npm Open-Source Terms
npm last updated these npm Open Source Terms on March 10, 2022. You can review prior versions at https://github.com/npm/documentation/blob/main/content/policies/open-source-terms.mdx.
These Terms include a number of important provisions that affect your rights and responsibilities, such as the disclaimers in "Disclaimers", limits on npm's liability to you in "Limits on Liability", and an agreement to arbitrate disputes individually in "Arbitration".
npm offers additional, paid services (Paid Services) that are subject to additional terms:
- Additional terms for npm Paid Services are available at https://docs.npmjs.com/policies/private-terms.
npm Open Source and any Paid Services you may agree to use are together called npm Services throughout these Terms.
You may only access or use npm Services by agreeing to these Terms. If npm adds any additional functionality to npm Services, you must agree to these Terms to use that new functionality, too. You show your agreement with npm on these Terms by creating a user account (your Account) or by accessing or using npm Services without creating an account. The agreement between you and npm is a legally binding contract (this Agreement).
npm may change these Terms and the additional terms for Paid Services in the future. npm will post changes on the Website with a new "last updated" date. If you have an Account, npm will notify you of changes by email to the address provided for your Account, by a message on the Website, or both. If you do not have an account, npm may notify you of changes by a general announcement via the Website, but it is up to you to check for changes to these Terms. After receiving notice of changes to these Terms, you must accept those changes to continue using npm Services. You accept changes to these Terms by continuing to use npm Services. npm may change, suspend, or discontinue npm Services at any time without notice or liability to you.
npm respects the exclusive rights of copyright holders and responds to notifications about alleged infringement via npm Services per the copyright policy at https://docs.npmjs.com/dmca (the Copyright Policy).
npm resolves disputes about package names, user names, and organization names in the Public Registry per the policy at https://docs.npmjs.com/disputes (Dispute Policy). This includes "package squatting".
Use of all npm Services is governed by the code of conduct at https://docs.npmjs.com/conduct (Code of Conduct).
npm permits use of npm trademarks per the policy at https://docs.npmjs.com/trademark.
Subject to these Terms, npm grants you permission to use npm Open Source. That permission is not exclusive to you, and you cannot transfer it to anyone else.
Your permission to use npm Open Source entitles you to do the following:
You may search for, download, publish, and manage packages of computer code (Packages) in the Public Registry, and otherwise interact with the Public Registry, via the command-line tool published by npm at https://www.github.com/npm/cli (the CLI).
You may search for, download, publish, and manage Packages using software other than CLI via application programming interfaces that npm publicly documents or makes available for public use (Public APIs).
You may search for and manage Packages in the Public Registry, and otherwise interact with the Public Registry, via the Website.
You may update and manage your Account via the Website.
You may visit, create an account for, and participate in, discussions on npm.community.
Your permission to use npm Open Source, as well as any permission you may have to use Paid Services, are subject to the following conditions:
You must be at least 13 years of age to use npm Services.
You may not use npm Services after npm says you may not, such as by disabling your Account.
You must use npm Services only in accordance with "Acceptable Use".
You may access and use data about the security of Packages, such as vulnerability reports, audit status reports, and supplementary security documentation, only for your own personal or internal business purposes. You may not provide others access to, copies of, or use of npm data about the security of Packages, directly or as part of other products or services.
You will not submit material to npm as a package or in any other form that violates npm's Acceptable Content, described below.
You will not disclose information that you do not have the right to disclose, such as confidential information of others.
You will not copy or share any personally identifiable information of any other person without their specific permission.
You will not violate any applicable law.
You will not use or attempt to use another person's Account without their specific permission.
You will not buy, sell, or otherwise trade in user names, organization names, names for Packages, or any other names reserved on npm Services, for money or other compensation.
You will not use npm Services' ability to send e-mail to send advertisements, chain letters, or other solicitations.
You will not automate access to, use, or monitor the Website, such as with a web crawler, browser plug-in or add-on, or other computer program that is not a web browser. You may replicate data from the Public Registry using the Public APIs per this Agreement.
You will not use npm Services to send email to distribution lists, newsgroups, or group mail aliases.
You will not falsely imply that you are affiliated with or endorsed by npm.
You will not operate illegal schemes, such as pyramid schemes, via npm Services.
You will not deep-hyperlink to images or other non-hypertext content served by npm Services.
You will not remove any marking indicating proprietary ownership from any material got via npm Services.
You will not display any portion of the Website via an HTML IFRAME.
You will not disable, avoid, or circumvent any security or access restrictions of npm Services, or access parts of npm Services not intended for access by you.
You will not strain infrastructure of npm Services with an unreasonable volume of requests, or requests designed to impose an unreasonable load on IT systems underlying npm Services. This rule is intentionally loose, to give npm the flexibility it needs to keep npm Services working for the user community as a whole. But to draw one clear line, under no circumstances are five million requests to npm Services in a single month-long period by any single individual, organization, or group of affiliated companies remotely reasonable. If you have a special need to make lots and lots of requests, our sales team can help.
