@contrast/agent-bundle 5.46.0 → 5.47.0

package/node_modules/@contrast/assess/lib/dataflow/sources/install/http.js

@@ -36,63 +36,68 @@ module.exports = function (core) {
   const logger = core.logger.child({ name: 'contrast:assess' });
 
   /**
-   * The around hook for `emit` that
-   * invokes the protect service to do analysis when appropriate.
+   * The around hook for `emit` that handles tracking URL and header values.
+   * We track those when the event is 'request' or 'upgrade'. Also, for when
+   * event is 'request', we will also patch some ServerResponse methods. We
+   * currentl don't patch the raw socket for tracking when event is 'upgrade',
+   * sources instrumentation for websocket events happens per framework.
    */
   function around(next, data) {
     const [type] = data.args;
 
-    if (type !== 'request') return next();
+    if (type !== 'request' && type !== 'upgrade') return next();
 
     try {
-      const [, req, res] = data.args;
+      const [, req, resOrSocket] = data.args;
       const sourceContext = getSourceContext();
 
       if (!sourceContext?.policy) {
         return next();
       }
 
-      patcher.patch(res, 'writeHead', {
-        name: 'write-head',
-        patchType,
-        pre(data) {
-          const obj = data.args[data.args.length - 1];
-          if (!obj) return;
+      if (type == 'request') {
+        patcher.patch(resOrSocket, 'writeHead', {
+          name: 'write-head',
+          patchType,
+          pre(data) {
+            const obj = data.args[data.args.length - 1];
+            if (!obj) return;
 
-          if (Array.isArray(obj)) {
-            for (let i = 0; i < obj.length; i += 2) {
-              const key = obj[i];
-              const value = obj[i + 1];
+            if (Array.isArray(obj)) {
+              for (let i = 0; i < obj.length; i += 2) {
+                const key = obj[i];
+                const value = obj[i + 1];
 
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
-            }
-          } else if (typeof obj === 'object') {
-            for (const [key, value] of Object.entries(obj)) {
-              if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                sourceContext.responseData.contentType = value;
+            } else if (typeof obj === 'object') {
+              for (const [key, value] of Object.entries(obj)) {
+                if (StringPrototypeToLowerCase.call(key) === 'content-type') {
+                  sourceContext.responseData.contentType = value;
+                }
               }
             }
           }
-        }
-      });
+        });
 
-      if (!patcher.hooks.get(res?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
-        patcher.patch(res, 'setHeader', {
-          name: 'set-header',
-          patchType,
-          pre(data) {
-            const [name = '', value] = data.args;
-            if (
-              value &&
-              StringPrototypeToLowerCase.call(name) === 'content-type' &&
-              getSourceContext()
-            ) {
-              sourceContext.responseData.contentType = value;
+        if (!patcher.hooks.get(resOrSocket?.setHeader)?.funcKeys.has(`${patchType}:set-header`)) {
+          patcher.patch(resOrSocket, 'setHeader', {
+            name: 'set-header',
+            patchType,
+            pre(data) {
+              const [name = '', value] = data.args;
+              if (
+                value &&
+                StringPrototypeToLowerCase.call(name) === 'content-type' &&
+                getSourceContext()
+              ) {
+                sourceContext.responseData.contentType = value;
+              }
             }
-          }
-        });
+          });
+        }
       }
 
       const sourceName = 'ClientRequest';
@@ -143,7 +148,6 @@ module.exports = function (core) {
         }
       });
 
-
       //
       // now track the rawHeaders. headers are complicated because they appear
       // three times: headers, headersDistinct, and rawHeaders and we want to

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/index.js

@@ -20,7 +20,7 @@ const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function(core) {
   const koaSources = core.assess.dataflow.sources.koaInstrumentation = {};
 
-  require('./koa2')(core);
+  require('./koa')(core);
   require('./koa-bodyparsers')(core);
   require('./koa-multer')(core);
   require('./koa-routers')(core);

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/koa-bodyparsers.js

@@ -30,58 +30,86 @@ module.exports = (core) => {
     },
   } = core;
 
