@contrast/agent 4.10.0 → 4.10.4

package/bin/VERSION

@@ -1 +1 @@
-2.28.5
+2.28.12

package/bootstrap.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 /**
 Copyright: 2022 Contrast Security, Inc
   Contact: support@contrastsecurity.com
@@ -13,6 +12,7 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+'use strict';
 
 const startTime = process.hrtime();
 
@@ -25,7 +25,7 @@ const orig = Module.runMain;
  * process before invoking the main
  * script from cli
  */
-Module.runMain = async function(...args) {
+Module.runMain = async function (...args) {
   const { isMainThread } = require('worker_threads');
 
   try {

package/lib/assess/propagators/mongoose/helpers.js

@@ -12,9 +12,44 @@ Copyright: 2022 Contrast Security, Inc
   engineered, modified, repackaged, sold, redistributed or otherwise used in a
   way not consistent with the End User License Agreement.
 */
+const TagRange = require('../../models/tag-range');
+const { CallContext, PropagationEvent, Signature } = require('../../models');
+
 const hasUserDefinedValidator = (data) =>
   data.obj.validators.some((validator) => validator.type === 'user defined');
 
+const tagCustomValidatedValues = (values, data, tracker, tagRangeUtil) => {
+  for (const value of values) {
+    if (typeof value !== 'string') continue;
+
+    const trackingData = tracker.track(value);
+
+    if (!trackingData) return;
+
+    const { props } = trackingData;
+    const stringLength = value.length - 1;
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'custom-validated-nosql-injection')
+    );
+
+    props.tagRanges = tagRangeUtil.add(
+      props.tagRanges,
+      new TagRange(0, stringLength, 'string-type-checked')
+    );
+
+    props.event = new PropagationEvent({
+      context: new CallContext(data),
+      signature: new Signature('mongoose.mixed.doValidateSync'),
+      tagRanges: props.tagRanges,
+      source: 'P',
+      target: 'A',
+      parents: [props.event]
+    });
+  }
+};
 module.exports = {
-  hasUserDefinedValidator
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
 };

package/lib/assess/propagators/mongoose/index.js

@@ -15,4 +15,5 @@ Copyright: 2022 Contrast Security, Inc
 module.exports.handle = () => {
   require('./map');
   require('./string');
+  require('./mixed');
 };

package/lib/assess/propagators/mongoose/map.js

@@ -21,9 +21,11 @@ const tagRangeUtil = require('../../models/tag-range/util');
 const {
   PATCH_TYPES: { ASSESS_PROPAGATOR }
 } = require('../../../constants');
-const TagRange = require('../../models/tag-range');
-const { CallContext, PropagationEvent, Signature } = require('../../models');
-const { hasUserDefinedValidator } = require('./helpers');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
 
 const doValidateSyncPatcher = (SchemaMap) => {
   patcher.patch(SchemaMap.prototype, 'doValidateSync', {
@@ -31,37 +33,16 @@ const doValidateSyncPatcher = (SchemaMap) => {
     name: 'mongoose.map.doValidateSync',
     patchType: ASSESS_PROPAGATOR,
     post(data) {
-      if (data.result || data.obj.options.of.name !== 'String') return;
+      if (data.result) return;
 
       if (!hasUserDefinedValidator(data)) return;
 
-      for (const value of data.args[0].values()) {
-        const trackingData = tracker.track(value);
-
-        if (!trackingData) return;
-
-        const { props } = trackingData;
-        const stringLength = value.length - 1;
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'custom-validated-nosql-injection')
-        );
-
-        props.tagRanges = tagRangeUtil.add(
-          props.tagRanges,
-          new TagRange(0, stringLength, 'string-type-checked')
-        );
-
-        props.event = new PropagationEvent({
-          context: new CallContext(data),
-          signature: new Signature('mongoose.map.doValidateSync'),
-          tagRanges: props.tagRanges,
-          source: 'P',
-          target: 'A',
-          parents: [props.event]
-        });
-      }
+      tagCustomValidatedValues(
+        data.args[0].values(),
+        data,
+        tracker,
+        tagRangeUtil
+      );
     }
   });
 };
@@ -69,6 +50,13 @@ const doValidateSyncPatcher = (SchemaMap) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/map.js', version: '>=5.0.0' },
   (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     doValidateSyncPatcher(SchemaMap);
   }
 );

