@contrast/agent 4.9.1 → 4.10.0

package/lib/assess/propagators/joi/any.js

@@ -0,0 +1,48 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/any.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object._definition.rules.custom, 'validate', {
+      name: 'joi.any.custom.validate',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (data.result && typeof data.result === 'string') {
+          tracker.untrack(data.result);
+        }
+
+        if (data.args[0] && typeof data.args[0] === 'string') {
+          tracker.untrack(data.args[0]);
+        }
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/index.js

@@ -21,4 +21,6 @@ module.exports.handle = function() {
   require('./string-schema');
   require('./string-base');
   require('./expression');
+  require('./object');
+  require('./any');
 };

package/lib/assess/propagators/joi/object.js

@@ -0,0 +1,61 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+const requireHook = require('../../../hooks/require');
+const patcher = require('../../../hooks/patcher');
+const {
+  PATCH_TYPES: { ASSESS_PROPAGATOR }
+} = require('../../../constants');
+const tracker = require('../../../tracker');
+const agent = require('../../../agent');
+
+const traverseObjectAndUntrack = (object, incomingInput, result) => {
+  if (object.type === 'object' && object.$_terms.keys) {
+    object.$_terms.keys.forEach(({ key, schema }) => {
+      traverseObjectAndUntrack(schema, incomingInput[key], result[key]);
+    });
+  }
+
+  if (
+    object.type === 'string' &&
+    Array.isArray(object.$_terms.externals) &&
+    object.$_terms.externals.length
+  ) {
+    tracker.untrack(incomingInput);
+    tracker.untrack(result);
+  }
+};
+
+requireHook.resolve(
+  { name: 'joi', file: 'lib/types/object.js', version: '>=17.0.0' },
+  (object) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
+    patcher.patch(object.__proto__, 'validateAsync', {
+      name: 'joi.object.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        data.result.then((result) =>
+          traverseObjectAndUntrack(data.obj, data.args[0], result)
+        );
+      }
+    });
+  }
+);

package/lib/assess/propagators/joi/string-base.js

@@ -24,6 +24,7 @@ const tracker = require('../../../tracker');
 const { PropagationEvent, Signature, CallContext } = require('../../models');
 const TagRange = require('../../models/tag-range');
 const tagRangeUtil = require('../../models/tag-range/util');
+const agent = require('../../../agent');
 
 /**
  * Patch joi.string.validate so that it tags input with string-type-checked if validated
@@ -54,6 +55,21 @@ function instrumentJoiString(string) {
         }
       }
     });
+
+  if (agent.config.agent.trust_custom_validators) {
+    patcher.patch(string.__proto__, 'validateAsync', {
+      name: 'joi.string.validateAsync',
+      patchType: ASSESS_PROPAGATOR,
+      alwaysRun: true,
+      post(data) {
+        if (!data.obj.$_terms.externals.length) return;
+        data.result.then((result) => {
+          tracker.untrack(data.args[0]);
+          tracker.untrack(result);
+        });
+      }
+    });
+  }
 }
 
 requireHook.resolve(

package/lib/assess/propagators/mongoose/string.js

@@ -24,6 +24,7 @@ const {
 const TagRange = require('../../models/tag-range');
 const { CallContext, PropagationEvent, Signature } = require('../../models');
 const { hasUserDefinedValidator } = require('./helpers');
+const agent = require('../../../agent');
 
 const enumPatcher = (SchemaString) => {
   patcher.patch(SchemaString.prototype, 'enum', {
@@ -98,6 +99,13 @@ const doValidateSyncPatcher = (SchemaString) => {
 requireHook.resolve(
   { name: 'mongoose', file: 'lib/schema/string.js', version: '>=5.0.0' },
   (SchemaString) => {
+    if (
+      !agent.config ||
+      (agent.config && !agent.config.agent.trust_custom_validators)
+    ) {
+      return;
+    }
+
     enumPatcher(SchemaString);
     doValidateSyncPatcher(SchemaString);
   }

package/lib/core/config/options.js

@@ -487,6 +487,12 @@ const agent = [
     desc:
       'set limit for stack trace size (larger limits will improve accuracy but increase memory usage)'
   },
+  {
+    name: 'agent.trust_custom_validators',
+    arg: '<trust-custom-validators>',
+    default: false,
+    desc: `trust incoming strings when they pass custom validators (Mongoose, Joi)`
+  },
   {
     name: 'agent.traverse_and_track',
     arg: '<traverse-and-track>',
@@ -977,11 +983,11 @@ if (process.env.CONTRAST_DEV) {
 const sails = [
   {
     name: 'pathToSails',
-    arg: '<path>',
+    arg: '<path>'
   },
   {
     name: 'gdsrc',
-    arg: '<path>',
+    arg: '<path>'
   }
 ];
 
