-
Notifications
You must be signed in to change notification settings - Fork 3.3k
Support Policy
The npm
CLI project does not have designated LTS releases. The project only makes regular releases to the most recent major release-line. If you want to learn more, please read our LICENSE
.
In the event of a security issue, the project will try to backport - when possible - security patches to versions of npm
currently shipping with "maintained" Node.js versions. There are no guarantees that legacy versions of npm
will receive updates. Always using the latest
version of npm
is advised.
If you believe you've found a security issue with the npm
CLI, we kindly ask you to first check if a previous issue has already been filed against the npm/cli
, or any one of it's relevant dependencies, that is similar to your finding. Please also ensure your vulnerability meets the eligibility criteria outlined in our Bug Bounty Program before submission. Notably, exploits which require social engineering are ineligible for bounties & more generally are out of scope for the npm
CLI to reasonably protect against. Examples of hypothetical, ineligible exploitations would be: manipulating dependent system binaries (ex. git
, node
etc.), environment or project configuration (ex. PATH
), files, caches or packages & package references prior to executing any npm
command.
npm
should always be run on trusted systems with secure network access. The CLI & its dependencies have no understanding of authentication or authorization for the various pieces of data & data sources it may interact with (ex. registries, packages, repositories, cves, users etc.); it takes a best-effort approach to validating the integrity of information in which has been cached at rest between the various sources of truth. That said, the responsibility to ensure your environment is secure & access controls are in place prior to the execution of an npm
command is strictly the responsibility of end-users or the services in which access controls can be enforced.
Older versions of the npm
CLI should also continue to work with the npm Public Registry (ie. registry.npmjs.org
) but may not support all of its latest features & reliability of those APIs/services may change or degrade over time.
Questions, comments, or requests to change this policy should be opened in npm's feedback repository.