This notice describes how npm, Inc., or npm for short, collects and uses data about you.
Skip to:
- What's most important?
- How does npm collect data about me?
- What data does npm collect about me, and why?
- How can I make choices about data collection?
- Where does npm keep data about me?
- How can I access data about me?
- Does npm comply with the EU General Data Protection Regulation?
- How can I change or erase data about me?
- Does the right to be forgotten cover unpublishing packages?
- How does npm notify others about published data that's erased?
- Does npm make automated decisions based on data about me?
- Does npm share data about me with others?
- Who can I contact about npm and my privacy?
- How can I find out about changes?
That depends on your personal situation, which is why you should read on and decide for yourself. But at a minimum, absolutely every npm user should understand:
The npm public registry is for making software available to everyone online.
But: Software comes from people, and says something about us.
So: Think carefully about what packages to publish, what data you put in those packages, and what others might do with that data.
Publishing a password or a private email address could obviously affect your privacy. But even one version of a small package with your name and email in it says a lot about you and your work.
If you find yourself in a jam, email privacy@npmjs.com.
npm collects data about you:
- when you use the npm command, the npx command or another program to access the npm public registry, Enterprise registries that npm hosts, private packages, and APIs for functionality like account and permissions management
- when you browse the npm website, npmjs.com
- when you use either the npm command or the website to create an npm account, update your account, and sign up for npm services
- when you send support, privacy, legal, and other requests to npm
- when working with and researching current and potential customers
When researching potential customers, npm staff sometimes search the public World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive data about you from data brokers or other private services.
When you use the npm command, the npx command, or other software to work with the npm public registry, an Enterprise registry that npm hosts, or private packages, npm logs data that might be identified to you:
- a random, unique identifier, called npm-session, for each time you run commands like npm install
- the names and versions of your project's dependencies, their dependencies, and so on, that come from the npm public registry, but not of other dependencies, like Git dependencies
- the versions of Node.js, the npm command, and the operating system you are using
- an npm-in-ci header, showing whether the command was run on a continuous integration server
- the scope of the package for which you ran npm install, as an npm-scope header
- a referer header that shows the command you ran, with any file or directory paths redacted
- data about the software you're using to access the registry, such as the User-Agent string
- network request data, such as the date and time, your IP address, and the URL
npm uses this data to:
- fulfill your requests, such as by sending the packages you ask for
- send you alerts about security vulnerabilities that may affect the software you're building, when you run npm install or npm audit
- keep registries working quickly and reliably
- debug and develop the npm command and other software
- defend registries from abuse and technical attacks
- compile statistics on package usage and popularity
- prepare reports on trends in the developer community
- improve search results on the website
- recommend packages that may be relevant to your work
npm usually deletes registry log entries with identifiable information within a few weeks, but may preserve logs longer, as needed in specific cases, like investigations of specific incidents. npm stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
When you visit www.npmjs.com, docs.npmjs.com, and other npm websites, npm uses cookies, server logs, and other methods to collect data about what pages you visit, and when. npm also collects technical information about the software and computer you use, such as:
- your IP address
- your preferred language
- the web browser software you use
- the kind of computer you use
- the website that referred you
npm uses data about how you use the website to:
- optimize the website, so that it's quick and easy to use
- diagnose and debug technical errors
- defend the website from abuse and technical attacks
- compile statistics on package popularity
- compile statistics on the kinds of software and computers visitors use
- compile statistics on visitor searches and needs, to guide development of new website pages and functionality
- decide who to contact about product announcements, service changes, and new features
npm usually deletes website log entries with identifiable information within a few weeks, but keeps entries for visitors with npm accounts, and visitors using paid services like Enterprise registries, longer. npm reviews log entries for those users twice a year, and deletes entries when they're no longer needed.
npm may preserve log entries for all kinds of visitors longer, as needed in specific cases, like investigation of specific incidents. npm stores aggregate statistics indefinitely, but those statistics don't include data identifiable to you personally.
Many features of npm services require an npm account. For example, you must have an npm account to publish packages to the npm public registry.
To create an npm account, npm requires a working email address and an available user name. npm uses this data to provide you access to features and identify you across npm services, publicly and within npm.
You do not have to give your personal or legal name to create an npm account. You can use a pseudonym instead. You can also open more than one account.
npm publishes account data for the whole world to see on user pages like this one. npm also publishes account data through the npm public registry and Enterprise registries that npm hosts for others to find with commands like npm owner ls tap.
If you give npm a personal name or names on social media like GitHub and Twitter through the website, npm publishes that data along with the email address and user name for the account. You don't have to give npm a personal name or any social media names, and you can erase this data at any time.
npm uses your email to:
- notify you about packages published using your account
- reset your password and help keep your account secure
- add metadata to packages that you publish
- contact you in special circumstances related to your account or packages
- contact you about support requests
- contact you about legal requests, like DMCA takedown requests and privacy complaints
- announce new npm product offerings, service changes, and features
npm stores account data as long as the account stays open. When account data also appears in package data, npm stores that data as long as it stores the package.
When you use npm publish or other software to publish packages to the npm public registry, an Enterprise registry that npm hosts, or as a private package, npm collects the contents of the package, plus metadata, including your account data. Other npm users may also publish packages that include data about you, such as the fact that you contributed code to a package.
npm uses data in packages to provide those packages to you and others who request them:
- When you publish a package to the npm public registry, or change a package from private to public, npm makes the package and metadata available to everyone, online.
- When you publish a package to an Enterprise registry that npm hosts, or as a private package, npm makes all of that data available to other users according to how the registry or the private packages account is configured. You may be able to configure who can access the package, or that may be up to others, such as the administrator of your company's Enterprise registry.
Making package data available to others allows them to download, build on, and depend on your work. In the vast majority of cases, npm stores data in and metadata about every version of every package indefinitely, unless it's unpublished.
In some cases, however, package publishers can unpublish packages, erasing them from the public registry. Erased packages linger on for a short time in npm's public and private caches, but eventually disappear completely from npm's storage.
To sign up for paid services, npm requires your payment card data. npm itself does not collect or store enough information to charge your card itself. Rather, Stripe collects that data on npm's behalf, and gives npm security tokens that allow npm to create charges and subscriptions.
npm uses your payment card data only to charge for npm services.
npm instructs Stripe to store your payment card data only as long as you use paid npm services.
npm's sales and marketing teams collect information about npm users who might like to try npm paid services, as individuals or through organizations. npm also collects data about customer personnel, such as lists of people who need Enterprise registry accounts or access to channels for technical support. When npm's sales and marketing teams send email to current and potential customers, they collect data about whether those messages get read, and whether readers follow hyperlinks.
npm's sales team also uses public World Wide Web searches and paid business databases to research who users work for, and their positions, based on account data like name or email address. The vast majority of this data is publicly available.
npm uses data about current and potential customer personnel to:
- ensure npm meets its obligations to provide access, support, and other services under contracts for paid services
- decide which people to contact about product announcements, service changes, and new features
- ensure that people who opt out do not receive any more messages about npm services and upgrades
- keep track of how users express interest in npm products and services over time
- decide who should receive email about product announcements, service changes, and new features
npm stores data about current and potential customers only as long as they remain relevant for these purposes, reviews data collection practices and data collected each year, and deletes data that's no longer needed.
npm collects data about you when you send npm support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address, and may include your company or other affiliation.
npm uses contact data to:
- respond to you
- compile aggregate statistics about correspondence
- train support staff and other npm personnel
- review the performance of npm personnel who respond
- defend npm from legal claims
npm stores correspondence as long as it may be useful for these purposes.
You choose what data the npm publish command includes in package data. You can use an .npmignore file in your package to keep specific files out of the package. You can also use a files list in package.json files to instruct npm to include only specific files that you name, in addition to standard files like README files, LICENSE files, and package.json.
To double check the data that you will share in a package that you plan to publish, run the npm publish --dry-run command. If you are running an older version of the npm command, run the npm pack command to create a tarball, then check its contents, such as with tar tvzf $tarball.
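The tarball check above can be made repeatable. This added shell example (not npm's own tooling) lists a package tarball the way tar tzf does and flags entries that look like secrets or local configuration; the sample package, the tarball, and the pattern list are constructed for illustration, and it assumes the npm pack layout in which every entry sits under a package/ prefix.

```shell
#!/bin/sh
# Added example: pre-publish check of what a package tarball actually contains.

# Constructed pattern list (not npm's): file names that rarely belong in a published package.
# Tar entries are one path per line, so $ anchors work on file names; directories end in "/".
SENSITIVE_PATTERNS='(^|/)(\.env(\.[^/]*)?|\.npmrc|id_rsa|\.DS_Store)$|(^|/)\.git/|\.(pem|key)$'

# make_sample_tarball DIR -> prints the path of a constructed tarball with the
# package/ prefix that `npm pack` uses. Two deliberately sensitive files are included.
make_sample_tarball() {
  dir="$1"
  mkdir -p "$dir/package/lib"
  printf '{ "name": "example-pkg", "version": "1.0.0" }\n' > "$dir/package/package.json"
  printf '# example-pkg\n' > "$dir/package/README.md"
  printf 'module.exports = {};\n' > "$dir/package/lib/index.js"
  printf 'SECRET=do-not-ship\n' > "$dir/package/.env"                          # constructed
  printf '//registry.npmjs.org/:_authToken=PLACEHOLDER_TOKEN\n' > "$dir/package/.npmrc"  # constructed
  tar -czf "$dir/example-pkg-1.0.0.tgz" -C "$dir" package
  printf '%s\n' "$dir/example-pkg-1.0.0.tgz"
}

# list_tarball TARBALL -> one entry per line, exactly as tar reports it
list_tarball() {
  tar -tzf "$1"
}

# check_package TARBALL -> exit 0 when no entry matches the pattern list,
# exit 1 (and print the offending entries to stderr) when something should not ship.
check_package() {
  hits=$(list_tarball "$1" | grep -E "$SENSITIVE_PATTERNS" || true)
  if [ -n "$hits" ]; then
    printf 'Sensitive entries in %s:\n%s\n' "$1" "$hits" >&2
    return 1
  fi
  return 0
}
```

Run check_package against the .tgz that npm pack writes before publishing; a non-zero exit means review your .npmignore or files list first.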
To publish a package to the npm public registry, npm's terms of service require you to license npm to share it. However, your choice of public license for your package may affect what others can do with data about you in your package.
npm does not respond to the Do Not Track HTTP header.
npm stores account data, data about website use, data about registry use, and private packages on servers in the United States of America.
npm stores package data published to Enterprise registries that npm hosts, plus metadata about them, in cloud computing zones of customers' choosing.
npm distributes package data published to the npm public registry and metadata about those packages worldwide, via content delivery networks.
npm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). Information that GDPR requires npm to give can be found throughout these privacy questions and answers. So can information about specific rights, like access, rectification, erasure, data portability, and objection to automated decision-making.
GDPR does not apply to everyone worldwide. But npm's policy is to do its best to offer all users the same privacy information, control, and protections, whether GDPR applies to them or not.
You can access your account data at any time by visiting your account page on www.npmjs.com. Your account page also lists all the packages published under your account or other accounts.
You can access package data by downloading the packages, as long as they're public or you have permission to access them.
You can see metadata about packages by running npm info $package, or by accessing the appropriate registry's API. Registry APIs provide metadata in standard JSON format, and packages as tarballs.
You can change your personal account data and payment card data at any time by visiting your account settings page on www.npmjs.com. You can change account and payment data for Enterprise by emailing support@npmjs.com.
You can close your npm account at any time through www.npmjs.com. Closing your account starts a process of erasing npm's records of your account data. Closing your account does not automatically erase packages published under your account.
npm's unpublish policy determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.
If you have questions or problems using the website or npm command to change or delete data about you, email support@npmjs.com. If another user improperly publishes personal data about you, in a package or otherwise, email privacy@npmjs.com.
Please note that while npm publishes notices about published data that's been erased, npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.
We don't believe either the letter or the spirit of the right to be forgotten require changes to our policy on "unpublishing" packages or our terms of service.
GDPR gives users the right to erase some data collected about them by others. GDPR also defines "personal data" broadly enough to cover package publisher and contributor metadata, and even copyright notices in license files. But GDPR requires a balance between privacy rights, other rights, and the public interest. The law itself makes a start, limiting the right to be forgotten to specific situations that don't apply to most packages, and making exceptions that do.
If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, email privacy@npmjs.com immediately. npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our terms of service.
npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:
- npm publishes new placeholder versions of some erased packages, with README files that mention the package has been erased, and why.
- npm's registry APIs, special software services that others use to copy data from the npm public registry, send update messages about packages that have been erased.
npm uses data in packages and data about how you use the registry to make decisions about whether the packages you publish are spam, promote scams, abuse others, or otherwise violate our terms of service. When Smyte decides that a package is likely in violation, npm blocks publishing the package or erases the package.
If you think your package has been wrongly blocked or erased, email support@npmjs.com to reach an npm team member who can review the decision.
npm shares account data with others as mentioned in the section about account data.
npm shares package data with others as mentioned in the section about package data.
npm does not sell information about you to others. However, npm uses services provided by other companies to provide npm services. Some of those services may collect data about you independently, for their own purposes. All of the companies are based in the United States.
Some of these services may be used to collect information about your online activities across different websites.
npm's website uses Google Analytics to collect and analyze data about visitors to its websites. You can read the privacy policy for Google Analytics online. You can opt out of Google Analytics by installing a free browser extension.
npm's website uses Oracle Marketing Cloud to track which parts of npm websites you visit, so we know which updates and service email messages to send you. We also use Oracle Marketing Cloud to notice when you click links in email that we send. You can read the privacy policy for Eloqua online.
The website uses Gravatar, a free online service from Automattic for hosting user avatar pictures. When you request a page on the npm website that shows an avatar, your computer also sends a request to Gravatar. You can read the privacy policy for Gravatar online.
npm uses Cloudflare and Fastly to distribute copies of package and other data worldwide, so that others can download it quickly from a server near them. You can read the privacy and security policy for Cloudflare and the privacy policy for Fastly online.
npm uses Amazon Web Services servers and services, in service regions all across the world, to power the npm public registry, the website, and other npm services. You can read the privacy policy for AWS online.
npm uses Google Cloud Platform to host some npm Enterprise registries. You can read the privacy policy for Google services online.
npm uses Smyte to detect packages that are spam, promote scams, abuse others, or otherwise violate our terms of service. You can read the privacy policy for Smyte online by following the link at the bottom of their homepage.
npm uses Stripe to collect and use payment card data. You can read the privacy policy for Stripe online.
npm uses Salesforce.com to store data about current and potential customers. You can read the privacy policy for Salesforce.com online.
npm uses ZenDesk to receive, manage, and respond to support requests. You can read the privacy policy for ZenDesk online.
npm uses MailChimp to send email to users, such as newsletters. You can read the privacy policy for MailChimp online.
npm uses Yesware to send some email, as well as track who reads and follows links in those messages. You can read the privacy policy for Yesware online.
You can send questions or complaints to:
npm, Inc.
Attention: Data Protection Officer
privacy@npmjs.com
1999 Harrison Street #1150
Oakland, CA 94612
United States of America
European Union users with questions or complaints about GDPR compliance should also address npm's representative in the Union:
DP-Dock GmbH
npm@gdpr-rep.com
Ballindamm 39
20095 Hamburg
Germany
Telephone: +49 (0) 40 99999 - 3430
Mobile: +49 (0) 172 918 22 22
For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities.
This version of npm's privacy questions and answers took effect May 4, 2018.
npm will announce the next version on the npm blog. In the meantime, npm may update its contact information by updating the page at https://www.npmjs.com/policies/privacy, without an announcement. npm may change how it announces changes in future privacy versions.
You can review the history of changes in the Git repository for npm's public policies.