npm Security Policy
Outlined in this document are the practices and policies that npm applies to help ensure that we release stable/secure software, and react appropriately to security threats when they arise.
Reporting Security Problems to npm
If you need to report a security vulnerability, please visit https://npmjs.com/support. If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting our support team is more appropriate.
We review all security reports on the next business day. Note that the npm staff is generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.
Security Point of Contact
Any security tickets opened using https://npmjs.com/support will be escalated to the security point of contact, who will delegate incident response activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.
Critical Updates And Security Notices
We learn about critical software updates and security threats from a variety of sources:
- Ubuntu's security notices page: https://usn.ubuntu.com/
- The Node.js mailing list.
- Security tickets sent to us.
- Other media sources.
This is a living document and may be updated from time to time. Please refer to the git history for this document to view the changes.
This document may be reused under a Creative Commons Attribution-ShareAlike License.