npm Security Policy

Outlined in this document are the practices and policies that npm applies to help ensure that we release stable/secure software, and react appropriately to security threats when they arise.

Table of Contents

  1. Reporting Security Problems to npm
  2. Security Point of Contact
  3. Critical Updates and Security Notices

Reporting Security Problems to npm

If you need to report a security vulnerability, please visit . If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting our support team is more appropriate.

We review all security reports on the next business day. Note that the npm staff is generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.

Security Point of Contact

Any security tickets opened using will be escalated to the security point of contact, who will delegate incident response activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.

Critical Updates and Security Notices

We learn about critical software updates and security threats from a variety of sources:


This is a living document and may be updated from time to time. Please refer to the git history for this document to view the changes.


This document may be reused under a Creative Commons Attribution-ShareAlike License.