Privacy Questions and Answers

This notice describes how npm, Inc., or npm for short, collects and uses data about you.

What's most important?

That depends on your personal situation, which is why you should read on and decide for yourself. But at a minimum, absolutely every npm user should understand:

The npm public registry is for making software available to everyone online.

But: Software comes from people, and says something about us.

So: Think carefully about what packages to publish, what data you put in those packages, and what others might do with that data.

When you create an account, certain contact information is displayed publicly in the npm platform. And when you upload a package, your name and contact information may become associated with that package.

If you find yourself in a jam, open a support ticket.

How does npm collect data about me?

npm collects data about you:

  • when you use the npm command, the npx command or another program to access the npm public registry, Enterprise registries that npm hosts, private packages, such as when you're publishing a software package, and APIs for functionality like account and permissions management

  • when you browse the npm website, npmjs.com

  • when you use either the npm command or the website to create an npm account, update your account, and sign up for npm services

  • when you send support, privacy, legal, and other requests to npm

  • when working with and researching current and potential customers

When researching potential customers, npm staff sometimes search the public World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive data about you from data brokers or other private services.

npm may inadvertently collect data about you if it is included in software packages that you or others upload.

What data does npm collect about me, and why?

npm collects data about how you use npm software and registries

When you use the npm command, the npx command, or other software to work with the npm public registry, an Enterprise registry that npm hosts, or private packages, npm logs data that might be identified to you:

  • a random, unique identifier, called npm-session, for each time you run commands like npm install

  • the names and versions of your project's dependencies, their dependencies, and so on, that come from the npm public registry, but not of other dependencies, like Git dependencies

  • the versions of Node.js, the npm command, and the operating system you are using

  • an npm-in-ci header, showing whether the command was run on a continuous integration server

  • the scope of the package for which you ran npm install, as an npm-scope header

  • a referrer header that shows the command you ran, with any file or directory paths redacted

  • data about the software you're using to access the registry, such as the User-Agent string

  • network request data, such as the date and time, your IP address, and the URL

npm uses this data to:

  • fulfill your requests, such as by sending the packages you ask for

  • send you alerts about security vulnerabilities that may affect the software you're building, when you run npm install or npm audit

  • keep registries working quickly and reliably

  • debug and develop the npm command and other software

  • defend registries from abuse and technical attacks

  • compile statistics on package usage and popularity

  • prepare reports on trends in the developer community

  • improve search results on the website

  • recommend packages that may be relevant to your work

npm collects data about how you use the website.

When you visit www.npmjs.com, docs.npmjs.com, and other npm websites, npm uses cookies, server logs, and other methods to collect data about what pages you visit, and when. npm also collects technical information about the software and computer you use, such as:

  • your IP address

  • your preferred language

  • the web browser software you use

  • the kind of computer you use

  • the website that referred you

npm uses data about how you use the website to:

  • optimize the website, so that it's quick and easy to use

  • diagnose and debug technical errors

  • defend the website from abuse and technical attacks

  • compile statistics on package popularity

  • compile statistics on the kinds of software and computers visitors use

  • compile statistics on visitor searches and needs, to guide development of new website pages and functionality

  • decide who to contact about about product announcements, service changes, and new features

npm collects account data

Many features of npm services require an npm account. For example, you must have an npm account to publish packages to the npm public registry.

To create an npm account, npm requires a working email address and an available user name. npm uses this data to provide you access to features and identify you across npm services, publicly and within npm.

You do not have to give your personal or legal name to create an npm account. You can use a pseudonym instead. You can also open more than one account.

If you sign up for an account, then npm will publish account data for the whole world to see on user pages like this one. npm also publishes account data through the npm public registry, which is available for everyone to see, and Enterprise registries that npm hosts for others to find with commands like npm owner ls tap.

