Skip to content

Releases: AikidoSec/firewall-node

1.8.25

24 Apr 09:02
@hansott hansott
Immutable release. Only release title and notes can be modified.
1.8.25
e063d1a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.25 Latest
Latest
  • Fix SSRF protection not working for outgoing http and https requests in ESM mode
Assets 3
Loading

1.8.24

23 Apr 12:41
@hansott hansott
Immutable release. Only release title and notes can be modified.
1.8.24
547141f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.24
  • Add Retry-After header to rate-limited responses (HTTP and GraphQL)

Note: If you use a custom middleware, you can access result.retryAfterSeconds to set the header yourself.

Loading

1.8.23

17 Apr 08:52
@hansott hansott
Immutable release. Only release title and notes can be modified.
1.8.23
1b55ee9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.23
  • Support undici v8
  • Support Next.js 16 via ESM mode
  • Support @mistralai/mistralai v2
  • Support Prisma v7 on Postgres via @prisma/adapter-pg
  • Extend Prisma SQL injection detection to $queryRaw / $executeRaw tagged templates
  • Allow excluding specific users from rate limiting
Loading

1.8.22

02 Apr 14:11
@hansott hansott
1.8.22
6fa6cda
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.22
  • Remove startup warning recommending AIKIDO_BLOCK_INVALID_SQL=true
  • Fix edge case where startup logs showed a package as "supported" when Zen wasn't actually instrumenting it
Loading

1.8.21

01 Apr 15:10
@hansott hansott
1.8.21
4efc168
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.21
  • AIKIDO_BLOCK_INVALID_SQL now defaults to off instead of on, see docs
Loading

1.8.20

01 Apr 12:44
@hansott hansott
1.8.20
c48befe
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.20
  • Strip devDependencies and scripts from the published package.json
  • Fix potential IDOR detection issue when the same query is used with different SQL dialects
  • Fix undici hostname not being lowercased when passed as an options object
  • Block SQL queries that fail to tokenize when they contain user input (prevents SQL injection through malformed queries in databases like ClickHouse and SQLite), see docs.
Loading

1.8.19

24 Mar 08:24
@hansott hansott
1.8.19
7ea38a5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.19
  • Improve NoSQL injection detection (objects containing a constructor key)
  • Add support for sqlite3 v6
  • Add IDOR protection for node:sqlite
  • Fix crash caused by deeply nested arrays in request body
  • Improve SQL injection detection performance (comma-separated number lists)
  • Improve tsx warning message clarity
Loading

1.8.18

25 Feb 14:33
@hansott hansott
1.8.18
80bfe48
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.18
  • Improve NoSQL injection detection (when user input is an array)
  • Fix instrumentation bug when AIKIDO_DISABLE is set and the new hook-based instrumentation is used
  • Add warning when using --require @aikidosec/firewall with an app that uses import/export syntax (use --require @aikidosec/firewall/instrument instead)
  • Add warning when using tsx (tsx may interfere with Zen's instrumentation, use node in production)
  • Fix pg pool losing request context under high concurrency
Loading

1.8.17

18 Feb 14:14
@hansott hansott
1.8.17
72b8625
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.17
  • Improve IDOR protection: throw error when placeholder value can't be resolved
  • Improve IDOR support for better-sqlite3 placeholders (:name, @name, $name)
Loading

1.8.16

16 Feb 11:24
@hansott hansott
1.8.16
cef4b35
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
1.8.16
  • Add IDOR protection for better-sqlite3
  • Improve SSRF protection (reduce false positives for URLs inside JWT payloads)
  • Improve shell injection detection (carriage return and form feed characters)
Loading