@@ -1030,16 +1036,12 @@ options.forEach((option) => {
 // The agent doesn't need to do anything with these options. It just needs to not
 // throw an error when it encounters them but we also don't need them displayed on
 // the agent's config option list. The newest version of Commander lets us do exactly this.
-// This is structured so that if anything like this is discovered again, they can be 
+// This is structured so that if anything like this is discovered again, they can be
 // added in easily.
-const hiddenOptions = [].concat(
-  sails
-)
+const hiddenOptions = [].concat(sails);
 
 hiddenOptions.forEach((option) => {
-  program.addOption(
-    new Option(`--${option.name} ${option.arg}`).hideHelp()
-  )
+  program.addOption(new Option(`--${option.name} ${option.arg}`).hideHelp());
 });
 
 function getDefault(optionName) {

package/lib/core/express/index.js

@@ -397,6 +397,9 @@ class ExpressFramework {
               req[LAYER_STACK].pop();
             }
           });
+          if (req.query) {
+            decorateRequest({ query: req.query });
+          }
           const params = new Object(this.params);
           if (Object.keys(params).length) {
             agentEmitter.emit(

package/lib/core/fastify/index.js

@@ -154,7 +154,8 @@ class FastifyCore {
     agentEmitter.emit(constants.EVENTS.PRE_VALIDATION, ...data);
     decorateRequest({
       body: request.body,
-      parameters: request.params
+      parameters: request.params,
+      query: request.query
     });
     done();
   }

package/lib/core/hapi/index.js

@@ -173,7 +173,8 @@ class HapiCore {
       decorateRequest({
         normalizedUri: get(request, 'route.path'),
         body: request.payload,
-        parameters: request.params
+        parameters: request.params,
+        query: request.query
       });
       return h.continue;
     });

package/lib/core/koa/index.js

@@ -216,13 +216,21 @@ class KoaCore {
    */
   registerRequestHandler(ctx) {
     ctx.req.request = ctx.request;
+    const { query } = ctx.request;
     ctx.request = new Proxy(ctx.request, {
       set(...args) {
         const [obj, prop] = args;
         const result = Reflect.set(...args);
+        if (query) {
+          decorateRequest({
+            query
+          });
+        }
         switch (prop) {
           case 'body':
-            decorateRequest({ body: obj[prop] });
+            decorateRequest({
+              body: obj[prop]
+            });
             agentEmitter.emit(constants.EVENTS.CTX_REQUEST_BODY, {
               request: obj,
               ctx

package/lib/core/rewrite/callees.js

@@ -67,6 +67,22 @@ const specs = [
     token: 'eval',
     modes: { assess: true, protect: true }
   },
+  // Import Declaration
+  {
+    name: '__importDefault',
+    type: 'ImportDefaultSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__importNamespace',
+    type: 'ImportNamespaceSpecifier',
+    modes: { assess: true, protect: true }
+  },
+  {
+    name: '__import',
+    type: 'ImportSpecifier',
+    modes: { assess: true, protect: true }
+  },
   // Member Expression
   {
     name: '__forceCopy',