-  function install() {
-    [['koa-body', '<7'], ['koa-bodyparser', '<5']].forEach(([name, version]) => {
-      depHooks.resolve({ name, version }, (koaBody) => patcher.patch(koaBody, {
+  function postFn(name) {
+    return function(data) {
+      data.result = patcher.patch(data.result, {
         name,
         patchType,
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name,
-            patchType,
-            pre(data) {
-              const { funcKey } = data;
-              const [ctx, origNext] = data.args;
-              const sourceContext = getSourceContext();
-
-              if (!sourceContext) return;
-
-              if (sourceContext.parsedBody) {
-                logger.trace({ funcKey }, 'values already tracked');
-                return;
-              }
-
-              data.args[1] = async function contrastNext(origErr) {
-                const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
-                const inputType = contentType?.includes?.('/json')
-                  ? InputType.JSON_VALUE
-                  : typeof ctx.request.body == 'object'
-                    ? InputType.PARAMETER_VALUE
-                    : InputType.BODY;
-
-                try {
-                  sources.handle({
-                    context: 'ctx.request.body',
-                    name,
-                    inputType,
-                    stacktraceOpts: {
-                      constructorOpt: contrastNext,
-                    },
-                    data: ctx.request.body,
-                    sourceContext
-                  });
-
-                  sourceContext.parsedBody = !!Object.keys(ctx.request.body).length;
-                } catch (err) {
-                  logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
-                }
-
-                await origNext(origErr);
-              };
+        pre(data) {
+          const { funcKey } = data;
+          const [ctx, origNext] = data.args;
+          const sourceContext = getSourceContext();
+
+          if (!sourceContext) return;
+
+          if (sourceContext.parsedBody) {
+            logger.trace({ funcKey }, 'values already tracked');
+            return;
+          }
+
+          data.args[1] = async function contrastNext(origErr) {
+            const contentType = scopes.sources.getStore()?.sourceInfo?.contentType;
+            const inputType = contentType?.includes?.('/json')
+              ? InputType.JSON_VALUE
+              : typeof ctx.request.body == 'object'
+                ? InputType.PARAMETER_VALUE
+                : InputType.BODY;
+
+            try {
+              sources.handle({
+                context: 'ctx.request.body',
+                name,
+                inputType,
+                stacktraceOpts: {
+                  constructorOpt: contrastNext,
+                },
+                data: ctx.request.body,
+                sourceContext
+              });
+
+              sourceContext.parsedBody = !!Object.keys(ctx.request.body || {}).length;
+            } catch (err) {
+              logger.error({ err, inputType, funcKey }, 'unable to handle Koa source');
             }
-          });
+
+            await origNext(origErr);
+          };
         }
-      }));
+      });
+    };
+  }
+
+  function install() {
+
+    [['koa-body', '>=4 <6'], ['koa-bodyparser', '>=4 <5']].forEach(([name, version]) => {
+      depHooks.resolve({ name, version }, (koaBody) =>
+        patcher.patch(koaBody, {
+          name,
+          patchType,
+          post: postFn(name)
+        })
+      );
+    });
+
+    depHooks.resolve({ name: 'koa-body', version: '>=6 <7' }, (koaBody) =>
+      patcher.patch(koaBody, 'koaBody', {
+        name: 'koaBody',
+        patchType,
+        post: postFn('koa-body')
+      })
+    );
+
+    depHooks.resolve({ name: '@koa/bodyparser', version: '>=5 <7' }, (koaBody) => {
+      const patchedBodyParser = patcher.patch(koaBody.bodyParser, {
+        name: '@koa/bodyparser',
+        patchType,
+        post: postFn('@koa/bodyparser')
+      }
+      );
+      return {
+        default: patchedBodyParser,
+        bodyParser: patchedBodyParser
+      };
     });
   }
 

