Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The New Relic npm package is a powerful tool for monitoring and managing the performance of your Node.js applications. It provides insights into application performance, error tracking, and user interactions, helping developers to optimize and troubleshoot their applications effectively.
Application Performance Monitoring (APM)
New Relic APM provides detailed insights into the performance of your application, including response times, throughput, and error rates. By simply requiring the New Relic module at the start of your application, it will automatically start monitoring your app's performance.
const newrelic = require('newrelic');
// Your application code here
// New Relic will automatically monitor your app's performance
Custom Instrumentation
Custom instrumentation allows you to monitor specific parts of your application that are not automatically tracked by New Relic. By using the `getTransaction` method, you can create custom transactions and measure their performance.
const newrelic = require('newrelic');
function myCustomFunction() {
const transaction = newrelic.getTransaction();
// Your custom code here
transaction.end();
}
myCustomFunction();
Error Tracking
New Relic provides error tracking capabilities that allow you to capture and report errors that occur in your application. By using the `noticeError` method, you can send error details to New Relic for further analysis.
const newrelic = require('newrelic');
try {
// Your code that might throw an error
} catch (error) {
newrelic.noticeError(error);
}
Custom Events
Custom events allow you to send specific events to New Relic for tracking and analysis. By using the `recordCustomEvent` method, you can create and send custom events with associated data.
const newrelic = require('newrelic');
newrelic.recordCustomEvent('MyCustomEvent', {
key1: 'value1',
key2: 'value2'
});
AppDynamics is a comprehensive application performance management (APM) solution that provides real-time monitoring and analytics for applications. It offers similar functionalities to New Relic, including performance monitoring, error tracking, and custom instrumentation. AppDynamics is known for its robust analytics and detailed transaction tracking.
Datadog is a monitoring and analytics platform for cloud applications. It provides APM, log management, and infrastructure monitoring. Datadog offers similar features to New Relic, such as performance monitoring and error tracking, but it also includes extensive support for infrastructure monitoring and log management, making it a more comprehensive solution for full-stack monitoring.
Elastic APM is part of the Elastic Stack and provides performance monitoring for applications. The `elastic-apm-node` package allows you to monitor Node.js applications with features like transaction tracking, error reporting, and custom instrumentation. It integrates seamlessly with other Elastic Stack components, such as Elasticsearch and Kibana, for powerful data analysis and visualization.
This package instruments your application for performance monitoring with New Relic.
This is a new product. You should try it in your staging or development environment first to verify it works for you.
Make sure you have a New Relic account before starting. To see all the features, such as slow transaction traces, you will need a New Relic Pro subscription (or equivalent).
npm install newrelic
for the application you
want to monitor.newrelic.js
from node_modules/newrelic
into the root directory of
your application.newrelic.js
and replace license_key
's value with the license key
for your account.require('newrelic');
as the first line of the app's main module.If you wish to keep the configuration for the module separate from your
application, the module will look for newrelic.js in the directory referenced
by the environment variable NEW_RELIC_HOME
if it's set.
When you start your app, New Relic should start up with it and start reporting
data that will appear within the New Relic UI
after a few minutes. Because the agent minimizes the amount of bandwidth it
consumes, it only reports data once a minute, so if you require the module in
tests that take less than a minute to run, it won't have time to report data to
New Relic. The module will write its log to a file named newrelic_agent.log
in the application directory. If New Relic doesn't send data or crashes your
app, the log can help New Relic determine what went wrong, so be sure to send
it along with any bug reports or support requests.
New Relic's instrumentation can extend beyond your application into the
client's browser. The newrelic
module can generate <script>
headers which,
when inserted into your HTML templates, will capture client-side page load
times.
Headers must be manually injected, but no extra configuration is necessary to enable browser timings.
newrelic.getBrowserTimingHeader()
into your html page.<head>
tag.
getBrowserTimingHeader()
should be placed after any X-UA-COMPATIBLE HTTP-EQUIV
meta tags.Below is an example using express
and jade
; Express is a popular web
application framework, and jade
is a popular template module. Although the
specifics are different for other frameworks, the general approach described
below should work in most cases.