package/lib/assess/propagators/mongoose/mixed.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const tracker = require('../../../tracker');
+const patcher = require('../../../hooks/patcher');
+const requireHook = require('../../../hooks/require');
+const tagRangeUtil = require('../../models/tag-range/util');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const {
+  hasUserDefinedValidator,
+  tagCustomValidatedValues
+} = require('./helpers');
+const agent = require('../../../agent');
+
+const doValidateSyncPatcher = (SchemaMap) => {
+  patcher.patch(SchemaMap.prototype, 'doValidateSync', {
+    alwaysRun: true,
+    name: 'mongoose.mixed.doValidateSync',
+    patchType: ASSESS_PROPAGATOR,
+    post(data) {
+      if (data.result || !hasUserDefinedValidator(data)) return;
+
+      const input = data.args[0];
+      const inputType = typeof input;
+
+      if (inputType !== 'string' && inputType !== 'object') return;
+
+      let values;
+      if (inputType === 'string') {
+        values = [input];
+      } else if (Array.isArray(input)) {
+        values = input;
+      } else if (input instanceof Map) {
+        values = input.values();
+      } else {
+        values = Object.values(input);
+      }
+
+      tagCustomValidatedValues(values, data, tracker, tagRangeUtil);
+    }
+  });
+};
+
+requireHook.resolve(
+  { name: 'mongoose', file: 'lib/schema/mixed.js', version: '>=5.0.0' },
+  (SchemaMap) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    doValidateSyncPatcher(SchemaMap);
+  }
+);

package/lib/core/arch-components/mysql.js

@@ -19,6 +19,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve(
   { name: 'mysql', file: 'lib/Connection.js' },
@@ -28,22 +29,31 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(wrapCtx) {
-        try {
-          let url = 'mysql://';
-          if (this.config.socketPath) {
-            url += this.config.socketPath;
-          } else {
-            url += `${this.config.host}`;
-          }
-          agentEmitter.emit('architectureComponent', {
-            vendor: 'MySQL',
-            url: new URL(url).toString(),
-            remoteHost: '',
-            remotePort: !this.config.socketPath ? this.config.port : -1
+        waitToConnect(wrapCtx)
+          .then(() => {
+            try {
+              let url = 'mysql://';
+              if (this.config.socketPath) {
+                url += this.config.socketPath;
+              } else {
+                url += `${this.config.host}`;
+              }
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MySQL',
+                url: new URL(url).toString(),
+                remoteHost: '',
+                remotePort: !this.config.socketPath ? this.config.port : -1
+              });
+            } catch (err) {
+              logger.warn(
+                'unable to report MySQL architecture component\n',
+                err
+              );
+            }
+          })
+          .catch((err) => {
+            logger.warn('unable to report MySQL architecture component\n', err);
           });
-        } catch (err) {
-          logger.warn('unable to report MySQL architecture component\n', err);
-        }
       }
     });
   }

package/lib/core/arch-components/postgres.js

@@ -18,6 +18,7 @@ const ModuleHook = require('../../hooks/require');
 const agentEmitter = require('../../agent-emitter');
 const { PATCH_TYPES } = require('../../constants');
 const logger = require('../logger')('contrast:arch-component');
+const waitToConnect = require('./util');
 
 ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
   patcher.patch(pgClient, {
@@ -25,37 +26,46 @@ ModuleHook.resolve({ name: 'pg', file: 'lib/client.js' }, (pgClient) =>
     patchType: PATCH_TYPES.ARCH_COMPONENT,
     alwaysRun: true,
     post(wrapCtx) {
-      try {
-        const {
-          host = process.env.PGHOST,
-          port = process.env.PGPORT
-        } = wrapCtx.result;
+      waitToConnect(wrapCtx)
+        .then(() => {
+          try {
+            const {
+              host = process.env.PGHOST,
+              port = process.env.PGPORT
+            } = wrapCtx.result;
 
-        if (!host) {
-          return;
-        }
+            if (!host) {
+              return;
+            }
 
-        let url = host;
+            let url = host;
 
-        // build protocol and port into url prior to parsing
-        if (url.indexOf('://') === -1) {
-          url = `postgresql://${url}`;
-        }
-        if (port !== undefined) {
-          url = `${url}:${port}`;
-        }
+            // build protocol and port into url prior to parsing
+            if (url.indexOf('://') === -1) {
+              url = `postgresql://${url}`;
+            }
+            if (port !== undefined) {
+              url = `${url}:${port}`;
+            }
 
-        agentEmitter.emit('architectureComponent', {
-          vendor: 'PostgreSQL',
-          remotePort: port || 0,
-          url: new URL(url).toString()
+            agentEmitter.emit('architectureComponent', {
+              vendor: 'PostgreSQL',
+              remotePort: port || 0,
+              url: new URL(url).toString()
+            });
+          } catch (err) {
+            logger.warn(
+              'unable to report PostgreSQL architecture component\n%o',
+              err
+            );
+          }
+        })
+        .catch((err) => {
+          logger.warn(
+            'unable to report PostgreSQL architecture component\n%o',
+            err
+          );
         });
-      } catch (err) {
-        logger.warn(
-          'unable to report PostgreSQL architecture component\n%o',
-          err
-        );
-      }
     }
   })
 );

package/lib/core/arch-components/util.js

@@ -0,0 +1,49 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const MYSQL = 'mysql.connect.arch_component';
+const POSTGRES = 'pg.Client.arch_component';
+
+module.exports = function waitToConnect(ctx, count = 0) {
+  return new Promise((resolve, reject) => {
+    const maxAttempts = 10 * 60; // i.e., 1 min.
+    const checkConnection = setInterval(
+      function(ctx, resolve, reject) {
+        if (count >= maxAttempts) {
+          clearInterval(checkConnection);
+          reject();
+        }
+        switch (ctx.name) {
+          case MYSQL:
+            if (ctx.obj.state === 'authenticated') {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+          case POSTGRES:
+            if (ctx.result._connected) {
+              clearInterval(checkConnection);
+              resolve();
+            }
+            break;
+        }
+        count++;
+      },
+      100,
+      ctx,
+      resolve,
+      reject
+    );
+  });
+};

package/lib/core/express/index.js

@@ -26,7 +26,7 @@ const { isString } = require('../../util/is-string');
 const { emitSendEvent } = require('../../hooks/frameworks/common');
 const {
   prototype: { decorateRequest },
-  setFrameworkRequest
+  setFrameworkRequest,
 } = require('../../hooks/frameworks/base');
 const ExpressRequest = require('../../reporter/models/frameworks/express-request');
 
@@ -40,7 +40,7 @@ const {
   INPUT_TYPES,
   SINK_TYPES,
   MW_PATH,
-  LAYER_STACK
+  LAYER_STACK,
 } = constants;
 const { EVENTS } = Helpers;
 
@@ -111,14 +111,14 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
 
-        const body = data.args[0];
+        const [body] = data.args;
         if (isString(body)) {
           emitSendEvent(body.valueOf());
         }
-      }
+      },
     });
 
     patcher.patch(express.response, 'push', {
@@ -128,14 +128,14 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
 