package/lib/core/rewrite/import-declaration.js

@@ -0,0 +1,71 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const t = require('@babel/types');
+const _ = require('lodash');
+
+const IMPORT_META_URL_MEMBER_EXPRESSION = t.memberExpression(
+  t.memberExpression(t.identifier('import'), t.identifier('meta')),
+  t.identifier('url')
+);
+
+/**
+ * Appends calls to our own instrumentable import methods, providing access to
+ * the imported modules.
+ * ```
+ * import x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importDefault(x, 'mod', import.meta.url);
+ *
+ * import * as x from 'mod';
+ * // becomes:
+ * import x from 'mod';
+ * ContrastMethods.__importNamespace(x, 'mod', import.meta.url);
+ *
+ * import { foo, bar as baz } from 'mod';;
+ * // becomes
+ * ContrastMethods.__import(foo, 'foo', 'mod', import.meta.url);
+ * ContrastMethods.__import(baz, 'bar', 'mod', import.meta.url);
+ * ```
+ * @param {import('@babel/traverse').NodePath<import('@babel/types').ImportDeclaration>} path
+ * @param {import('.').State} state
+ */
+module.exports = function ImportDeclaration(path, state) {
+  const { source, specifiers } = path.node;
+
+  path.insertAfter(
+    specifiers.map((importSpec) => {
+      const spec = _.find(state.specs, { type: importSpec.type });
+      if (!spec || !state.callees[spec.name]) return;
+
+      const args = [importSpec.local];
+
+      if (t.isImportSpecifier(importSpec)) {
+        args.push(
+          t.isIdentifier(importSpec.imported)
+            ? t.stringLiteral(importSpec.imported.name)
+            : importSpec.imported
+        );
+      }
+
+      args.push(source);
+      args.push(IMPORT_META_URL_MEMBER_EXPRESSION);
+
+      return t.callExpression(state.callees[spec.name], args);
+    })
+  );
+};

package/lib/core/rewrite/index.js

@@ -18,23 +18,24 @@ const { default: generate } = require('@babel/generator');
 const { parse } = require('@babel/parser');
 const { default: traverse } = require('@babel/traverse');
 
+const RewriteDeadzones = require('../../assess/deadzones/rewrite');
+const { util: sourceMapUtility } = require('../../util/source-map');
 const Scopes = require('../async-storage/scopes');
 const logger = require('../logger')('contrast:rewrite');
-const RewriteDeadzones = require('../../assess/deadzones/rewrite');
-const logRewrite = require('./log');
-const RewriteLog = require('./rewrite-log');
-const isContrastMethod = require('./is-contrast-method');
-const functionWrap = require('./function-wrap');
-const prependGlobals = require('./prepend-globals');
 const AssignmentExpression = require('./assignment-expression');
 const BinaryExpression = require('./binary-expression');
 const CallExpression = require('./call-expression');
 const CatchClause = require('./catch-clause');
+const functionWrap = require('./function-wrap');
+const ImportDeclaration = require('./import-declaration');
+const isContrastMethod = require('./is-contrast-method');
+const logRewrite = require('./log');
 const MemberExpression = require('./member-expression');
 const ObjectProperty = require('./object-property');
+const prependGlobals = require('./prepend-globals');
+const RewriteLog = require('./rewrite-log');
 const SwitchStatement = require('./switch-statement');
 const TemplateLiteral = require('./template-literal');
-const sourceMapUtility = require('../../util/source-map').util;
 
 /**
  * @typedef {Object} State
@@ -105,6 +106,7 @@ class Rewriter {
         BinaryExpression,
         CallExpression,
         CatchClause,
+        ImportDeclaration,
         MemberExpression,
         ObjectProperty,
         SwitchStatement,

package/lib/core/rewrite/injections.js

@@ -100,7 +100,11 @@ const ContrastMethods = new Injection(null, 'ContrastMethods', {
   },
   __contrastEval: function __contrastEval(str) {
     return str;
-  }
+  },
+  // TODO: NODE-2020
+  __importDefault(mod, source, url) {},
+  __importNamespace(mod, source, url) {},
+  __import(mod, spec, source, url) {}
 });
 
 ContrastMethods.enable();

package/lib/protect/restify/sources.js

@@ -21,6 +21,8 @@ const {
 } = require('../../constants');
 const { emitSourceEvent } = require('../../hooks/frameworks/common');
 const agentEmitter = require('../../agent-emitter');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
 const {
   utils,
   constants: { EVENTS }
@@ -39,6 +41,39 @@ class RestifyProtectSources {
         EVENTS.CREATE_SERVER,
         this.registerUrlParamsHandler.bind(this)
       );
+      agentEmitter.on(
+        EVENTS.RESTIFY_EXPORT,
+        this.registerQueryParamsHandler.bind(this)
+      );
+    }
+  }
+
+  /**
+   * Patches query parser middleware to wrap the callback argument. Once this
+   * wrapped callback is invoked w/out error we know we can proxy `req.query`.
+   * @param {object} restify
+   */
+  registerQueryParamsHandler(restify) {
+    const {
+      plugins: { queryParser: origQueryParser }
+    } = restify;
+
+    if (origQueryParser) {
+      patcher.patch(restify.plugins, 'queryParser', {
+        name: 'restify.plugins',
+        patchType: PATCH_TYPES.FRAMEWORK,
+        alwaysRun: true,
+        post(data) {
+          patcher.patch(data, 'result', {
+            name: 'restify.plugins.queryParser',
+            patchType: PATCH_TYPES.PROTECT_SOURCE,
+            alwaysRun: true,
+            post(data) {
+              decorateRequest({ query: get(data.args[0], 'query') });
+            }
+          });
+        }
+      });
     }
   }
 