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/koa-multer.js

@@ -67,7 +67,7 @@ module.exports = (core) => {
   }
 
   function install() {
-    [['koa-multer', '<2'], ['@koa/multer', '<4']].forEach(([name, version]) => {
+    [['koa-multer', '<2'], ['@koa/multer', '>=3 <5']].forEach(([name, version]) => {
       depHooks.resolve(
         { name, version }, (_export) => {
           const origMulter = _export;

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/koa-routers.js

@@ -31,11 +31,11 @@ module.exports = (core) => {
 
   // Patch `koa-router` and `@koa/router` to handle parsed params
   function install() {
-    [['koa-router', '<14'], ['@koa/router', '<14']].forEach(([router, version]) => {
+    [['koa-router', '>=12 <15'], ['@koa/router', '>=12 <15']].forEach(([router, version]) => {
       depHooks.resolve(
         { name: router, version, file: 'lib/layer.js' },
         (layer) => {
-          layer.prototype = patcher.patch(layer.prototype, 'params', {
+          patcher.patch(layer.prototype, 'params', {
             name: `[${router}].layer.prototype`,
             patchType,
             post({ orig, hooked, result, name, funcKey }) {

package/node_modules/@contrast/assess/lib/dataflow/sources/install/koa/{koa2.js → koa.js}

@@ -40,7 +40,7 @@ module.exports = (core) => {
    * registers a depHook for koa module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <3' }, (Koa) => {
+    depHooks.resolve({ name: 'koa', version: '>=2.3.0 <4' }, (Koa) => {
       const createMiddleware = ({ name, funcKey }) => {
         const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
           const sourceContext = getSourceContext();
@@ -101,9 +101,9 @@ module.exports = (core) => {
     });
   }
 
-  const koa2Instrumentation = sources.koaInstrumentation.koa2 = {
+  const koaInstrumentation = sources.koaInstrumentation.koa = {
     install
   };
 
-  return koa2Instrumentation;
+  return koaInstrumentation;
 };

package/node_modules/@contrast/assess/lib/dataflow/sources/install/socket.io.js

@@ -0,0 +1,80 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { InputType, set } = require('@contrast/common');
+const Core = require('@contrast/core/lib/ioc/core');
+const { patchType } = require('../common');
+
+const COMPONENT_NAME = 'assess.dataflow.sources.socketIoInstrumentation';
+
+module.exports = Core.makeComponent({
+  name: COMPONENT_NAME,
+  factory: (core) => new SocketIOAssessSource(core),
+});
+
+class SocketIOAssessSource {
+  constructor(core) {
+    Object.defineProperty(this, 'core', { value: core });
+    set(core, COMPONENT_NAME, this);
+  }
+  /**
+   * Deploys socket.io instrumentation.
+   */
+  install() {
+    const {
+      depHooks,
+      patcher,
+      assess,
+    } = this.core;
+
+    depHooks.resolve(
+      { name: 'socket.io', version: '4' },
+      /**
+       * @param {import('socket.io-4')} xport the exported socket.io module
+       */
+      (xport) => {
+        patcher.patch(xport.Socket.prototype, 'dispatch', {
+          name: 'socket.io.Socket.prototype.dispatch',
+          patchType,
+          pre(data) {
+            if (!Array.isArray(data.args[0])) return;
+
+            const sourceContext = assess.getSourceContext();
+            if (!sourceContext) return;
+
+            const [eventName, ...params] = data.args[0];
+            assess.dataflow.sources.handle({
+              data: params,
+              name: 'socket.io.Socket.prototype.dispatch',
+              inputType: InputType.WEBSOCKET,
+              stacktraceOpts: { constructorOpt: data.hooked },
+              sourceContext,
+              onEvent(event, fieldName, pathName) {
+                event.context = `socket.io Socket.on("${eventName}", ...params)`;
+                event.args = [{
+                  tracked: true,
+                  value: `params.${pathName}`,
+                }];
+              },
+            });
+
+            data.args[0] = [eventName, ...params];
+          }
+        });
+      }
+    );
+  }
+}