-        const body = data.args[0];
+        const [body] = data.args;
         if (isString(body)) {
           emitSendEvent(body.valueOf());
         }
-      }
+      },
     });
 
     patcher.patch(express.response, 'end', {
@@ -145,9 +145,9 @@ class ExpressFramework {
         agentEmitter.emit(
           EVENTS.REQUEST_SEND,
           data.args[0],
-          SINK_TYPES.RESPONSE_BODY
+          SINK_TYPES.RESPONSE_BODY,
         );
-      }
+      },
     });
 
     patcher.patch(express.Router, 'use', {
@@ -157,7 +157,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_USE, self, wrapCtx);
-      }
+      },
     });
 
     patcher.patch(express.Router, 'route', {
@@ -166,7 +166,7 @@ class ExpressFramework {
       alwaysRun: true,
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_ROUTE, self, wrapCtx);
-      }
+      },
     });
 
     LC_HTTP_VERBS.forEach((verb) => {
@@ -177,7 +177,7 @@ class ExpressFramework {
         pre: self.injectContrastMiddleware.bind(self),
         post: (wrapCtx) => {
           agentEmitter.emit(EVENTS.ROUTER_METHOD, self, wrapCtx, verb);
-        }
+        },
       });
     });
 
@@ -188,7 +188,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.ROUTER_METHOD, self, wrapCtx, 'all');
-      }
+      },
     });
 
     patcher.patch(express.application, 'use', {
@@ -198,7 +198,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.APP_USE, self, wrapCtx);
-      }
+      },
     });
 
     LC_HTTP_VERBS.forEach((verb) => {
@@ -209,7 +209,7 @@ class ExpressFramework {
         pre: self.injectContrastMiddleware.bind(self),
         post: (wrapCtx) => {
           agentEmitter.emit(EVENTS.APP_METHOD, self, wrapCtx, verb);
-        }
+        },
       });
     });
 
@@ -220,7 +220,7 @@ class ExpressFramework {
       pre: self.injectContrastMiddleware.bind(self),
       post: (wrapCtx) => {
         agentEmitter.emit(EVENTS.APP_METHOD, self, wrapCtx, 'all');
-      }
+      },
     });
 
     agentEmitter.on(HTTP_EVENTS.SERVER_CREATE, this.onServerCreate.bind(this));
@@ -238,7 +238,7 @@ class ExpressFramework {
     if (!app || !app.defaultConfiguration) {
       logger.error(
         `non-express application mistakenly registered`,
-        new Error().stack
+        new Error().stack,
       );
       return;
     }
@@ -305,7 +305,7 @@ class ExpressFramework {
         EVENTS.REQUEST_READY,
         req,
         res,
-        INPUT_TYPES.QUERYSTRING
+        INPUT_TYPES.QUERYSTRING,
       );
       next();
     }, 'query');
@@ -322,6 +322,14 @@ class ExpressFramework {
       next();
     }, 'rawParser');
 
+    // ... bodyParser in Sails Framework ............................
+    this.useAfter(function ContrastBodyParsed(req, res, next) {
+      if (req._sails && req.body) {
+        agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
+      }
+      next();
+    }, '_parseHTTPBody');
+
     this.useAfter(function ContrastTextBodyParsed(req, res, next) {
       agentEmitter.emit(EVENTS.BODY_PARSED, req, res, INPUT_TYPES.BODY);
       next();
@@ -329,7 +337,7 @@ class ExpressFramework {
 
     this.useAfter(function ContrastBodyParsed(req, res, next) {
       agentEmitter.emit(EVENTS.BODY_PARSED, req, res, {
-        type: INPUT_TYPES.BODY
+        type: INPUT_TYPES.BODY,
       });
       next();
     }, 'urlencodedParser');
@@ -345,7 +353,7 @@ class ExpressFramework {
         EVENTS.COOKIES_PARSED,
         req,
         res,
-        INPUT_TYPES.COOKIE_VALUE
+        INPUT_TYPES.COOKIE_VALUE,
       );
 
       next();
@@ -395,7 +403,7 @@ class ExpressFramework {
             patchType: PATCH_TYPES.SOURCE,
             pre(data) {
               req[LAYER_STACK].pop();
-            }
+            },
           });
           if (req.query) {
             decorateRequest({ query: req.query });
@@ -406,11 +414,11 @@ class ExpressFramework {
               EVENTS.PARAM_PARSED,
               req,
               res,
-              INPUT_TYPES.URL_PARAMETER
+              INPUT_TYPES.URL_PARAMETER,
             );
 
             decorateRequest({
-              parameters: req.params
+              parameters: req.params,
             });
           }
 
