
@newrelic/security-agent

New Relic Security Agent for Node.js

Versions: 6
License: New Relic Software License v1.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

newrelic

Keywords

instrumentation, IAST, RASP, New Relic Security Agent, Node.js Application Security

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source     | Rule                         | Reason                                                                                                                              | Accepted by | When
provenance | slsa-provenance              | AI (provenance): SLSA provenance via Sigstore/CI is a strong integrity signal for this New Relic org package.                        | ai          |
semgrep    | semgrep:base64-decode        | AI (semgrep): Decoding fuzz request headers in gRPC hook; expected for IAST agent functionality.                                     | ai          |
semgrep    | semgrep:eval-usage           | AI (semgrep): Eval used for generator function feature detection, not arbitrary input execution. Stable pattern for this security agent. | ai      |
semgrep    | semgrep:child-process-import | AI (semgrep): Security instrumentation agent legitimately imports child_process to monitor system calls; expected for IAST/RASP tooling. | ai      |
semgrep    | semgrep:dynamic-require      | AI (semgrep): Dynamic require resolves own package.json for version info using a known config constant; not user-controlled input.   | ai          |

Versions (showing 6 of 6)

Version | Deps    | Published
3.0.4   | 17 / 30 |
3.0.3   | 18 / 30 |
3.0.2   | 18 / 30 |
3.0.1   | 22 / 30 |
3.0.0   | 22 / 30 |
0.2.0   | 22 / 30 |

v3.0.4

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.3

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.2

2 findings
HIGH: Publisher changed: newrelic → GitHub Actions (on 2026-02-17) [provenance]

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

2 findings
HIGH: Publisher changed: newrelic → GitHub Actions (on 2026-01-29) [provenance]

This version was published by a different npm account than previous versions on 2026-01-29. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.0

2 findings
HIGH: Publisher changed: newrelic → GitHub Actions (on 2026-01-06) [provenance]

This version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.