Gathering detailed insights and metrics for newrelic
Gathering detailed insights and metrics for newrelic
New Relic Node.js agent code base. Developers are welcome to create pull requests here, please see our contributing guidelines. For New Relic technical support, please go to http://support.newrelic.com.
Installations
npm install newrelicDeveloper
newrelic
Developer Guide
BETA
Module System
Unable to determine the module system for this package.
Min. Node Version
>=18
Typescript Support
No
Node Version
22.11.0
NPM Version
10.9.0
Statistics
971 Stars
10,624 Commits
399 Forks
44 Watching
7 Branches
147 Contributors
Updated on 26 Nov 2024
Languages
JavaScript (99.47%)
HTML (0.23%)
Shell (0.16%)
PowerShell (0.08%)
Handlebars (0.02%)
Batchfile (0.02%)
TypeScript (0.01%)
Total Downloads
Cumulative downloads
Total Downloads
223,132,873
Last day
-7.6%
153,562
Compared to previous day
Last week
-0.8%
856,976
Compared to previous week
Last month
5.9%
3,694,241
Compared to previous month
Last year
6.9%
43,046,367
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
14
Dev Dependencies
45
@aws-sdk/client-s3@aws-sdk/s3-request-presigner@koa/router@matteo.collina/tspl@newrelic/eslint-config@newrelic/newrelic-oss-cli@newrelic/test-utilities@octokit/rest@slack/bolt@smithy/eventstream-codec@smithy/util-utf8ajvasyncaws-sdkborpc8clean-jsdoc-themecommanderconventional-changelog-conventionalcommitsconventional-changelog-writerconventional-commits-parsereslinteslint-plugin-disableeslint-plugin-jsdoceslint-plugin-sonarjsexpressgit-raw-commitsglobgothuskyjsdockoakoa-routekoa-routerlint-stagedlockfile-lintnockproxyquirerimrafself-certshouldsinonsuperagenttaptemp
Optional Dependencies
3
Versions
New Relic's Node.js agent
This package instruments your application for performance monitoring with New Relic.
In order to take full advantage of this package, make sure you have a New Relic account before starting. Available features, such as slow transaction traces, will vary based on account level.
As with any instrumentation tool, please test before using in production.
Installation
To use New Relic's Node.js agent entails these three steps, which are described in detail below:
- Install the
newrelicpackage - Create a base configuration file
- Require the agent in your program
-
To install the agent for performance monitoring, use your favorite npm-based package manager and install the
newrelicpackage into your application:1$ npm install newrelic -
Then, copy the stock configuration file to your program's base folder:
1$ cp ./node_modules/newrelic/newrelic.js ./<your destination> -
Now, add your New Relic license key and application/service name to that file:
1 /* File: newrelic.js */ 2 'use strict' 3 /** 4 * New Relic agent configuration. 5 * 6 * See lib/config/default.js in the agent distribution for a more complete 7 * description of configuration variables and their potential values. 8 */ 9 exports.config = { 10 app_name: ['Your application or service name'], 11 license_key: 'your new relic license key', 12 /* ... rest of configuration .. */ 13 }
- Finally, run your program with the
newrelicmodule loaded first by using node's-r/--requireflag.
$ node -r newrelic your-program.js
If you cannot control how your program is run, you can load the newrelic module before any other module in your program.
1 const newrelic = require('newrelic') 2 3 /* ... the rest of your program ... */
Next.js instrumentation
Note: The minimum supported Next.js version is 12.0.9. If you are using Next.js middleware the minimum supported version is 12.2.0.
The New Relic Node.js agent provides instrumentation for Next.js The instrumentation provides telemetry for server-side rendering via getServerSideProps, middleware, and New Relic transaction naming for both page and server requests. It does not provide any instrumentation for actions occurring during build or in client-side code. If you want telemetry data on actions occurring on the client (browser), you can inject the browser agent.
Here are documents for more in-depth explanations about transaction naming, and segments/spans.
Setup
Typically you are running a Next.js app with the next cli and you must load the agent via NODE_OPTIONS:
1NODE_OPTIONS='-r newrelic' next start
If you are having trouble getting the newrelic package to instrument Next.js, take a look at our FAQs.
Next.js example projects
The following example applications show how to load the newrelic instrumentation, inject browser agent, and handle errors:
Custom Next.js servers
If you are using next as a custom server, you're probably not running your application with the next CLI. In that scenario we recommend running the Next.js instrumentation as follows.
1node -r newrelic your-program.js
ECMAScript Modules
If your application is written with import and export statements in javascript, you are using ES Modules and must bootstrap the agent in a different way.