@@ -422,21 +430,18 @@ class ExpressFramework {
 
             Whatever the core issue is, it doesn't appear to have any effects
             elsewhere in any of our Express/Kraken framework support.
-
-            BODY_PARSED event is emitted to support Sails framework
            */
           if (req.body) {
             decorateRequest({ body: req.body });
-            agentEmitter.emit(EVENTS.BODY_PARSED, req, res, req.body);
           }
-        }
+        },
       });
     }
   }
 
   useAfter(fn, after) {
     this.handlers[after] = {
-      post: fn
+      post: fn,
     };
   }
 

package/lib/core/logger/debug-logger.js

@@ -108,9 +108,10 @@ class DebugLogFactory {
 
     // We always log to a file, but check whether we should log to stdout
     if (
-      !this.stdout ||
-      !process.env.DEBUG ||
-      !/(^|,\s*)contrast:.+/.test(process.env.DEBUG)
+      this.loggerPath &&
+      (!this.stdout ||
+        !process.env.DEBUG ||
+        !/(^|,\s*)contrast:.+/.test(process.env.DEBUG))
     ) {
       this.mute = true;
     }

package/lib/core/rewrite/binary-expression.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const t = require('@babel/types');
-const _ = require('lodash');
 
 /**
  * Wraps binary expressions in one of the following: `ContrastMethods.__add`,
@@ -30,7 +29,7 @@ const _ = require('lodash');
  * @param {import('.').State} state
  */
 module.exports = function BinaryExpression(path, state) {
-  const spec = _.find(state.specs, { token: path.node.operator });
+  const spec = state.specs.find(({ token }) => token === path.node.operator);
   if (
     !spec ||
     !state.callees[spec.name] ||

package/lib/core/rewrite/callees.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const { expression } = require('@babel/template');
-const _ = require('lodash');
 
 /**
  * @typedef {Object} Spec
@@ -132,7 +131,9 @@ module.exports = function createCallees(agent) {
   const callees = specs.reduce(
     (memo, spec) =>
       (assessMode && spec.modes.assess) || (protectMode && spec.modes.protect)
-        ? _.set(memo, spec.name, calleeBuilder({ name: spec.name }))
+        ? Object.assign(memo, {
+            [spec.name]: calleeBuilder({ name: spec.name })
+          })
         : memo,
     {}
   );

package/lib/core/rewrite/catch-clause.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 const { statement } = require('@babel/template');
-const _ = require('lodash');
 
 const logStatementBuilder = statement(
   `if (global.CONTRAST_LOG) {
@@ -38,7 +37,10 @@ const logStatementBuilder = statement(
  * @param {import('.').State} state
  */
 module.exports = function CatchClause(path, state) {
-  if (!_.get(state.agent, 'config.agent.node.enable_catch_log')) return;
+  const { config } = state.agent;
+  if (!config || !config.agent.node.enable_catch_log) {
+    return;
+  }
 
   path.node.param = path.node.param || path.scope.generateUidIdentifier('err');
   path

package/lib/core/rewrite/import-declaration.js

@@ -15,7 +15,6 @@ Copyright: 2022 Contrast Security, Inc
 'use strict';
 
 const t = require('@babel/types');
-const _ = require('lodash');
 
 const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
   t.memberExpression(t.identifier('import'), t.identifier('meta')),
@@ -49,7 +48,8 @@ module.exports = function ImportDeclaration(path, state) {
 
   path.insertAfter(
     specifiers.map((importSpec) => {
-      const spec = _.find(state.specs, { type: importSpec.type });
+      const spec = state.specs.find(({ type }) => type === importSpec.type);
+
       if (!spec || !state.callees[spec.name]) return;
 
       const args = [importSpec.local];

package/lib/core/rewrite/index.js

@@ -116,6 +116,7 @@ class Rewriter {
       null,
       initialState
     );
+    traverse.cache.clear();
   }
 
