Support Policy

Darcy Clarke edited this page Oct 26, 2022 · 17 revisions

Long Term Support (LTS)

The npm CLI project does not have designated LTS releases. The project only makes regular releases to the most recent major release-line. If you want to learn more, please read our LICENSE. Using the latest version of npm is advised.

Security Issues & Backports

In the event of a security issue, the project will try, when possible, to backport security patches to the versions of npm currently shipping with "maintained" Node.js versions. There are no guarantees that legacy versions of npm will receive updates. Using the latest version of npm is advised.

Reporting Security Issues to our Bug Bounty Program

If you believe you've found a security issue with the npm CLI, we kindly ask that you first check whether a similar issue has already been filed against the npm/cli repository or the repository of any one of its dependencies. Please also ensure your vulnerability meets the eligibility criteria outlined in our Bug Bounty Program before submission. Notably, exploits which require social engineering are ineligible for bounties &, more generally, are out of scope for the npm CLI to reasonably protect against. Examples of hypothetical, ineligible exploits would be: manipulating dependent system binaries (e.g. git, node, etc.), environment or project configuration (e.g. PATH, npm_config_*, etc.), files, caches, or packages & package references prior to executing any npm command. npm should always be run on trusted systems with secure network access.

Registry Service & Reliability

Older versions of the npm CLI should continue to work with the npm Public Registry (i.e. registry.npmjs.org) but may not support all of its latest features, & the reliability of those APIs/services may change or degrade over time. Using the latest version of npm is advised.

Other Questions, Comments or Concerns

Questions, comments, or requests to change this policy should be opened in npm's feedback repository.