The simplest way to insert browser timing headers is to pass the newrelic
module into your template, and call newrelic.getBrowserTimingHeader()
from
within the template.
app.js:
var newrelic = require('newrelic');
var app = require('express')();
// In Express, this lets you call newrelic from within a template.
app.locals.newrelic = newrelic;
app.get('/user/:id', function (req, res) {
res.render('user');
});
app.listen(process.env.PORT);
layout.jade:
doctype html
html
head
!= newrelic.getBrowserTimingHeader()
title= title
link(rel='stylesheet', href='/stylesheets/style.css')
body
block content
By defaults calls to newrelic.getBrowserTimingHeader()
should return valid
headers. You can disable header generation without removing your template
code. In your newrelic.js
file, add the following to disable header
generation.
exports.config = {
// ... other config
browser_monitoring : {
enable : false
}
};
You can also set the environment variable NEW_RELIC_BROWSER_MONITOR_ENABLE=false
.
It is safe to leave the header generation code in place even when you're not
using it. If browser timings are disabled, or there is an error such that
working headers cannot be generated, the newrelic
module will generate an
innocuous HTML comment. If the newrelic
module is disabled entirely no
content will be generated.
In order to get the most value out of New Relic for Node.js, you may have to do a little work to help us figure out how your application is structured. New Relic works on the assumption that it can group requests to your application into transactions, which are defined by giving one or more request paths a name. These names are used to visualize where your app is spending its time (in transaction breakdowns), to identify slow requests, and to group scoped metrics. For example, this can identify slow database queries by showing which requests are spending a long time waiting on the database.
If you're using Express or Restify with their default routers and are satisfied with your application being represented by those frameworks' route matchers, you may not need to do anything. However, if you want more specific names than are provided by your framework, you may want to use one or more of the tools described further on.
The simplest way to tell that you need to read further in this document is if
you feel too many of your requests are being lumped together under the
catch-all name /*
. All requests that aren't otherwise named by the module
will end up grouped under /*
.
If you've been working with Node for a while, you're probably accustomed to thinking of your application's requests in terms of raw URLs. One of the great things about Node is that it makes it so easy and simple to work with HTTP, and that extends to things like parsing URLs and creating your own strategies for naming and routing requests for services like RESTful APIs. This presents a challenge for New Relic, because we need to keep the number of names we're tracking small enough that we can keep the New Relic user experience snappy, and also so we don't overwhelm you with so much data that it's difficult for you to see the problem spots in your applications. URLs are not a good fit for how New Relic sees performance.
Another of Node's great strengths is that it provides a lot of tools that build
on top of the http
module to simplify writing web services. Unfortunately,
that variety greatly complicates things for us, with our limited resources, and
so we offer a few different tools to help you give us the information we need
to provide you useful metrics about your application:
Requests are mapped to transaction names using a deterministic process:
/*
, which puts that request in the undifferentiated, default bucket
for requests. This will typically only happen in situations where your
application uses either no framework, or a framework with a router that
isn't currently supported by New Relic.Let's go through the naming tools one at a time.
Express is the most popular web framework in use within the Node community, and
a number of important services are also using Restify. Both frameworks map
routes to handlers, and both use a similar pattern to do so: they match one or
more HTTP methods (e.g. GET
or the ever-popular OPTIONS
– let's hear it for
CORS) along with a potentially parameterized path (e.g. /user/:id
) or a
regular expression (e.g. /^/user/([-0-9a-f]+)$/
). New Relic will capture
both those pieces of information in the request name. If you have support for
slow transaction traces and have enabled capture_params
, the transaction
trace will also have the request's parameters and their values attached to it.