The New Relic Node.js agent includes experimental support for ES Modules. The agent is reliant on an experimental feature in Node.js in order to appropriately register instrumentation. Until the Node.js API for ES Module Loaders is stable, breaking changes may occur when updating Node.js. Lastly, the ESM loader does not follow the same supported Node.js versions as the agent. The minimum supported version of Node.js is v16.12.0.
Setup
- If you rely on a configuration file to run the agent, you must rename the file from
newrelic.jstonewrelic.cjsso it can be properly loaded. All the contents of the configuration file will behave the same once you rename. See CommonJS modules in ESM for more details.
1$ mv newrelic.js newrelic.cjs
- To use the newrelic ESM loader, start your program with node and use the
--experimental-loaderflag and a path to the loader file, like this:
1$ node --experimental-loader newrelic/esm-loader.mjs -r newrelic your-program.js
Note: Unlike the CommonJS methods listed above, there are no alternatives to running the agent without the --experimental-loader flag.
Custom Instrumentation
The agent supports adding your own custom instrumentation to ES module applications. You can use the instrumentation API methods. The only other difference between CommonJS custom instrumentation and ESM is you must provide a property of isEsm: true.
1import newrelic from 'newrelic' 2newrelic.instrument({ moduleName: 'parse-json', isEsm: true }, function wrap(shim, parseJson, moduleName) { 3 shim.wrap(parseJson.default, function wrapParseJson(shim, orig) { 4 return function wrappedParseJson() { 5 const result = orig.apply(this, arguments) 6 result.instrumented = true 7 return true 8 } 9 }) 10})
We support the following custom instrumentation API methods in ES module apps:
newrelic.instrumentnewrelic.instrumentConglomeratenewrelic.instrumentDatastorenewrelic.instrumentMessagesnewrelic.instrumentWebframework
Note that we do not support newrelic.instrumentLoadedModule, for the same issue of immutability mentioned above.
If you want to see an example of how to write custom instrumentation in an ES module app, check out our examples repo for a working demo.
Getting Started
For more information on getting started, check the Node.js docs.
External Modules
There are modules that can be installed and configured to accompany the Node.js agent:
- @newrelic/apollo-server-plugin: New Relic's official Apollo Server plugin for use with the Node.js agent.
There are modules included within the Node.js agent to add more instrumentation for 3rd party modules:
- @newrelic/native-metrics: Provides hooks into the native v8 layer of Node.js to provide metrics to the Node.js agent.
Usage
Using the API
The newrelic module returns an object with the Node.js agent's API methods attached.
1 const newrelic = require('newrelic') 2 3 /* ... */ 4 newrelic.addCustomAttribute('some-attribute', 'some-value')
You can read more about using the API over on the New Relic documentation site.
Testing
These are the steps to work on core agent features, with more detail below:
- Fork the agent
- Install its dependencies
- Run tests using
npm
-
Fork and clone this GitHub repository:
$ git clone git@github.com:your-user-name/node-newrelic.git $ cd node-newrelic
-
Install the project's dependencies:
$ npm install
Then you're all set to start programming.
To run the test suite
- Install Docker
- Start the Docker services:
$ npm run services - Run all the tests using
$ npm run test
Available test suites include:
$ npm run unit
$ npm run integration
$ npm run versioned
$ npm run lint
$ npm run smoke
Further Reading
Here are some resources for learning more about the agent:
-
Configuring the agent using
newrelic.jsor environment variables -
Example applications - Working examples of New Relic features in Node.js.
Support
Should you need assistance with New Relic products, you are in good hands with several support channels.
If the issue has been confirmed as a bug or is a feature request, please file a GitHub issue.
Support Channels
- New Relic Documentation: Comprehensive guidance for using our platform
- New Relic Community: The best place to engage in troubleshooting questions
- New Relic Developer: Resources for building a custom observability applications
- New Relic University: A range of online training for New Relic users of every level
- New Relic Technical Support 24/7/365 ticketed support. Read more about our Technical Support Offerings.
Privacy
At New Relic we take your privacy and the security of your information seriously, and are committed to protecting your information. We must emphasize the importance of not sharing personal data in public forums, and ask all users to scrub logs and diagnostic information for sensitive information, whether personal, proprietary, or otherwise.
We define “Personal Data” as any information relating to an identified or identifiable individual, including, for example, your name, phone number, post code or zip code, Device ID, IP address and email address.
Please review New Relic’s General Data Privacy Notice for more information.
Roadmap
See our roadmap, to learn more about our product vision, understand our plans, and provide us valuable feedback.
Contribute
We encourage your contributions to improve the Node.js agent! Keep in mind when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.