package/node_modules/@contrast/assess/lib/index.d.ts

@@ -12,7 +12,7 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-import { Rule, SessionConfigurationRule } from '@contrast/common';
+import { Rule, ConfigurationRule } from '@contrast/common';
 import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';
 import { Deadzones } from '@contrast/deadzones';
@@ -61,8 +61,9 @@ export interface SessionRuleState {
 }
 
 export interface RuleState {
-  [SessionConfigurationRule.HTTPONLY]?: SessionRuleState,
-  [SessionConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.HTTPONLY]?: SessionRuleState,
+  [ConfigurationRule.SECURE_FLAG_MISSING]?: SessionRuleState,
+  [ConfigurationRule.GRAPHQL_INTROSPECTION]?: SessionRuleState,
 }
 
 export interface Assess {

package/node_modules/@contrast/assess/lib/index.js

@@ -70,7 +70,7 @@ module.exports = function assess(core) {
   require('./dataflow')(core);
   require('./crypto-analysis')(core);
   require('./response-scanning')(core);
-  require('./session-configuration')(core);
+  require('./configuration-analysis')(core);
 
   // append async state to sources store when request-scope sources are created
   sources.addHook('onSource', (ctx) => {

package/node_modules/@contrast/assess/lib/policy.js

@@ -21,7 +21,7 @@ const {
   InputType,
   Rule,
   ResponseScanningRule,
-  SessionConfigurationRule,
+  ConfigurationRule,
   set,
   primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
 } = require('@contrast/common');
@@ -30,7 +30,7 @@ const { Core } = require('@contrast/core/lib/ioc/core');
 const ASSESS_RULES = Object.values({
   ...Rule,
   ...ResponseScanningRule,
-  ...SessionConfigurationRule,
+  ...ConfigurationRule,
 });
 const BROAD_INPUT_EXCLUSION_TYPES = [
   ExclusionType.BODY,

package/node_modules/@contrast/assess/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.64.0",
+  "version": "1.65.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,18 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/config": "1.53.0",
-    "@contrast/core": "1.58.0",
-    "@contrast/dep-hooks": "1.27.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/config": "1.54.0",
+    "@contrast/core": "1.59.0",
+    "@contrast/dep-hooks": "1.28.0",
     "@contrast/distringuish": "^6.0.2",
-    "@contrast/instrumentation": "1.37.0",
-    "@contrast/logger": "1.31.0",
-    "@contrast/patcher": "1.30.0",
-    "@contrast/rewriter": "1.35.0",
-    "@contrast/route-coverage": "1.50.0",
-    "@contrast/scopes": "1.28.0",
-    "@contrast/sources": "1.4.0",
+    "@contrast/instrumentation": "1.38.0",
+    "@contrast/logger": "1.32.0",
+    "@contrast/patcher": "1.31.0",
+    "@contrast/rewriter": "1.36.0",
+    "@contrast/route-coverage": "1.51.0",
+    "@contrast/scopes": "1.29.0",
+    "@contrast/sources": "1.5.0",
     "semver": "^7.6.0"
   }
 }