The only important thing to know about New Relic's support for Express and Restify is that if you're dissatisfied with the names it comes up with, you can use the API calls described below to come up with more descriptive names. Also, if you use a different web framework or router and would like to see support for it added, please let us know.
The API is what's handed back from require('newrelic')
, so
var newrelic = require('newrelic');
is all you need. Please note that you still need to ensure that loading the New Relic module is the first thing your application does, as it needs to bootstrap itself before the rest of your application loads, but you can safely require the module from multiple modules in your application – it will only initialize itself once.
Name the current request. You can call this function anywhere within the context of an HTTP request handler, at any time after handling of the request has started, but before the request has finished. A good rule of thumb is that if the request and response objects are in scope, you can set the name.
Explicitly calling newrelic.setTransactionName()
will override any names set
by Express or Restify routes. Calls to newrelic.setTransactionName()
and
newrelic.setControllerName()
will overwrite each other. The last call made
before the request ends wins.
VERY IMPORTANT NOTE: Do not include highly variable information like GUIDs, numerical IDs, or timestamps in the request names you create. If your request is slow enough to generate a transaction trace, that trace will contain the original URL. If you enable parameter capture, the parameters will also be attached to the trace. The request names are used to group requests for New Relic's many charts and tables, and those visualizations' value drops as the number of different request names increases. If you have 50 or so different transaction names, you're probably pushing it. If you have more than a couple hundred, you need to rethink your naming strategy.
Name the current request using a controller-style pattern, optionally including
the current controller action. If the action is omitted, New Relic will include
the HTTP method (e.g. GET
, POST
) as the action. The rules for when you can
call newrelic.setControllerName()
are the same as they are for
newrelic.setTransactionName()
.
Explicitly calling newrelic.setControllerName()
will override any names set
by Express or Restify routes. Calls to newrelic.setTransactionName()
and
newrelic.setControllerName()
will overwrite each other. The last one to run
before the request ends wins.
See the above note on newrelic.setTransactionName()
, which also applies to
this function.
If you don't feel like putting calls to the New Relic module directly into your application code, you can use pattern-based rules to name requests. There are two sets of rules: one for renaming requests, and one to mark requests to be ignored by New Relic.
If you're using socket.io, you will have a use case for ignoring rules right out of the box. You'll probably want to add a rule like the following:
// newrelic.js
exports.config = {
// other configuration
rules : {
ignore : [
'^/socket.io/.*/xhr-polling'
]
}
};
This will keep socket.io long-polling from dominating your response-time metrics and blowing out the apdex metrics for your application.
A list of rules of the format {pattern : "pattern", name : "name"}
for
matching incoming request URLs to pattern
and naming the matching New Relic
transactions name
. When automatically naming rules from the router
configuration, the patterns are still applied to the URL path, and not the name
returned by the router. The pattern can be set as either a string or a
JavaScript regular expression literal. Both pattern and name are required.
Additional attributes are ignored.
Can also be set via the environment variable NEW_RELIC_NAMING_RULES
, with
multiple rules passed in as a list of comma-delimited JSON object literals:
NEW_RELIC_NAMING_RULES='{"pattern":"^t","name":"u"},{"pattern":"^u","name":"t"}'
A list of patterns for matching incoming request URLs to be ignored. When using ignoring rules with instrumented routers, the matches are still made against the URL paths, not the name returned by the router. Patterns may be strings or regular expressions.
Can also be set via the environment variable NEW_RELIC_IGNORING_RULES
, with
multiple rules passed in as a list of comma-delimited patterns:
NEW_RELIC_IGNORING_RULES='^/socket\.io/\*/xhr-polling,ignore_me'
Note that
currently there is no way to escape commas in patterns.
Programmatic version of rules.name
above. Naming rules can not be removed
until the Node process is restarted. They can also be added via the module's
configuration. Both parameters are mandatory.
Programmatic version of rules.ignore
above. Ignoring rules can not be removed
until the Node process is restarted. They can also be added via the module's
configuration. The pattern is mandatory.
