-
Notifications
You must be signed in to change notification settings - Fork 3.2k
Support Policy
The npm CLI project does not have designated LTS releases. The project only makes regular releases to the most recent major release-line. If you want to learn more, please read our LICENSE.
In the event of a security issue, the project will try to backport - when possible - security patches to versions of npm currently shipping with "maintained" Node.js versions. There are no guarantees that legacy versions of npm will receive updates.
If you believe you've found a security issue with the npm CLI, we kindly ask you to first check if a previous issue has already been filed against the npm/cli, or any one of it's relevant dependencies, that is similar to your finding. Please also ensure your vulnerability meets the eligibility criteria outlined in our Bug Bounty Program before submission. Notably, exploits which require social engineering are ineligible for bounties & more generally are out of scope for the npm CLI to reasonably protect against. Examples of hypothetical, ineligible exploitations would be: manipulating dependent system binaries (ex. git, node etc.), environment or project configuration (ex. PATH), files, caches or packages & package references prior to executing any npm command.
npm should always be run on trusted systems with secure network access. The CLI & its dependencies have no understanding of authentication or authorization for the various pieces of data & data sources it may interact with (ex. registries, packages, repositories, cves, users etc.); it takes a best-effort approach to validating the integrity of information in which has been cached at rest between the various sources of truth. That said, the responsibility to ensure your environment is secure & access controls are in place prior to the execution of an npm command is strictly the responsibility of end-users or the services in which access controls can be enforced.
Older versions of the npm CLI should also continue to work with the npm Public Registry (ie. registry.npmjs.org) but may not support all of its latest features & reliability of those APIs/services may change or degrade over time.
Questions, comments, or requests to change this policy should be opened in npm's feedback repository.