Submitted URL: https://www.npmjs.com/policies/privacy
Effective URL: https://docs.npmjs.com/policies/privacy/

PRIVACY QUESTIONS AND ANSWERS

Table of contents
 * What's most important?
 * How does npm collect data about me?
 * What data does npm collect about me, and why?
   * npm collects data about how you use npm software and registries
 * npm collects data about how you use the website
   * npm collects account data
   * npm collects package data
   * npm collects payment card data
   * npm collects data about correspondence
   * npm collects data about use of npm.community
 * Does npm share data about me with others?
   * npm uses cookies
 * How can I make choices about data collection?
 * Where does npm keep data about me?
 * How does npm handle data under the EU General Data Protection Regulation?
 * How does npm handle data under the California Consumer Privacy Act?
 * How can I see what data is publicly available about me?
 * How can I change data about me?
 * What is npm's policy on unpublishing packages?
 * How does npm notify others about published data that's erased?
 * What happens if npm merges with or is bought by another company?
 * What are npm's information practices regarding information belonging to
   children?
 * Who can I contact about npm and my privacy?
 * How can I find out about changes?

This notice describes how npm, Inc., or npm for short, collects and uses data
about you.


WHAT'S MOST IMPORTANT?

That depends on your personal situation, which is why you should read on and
decide for yourself. But at a minimum, absolutely every npm user should
understand:

The npm public registry is for making software available to everyone online.

But: Software comes from people, and says something about us.

So: Think carefully about what packages to publish, what data you put in those
packages, and what others might do with that data.

When you create an account, certain contact information is displayed publicly in
the npm platform. And when you upload a package, your name and contact
information may become associated with that package.

If you find yourself in a jam, open a support ticket.


HOW DOES NPM COLLECT DATA ABOUT ME?

npm collects data about you:

 * when you use the npm command, the npx command, or another program to access
   the npm public registry, Enterprise registries that npm hosts, or private
   packages, such as when you're publishing a software package, and when you
   use APIs for functionality like account and permissions management

 * when you browse the npm website, npmjs.com

 * when you use either the npm command or the website to create an npm account,
   update your account, and sign up for npm services

 * when you send support, privacy, legal, and other requests to npm

 * when working with and researching current and potential customers

When researching potential customers, npm staff sometimes search the public
World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive
data about you from data brokers or other private services.

npm may inadvertently collect data about you if it is included in software
packages that you or others upload.


WHAT DATA DOES NPM COLLECT ABOUT ME, AND WHY?


NPM COLLECTS DATA ABOUT HOW YOU USE NPM SOFTWARE AND REGISTRIES

When you use the npm command, the npx command, or other software to work with
the npm public registry, an Enterprise registry that npm hosts, or private
packages, npm logs data that might be identified to you:

 * a random, unique identifier, called npm-session, for each time you run
   commands like npm install

 * the names and versions of your project's dependencies, their dependencies,
   and so on, that come from the npm public registry, but not of other
   dependencies, like Git dependencies

 * the versions of Node.js, the npm command, and the operating system you are
   using

 * an npm-in-ci header, showing whether the command was run on a continuous
   integration server

 * the scope of the package for which you ran npm install, as an npm-scope
   header

 * a referrer header that shows the command you ran, with any file or directory
   paths redacted

 * data about the software you're using to access the registry, such as the
   User-Agent string

 * network request data, such as the date and time, your IP address, and the URL

npm uses this data to:

 * fulfill your requests, such as by sending the packages you ask for

 * send you alerts about security vulnerabilities that may affect the software
   you're building, when you run npm install or npm audit

 * keep registries working quickly and reliably

 * debug and develop the npm command and other software

 * defend registries from abuse and technical attacks

 * compile statistics on package usage and popularity

 * prepare reports on trends in the developer community

 * improve search results on the website

 * recommend packages that may be relevant to your work


NPM COLLECTS DATA ABOUT HOW YOU USE THE WEBSITE

When you visit www.npmjs.com, docs.npmjs.com, and other npm websites, npm uses
cookies, server logs, and other methods to collect data about what pages you
visit, and when. npm also collects technical information about the software and
computer you use, such as:

 * your IP address

 * your preferred language

 * the web browser software you use

 * the kind of computer you use

 * the website that referred you

npm uses data about how you use the website to:

 * optimize the website, so that it's quick and easy to use

 * diagnose and debug technical errors

 * defend the website from abuse and technical attacks

 * compile statistics on package popularity

 * compile statistics on the kinds of software and computers visitors use

 * compile statistics on visitor searches and needs, to guide development of new
   website pages and functionality

 * decide who to contact about product announcements, service changes, and new
   features


NPM COLLECTS ACCOUNT DATA

Many features of npm services require an npm account. For example, you must have
an npm account to publish packages to the npm public registry.

To create an npm account, npm requires a working email address and an available
user name. npm uses this data to provide you access to features and identify you
across npm services, publicly and within npm.

You do not have to give your personal or legal name to create an npm account.
You can use a pseudonym instead. You can also open more than one account.

If you sign up for an account, then npm publishes account data for the whole
world to see on your user page at www.npmjs.com. npm also publishes account data
through the npm public registry, which is available for everyone to see, and
through Enterprise registries that npm hosts, where others can find it with
commands like npm owner ls tap.

If you give npm a personal name, or your user names on social media like GitHub
and Twitter, through the website, for example by adding them to your profile or
user page, npm publishes that data along with the email address and user name
for the account. You don't have to give npm a personal name or any social media
names, and you can remove this data at any time by updating your user page.

npm uses your email to:

 * notify you about packages published using your account

 * reset your password and help keep your account secure

 * add metadata to packages that you publish

 * contact you in special circumstances related to your account or packages

 * contact you about support requests

 * contact you about legal requests, like DMCA takedown requests and privacy
   complaints

 * announce new npm product offerings, service changes, and features

 * send you tips about how to better use free and paid services

 * send you messages about paid services you might want


NPM COLLECTS PACKAGE DATA

When you use npm publish or other software to publish packages to the npm public
registry, an Enterprise registry that npm hosts, or as a private package, npm
collects the contents of the package, plus metadata, including your account
data. Other npm users may also publish packages that include data about you,
such as the fact that you contributed code to a package.

npm uses data in packages to provide those packages to you and others who
request them:

 * When you publish a package to the npm public registry, or change a package
   from private to public, npm makes the package and metadata available to
   everyone, online.

 * When you publish a package to an Enterprise registry that npm hosts, or as a
   private package, npm makes all of that data available to other users
   according to how the registry or the private packages account is configured.
   You may be able to configure who can access the package, or that may be up to
   others, such as the administrator of your company's Enterprise registry.

Making package data available to others allows them to download, build on, and
depend on your work.


NPM COLLECTS PAYMENT CARD DATA

To sign up for paid services, npm requires your payment card data. npm itself
does not collect or store enough information to charge your card. Rather,
Stripe collects that data on npm's behalf, and gives npm security tokens that
allow npm to create charges and subscriptions.

npm uses your payment card data only to charge for npm services.

npm instructs Stripe to store your payment card data only as long as you use
paid npm services.


NPM COLLECTS DATA ABOUT CORRESPONDENCE

npm collects data about you when you send npm support requests, legal
complaints, privacy inquiries, and business inquiries. Those data usually
include your name and email address, and may include your company or other
affiliation.

npm uses contact data to:

 * respond to you

 * compile aggregate statistics about correspondence

 * train support staff and other npm personnel

 * review the performance of npm personnel who respond

 * defend npm from legal claims


NPM COLLECTS DATA ABOUT USE OF NPM.COMMUNITY

npm collects data about visits, user accounts, and forum data on npm.community,
the discussion forum for users of npm products and services. npm uses data from
npm.community to collaborate with the development community, and to inform
development decisions about the command-line interface and other software.


DOES NPM SHARE DATA ABOUT ME WITH OTHERS?

npm shares account data with others as mentioned in the section about account
data.

npm shares package data with others as mentioned in the section about package
data.

npm publishes posts and other content you submit to npm.community.

npm does not sell information about you to others. However, npm uses services
provided by other companies to provide npm services. The types of service
providers that npm uses include:

 * Companies that enable us to offer features on our website, such as to display
   your avatar

 * Companies that facilitate the efficient distribution of content

 * Cloud computing platforms and services that host our discussion forums

 * Services that assist with the detection of spam, scams, abuse of others, or
   other violations of our terms of service

 * Payment processors

 * Platforms to help us receive, manage, and respond to support requests

 * Platforms for internal communication


NPM USES COOKIES

npm's website only uses cookies strictly necessary to provide, optimize and
secure the website. For example, we use them to keep you logged in, remember
your preferences, authenticate your device for security purposes, analyze your
use of the service, compile statistical reports, and provide information for
future development of npm. The website uses internal cookies for analytics
purposes, not any third-party analytics or service providers.

By using the website, you agree that we can place these types of cookies on your
computer or device. If you disable your browser or device’s ability to accept
these cookies, you will not be able to log in or use the website.


HOW CAN I MAKE CHOICES ABOUT DATA COLLECTION?

You choose what data the npm publish command includes in package data. You can
use an .npmignore file in your package to keep specific files out of the
package. You can also use a files list in package.json files to instruct npm to
include only specific files that you name, in addition to standard files like
README files, LICENSE files, and package.json.

To double check the data that you will share in a package that you plan to
publish, run the npm publish --dry-run command. If you are running an older
version of the npm command, run the npm pack command to create a tarball, then
check its contents, such as with tar tvzf $tarball.

To publish a package to the npm public registry, npm's terms of service require
you to license npm to share it. If a package is made public, it is available for
everyone online to see. However, your choice of public license for your package
may affect what others can do with data about you in your package.

npm does not respond to the Do Not Track HTTP header.


WHERE DOES NPM KEEP DATA ABOUT ME?

npm stores account data, data about website use, data about registry use, and
private packages on servers in the United States of America. npm stores packages
published to the npm public registry, plus metadata about those packages,
worldwide, via content delivery networks.

npm stores package data published to Enterprise registries that npm hosts, plus
metadata about them, in cloud computing zones of customers' choosing.

By using the npm platform, you consent to the collection and storage of your
data as outlined in this section.


HOW DOES NPM HANDLE DATA UNDER THE EU GENERAL DATA PROTECTION REGULATION?

npm respects privacy rights under Regulation (EU) 2016/679, the European Union's
General Data Protection Regulation (GDPR). npm processes "Personal Data" on the
following legal bases: (1) with your consent; (2) as necessary to perform our
agreement to provide our services; and (3) as necessary for our legitimate
interests in providing our services where those interests do not override your
fundamental rights and freedom related to data privacy. Information we collect
may be transferred to, and stored and processed in, the United States or any
other country in which we or our affiliates or subcontractors maintain
facilities, as described above.

If you reside in the EEA, Switzerland, or United Kingdom, you are entitled to
certain rights, like the right to:

 * complain about our data collection or processing actions to the supervisory
   authority concerned. You can find a list of data protection authorities on
   the European Data Protection Board's website.

 * access information held about you.

 * ask us to correct or amend inaccurate or incomplete information we have about
   you.

 * ask us to erase data under certain circumstances, like (1) when it is no
   longer necessary for the purpose for which it was collected, (2) you withdraw
   consent and no other legal basis for processing exists, or (3) you believe
   your fundamental rights to data privacy and protection outweigh our
   legitimate interest in continuing the processing.

 * request that we restrict our processing if we are processing your data based
   on legitimate interests or the performance of a task in the public interest
   as an exercise of official authority (including profiling); using your data
   for direct marketing (including profiling); or processing your data for
   purposes of scientific or historical research and statistics.

When you exercise your rights, npm may need to verify your identity, and you may
need to provide information before we access records containing your data. If
you want to exercise your rights, please contact npm by opening a support
ticket. We may have a reason under the law why we do not have to comply with
your request or may comply with it in a more limited way than you anticipated.
If we do, we will explain that to you in our response.


HOW DOES NPM HANDLE DATA UNDER THE CALIFORNIA CONSUMER PRIVACY ACT?

npm respects the rights of California residents under the California Consumer
Privacy Act (CCPA). Where we collect information that is subject to the CCPA,
the information we collect and your rights are described below.

Categories of personal information we collect:

 * Personal Identifiers:
   
   * Name and email address when you create an account. You will also be asked
     to create a username and we will assign one or more unique identifiers to
     your profile. We use this information to provide our services, respond to
     your requests, and send information to you.
   
   * We also collect your social media handle and basic account information if
     you provide it to us or interact with our services, such as our help desk,
     through social media.
   
   * We collect your payment information through our service provider, Stripe,
     as described above.

 * Internet or Other Electronic Network Activity Information: device identifiers
   such as IP address and user agent; the assigned unique IDs in cookies (as
   described below); information about how you arrived at and navigated through
   our Services.

 * Geolocation Data: We do not collect your specific longitude and latitude.
   However, we do collect imprecise location (e.g., your IP address).

 * Professional or employment-related information: If you apply for employment
   with us, information about your employment history.

 * Education information: If you apply for employment with us, information about
   your educational history.

We may collect any other information about you contained in software packages
uploaded to our site, as described above under the "npm collects package data"
section. We also collect the contents of your communications with us, e.g., when
you submit a question to us through a web form or comments to us on social
media.

We may disclose any of the categories of personal information listed above and
use them for the above-listed purposes or for other business or operational
purposes compatible with the context in which the personal information was
collected. Our disclosures of personal information include disclosures to our
"service providers," which are companies that we engage for business purposes to
conduct activities on our behalf. The categories of service providers with whom
we share information and the services they provide are described below.

Rights under CCPA:

 * Access/Right to Know: You have the right to request access to personal
   information we collected about you and information regarding the source of
   that personal information, the purposes for which we collect it, and the
   third parties and service providers with whom we share it.

 * Deletion: You have the right to request that we erase data we have collected
   from you. Please note that we may have a reason to deny your deletion request
   or delete data in a more limited way than you anticipated, e.g., because of a
   legal obligation to retain it.

To exercise your rights above, you can open a support ticket. When we process
your request, we must verify your identity by asking you to (1) provide personal
identifiers that we can match against information we may have collected from you
previously; and (2) confirm your request using the email stated in the request.

Opt-out of sale:

California residents have the right to request that we stop "selling" their
personal information. A "sale" of personal information is defined broadly:
"selling, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or
other means, a consumer's personal information by the business to another
business or a third party for monetary or other valuable consideration." We do
not sell your information as defined by the CCPA.

Please note that your right to opt out does not apply to our sharing of personal
information with service providers, who are parties we engage to perform a
function on our behalf and are contractually obligated to use the Personal
Information only for that function.

We may also disclose information to other entities who are not listed here when
required by law or to protect our Company or other persons, as described in our
Privacy Policy.


HOW CAN I SEE WHAT DATA IS PUBLICLY AVAILABLE ABOUT ME?

You can access your account data at any time by visiting your account page on
www.npmjs.com. Your account page also lists all the packages published under
your account or other accounts.

You can access package data by downloading the packages, as long as they're
public or you have permission to access them.

You can see metadata about packages by running npm info $package, or by
accessing the appropriate registry's API. Registry APIs provide metadata in
standard JSON format, and packages as tarballs.
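The registry metadata is where account data becomes public: as described above,
npm publishes your user name and email along with packages you own or publish.
As an added example, not npm's own code, the following walks a packument, the
JSON the registry serves for GET https://registry.npmjs.org/$package and that
npm view $package --json prints, and lists every place a name or email appears.
The field names (author and contributors from package.json; maintainers and the
per-version _npmUser record, which identifies the account that ran npm publish,
added by the registry) are the registry's own; the sample document is
constructed and the people in it are fictitious.

```javascript
// Where account data surfaces in a public packument. Added example, not npm code.
// A packument carries package.json person fields (author, contributors) plus
// registry-added ones: maintainers (current owners) and, per version, _npmUser
// (the account that ran `npm publish`). SAMPLE_PACKUMENT below is constructed.

// package.json allows a person to be written as "Name <email> (url)" or as an
// object { name, email, url }; normalise both to { name, email }.
function parsePerson(person) {
  if (!person) return null;
  if (typeof person === 'string') {
    const m = /^([^<(]*)(?:<([^>]*)>)?\s*(?:\([^)]*\))?/.exec(person);
    return {
      name: (m[1] || '').trim() || null,
      email: (m[2] || '').trim() || null,
    };
  }
  return { name: person.name || null, email: person.email || null };
}

function people(value) {
  if (Array.isArray(value)) return value.map(parsePerson).filter(Boolean);
  const one = parsePerson(value);
  return one ? [one] : [];
}

// One record per appearance: { source, name, email }, where source is the
// path within the document so you can see which field leaked what.
function publicIdentities(packument) {
  const out = [];
  const add = (source, value) => {
    for (const p of people(value)) out.push({ source, ...p });
  };
  add('author', packument.author);
  add('maintainers', packument.maintainers);
  add('contributors', packument.contributors);
  for (const [version, doc] of Object.entries(packument.versions || {})) {
    add(`versions.${version}.author`, doc.author);
    add(`versions.${version}.contributors`, doc.contributors);
    add(`versions.${version}.maintainers`, doc.maintainers);
    add(`versions.${version}._npmUser`, doc._npmUser);
  }
  return out;
}

// Distinct email addresses anyone can read off the document.
function emailsExposed(packument) {
  const emails = publicIdentities(packument).map((p) => p.email).filter(Boolean);
  return [...new Set(emails)].sort();
}

// Constructed sample, not a real registry document. Note that bob, who only
// published 1.0.1 and was later removed as a maintainer, is still visible in
// that version's _npmUser record.
const SAMPLE_PACKUMENT = {
  name: 'example-widget',
  'dist-tags': { latest: '1.0.1' },
  author: 'Alice Example <alice@example.com>',
  maintainers: [{ name: 'alice', email: 'alice@example.com' }],
  versions: {
    '1.0.0': {
      name: 'example-widget',
      version: '1.0.0',
      author: 'Alice Example <alice@example.com>',
      contributors: ['Carol Q <carol@example.com> (https://carol.example)'],
      _npmUser: { name: 'alice', email: 'alice@example.com' },
      maintainers: [
        { name: 'alice', email: 'alice@example.com' },
        { name: 'bob', email: 'bob@example.com' },
      ],
    },
    '1.0.1': {
      name: 'example-widget',
      version: '1.0.1',
      _npmUser: { name: 'bob', email: 'bob@example.com' },
      maintainers: [{ name: 'alice', email: 'alice@example.com' }],
    },
  },
};

for (const id of publicIdentities(SAMPLE_PACKUMENT)) {
  console.log(`${id.source}: ${id.name} <${id.email}>`);
}
console.log('emails exposed:', emailsExposed(SAMPLE_PACKUMENT).join(', '));
```

To run it against a real package, save the output of npm view $package --json
to a file, JSON.parse it and pass the object to publicIdentities. The
per-version records matter for the "How can I change data about me?" question
below: removing a maintainer or editing your profile changes the top-level
fields, but the _npmUser and maintainers recorded inside an already-published
version stay with that version.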


HOW CAN I CHANGE DATA ABOUT ME?

You can change your personal account data and payment card data at any time by
visiting your account settings page on www.npmjs.com. You can change account and
payment data for Enterprise by contacting support.

You can close your npm account at any time by contacting support. Closing your
account removes the profile from the public registry but does not automatically
erase packages published under your account. We may retain some data about you
internally even after you close your account.

npm's unpublish policy determines when you can erase packages from the npm
public registry. The unpublish policy strikes a difficult balance between the
purpose of publishing and hosting packages, others' reliance on what has been
made public, and individual rights and freedoms.

If another user improperly publishes personal data about you, in a package or
otherwise, open a support ticket.

Please note that while npm publishes notices about published data that's been
erased, npm can't make everyone who has downloaded published package data or
account data erase that data on your behalf. Choosing a public license, such as
an open source software license, may encourage and allow storage, distribution,
and use of package data indefinitely. Nearly all popular open source software
licenses actually require preserving personal data that attributes the software
to you, such as copyright notices, as a condition of permission for the
software.


WHAT IS NPM'S POLICY ON UNPUBLISHING PACKAGES?

Please see our policy on "unpublishing" packages or our terms of service for
more information on erasing packages.

If you accidentally publish a package that threatens your privacy, or discover
someone else has published a package that does, open a support ticket. npm can
and will take down packages in specific, exceptional situations to protect you,
especially if others violate your privacy. Using npm to violate others' privacy
is against our terms of service.


HOW DOES NPM NOTIFY OTHERS ABOUT PUBLISHED DATA THAT'S ERASED?

npm takes a few steps to notify others who may be copying data from the npm
public registry that published data has been erased:

 * npm publishes new placeholder versions of some erased packages, with README
   files that mention the package has been erased, and why.

 * npm's registry APIs, special software services that others use to copy data
   from the npm public registry, send update messages about packages that have
   been erased.


WHAT HAPPENS IF NPM MERGES WITH OR IS BOUGHT BY ANOTHER COMPANY?

We may transfer to another entity or its affiliates or service providers some or
all information about you in connection with, or during negotiations of, any
merger, acquisition, sale of assets or any line of business, change in ownership
control, or financing transaction. We cannot promise that an acquiring party or
the merged entity will have the same privacy practices or treat your information
the same as described in this Policy.


WHAT ARE NPM'S INFORMATION PRACTICES REGARDING INFORMATION BELONGING TO
CHILDREN?

npm's site and services are intended for users age sixteen and older. npm does
not knowingly collect information from children. If we discover that we have
inadvertently collected information from anyone younger than the age of 16, we
will delete that information.


WHO CAN I CONTACT ABOUT NPM AND MY PRIVACY?

Please open a support ticket. You may also contact our Data Protection Officer
directly.

Our United States HQ:

GitHub Data Protection Officer
Attention: npm Data Protection
88 Colin P. Kelly Jr. St.
San Francisco, CA 94107
United States

or our EU Office:

GitHub BV
Vijzelstraat 68-72
1017 HL Amsterdam
The Netherlands


HOW CAN I FIND OUT ABOUT CHANGES?

This version of npm's privacy questions and answers took effect June 3, 2020.

npm will announce the next version on the npm blog. In the meantime, npm may
update its contact information by updating the page at
https://docs.npmjs.com/privacy, without an announcement. npm may change how it
announces changes in future privacy versions.

You can review the history of changes in the Git repository for npm's public
policies.