Node.js agent release notesRSS

Fixes

• BREAKING: Updated the version of https-proxy-agent to v2.x - Dropped support for v0.10 and v0.12 of node.

  The version of https-proxy-agent used in the agent has a known security issue you can read about here: https://snyk.io/vuln/npm:https-proxy-agent:20180402 In order to resolve this issue, the dependency had to be updated to at least v2.2.0, which only supported node versions >=4. The update to this dependency forces the incompatibility of the agent with versions 0.10 and 0.12 of node.

  In order to use use the Node.js agent, please upgrade node to version >=4, or you can continue to use the agent on node versions 0.10 and 0.12 by pinning the agent to v3.

  You can read more about the issue here: https://docs.newrelic.com/docs/using-new-relic/new-relic-security/securi...

Fixes

• Added a type check to attribute validation, restricting values to primitive types (but not undefined).

  Previously the agent was only enforcing byte limits on string values, resulting in overly large arrays being collected. This brings the agent in line with other language agents.

• The DatastoreShim will now respect specified after handlers.

  Previously on methods like DatastoreShim#recordQuery the after handler would be dropped. The property is now correctly propagated to the underlying Shim#record call.

• The agent will now check that a specified parent segment is part of an active segment before running a method under instrumentation.

  Previously the agent would unconditionally run a method under a specified parent. The shim expects the parent to exist and be active, and will throw errors in the case where the parent belongs to an inactive transaction.

New features

• Added newrelic.startSegment(), which replaces newrelic.createTracer().

  This new API method allows you to create custom segments using either callbacks or promises.

Bug fixes

• Fixed bug in pre route config option in Hapi instrumentation.

  Only applies to Hapi v16 and below. The pre handler wrapping was not properly returning in cases when the element was a string referring to a registered server method, and as a result these elements would be replaced with undefined.

New features

• Added @newrelic/koa as a dependency.

  This introduces instrumentation for Koa v2.0.0 or higher. It will be treated as first-party instrumentation within the agent, but publishing it as a separate module allows it to be installed independently according to users' needs.

Improvements

• Refactored instrumentation hooks to work with modules.

  With this change it is now possible to link against external instrumentation modules.

Improvements

• Promise based web framework middleware instrumentation now supports callback based sequencing.

  Previously, a promise based middleware was assumed to continue to the next middleware once the promise it returned resolved. This assumption has been relaxed to allow for a callback to be supplied to the middleware to invoke the next middleware.

Improvements

• Removed the ssl configuration option.

  TLS is now always used in communication with New Relic Servers. The ssl configuration value and NEW_RELIC_USE_SSL environment value are no longer used. Setting either value to anything other than true will result in a warning.

• Security bulletin NR18-05:

  Fixes issue introduced in 2.8.0 where the agent may have captured all transaction attributes, even with High-security mode enabled on the account. This may have included sensitive data attached to transactions.

• All request parameters now prefixed with request.parameters..

  Previously request parameters such as route and query parameters were added as attributes without any name changes. For example /foo?bar=value would add the attribute bar to the transaction. Now this attribute would be named request.parameters.bar.

  Any Insights dashboards, alerts, or other NRQL queries using these attributes must be updated to use the new attribute names.

• Adds support for EU Datacenter

Bug fixes

• Security bulletin NR18-06:

  Fixes issue introduced in 2.8.0 where the agent may have captured all transaction attributes, even with High-security mode enabled on the account. This may have included sensitive data attached to transactions.

• Removed support for agent attributes include/exclude rules.

  These will be coming back in Node Agent v3.0.0. The fix for the above security bulletin required a backwards incompatible change to our attributes.

• Fixed bug in Bluebird instrumentation.

  Some methods were not instrumented correctly. This would cause a problem if a function was passed to these methods.

  Special thanks to Andreas Lind (@papandreou) for helping us find this bug.

Note

This release is deprecated due to an issue where the agent may capture transaction attributes regardless of agent settings. If you are using this release, upgrade your agent to agent version 2.9.1 or higher. For more information, see Security Bulletin NR18-06.

Improvements

• Added the WebFrameworkShim#savePossibleTransactionName method.

  This method may be used to mark the current running middleware as a potential responder. savePossibleTransactionName should be used if a middleware can't be determined to be a terminal middleware while it executes, but may be responsible for responding after execution has finished.

• Fixed dns.resolve results assertion.

• Expanded async_hooks tests around maintain transaction context.

• Added Koa to metric naming objects.

• Added callback prop to middlewareWithPromiseRecorder return spec.

  While we aren't actually wrapping any callback, this is a workaround that gives us access to the active segment. This ensures that all segments inside Koa transaction traces are named correctly, particularly in cases when transaction context may be lost.

• Updated after prop in middlewareWithPromiseRecorder return spec to set txInfo.errorHandled = true in cases when there is no error.

  Because Koa has no concept of errorware in the same sense as Express or Connect ((err, req, res, next)), the agent now assumes if a middleware resolves, any error that may have occurred can be marked as handled.

Fixes

• Added check for parentSegment in async_hooks instrumentation, to help ensure that transaction context is maintained.

Note

This release is deprecated due to an issue where the agent may capture transaction attributes regardless of agent settings. If you are using this release, upgrade your agent to agent version 2.9.1 or higher. For more information, see Security Bulletin NR18-06.

New features

• Added instrumentation support for MongoDB version 3.

  Version 3 of mongodb is now supported. Previously datastore host information (instance metrics) was incorrectly captured by the agent with mongodb v3. This has been fixed and all features should be functional now.

Improvements

• Updated documentation for apdex_t setting and removed environment variable.

  This was never configurable on client side and the documentation was misleading.

• Documented environment variables for slow_sql configurations.

  Thanks to Olivier Tassinari (@oliviertassinari) for the update!

• Updated hapi/hapi-pre-17/package.json to run errors.tap.js in more versions.

• Added internal cache to unwrapped core modules for agent use.

• Improved logging around environment facts gathering.

Bug fixes

• Enable certain agent attributes when high-security mode is enabled.

  During the switch from the old capture_params/ignored_params to the new attribute include/exclude rules, high-security mode was over-zealous in what attributes it disallowed. This has been trimmed back to be in line with other agents.