If you have any questions, or to execute our corporate CLA, required if your contribution is on behalf of a company, please drop us an email at opensource@newrelic.com.
A note about vulnerabilities
As noted in our security policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.
If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through our bug bounty program.
If you would like to contribute to this project, review these guidelines.
To all contributors, we thank you! Without your contribution, this project would not be what it is today. We also host a community project page dedicated to New Relic Node Agent.
License
Except as noted below, the Node.js agent is licensed under the Apache 2.0 License.
The New Relic security agent is licensed under the New Relic Software License v1.0. The New Relic security agent module may be integrated like the New Relic Node.js agent.
The Node.js agent also uses source code from third-party libraries. You can find full details on which libraries are used and the terms under which they are licensed in the third-party notices document.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
30 commit(s) and 28 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/azure-site-extension.yml:14
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/newrelic/.github/SECURITY.md:1
- Info: Found linked content: github.com/newrelic/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/newrelic/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/newrelic/.github/SECURITY.md:1
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Warn: codeowners review is not required on branch 'main'
- Warn: 'last push approval' is disabled on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
SAST tool is not run on all commits -- score normalized to 4
Details
- Warn: 12 commits out of 30 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Info: Possibly incomplete results: error parsing shell code: reached EOF without closing quote ': .github/workflows/update-snyk-prs.yml:24
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/azure-site-extension.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/azure-site-extension.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/azure-site-extension.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/azure-site-extension.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/azure-site-extension.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/azure-site-extension.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/azure-site-extension.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/azure-site-extension.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/benchmark-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-tests.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/benchmark-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark-tests.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/benchmark-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:172: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:189: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:203: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:223: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:225: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:246: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/ci-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/compatibility-report.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/compatibility-report.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify-release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/notify-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify-release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/notify-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/post-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/post-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/post-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/post-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prep-release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/prep-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prep-release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/prep-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prep-release.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/prep-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-branch.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/publish-branch.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-branch.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/publish-branch.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-creation.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/release-creation.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-creation.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/release-creation.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-creation.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/release-creation.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/repolinter.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/repolinter.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/repolinter.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/repolinter.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/repolinter.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/repolinter.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-test-workflow.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/smoke-test-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-test-workflow.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/smoke-test-workflow.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-snyk-prs.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/update-snyk-prs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-snyk-prs.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/update-snyk-prs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/versioned-security-agent.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/versioned-security-agent.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/versioned-security-agent.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/versioned-security-agent.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/versioned-security-agent.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/newrelic/node-newrelic/versioned-security-agent.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark-tests.yml:29
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:87
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:111
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:230
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:63
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:143
- Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:179
- Warn: npmCommand not pinned by hash: .github/workflows/notify-release.yml:19
- Warn: npmCommand not pinned by hash: .github/workflows/post-release.yml:57
- Warn: npmCommand not pinned by hash: .github/workflows/post-release.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/prep-release.yml:45
- Warn: npmCommand not pinned by hash: .github/workflows/publish-branch.yml:23
- Warn: npmCommand not pinned by hash: .github/workflows/release-creation.yml:53
- Warn: npmCommand not pinned by hash: .github/workflows/release-creation.yml:55
- Warn: npmCommand not pinned by hash: .github/workflows/smoke-test-workflow.yml:29
- Warn: npmCommand not pinned by hash: .github/workflows/update-snyk-prs.yml:23
- Warn: npmCommand not pinned by hash: .github/workflows/versioned-security-agent.yml:76
- Warn: npmCommand not pinned by hash: .github/workflows/versioned-security-agent.yml:79
- Info: 0 out of 57 GitHub-owned GitHubAction dependencies pinned
- Info: 15 out of 16 third-party GitHubAction dependencies pinned
- Info: 0 out of 18 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/ci-workflow.yml:18
- Warn: no topLevel permission defined: .github/workflows/add-to-board.yml:1
- Warn: no topLevel permission defined: .github/workflows/azure-site-extension.yml:1
- Warn: no topLevel permission defined: .github/workflows/benchmark-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/board.yml:1
- Warn: no topLevel permission defined: .github/workflows/ci-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/compatibility-report.yml:1
- Warn: no topLevel permission defined: .github/workflows/create-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/notify-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/post-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/prep-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/prepare-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish-branch.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-creation.yml:1
- Warn: no topLevel permission defined: .github/workflows/repolinter.yml:1
- Warn: no topLevel permission defined: .github/workflows/smoke-test-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-snyk-prs.yml:1
- Warn: no topLevel permission defined: .github/workflows/versioned-security-agent.yml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More