Security
Need to report a security vulnerability? Please contact us or email [email protected].
System Security
Our engineering team is well-versed in security best practices.
Our software is regularly audited by reputable third-party security firms, currently Lift Security.
We maintain a recent, production-ready OS that is regularly patched with the latest security fixes.
Our servers live behind a firewall that only allows expected traffic on limited ports.
Our services are fronted by a CDN that allows for protection from Distributed Denial of Service (DDoS) attacks.
Security in Transit
All private data exchanged with npm from the command line and via the website is passed over encrypted connections (HTTPS and SSL).
Physical and Data Security
npm's servers are hosted on Amazon Web Services. Physical security is maximized because nobody knows exactly which physical servers host our virtual ones.
All registry data and binaries are stored in multiple redundant, physically separate locations. All binaries and metadata are backed up to a third-party, off-site location. These backups are encrypted.
Employees of npm Inc. have access to package metadata and binaries for support and debugging purposes. Employees do not have access to the password for your npm account, which is always encrypted.
For more information about how we handle your personal data, you may wish to review our privacy policy.
Higher Levels of security
For firms interested in greater levels of physical and operational security, npm Enterprise is a self-hosted version of the npm Registry that allows total control of the operation and policies of the registry.
Contact Us
If you have further questions or concerns about npm security, please contact us.