   /**

package/lib/core/rewrite/injections.js

@@ -14,7 +14,6 @@ Copyright: 2022 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
 const logger = require('../logger')('contrast:rewrite:injections');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
@@ -161,8 +160,7 @@ module.exports = {
    * @returns {Injection[]}
    */
   getEnabled() {
-    return _.reduce(
-      injections,
+    return Object.values(injections).reduce(
       (enabled, injection) =>
         injection.enabled() ? [...enabled, injection] : enabled,
       []

package/lib/core/rewrite/rewrite-log.js

@@ -13,7 +13,6 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const _ = require('lodash');
 
 /**
  * Helper class that provides some means of optimizing the rewrite process.
@@ -32,11 +31,9 @@ module.exports = class RewriteLog {
     this._tokenMatches = specs.reduce(
       (matches, spec) =>
         callees[spec.name]
-          ? _.set(
-              matches,
-              spec.name,
-              !spec.token || 0 <= codeString.indexOf(spec.token)
-            )
+          ? Object.assign(matches, {
+              [spec.name]: !spec.token || 0 <= codeString.indexOf(spec.token)
+            })
           : matches,
       {}
     );
@@ -60,7 +57,7 @@ module.exports = class RewriteLog {
    * if we need to even rewrite the code at all.
    */
   foundTokens() {
-    return _.some(this._tokenMatches, _.identity);
+    return Object.values(this._tokenMatches).some(Boolean);
   }
 
   /**
@@ -72,6 +69,6 @@ module.exports = class RewriteLog {
    * make changes, we can just return original code.
    */
   rewritesOccurred() {
-    return !this.aborted && _.some(this._tokensRewritten, _.identity);
+    return !this.aborted && Object.values(this._tokensRewritten).some(Boolean);
   }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.10.0",
+  "version": "4.10.4",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -113,12 +113,14 @@
   "devDependencies": {
     "@aws-sdk/client-dynamodb": "^3.39.0",
     "@bmacnaughton/string-generator": "^1.0.0",
-    "@contrast/eslint-config": "^2.0.1",
+    "@contrast/eslint-config": "^2.2.0",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
     "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
+    "@typescript-eslint/eslint-plugin": "^5.10.2",
+    "@typescript-eslint/parser": "^5.10.2",
     "ajv": "^8.5.0",
     "ast-types": "^0.12.4",
     "aws-sdk": "file:test/mock/aws-sdk",
@@ -135,11 +137,11 @@
     "dustjs-linkedin": "^3.0.1",
     "ejs": "^3.1.6",
     "escape-html": "^1.0.3",
-    "eslint": "^8.2.0",
-    "eslint-config-prettier": "^6.11.0",
-    "eslint-plugin-mocha": "^7.0.1",
+    "eslint": "^8.8.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-mocha": "^10.0.3",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^3.1.4",
+    "eslint-plugin-prettier": "^4.0.0",
     "express": "file:test/mock/express",
     "fetch-cookie": "^0.11.0",
     "form-data": "^3.0.0",
@@ -168,7 +170,7 @@
     "nyc": "^15.1.0",
     "pg": "file:test/mock/pg",
     "pino": "^6.7.0",
-    "prettier": "^1.19.1",
+    "prettier": "^2.5.1",
     "proxyquire": "^2.1.0",
     "qs": "^6.9.4",
     "rethinkdb": "file:test/mock/rethinkdb",