Set a custom parameter value to be displayed along with the transaction trace in the New Relic UI. This must be called within the context of a transaction, so it has a place to set the custom parameters. Only displayed in the transaction trace detail view.
Tell the module explicitly whether or not a given request should be ignored.
Allows you to explicitly filter out long-polling routes or requests you know
are going to be time-consuming in an uninteresting way, and also allows you
to gather metrics for requests that would otherwise be ignored. Note that
to prevent a transaction from being ignored with this function, you must
pass false
as the parameter – in this case null
or undefined
will be
ignored.
If your app is doing its own error handling with domains or try/catch clauses, but you want all of the information about how many errors are coming out of the app to be centrally managed, use this call. Unlike most of the calls here, this function can be used outside of route handlers, but will have additional context if called from within transaction scope. If custom parameters are passed in on an object literal, they will be passed back to New Relic for display.
This is the Node-specific version of New Relic's transaction naming API documentation. The naming API exists to help us deal with the very real problem that trying to handle too many metrics will make New Relic slow for everybody, not just the account with too many metrics. If, in conversation with New Relic Support, you see discussion of "metric explosion", this is what they're talking about.
While we have a variety of strategies for dealing with these issues, the most severe is simply to blacklist offending applications. The main reason for you to be careful in using our request-naming tools is to prevent that from happening to your applications. We will do everything in our power to ensure that you have a good experience with New Relic even if your application is causing us trouble, but sometimes this will require manual intervention on the part of our team, and this can take a little while.
The module can be tailored to your app's requirements, both from the server and
via the newrelic.js configuration file you created. For complete details on
what can be configured, refer to
lib/config.default.js
,
which documents the available variables and their default values.
In addition, for those of you running in PaaS environments like Heroku or
Microsoft Azure, all of the configuration variables in newrelic.js
have
counterparts that can be set via environment variables. You can mix and match
variables in the configuration file and environment variables freely;
environment variables take precedence.
Here's the list of the most important variables and their values:
NEW_RELIC_LICENSE_KEY
: Your New Relic license key. This is a required
setting with no default value.NEW_RELIC_APP_NAME
: The name of this application, for reporting to New
Relic's servers. This value can be also be a comma-delimited list of names.
This is a required setting with no default value. (NOTE: as a convenience to
Azure users, the module will use APP_POOL_ID
as the application name if
it's set, so you can use the name you chose for your Azure Web Server without
setting it twice.)NEW_RELIC_NO_CONFIG_FILE
: Inhibit loading of the configuration file
altogether. Use with care. This presumes that all important configuration
will be available via environment variables, and some log messages assume
that a config file exists.NEW_RELIC_HOME
: path to the directory in which you've placed newrelic.js.NEW_RELIC_USE_SSL
: Use SSL for communication with New Relic's servers.
Enabled by default.NEW_RELIC_LOG
: Complete path to the New Relic agent log, including the
filename. The agent will shut down the process if it can't create this file,
and it creates the log file with the same umask of the process. Setting this
to stdout
will write all logging to stdout, and stderr
will write all
logging to stderr.NEW_RELIC_LOG_LEVEL
: Logging priority for the New Relic agent. Can be one
of error
, warn
, info
, debug
, or trace
. debug
and trace
are
pretty chatty; unless you're helping New Relic figure out irregularities with
the module, you're probably best off using info
or higher.For completeness, here's the rest of the list:
NEW_RELIC_ENABLED
: Whether or not the agent should run. Good for
temporarily disabling the agent while debugging other issues with your code.
