Need to report a security vulnerability? Please contact us or email security@npmjs.com.
Our engineering team is well-versed in security best practices.
Our software is regularly audited by reputable third-party security firms, currently Lift Security.
We maintain a recent, production-ready OS that is regularly patched with the latest security fixes.
Our servers live behind a firewall that only allows expected traffic on limited ports.
Our services are fronted by a CDN that allows for protection from Distributed Denial of Service (DDoS) attacks.
All private data exchanged with npm from the command line and via the website is passed over encrypted connections (HTTPS and SSL).
npm's servers are hosted on Amazon Web Services. Physical security is maximized because nobody knows exactly which physical servers host our virtual ones.
All registry data and binaries are stored in multiple redundant, physically separate locations. All binaries and metadata are backed up to a third-party, off-site location. These backups are encrypted.
Employees of npm Inc. have access to package metadata and binaries for support and debugging purposes. Employees do not have access to the password for your npm account, which is always encrypted.
For more information about how we handle your personal data, you may wish to review our privacy policy.
For firms interested in greater levels of physical and operational security, npm On-Site is a self-hosted version of the npm Registry that allows total control of the operation and policies of the registry.
If you have further questions or concerns about npm security, please contact us.
Last modified November 29, 2015 Found a typo? Send a pull request!