← Home

@newrelic/native-metrics

npm Repository Homepage

A module for generating metrics from V8.

2
Versions
Apache-2.0
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

newrelic

Keywords

newrelicgcmetricsstatsgc-statsgc statsgc metricsnative-metricsnative metrics

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): New Relic migrated to GitHub Actions CI/CD publishing with SLSA attestation; publisher change is expected and documented. ai
publish-pattern dormant-publish AI (publish-pattern): Long dormancy followed by CI/CD migration is consistent with New Relic's publishing workflow change, not account takeover. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in build.js for native compilation; expected and stable for this package. ai
install-scripts install-script:install AI (install-scripts): node-gyp-build is the canonical install pattern for native Node.js addons; stable for this package. ai
phantom-deps phantom-dep:prebuildify AI (phantom-deps): prebuildify is a build-time tool invoked via build.js script, not directly imported in JS; stable false positive. ai
phantom-deps phantom-dep:nan AI (phantom-deps): nan is a native addon dependency referenced in binding.gyp/C++ sources, not JS imports; stable false positive. ai
npm-metadata bundled-binaries AI (npm-metadata): Prebuilt .node binaries are expected for a native metrics addon from the official New Relic org. ai

Versions (showing 2 of 2)

Version Deps Published
13.0.0 3 / 21
12.0.0 3 / 20

v13.0.0

2 findings
HIGH Publisher changed: newrelic → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v12.0.0

3 findings
HIGH Package has 'install' script install-scripts

Script: node-gyp-build

HIGH Bundled binary files (14) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/darwin-arm64/@newrelic+native-metrics.abi115.uv1.armv8.glibc.node • prebuilds/linux-arm64/@newrelic+native-metrics.abi115.uv1.armv8.glibc.node • prebuilds/linux-x64/@newrelic+native-metrics.abi115.uv1.glibc.node • prebuilds/win32-ia32/@newrelic+native-metrics.abi115.uv1.glibc.node • prebuilds/win32-x64/@newrelic+native-metrics.abi115.uv1.glibc.node • prebuilds/darwin-arm64/@newrelic+native-metrics.abi127.uv1.armv8.glibc.node • prebuilds/linux-arm64/@newrelic+native-metrics.abi127.uv1.armv8.glibc.node • prebuilds/linux-x64/@newrelic+native-metrics.abi127.uv1.glibc.node • prebuilds/win32-ia32/@newrelic+native-metrics.abi127.uv1.glibc.node • prebuilds/win32-x64/@newrelic+native-metrics.abi127.uv1.glibc.node ... and 4 more

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.