You will not encourage or assist any other person in violation of "Acceptable Use".
Administrators at npm reserve the right to delete content hosted on the npm Services that they deem unacceptable. Unacceptable content can take the form of a package, a README file, a user or organization name, or any other content submitted to npm Services. A few examples of unacceptable content:
Content that is illegal, offensive, or otherwise harmful. This includes content that is harassing, inappropriate, or abusive.
Content in violation of law, infringing the intellectual property rights of others, violating the privacy or other rights of others, or in violation of any agreement with a third party. This includes code that violates a public license for others' work.
Content containing malicious computer code, such as computer viruses, computer worms, rootkits, back doors, or spyware. This includes content submitted for research purposes. Tools designed and documented explicitly to assist in security research are acceptable, but exploits and malware that use the npm registry as a deployment or delivery vector are not.
Packages that are not functionally compatible with the npm command-line client. For example, a "package" cannot simply be a PNG or JPEG image, a movie file, or a text document uploaded directly to the registry. Using the Public Registry as a general purpose database is not allowed.
Content that exists only to "reserve" a name, whether a package name, user name, or organization name. The Dispute Policy governs how npm handles such cases of "squatting".
To find out how to report violations of Acceptable Content, refer to the Code of Conduct.
The npm Public Registry is about Packages. All manner of useful Packages are welcome, from hobby projects to competitive products, enterprise infrastructure and tooling to the latest fun hack or work of software art.
At the same time, the npm Public Registry, the Website, and important conventions like README go beyond just code. Developers use all of those channels to communicate more broadly about code, who is developing it, why, and how.
That communication is important, and welcome, so long as it respects that the npm Public Registry, the website, and npm Open Source more generally remain neutral. You are free to use npm Open Source for commercial projects, to advance your career, and for other business purposes. But you may not leverage content or system conventions to make the npm Public Registry, Website, or CLI put business before code.
These kinds of commercial content are generally acceptable in README files and other documentation:
Credits, acknowledgments, attributions, and other recognitions of contributions to Packages.
Information on how to pay, donate to, and otherwise support Package development, Package developers, and Package steward organizations.
Logos from, and links to, organizations developing, stewarding, or sponsoring Package development.
Information on paid products and services related to Packages, such as enhanced versions, add-ons, commercial license terms, training, integration, or support.
These kinds of commercial content generally aren't acceptable:
package.json, or other content displaying advertisements.
Packages that display ads at runtime, on installation, or at other stages of the software development lifecycle, such as via npm scripts. Packages with code that can be used to display ads are fine. Packages that themselves display ads are not.
Packages that function primarily as ads, with only placeholder or negligible code, data, and other technical content.
These examples are just examples. npm will continue to apply its judgment when deciding what content is acceptable. npm will continue to expect you to apply your own judgment when choosing what you share and how.
npm may investigate and prosecute violations of this Agreement to the fullest legal extent. npm may notify and cooperate with law enforcement authorities in prosecuting violations of this Agreement.
You must create and log into an Account to access features of some npm Services, including npm Open Source.
To create an Account, you must provide certain information about yourself, as required by the account creation form on the Website or the CLI. If you create an Account, you will provide, at a minimum, a valid email address. You will keep that email address up-to-date. You will not impersonate any other individual. You may delete your Account at any time by contacting support.
You will be responsible for all action taken using your account, whether authorized by you or not, until you either close your account or give npm notice that the security of your Account has been compromised. You will notify npm immediately if you suspect the security of your Account has been compromised. You will select a secure password for your Account. You will keep your password secret.
npm may restrict, suspend, or terminate your Account according to the Copyright Policy, if npm reasonably believes that you are in breach of these Terms, or if npm reasonably believes that you have misused npm Services.
Nothing in this Agreement gives npm any ownership rights in intellectual property that you share with npm Services, such as your Account information or any Packages you share with npm Services (Your Content). Nothing in this Agreement gives you any ownership rights in npm intellectual property provided via npm Services, like software, documentation, trademarks, service marks, logotypes, or other distinguishing graphics.
npm may remove Your Content from npm Services without notice if npm suspects Your Content was submitted or used in violation of "Acceptable Use", as well as per the Copyright Policy.
Your Content belongs to you. You decide whether and how to license it. But at a minimum, you license npm to provide Your Content to users of npm Services when you share Your Content. That special license allows npm to copy, publish, and analyze Your Content, and to share its analyses with others. npm may run computer code in Your Content to analyze it, but npm's special license alone does not give npm the right to run code for its functionality in npm products or services.
When Your Content is removed from npm Services, whether by you or npm, npm's special license ends when the last copy disappears from npm's backups, caches, and other systems. Other licenses, such as open source licenses, may continue after Your Content is removed. Those licenses may give others, or npm itself, the right to share Your Content with npm Services again.