package/node_modules/@contrast/common/lib/constants.d.ts

@@ -6,7 +6,7 @@ export declare enum Event {
     ASSESS_DATAFLOW_FINDING = "assess-dataflow-findings",
     ASSESS_DATAFLOW_SAFE_POSITIVE = "assess-dataflow-safe-positive",
     ASSESS_RESPONSE_SCANNING_FINDING = "assess-response-scanning-findings",
-    ASSESS_SESSION_CONFIGURATION_FINDING = "assess-session-configuration-findings",
+    ASSESS_CONFIGURATION_FINDING = "assess-configuration-findings",
     ASSESS_CRYPTO_ANALYSIS_FINDING = "assess-crypto-analysis-finding",
     LIBRARY = "library",
     LIBRARY_USAGE = "library-usage",
@@ -60,9 +60,10 @@ export declare enum ResponseScanningRule {
     XCONTENTTYPE_HEADER_MISSING = "xcontenttype-header-missing",
     XXSPROTECTION_HEADER_DISABLED = "xxssprotection-header-disabled"
 }
-export declare enum SessionConfigurationRule {
+export declare enum ConfigurationRule {
     HTTPONLY = "httponly",
-    SECURE_FLAG_MISSING = "secure-flag-missing"
+    SECURE_FLAG_MISSING = "secure-flag-missing",
+    GRAPHQL_INTROSPECTION = "graphql-introspection"
 }
 export declare enum InputType {
     UNDEFINED_TYPE = "UNDEFINED_TYPE",
@@ -86,7 +87,8 @@ export declare enum InputType {
     METHOD = "METHOD",
     REQUEST = "REQUEST",
     URL_PARAMETER = "URL_PARAMETER",
-    UNKNOWN = "UNKNOWN"
+    UNKNOWN = "UNKNOWN",
+    WEBSOCKET = "WEBSOCKET"
 }
 export declare enum ExclusionType {
     BODY = "BODY",
@@ -96,6 +98,12 @@ export declare enum ExclusionType {
     QUERYSTRING = "QUERYSTRING",
     URL = "URL"
 }
+export declare enum RouteType {
+    HTTP = "HTTP",
+    MESSAGE_BROKER = "MESSAGE_BROKER",
+    MIDDLEWARE = "MIDDLEWARE",
+    RPC = "RPC"
+}
 export declare enum DataflowTag {
     XML_ENCODED = "XML_ENCODED",
     XML_DECODED = "XML_DECODED",

package/node_modules/@contrast/common/lib/constants.js

@@ -14,7 +14,7 @@
  * way not consistent with the End User License Agreement.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.URI_REGEXES = exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.ServerEnvironment = exports.DataflowTag = exports.ExclusionType = exports.InputType = exports.SessionConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
+exports.URI_REGEXES = exports.symbols = exports.agentLibIDListTypes = exports.FS_METHODS = exports.BLOCKING_MODES = exports.ServerEnvironment = exports.DataflowTag = exports.RouteType = exports.ExclusionType = exports.InputType = exports.ConfigurationRule = exports.ResponseScanningRule = exports.Rule = exports.ProtectRuleMode = exports.Event = void 0;
 var Event;
 (function (Event) {
     // lifecycle
@@ -26,7 +26,7 @@ var Event;
     Event["ASSESS_DATAFLOW_FINDING"] = "assess-dataflow-findings";
     Event["ASSESS_DATAFLOW_SAFE_POSITIVE"] = "assess-dataflow-safe-positive";
     Event["ASSESS_RESPONSE_SCANNING_FINDING"] = "assess-response-scanning-findings";
-    Event["ASSESS_SESSION_CONFIGURATION_FINDING"] = "assess-session-configuration-findings";
+    Event["ASSESS_CONFIGURATION_FINDING"] = "assess-configuration-findings";
     Event["ASSESS_CRYPTO_ANALYSIS_FINDING"] = "assess-crypto-analysis-finding";
     Event["LIBRARY"] = "library";
     Event["LIBRARY_USAGE"] = "library-usage";
@@ -85,11 +85,12 @@ var ResponseScanningRule;
     ResponseScanningRule["XCONTENTTYPE_HEADER_MISSING"] = "xcontenttype-header-missing";
     ResponseScanningRule["XXSPROTECTION_HEADER_DISABLED"] = "xxssprotection-header-disabled";
 })(ResponseScanningRule || (exports.ResponseScanningRule = ResponseScanningRule = {}));
-var SessionConfigurationRule;
-(function (SessionConfigurationRule) {
-    SessionConfigurationRule["HTTPONLY"] = "httponly";
-    SessionConfigurationRule["SECURE_FLAG_MISSING"] = "secure-flag-missing";
-})(SessionConfigurationRule || (exports.SessionConfigurationRule = SessionConfigurationRule = {}));
+var ConfigurationRule;
+(function (ConfigurationRule) {
+    ConfigurationRule["HTTPONLY"] = "httponly";
+    ConfigurationRule["SECURE_FLAG_MISSING"] = "secure-flag-missing";
+    ConfigurationRule["GRAPHQL_INTROSPECTION"] = "graphql-introspection";
+})(ConfigurationRule || (exports.ConfigurationRule = ConfigurationRule = {}));
 var InputType;
 (function (InputType) {
     InputType["UNDEFINED_TYPE"] = "UNDEFINED_TYPE";
@@ -114,6 +115,7 @@ var InputType;
     InputType["REQUEST"] = "REQUEST";
     InputType["URL_PARAMETER"] = "URL_PARAMETER";
     InputType["UNKNOWN"] = "UNKNOWN";
+    InputType["WEBSOCKET"] = "WEBSOCKET";
 })(InputType || (exports.InputType = InputType = {}));
 var ExclusionType;
 (function (ExclusionType) {
@@ -124,6 +126,13 @@ var ExclusionType;
     ExclusionType["QUERYSTRING"] = "QUERYSTRING";
     ExclusionType["URL"] = "URL";
 })(ExclusionType || (exports.ExclusionType = ExclusionType = {}));
+var RouteType;
+(function (RouteType) {
+    RouteType["HTTP"] = "HTTP";
+    RouteType["MESSAGE_BROKER"] = "MESSAGE_BROKER";
+    RouteType["MIDDLEWARE"] = "MIDDLEWARE";
+    RouteType["RPC"] = "RPC";
+})(RouteType || (exports.RouteType = RouteType = {}));
 var DataflowTag;
 (function (DataflowTag) {
     DataflowTag["XML_ENCODED"] = "XML_ENCODED";