It doesn't prevent the module from bootstrapping its instrumentation or
setting up all its pieces, it just prevents it from starting up or connecting
to New Relic's servers. Defaults to true.NEW_RELIC_ERROR_COLLECTOR_ENABLED
: Whether or not to trace errors within
your application. Values are true
or false
. Defaults to true.NEW_RELIC_ERROR_COLLECTOR_IGNORE_ERROR_CODES
: Comma-delimited list of HTTP
status codes to ignore. Maybe you don't care if payment is required? Ignoring
a status code means that the transaction is not renamed to match the code,
and the request is not treated as an error by the error collector. Defaults
to ignoring 404.NEW_RELIC_IGNORE_SERVER_CONFIGURATION
: Whether to ignore server-side
configuration for this application. Defaults to false.NEW_RELIC_TRACER_ENABLED
: Whether to collect and submit slow transaction
traces to New Relic. Values are true
or false
. Defaults to true.NEW_RELIC_TRACER_THRESHOLD
: Duration (in seconds) at which a transaction
trace will count as slow and be sent to New Relic. Can also be set to
apdex_f
, at which point it will set the trace threshold to 4 times the
current ApdexT.NEW_RELIC_APDEX
: Set the initial Apdex tolerating / threshold value in
seconds. This is more often than not set from the server. Defaults to 0.100.NEW_RELIC_CAPTURE_PARAMS
: Whether to capture request parameters on slow
transaction or error traces. Defaults to false.NEW_RELIC_IGNORED_PARAMS
: Some parameters may contain sensitive values you
don't want being sent out of your application. This setting is a
comma-delimited list of names of parameters to ignore. Defaults to empty.NEW_RELIC_NAMING_RULES
: A list of comma-delimited JSON object literals:
NEW_RELIC_NAMING_RULES='{"pattern":"^t","name":"u"},{"pattern":"^u","name":"t"}'
See the section on request and transaction naming for details. Defaults to
empty.NEW_RELIC_IGNORING_RULES
: A list of comma-delimited patterns:
NEW_RELIC_IGNORING_RULES='^/socket\.io/.*/xhr-polling,ignore_me'
Note that
currently there is no way to escape commas in patterns. Defaults to empty.NEW_RELIC_TRACER_TOP_N
: Increase this number to increase the diversity of
slow transaction traces sent to New Relic. Defaults to 1. See the description
in lib/config.default.js
, as this feature is exceedingly hard to summarize.NEW_RELIC_HOST
: Hostname for the New Relic collector. You shouldn't
need to change this.NEW_RELIC_PORT
: Port number on which the New Relic collector will be
listening. You shouldn't need to change this either.NEW_RELIC_PROXY_URL
: A fully-qualified URL to an http/https proxy.
The proxy URL may include basic authentication.
The use of NEW_RELIC_PROXY_URL
overrides other proxy settings.NEW_RELIC_PROXY_HOST
: Proxy hostnameNEW_RELIC_PROXY_PORT
: Proxy port.NEW_RELIC_PROXY_USER
: Proxy user name (basic auth only).NEW_RELIC_PROXY_PASS
: Proxy password.NEW_RELIC_DEBUG_METRICS
: Whether to collect internal supportability metrics
for the agent. Don't mess with this unless New Relic asks you to.NEW_RELIC_DEBUG_TRACER
: Whether to dump traces of the transaction tracer's
internal operation. It's unlikely to be informative unless you're a New Relic
Node.js engineer and it has a significant performance cost, so use with care.NEW_RELIC_BROWSER_MONITOR_ENABLE
: Whether to generate browser timing (RUM) headers or not.We take security (and the protection of your and your users' privacy) very seriously. See SECURITY.md for details, but the brief version is that if you feel you've found a security issue in New Relic for Node, contact us at security@newrelic.com.
We owe a debt to all of the beta testers and users who have provided us with feedback, and in some cases significant pieces of code. (If you wish to contribute, please see CONTRIBUTING.md in this directory.) In particular, we're indebted to these people:
Information about changes to the module are in NEWS.md.
New Relic for Node is free-to-use, proprietary software. Please see the full license (found in LICENSE in this distribution) for details on its license and the licenses of its dependencies.
FAQs
New Relic agent
The npm package newrelic receives a total of 856,936 weekly downloads. As such, newrelic popularity was classified as popular.
We found that newrelic demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.