, i) => {
+                    messages: findingsToFilter.map((traceData, i) => {
                         const { ruleId, routes, hash } = traceData;
                         return {
                             appLanguage: 'Node',
@@ -246,14 +236,14 @@ class Traces extends ng_endpoint_1.default {
                     tags: this.core.config.assess.tags || '',
                 }
             });
-            const itemsToReport = [];
+            const findingsToReport = [];
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore
             for (const idx of StringPrototypeSplit.call(res.data, ',')) {
-                const item = complete[Number(idx)];
-                item && itemsToReport.push(item);
+                const item = findingsToFilter[Number(idx)];
+                item && findingsToReport.push(item);
             }
-            return itemsToReport;
+            return findingsToReport;
         }
         catch (err) {
             this.core.logger.error({ err }, 'failed put request to preflight');

package/node_modules/@contrast/reporter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/reporter",
-  "version": "1.52.0",
+  "version": "1.53.0",
   "description": "Subscribes to agent messages and reports them",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@contrast/route-coverage/lib/install/hapi.js

@@ -62,11 +62,18 @@ module.exports = function init(core) {
                   patcher.patch(data.result.route.settings, 'handler', {
                     name: 'route.settings.handler',
                     patchType,
-                    post({ args }) {
+                    // this needs to be in a pre-hook so that the route
+                    // data is in the store before our dataflow hooks run
+                    pre({ args }) {
                       const [{ method, path: url, route }] = args;
                       //TODO: Will this signature always be associated with an existing route?
                       const signature = createSignature(method, path);
-                      routeCoverage.observe({ signature, url, method: StringPrototypeToLowerCase.call(method), normalizedUrl: route.path });
+                      routeCoverage.observe({
+                        signature,
+                        url,
+                        method: StringPrototypeToLowerCase.call(method),
+                        normalizedUrl: route.path,
+                      });
                     }
                   });
                 }

package/node_modules/@contrast/route-coverage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.46.0",
+  "version": "1.47.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@swc/types/index.d.ts

@@ -396,7 +396,7 @@ export interface Options extends Config {
      */
     sourceRoot?: string;
     plugin?: Plugin;
-    isModule?: boolean | "unknown";
+    isModule?: boolean | "unknown" | "commonjs";
     /**
      * Destination path. Note that this value is used only to fix source path
      * of source map files and swc does not write output to this path.
@@ -640,7 +640,7 @@ export interface EsParserConfig {
      */
     importAssertions?: boolean;
     /**
-     * Defaults to `false`
+     * @deprecated Always true in swc
      */
     importAttributes?: boolean;
     /**
@@ -694,6 +694,7 @@ export interface TransformConfig {
      * https://www.typescriptlang.org/tsconfig#verbatimModuleSyntax
      */
     verbatimModuleSyntax?: boolean;
+    tsEnumIsMutable?: boolean;
 }
 export interface ReactConfig {
     /**

package/node_modules/@swc/types/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@swc/types",
     "packageManager": "yarn@4.0.2",
-    "version": "0.1.23",
+    "version": "0.1.24",
     "description": "Typings for the swc project.",
     "types": "./index.d.ts",
     "sideEffects": false,

package/node_modules/@types/node/README.md

@@ -8,7 +8,7 @@ This package contains type definitions for node (https://nodejs.org/).
 Files were exported from https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node.
 
 ### Additional Details
- * Last updated: Tue, 22 Jul 2025 11:34:36 GMT
+ * Last updated: Fri, 08 Aug 2025 16:38:49 GMT
  * Dependencies: [undici-types](https://npmjs.com/package/undici-types)
 
 # Credits

package/node_modules/@types/node/crypto.d.ts

@@ -3771,7 +3771,23 @@ declare module "crypto" {
          */
         checkIP(ip: string): string | undefined;
         /**
-         * Checks whether this certificate was issued by the given `otherCert`.
+         * Checks whether this certificate was potentially issued by the given `otherCert`
+         * by comparing the certificate metadata.
+         *
+         * This is useful for pruning a list of possible issuer certificates which have been
+         * selected using a more rudimentary filtering routine, i.e. just based on subject
+         * and issuer names.
+         *
+         * Finally, to verify that this certificate's signature was produced by a private key
+         * corresponding to `otherCert`'s public key use `x509.verify(publicKey)`
+         * with `otherCert`'s public key represented as a `KeyObject`
+         * like so
+         *
+         * ```js
+         * if (!x509.verify(otherCert.publicKey)) {
+         *   throw new Error('otherCert did not issue x509');
+         * }
+         * ```
          * @since v15.6.0
          */
         checkIssued(otherCert: X509Certificate): boolean;