package/node_modules/@contrast/common/lib/types.d.ts

@@ -1,6 +1,6 @@
 import { EventEmitter } from 'events';
 import { ServerResponse } from 'node:http';
-import { Event, ProtectRuleMode, Rule } from './constants';
+import { Event, ProtectRuleMode, RouteType, Rule } from './constants';
 export interface Installable {
     install(...args: any[]): void | Promise<void>;
     uninstall?(): void | Promise<void>;
@@ -335,6 +335,10 @@ export interface RouteInfo {
      * @example "get"
      */
     method?: string;
+    /**
+     * The type of route that is being reported. Default should be RouteType.HTTP.
+     */
+    type: RouteType;
     /**
      * URL for a route.
      * @example "prefix/route/path"

package/node_modules/@contrast/common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/common",
-  "version": "1.37.0",
+  "version": "1.38.0",
   "description": "Shared constants and utilities for all Contrast Agent modules",
   "license": "UNLICENSED",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",

package/node_modules/@contrast/config/lib/common.js

@@ -106,6 +106,7 @@ const mappings = {
     }
   },
   'assess.probabilistic_sampling.window_ms': (remoteData) => remoteData.assess?.sampling?.window_ms,
+  'assess.report_middleware_routes': (remoteData) => remoteData.assess?.report_middleware_routes,
   'assess.stacktraces': (remoteData) => remoteData.assess?.report_stacktraces,
   'agent.logger.level': coerceLowerCase('logger.level'),
   'agent.logger.path': (remoteData) => remoteData.logger?.path,

package/node_modules/@contrast/config/lib/options.js

@@ -699,7 +699,13 @@ Example - \`label1, label2, label3\``,
     fn: split,
     desc: 'Define a list of Protect rules to disable in the agent. The rules must be formatted as a comma-delimited list.',
   },
-
+  {
+    name: 'assess.report_middleware_routes',
+    arg: '[false]',
+    default: false,
+    fn: castBoolean,
+    desc: 'Set to `true` to report both discovered and observed routes for middleware to the Contrast backend.',
+  },
   {
     name: 'assess.safe_positives.enable',
     arg: '[false]',

package/node_modules/@contrast/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.53.0",
+  "version": "1.54.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,8 +20,8 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.37.0",
-    "@contrast/core": "1.58.0",
+    "@contrast/common": "1.38.0",
+    "@contrast/core": "1.59.0",
     "deepmerge": "^4.3.1",
     "yaml": "^2.2.2"
   }