package/lib/protect/rules/nosqli/nosql-injection-rule.js

@@ -26,9 +26,11 @@ const brackets = /\[(.{1,1024}?)\]/;
 const child = /\[(.{1,1024}?)\]/g;
 
 const MONGODB = 'mongodb';
+const RETHINKDB = 'rethinkdb';
 
 const ScannerKit = new Map([
-  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')]
+  [MONGODB, () => require('../nosqli/nosql-scanner').create('MongoDB')],
+  [RETHINKDB, () => require('../nosqli/nosql-scanner').create('RethinkDB')]
 ]);
 const SubstringFinder = require('../base-scanner/substring-finder');
 
@@ -144,27 +146,14 @@ class NoSqlInjectionRule extends require('../') {
       _documentType === constants.INPUT_TYPES.PARAMETER_NAME &&
       _documentPath.length <= 1024
     ) {
-      let segment = brackets.exec(_documentPath);
-      const parent = segment
-        ? _documentPath.slice(0, segment.index)
-        : _documentPath;
-
-      pathArray.push('query');
-
-      if (parent) {
-        pathArray.push(parent);
-      }
-      while ((segment = child.exec(_documentPath))) {
-        pathArray.push(segment[1]);
-      }
-      pathArray.pop();
+      this.buildPathArray(_documentPath, pathArray);
     } else {
       // only qs params and body are "expandable"
       pathArray.push('body', ..._documentPath.split('.'));
     }
 
     let data;
-    let curr = ctx.req;
+    let curr = ctx.request;
 
     for (const path of pathArray) {
       if (curr) {
@@ -175,6 +164,31 @@ class NoSqlInjectionRule extends require('../') {
     return data;
   }
 
+  buildPathArray(documentPath, pathArray) {
+    const documentPathArray = documentPath.split('.');
+
+    pathArray.push('query');
+    documentPathArray.forEach((dotSegment) => {
+      let lastChar;
+      let bracketSegment = brackets.exec(dotSegment);
+      let parent = bracketSegment
+        ? dotSegment.slice(0, bracketSegment.index)
+        : dotSegment;
+      if (parent) {
+        lastChar = parent.slice(-1);
+        parent = lastChar === ']' ? parent.slice(0, -1) : parent;
+        pathArray.push(parent);
+      }
+      while ((bracketSegment = child.exec(dotSegment))) {
+        lastChar = bracketSegment[1].slice(-1);
+        const segment =
+          lastChar === ']' ? bracketSegment[1].slice(0, -1) : bracketSegment[1];
+        pathArray.push(segment);
+      }
+    });
+    pathArray.pop();
+  }
+
   getScanner(id) {
     if (!ScannerKit.has(id)) {
       throw new Error(`Unknown NoSQL scanner: ${id}`);

package/lib/protect/rules/nosqli/nosql-scanner/index.js

@@ -33,7 +33,7 @@ module.exports = {
 
     const databases = {
       MongoDB: () => new (require('./mongodbscanner'))(options),
-
+      RethinkDB: () => new (require('./rethinkdbscanner'))(options),
       [ERROR_KEY]: () => {
         throw new Error();
       }

package/lib/protect/rules/nosqli/nosql-scanner/rethinkdbscanner.js

@@ -0,0 +1,26 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+/**
+ * RethinkDB scanner module
+ * @module lib/protect/rules/nosql/nosql-scanner/RethinkDBScanner
+ */
+
+'use strict';
+
+const { BaseScanner } = require('../../base-scanner');
+
+class RethinkDBScanner extends BaseScanner {}
+
+module.exports = RethinkDBScanner;

