This document describes the steps that you should take to resolve naming disputes with other npm publishers. It also describes the steps you should take if you think a name infringes your trademark.
This document is additive to the guidelines in the npm Code of Conduct and npm Open-Source terms. Nothing in this document should be interpreted to contradict any aspect of the npm Code of Conduct or Open-Source Terms.
- Open a support ticket at https://support.github.com/contact/npm-name-disputes.
- Fill out the form with as much detail as possible.
- Support will address your request. Please note submitting a report does not guarantee the transfer of a package, org, or username.
When to use this process
This process is an excellent way to:
- Request a name that you believe is currently misleading or could be confused with a name used by your company or open source project
- Request a name related to your company or open source project that cannot be claimed via account recovery
If you see bad behavior or content you believe is unacceptable, refer to the Code of Conduct for guidelines on reporting violations. You are never expected to resolve abusive behavior on your own. We are here to help.
When not to use this process
This process is not available for dispute requests due to lack of activity related to a specific name.
Please also note there are cases where a party may have claim to a specific name, but giving that name to the requesting party would pose a supply-chain risk to the npm ecosystem. In such cases, requests may be denied independent of the validity of the claim.
npm processes Trademark claims under GitHub's Trademark Policy.
If you think another npm publisher is infringing your trademark, such as by using a confusingly similar package, org, or user account name, please submit a Trademark Policy Violation Report via our form.
Use of npm's own trademarks is covered by our Logo and Usage Policy.
This is a living document and may be updated from time to time. Please refer to the git history for this document to view the changes.
We do not pro-actively scan the registry for squatted packages, so the fact that a name is in use does not mean we consider it valid. The standards for what we consider squatting depend on what is being squatted:
Package names are considered squatted if the package has no genuine function.
Organization names are considered squatted if there are no packages published within a reasonable time. If an organization is a paid organization, it may have private packages that are invisible to third parties. For privacy reasons, we cannot reveal whether or not an organization has private packages, so a paid organization will never be considered squatted.
We are extremely unlikely to transfer control of a user name, as it is totally valid to be an npm user and never publish any packages: for instance, you might be part of an organization or need read-only access to private packages.
Copyright (C) npm, Inc., All rights reserved
This document may be reused under a Creative Commons Attribution-ShareAlike License.