package/node_modules/@types/node/fs/promises.d.ts

@@ -88,6 +88,9 @@ declare module "fs/promises" {
         highWaterMark?: number | undefined;
         flush?: boolean | undefined;
     }
+    interface ReadableWebStreamOptions {
+        autoClose?: boolean | undefined;
+    }
     // TODO: Add `EventEmitter` close
     interface FileHandle {
         /**
@@ -261,7 +264,7 @@ declare module "fs/promises" {
          * close the `FileHandle` automatically. User code must still call the`fileHandle.close()` method.
          * @since v17.0.0
          */
-        readableWebStream(): ReadableStream;
+        readableWebStream(options?: ReadableWebStreamOptions): ReadableStream;
         /**
          * Asynchronously reads the entire contents of a file.
          *
@@ -474,8 +477,9 @@ declare module "fs/promises" {
          */
         close(): Promise<void>;
         /**
-         * An alias for {@link FileHandle.close()}.
-         * @since v20.4.0
+         * Calls `filehandle.close()` and returns a promise that fulfills when the
+         * filehandle is closed.
+         * @since v20.4.0, v18.8.0
          */
         [Symbol.asyncDispose](): Promise<void>;
     }

package/node_modules/@types/node/fs.d.ts

@@ -325,13 +325,11 @@ declare module "fs" {
         /**
          * An alias for `dir.close()`.
          * @since v24.1.0
-         * @experimental
          */
         [Symbol.dispose](): void;
         /**
          * An alias for `dir.closeSync()`.
          * @since v24.1.0
-         * @experimental
          */
         [Symbol.asyncDispose](): void;
     }

package/node_modules/@types/node/http2.d.ts

@@ -32,18 +32,14 @@ declare module "http2" {
         ":scheme"?: string | undefined;
     }
     // Http2Stream
-    export interface StreamPriorityOptions {
-        exclusive?: boolean | undefined;
-        parent?: number | undefined;
-        weight?: number | undefined;
-        silent?: boolean | undefined;
-    }
     export interface StreamState {
         localWindowSize?: number | undefined;
         state?: number | undefined;
         localClose?: number | undefined;
         remoteClose?: number | undefined;
+        /** @deprecated */
         sumDependencyWeight?: number | undefined;
+        /** @deprecated */
         weight?: number | undefined;
     }
     export interface ServerStreamResponseOptions {
@@ -151,10 +147,9 @@ declare module "http2" {
          */
         close(code?: number, callback?: () => void): void;
         /**
-         * Updates the priority for this `Http2Stream` instance.
-         * @since v8.4.0
+         * @deprecated Priority signaling is no longer supported in Node.js.
          */
-        priority(options: StreamPriorityOptions): void;
+        priority(options: unknown): void;
         /**
          * ```js
          * import http2 from 'node:http2';
@@ -395,7 +390,7 @@ declare module "http2" {
         ): void;
         pushStream(
             headers: OutgoingHttpHeaders,
-            options?: StreamPriorityOptions,
+            options?: Pick<ClientSessionRequestOptions, "exclusive" | "parent">,
             callback?: (err: Error | null, pushStream: ServerHttp2Stream, headers: OutgoingHttpHeaders) => void,
         ): void;
         /**
@@ -629,7 +624,6 @@ declare module "http2" {
         endStream?: boolean | undefined;
         exclusive?: boolean | undefined;
         parent?: number | undefined;
-        weight?: number | undefined;
         waitForTrailers?: boolean | undefined;
         signal?: AbortSignal | undefined;
     }
@@ -1294,6 +1288,14 @@ declare module "http2" {
          * @default 100000
          */
         unknownProtocolTimeout?: number | undefined;
+        /**
+         * If `true`, it turns on strict leading
+         * and trailing whitespace validation for HTTP/2 header field names and values
+         * as per [RFC-9113](https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.1).
+         * @since v24.2.0
+         * @default true
+         */
+        strictFieldWhitespaceValidation?: boolean | undefined;
     }
     export interface ClientSessionOptions extends SessionOptions {
         /**