Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The New Relic npm package is a powerful tool for monitoring and managing the performance of your Node.js applications. It provides insights into application performance, error tracking, and user interactions, helping developers to optimize and troubleshoot their applications effectively.
Application Performance Monitoring (APM)
New Relic APM provides detailed insights into the performance of your application, including response times, throughput, and error rates. By simply requiring the New Relic module at the start of your application, it will automatically start monitoring your app's performance.
const newrelic = require('newrelic');
// Your application code here
// New Relic will automatically monitor your app's performance
Custom Instrumentation
Custom instrumentation allows you to monitor specific parts of your application that are not automatically tracked by New Relic. By using the `getTransaction` method, you can create custom transactions and measure their performance.
const newrelic = require('newrelic');
function myCustomFunction() {
  const transaction = newrelic.getTransaction();
  // Your custom code here
  transaction.end();
}
myCustomFunction();
Error Tracking
New Relic provides error tracking capabilities that allow you to capture and report errors that occur in your application. By using the `noticeError` method, you can send error details to New Relic for further analysis.
const newrelic = require('newrelic');
try {
  // Your code that might throw an error
} catch (error) {
  newrelic.noticeError(error);
}
Custom Events
Custom events allow you to send specific events to New Relic for tracking and analysis. By using the `recordCustomEvent` method, you can create and send custom events with associated data.
const newrelic = require('newrelic');
newrelic.recordCustomEvent('MyCustomEvent', {
  key1: 'value1',
  key2: 'value2'
});
AppDynamics is a comprehensive application performance management (APM) solution that provides real-time monitoring and analytics for applications. It offers similar functionalities to New Relic, including performance monitoring, error tracking, and custom instrumentation. AppDynamics is known for its robust analytics and detailed transaction tracking.
Datadog is a monitoring and analytics platform for cloud applications. It provides APM, log management, and infrastructure monitoring. Datadog offers similar features to New Relic, such as performance monitoring and error tracking, but it also includes extensive support for infrastructure monitoring and log management, making it a more comprehensive solution for full-stack monitoring.
Elastic APM is part of the Elastic Stack and provides performance monitoring for applications. The `elastic-apm-node` package allows you to monitor Node.js applications with features like transaction tracking, error reporting, and custom instrumentation. It integrates seamlessly with other Elastic Stack components, such as Elasticsearch and Kibana, for powerful data analysis and visualization.
This package instruments your application for performance monitoring with New Relic.
In order to take full advantage of this package, make sure you have a New Relic account before starting. Available features, such as slow transaction traces, will vary based on account level.
As with any instrumentation tool, please test before using in production.
To use New Relic's Node.js agent entails these three steps, which are described in detail below:
To install the agent for performance monitoring, use your favorite npm-based package manager and install the `newrelic` package into your application:
$ npm install newrelic
Then, copy the stock configuration file to your program's base folder:
$ cp ./node_modules/newrelic/newrelic.js ./<your destination>
Now, add your New Relic license key and application/service name to that file:
/* File: newrelic.js */
'use strict'
/**
 * New Relic agent configuration.
 *
 * See lib/config/default.js in the agent distribution for a more complete
 * description of configuration variables and their potential values.
 */
exports.config = {
  app_name: ['Your application or service name'],
  license_key: 'your new relic license key',
  /* ... rest of configuration .. */
}
Run your program with the `newrelic` module loaded first by using node's `-r/--require` flag:
$ node -r newrelic your-program.js
If you cannot control how your program is run, you can load the `newrelic` module before any other module in your program.
const newrelic = require('newrelic')
/* ... the rest of your program ... */
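The configuration step above puts the license key into a file that usually lives in the repository, so a check for a committed key is worth running before that file is pushed. The following is an added example, not code from the New Relic agent: `findHardcodedLicenseKeys` is a hypothetical helper, the sample configs are constructed, and it assumes the key is supplied at runtime through the agent's `NEW_RELIC_LICENSE_KEY` environment variable instead.

```javascript
'use strict'
// Added example, not New Relic code. Flags a license key committed as a string
// literal in newrelic.js or newrelic.cjs. findHardcodedLicenseKeys is a
// hypothetical helper name.

// Placeholder text from the sample config above; it is not a secret.
const PLACEHOLDER = 'your new relic license key'

// Matches `license_key: '<literal>'` with single, double or backtick quotes.
const LITERAL_KEY = /\blicense_key\s*:\s*(['"`])((?:\\.|(?!\1).)*)\1/g

function findHardcodedLicenseKeys(source) {
  const findings = []
  // Comments are scanned too: a key left in a commented-out line is still leaked.
  for (const match of source.matchAll(LITERAL_KEY)) {
    const [, quote, value] = match
    if (value === '' || value === PLACEHOLDER) continue
    // A template literal with an interpolation is assembled at runtime.
    if (quote === '`' && value.includes('${')) continue
    const line = source.slice(0, match.index).split('\n').length
    // Report a short prefix only, so the finding does not repeat the secret.
    findings.push({ line, preview: value.slice(0, 4) + '...', length: value.length })
  }
  return findings
}

// Constructed sample configs; the 40-character key is made up.
const hardcoded = [
  'exports.config = {',
  "  app_name: ['billing-api'],",
  "  license_key: '0123456789abcdef0123456789abcdef01234567'",
  '}'
].join('\n')
const fromEnv = [
  'exports.config = {',
  "  app_name: ['billing-api'],",
  '  license_key: process.env.NEW_RELIC_LICENSE_KEY',
  '}'
].join('\n')
const stock = "exports.config = { license_key: 'your new relic license key' }"

for (const [name, src] of Object.entries({ hardcoded, fromEnv, stock })) {
  console.log(name, findHardcodedLicenseKeys(src))
}
```

A pre-commit hook or CI step can fail the build whenever the returned list is non-empty.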
Note: The minimum supported Next.js version is 12.0.9. If you are using Next.js middleware the minimum supported version is 12.2.0.
The New Relic Node.js agent provides instrumentation for Next.js. The instrumentation provides telemetry for server-side rendering via getServerSideProps, middleware, and New Relic transaction naming for both page and server requests. It does not provide any instrumentation for actions occurring during build or in client-side code. If you want telemetry data on actions occurring on the client (browser), you can inject the browser agent.
Here are documents for more in-depth explanations about transaction naming, and segments/spans.
Typically you are running a Next.js app with the `next` CLI and you must load the agent via `NODE_OPTIONS`:
NODE_OPTIONS='-r newrelic' next start
If you are having trouble getting the `newrelic` package to instrument Next.js, take a look at our FAQs.
The following example applications show how to load the `newrelic` instrumentation, inject browser agent, and handle errors:
If you are using next as a custom server, you're probably not running your application with the `next` CLI. In that scenario we recommend running the Next.js instrumentation as follows.
node -r newrelic your-program.js
If your application is written with `import` and `export` statements in JavaScript, you are using ES Modules and must bootstrap the agent in a different way.
The New Relic Node.js agent includes experimental support for ES Modules. The agent is reliant on an experimental feature in Node.js in order to appropriately register instrumentation. Until the Node.js API for ES Module Loaders is stable, breaking changes may occur when updating Node.js. Lastly, the ESM loader does not follow the same supported Node.js versions as the agent. The minimum supported version of Node.js is v16.12.0.
Rename `newrelic.js` to `newrelic.cjs` so it can be properly loaded. All the contents of the configuration file will behave the same once you rename. See CommonJS modules in ESM for more details.
$ mv newrelic.js newrelic.cjs
Start your program with the `--experimental-loader` flag and a path to the loader file, like this:
$ node --experimental-loader newrelic/esm-loader.mjs -r newrelic your-program.js
Note: Unlike the CommonJS methods listed above, there are no alternatives to running the agent without the `--experimental-loader` flag.
The agent supports adding your own custom instrumentation to ES module applications. You can use the instrumentation API methods. The only other difference between CommonJS custom instrumentation and ESM is you must provide a property of `isEsm: true`.
import newrelic from 'newrelic'
newrelic.instrument({ moduleName: 'parse-json', isEsm: true }, function wrap(shim, parseJson, moduleName) {
  shim.wrap(parseJson.default, function wrapParseJson(shim, orig) {
    return function wrappedParseJson() {
      const result = orig.apply(this, arguments)
      result.instrumented = true
      // Return the original result so callers of parse-json still receive the parsed value
      return result
    }
  })
})
We support the following custom instrumentation API methods in ES module apps:
newrelic.instrument
newrelic.instrumentConglomerate
newrelic.instrumentDatastore
newrelic.instrumentMessages
newrelic.instrumentWebframework
Note that we do not support `newrelic.instrumentLoadedModule`, for the same issue of immutability mentioned above.
If you want to see an example of how to write custom instrumentation in an ES module app, check out our examples repo for a working demo.
For more information on getting started, check the Node.js docs.
There are modules that can be installed and configured to accompany the Node.js agent:
There are modules included within the Node.js agent to add more instrumentation for 3rd party modules:
The `newrelic` module returns an object with the Node.js agent's API methods attached.
const newrelic = require('newrelic')
/* ... */
newrelic.addCustomAttribute('some-attribute', 'some-value')
You can read more about using the API over on the New Relic documentation site.
These are the steps to work on core agent features, with more detail below:
Fork and clone this GitHub repository:
$ git clone git@github.com:your-user-name/node-newrelic.git
$ cd node-newrelic
Install the project's dependencies:
$ npm install
Then you're all set to start programming.
$ npm run services
$ npm run test
Available test suites include:
$ npm run unit
$ npm run integration
$ npm run versioned
$ npm run lint
$ npm run smoke
Here are some resources for learning more about the agent:
Configuring the agent using `newrelic.js` or environment variables
Example applications - Working examples of New Relic features in Node.js.
Should you need assistance with New Relic products, you are in good hands with several support channels.
If the issue has been confirmed as a bug or is a feature request, please file a GitHub issue.
Support Channels
At New Relic we take your privacy and the security of your information seriously, and are committed to protecting your information. We must emphasize the importance of not sharing personal data in public forums, and ask all users to scrub logs and diagnostic information for sensitive information, whether personal, proprietary, or otherwise.
We define “Personal Data” as any information relating to an identified or identifiable individual, including, for example, your name, phone number, post code or zip code, Device ID, IP address and email address.
Please review New Relic’s General Data Privacy Notice for more information.
See our roadmap, to learn more about our product vision, understand our plans, and provide us valuable feedback.
We encourage your contributions to improve the Node.js agent! Keep in mind when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.
If you have any questions, or to execute our corporate CLA, required if your contribution is on behalf of a company, please drop us an email at opensource@newrelic.com.
A note about vulnerabilities
As noted in our security policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.
If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through our bug bounty program.
If you would like to contribute to this project, review these guidelines.
To all contributors, we thank you! Without your contribution, this project would not be what it is today. We also host a community project page dedicated to New Relic Node Agent.
Except as noted below, the Node.js agent is licensed under the Apache 2.0 License.
The New Relic security agent is licensed under the New Relic Software License v1.0. The New Relic security agent module may be integrated like the New Relic Node.js agent.
The Node.js agent also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.
FAQs
New Relic agent
We found that newrelic demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.