Reporting a vulnerability in an npm package

Note: Vulnerability reporting is currently only available for packages in the public npm registry.

If you find a security vulnerability in an npm package (either yours or someone else's), you can report it to the npm Security team to help keep the JavaScript ecosystem safe.

Disclosure timeline

Reporting a vulnerability

Note: Vulnerability reports are sent to the npm Security team, not the package maintainer.
  1. Gather information about the vulnerability.
  2. On the package page, click Report a vulnerability.
  3. On the vulnerability report page, provide information about yourself and the vulnerability:
    • Name: Your name.
    • Email address: An email address the npm Security team can use to contact you.
    • Package name: The name of the package that contains the vulnerability.
    • Package version: The version of the package that contains the vulnerability. Include all affected versions.
    • Description of vulnerability: A brief description of the vulnerability and its effects. Include references, commits, and/or code examples that would help our researchers reproduce and investigate the vulnerability.
  4. Click Send Report.