package/lib/protect/sinks/index.js

@@ -29,6 +29,7 @@ const MongoDBSink = require('./mongodb');
 const MySQLSink = require('./mysql');
 const NodeSerializeSink = require('./node-serialize');
 const PostgresSink = require('./postgres');
+const RethinkDBSink = require('./rethinkdb');
 const SequelizeSink = require('./sequelize');
 const Sqlite3Sink = require('./sqlite3');
 const VMSink = require('./vm');
@@ -46,6 +47,7 @@ module.exports = function init(agent) {
   new MySQLSink(agent).install({ ModuleHook });
   new NodeSerializeSink(agent).install({ ModuleHook });
   new PostgresSink(agent).install({ ModuleHook });
+  new RethinkDBSink(agent).install({ ModuleHook });
   new SequelizeSink(agent).install({ ModuleHook });
   new VMSink(agent).install({ ModuleHook });
   new Sqlite3Sink(agent).install({ ModuleHook });

package/lib/protect/sinks/mongodb.js

@@ -21,8 +21,6 @@ const BaseSensor = require('../../hooks/frameworks/base');
 const patcher = require('../../hooks/patcher');
 const { PATCH_TYPES } = require('../../constants');
 const { emitSinkEvent } = require('../../hooks/frameworks/common');
-const agentEmitter = require('../../agent-emitter');
-const SinkEvent = require('../models/sink-event');
 
 const { SINK_TYPES } = constants;
 const ID = 'mongodb';
@@ -37,7 +35,7 @@ function getCursorQueryData(args, version) {
   }
 
   if (_.isString(query)) {
-    return query.toString()
+    return query.toString();
   }
 
   if (query['$where']) {

package/lib/protect/sinks/rethinkdb.js

@@ -0,0 +1,47 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const constants = require('../../constants');
+const BaseSensor = require('../../hooks/frameworks/base');
+const patcher = require('../../hooks/patcher');
+const { PATCH_TYPES } = require('../../constants');
+const { emitSinkEvent } = require('../../hooks/frameworks/common');
+
+const { SINK_TYPES } = constants;
+const ID = 'rethinkdb';
+
+class RethinkDBSensor extends BaseSensor {
+  constructor(agent) {
+    super({ id: ID, agent });
+  }
+
+  install({ ModuleHook }) {
+    ModuleHook.resolve({ name: 'rethinkdb' }, (rethinkdb) => {
+      patcher.patch(rethinkdb, 'js', {
+        alwaysRun: true,
+        name: 'rethinkdb',
+        patchType: PATCH_TYPES.PROTECT_SINK,
+        pre: (data) => {
+          emitSinkEvent(data.args[0], SINK_TYPES.NOSQL_QUERY, ID);
+        }
+      });
+    });
+
+    return this;
+  }
+}
+
+module.exports = RethinkDBSensor;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.9.1",
+  "version": "4.10.0",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -19,7 +19,13 @@
     "Griffin Yourick",
     "Ati Ok",
     "Pat McClory",
-    "Michael Woytowitz"
+    "Michael Woytowitz",
+    "Jacob Kaplan",
+    "Yulia Tenincheva",
+    "Bruce MacNaughton",
+    "Krasen Penchev",
+    "Ivaylo Grahlyov",
+    "Yavor Stoychev"
   ],
   "scripts": {
     "docs": "jsdoc -c ../.jsdoc.json",
@@ -72,10 +78,10 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.3",
+    "@contrast/fn-inspect": "^2.4.4",
     "@contrast/heapdump": "^1.1.0",
-    "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.6",
+    "@contrast/protobuf-api": "^3.2.3",
+    "@contrast/require-hook": "^2.0.8",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
     "amqplib": "^0.8.0",
@@ -109,7 +115,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.8",
+    "@contrast/screener-service": "^1.12.9",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -142,13 +148,13 @@
     "husky": "^6.0.0",
     "inquirer": "^8.1.2",
     "joi": "^17.4.0",
-    "jsdoc": "^3.6.7",
+    "jsdoc": "^3.6.10",
     "libxmljs": "file:test/mock/libxmljs",
     "libxmljs2": "file:test/mock/libxmljs2",
     "lint-staged": "^12.0.2",
     "madge": "^4.0.1",
     "marsdb": "file:test/mock/marsdb",
-    "mocha": "^9.1.3",
+    "mocha": "^9.2.0",
     "mochawesome": "^7.0.1",
     "mongodb": "file:test/mock/mongodb",
     "mongodb-npm": "npm:mongodb@^3.6.5",
@@ -156,7 +162,7 @@
     "mustache": "^3.0.1",
     "mysql": "file:test/mock/mysql",
     "nock": "^12.0.3",
-    "node-fetch": "^2.6.1",
+    "node-fetch": "^2.6.7",
     "node-serialize": "file:test/mock/node-serialize",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",