Support Policy
The npm CLI project does not have designated LTS releases. The project only makes regular releases to the most recent major release-line. If you want to learn more, please read our LICENSE. Using the latest version of npm is advised.
In the event of a security issue, the project will try, when possible, to backport security patches to the versions of npm currently shipping with "maintained" Node.js versions. There is no guarantee that legacy versions of npm will receive updates. Using the latest version of npm is advised.
If you believe you've found a security issue with the npm CLI, we kindly ask that you first check whether a similar issue has already been filed against the npm/cli repository or the repository of any one of its dependencies. Please also ensure your vulnerability meets the eligibility criteria outlined in our Bug Bounty Program before submission. Notably, exploits which require social engineering are ineligible for bounties and, more generally, are out of scope for the npm CLI to reasonably protect against. The same applies to anything that presupposes the attacker already controls the host or the project's configuration before any npm command runs. Examples of hypothetical, ineligible exploits include: manipulating dependent system binaries (e.g. git, node), environment or project configuration (e.g. PATH, npm_config_*), files, caches, or packages and package references prior to executing any npm command. npm should always be run on trusted systems with secure network access.
Older versions of the npm CLI should continue to work with the npm Public Registry (i.e. registry.npmjs.org) but may not support all of its latest features, and the reliability of those APIs/services may change or degrade over time. Using the latest version of npm is advised.
Questions, comments, or requests to change this policy should be opened in npm's feedback repository.