Others who receive Your Content via npm Services may violate the terms on which you license Your Content. You agree that npm will not be liable to you for those violations or their consequences.
npm welcomes your feedback and suggestions for npm Services. You agree that npm will be free to act on feedback and suggestions you provide without further notice, consent, or payment. You will not submit feedback or suggestions that you consider confidential or proprietary.
You will indemnify npm, its officers, directors, employees, representatives, and agents, and hold them harmless for, all liability, expenses, damages, and costs from any third-party claims, demands, lawsuits, or other proceedings alleging that Your Content, your use of npm Services, or both, violate the intellectual property right of a third party, this Agreement, or applicable law. You will not settle any such proceeding without the prior written consent of npm. npm will notify you of any such proceeding it becomes aware of.
Use of npm Services is at your sole risk. npm Services are provided on an "as is" and "as available" basis. npm expressly disclaims all warranties of any kind, whether express, implied, or statutory, including implied warranties of title, noninfringement, merchantability, and fitness for a particular purpose.
npm makes no warranty that npm Services will meet your requirements, operate in an uninterrupted, timely, secure, or error-free manner, or that errors in npm Services will be corrected.
You receive material via npm Services at your sole risk. You will be solely responsible for any damage to your computer system and network, as well as any data loss that may result from use of npm Services or material received via npm Services.
npm Services may provide information and software that is inaccurate, incomplete, misleading, illegal, offensive, or otherwise harmful. npm may, but does not promise to, review content provided by npm Services.
npm Services provide information about ownership and licensing of Packages, as provided by those Packages' publishers. That information may be wrong. npm cannot and does not provide legal advice.
npm Services may hyperlink to and integrate with third-party applications, websites, and other services. You decide whether and how to use and interact with such services. npm does not make any warranty regarding such services or content they may provide, and will not be liable to you for any damages related to such services. Use of such third-party services may be governed by other terms and privacy notices that are not part of this Agreement and are not controlled by npm.
Neither npm nor any third-party service provider used by npm to provide npm Services will, under any circumstances, be liable to you for any indirect, incidental, consequential, special, or exemplary damages related to your use of npm Services or this Agreement, whether based on breach of contract, breach of warranty, tort (including negligence, product liability, or otherwise), or any other pecuniary loss, and whether or not npm has been advised of the possibility of such damages.
To the maximum extent permitted by law, npm's liability to you for any damages related to this Agreement, for any one or more causes and regardless of the form of action, will not exceed $50.
Some jurisdictions do not allow exclusion of certain warranties or limits on liability for incidental or consequential damages. Some of "Disclaimers" and "Limits on Liability" may not apply to you.
Either you or npm may terminate this Agreement at any time with notice to the other.
On termination of this Agreement, your permission to use npm Open Source, as well as any permission you may have to access Paid Services under additional terms, also terminate.
The following provisions survive termination of this Agreement: "Your Content", "Feedback", "Indemnity", "Disclaimers", "Limits on Liability", and "General Terms". Users of npm Services may continue to copy and share Your Content after termination of this Agreement.
There is no charge for use of npm Open Source. If you use Paid Services from npm, our Paid Services Terms at https://docs.npmjs.com/policies/private-terms apply.
If a provision of this Agreement is unenforceable as written, but could be changed to make it enforceable, that provision should be modified to the minimum extent necessary to make it enforceable. Otherwise, that provision should be removed.
You may not assign this Agreement. npm may assign this Agreement to any affiliate of npm, any third party that obtains control of npm, or any third party that purchases assets of npm relating to npm Services. Any purported assignment of rights in breach of this provision is void.
Neither the exercise of any right under this Agreement, nor waiver of any breach of this Agreement, waives any other breach of this Agreement.
This Agreement, together with the additional terms for Paid Services and npm software that you and npm agree to, embody all the terms of agreement between you and npm about npm Services. This Agreement supersedes any other agreements about npm Services, written or not.
The law of the State of California will govern any dispute, including any legal proceedings, relating to this Agreement or your use of npm Services (a Dispute).
You and npm will seek injunctions related to this agreement only in state or federal court in San Francisco, California. Neither you nor npm will object to jurisdiction, forum, or venue in those courts.
Other than to seek an injunction, you and npm will resolve any Dispute by binding American Arbitration Association arbitration. Arbitration will follow the AAA's Commercial Arbitration Rules and Supplementary Procedures for Consumer Related Disputes. Arbitration will happen in San Francisco, California. You will settle any Dispute as an individual, and not as part of a class action or other representative proceeding, whether as the plaintiff or a class member. No arbitrator will consolidate any Dispute with any other arbitration without npm's permission.
Any arbitration award will include costs of the arbitration, reasonable attorneys' fees, and reasonable costs for witnesses. You or npm can enter arbitration awards in any court with jurisdiction.
You may send notice to npm and questions about the terms governing npm products and services to firstname.lastname@example.org or by mail to:
Attn: npm Legal Department
88 Colin P Kelly Jr St
San Francisco, CA. 94107
npm may send you notice using the email address you provide for your Account or by posting a message to the homepage or your Account page on the Website.