If you give npm a personal name or names on social media like GitHub and Twitter through the website, like when you include this on your profile or user page, npm publishes that data along with the email address and user name for the account. You don't have to give npm a personal name or any social media names, and you can remove this data at any time by updating your user page.

npm uses your email to:

  • notify you about packages published using your account

  • reset your password and help keep your account secure

  • add metadata to packages that you publish

  • contact you in special circumstances related to your account or packages

  • contact you about support requests

  • contact you about legal requests, like DMCA takedown requests and privacy complaints

  • announce new npm product offerings, service changes, and features

  • send you tips about how to better use free and paid services

  • send you messages about paid services you might want

npm collects package data

When you use npm publish or other software to publish packages to the npm public registry, an Enterprise registry that npm hosts, or as a private package, npm collects the contents of the package, plus metadata, including your account data. Other npm users may also publish packages that include data about you, such as the fact that you contributed code to a package.

npm uses data in packages to provide those packages to you and others who request them:

  • When you publish a package to the npm public registry, or change a package from private to public, npm makes the package and metadata available to everyone, online.

  • When you publish a package to an Enterprise registry that npm hosts, or as a private package, npm makes all of that data available to other users according to how the registry or the private packages account is configured. You may be able to configure who can access the package, or that may be up to others, such as the administrator of your company's Enterprise registry.

Making package data available to others allows them to download, build on, and depend on your work.

npm collects payment card data

To sign up for paid services, npm requires your payment card data. npm itself does not collect or store enough information to charge your card itself. Rather, Stripe collects that data on npm's behalf, and gives npm security tokens that allow npm to create charges and subscriptions.

npm uses your payment card data only to charge for npm services.

npm instructs Stripe to store your payment card data only as long as you use paid npm services.

npm collects data about correspondence

npm collects data about you when you send npm support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address, and may include your company or other affiliation.

npm uses contact data to:

  • respond to you

  • compile aggregate statistics about correspondence

  • train support staff and other npm personnel

  • review the performance of npm personnel who respond

  • defend npm from legal claims

npm collects data about use of npm.community

npm collects data about visits, user accounts, and forum data on npm.community, the discussion forum for users of npm products and services. npm uses data from npm.community to collaborate with the development community, and to inform development decisions about the command-line interface and other software.

Does npm share data about me with others?

npm shares account data with others as mentioned in the section about account data.

npm shares package data with others as mentioned in the section about package data.

npm publishes posts and other content you submit to npm.community.

npm does not sell information about you to others. However, npm uses services provided by other companies to provide npm services. The types of service providers that npm uses include:

  • Companies that enable us to offer features on our website, such as to display your avatar

  • Companies that facilitate the efficient distribution of content

  • Cloud computing platforms and services that host our discussion forums

  • Services that assist with the detection of spam, scams, abuse others, or other violations of our terms of service

  • Payment processors

  • Platforms to help us receive, manage, and respond to support requests

  • Platforms for internal communication

npm uses cookies

npm's website only uses cookies strictly necessary to provide, optimize and secure the website. For example, we use them to keep you logged in, remember your preferences, authenticate your device for security purposes, analyze your use of the service, compile statistical reports, and provide information for future development of npm. The website uses internal cookies for analytics purposes, not any third-party analytics or service providers.

By using the website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use the website.

How can I make choices about data collection?

You choose what data the npm publish command includes in package data. You can use an .npmignore file in your package to keep specific files out of the package. You can also use a files list in package.json files to instruct npm to include only specific files that you name, in addition to standard files like README files, LICENSE files, and package.json.

To double check the data that you will share in a package that you plan to publish, run the npm publish --dry-run command. If you are running an older version of the npm command, run the npm pack command to create a tarball, then check its contents, such as with tar tvzf $tarball.

To publish a package to the npm public registry, npm's terms of service require you to license npm to share it. If a package is made public, it is available for everyone online to see. However, your choice of public license for your package may affect what others can do with data about you in your package.

npm does not respond to the Do Not Track HTTP header.

Where does npm keep data about me?

npm stores account data, data about website use, data about registry use, and private packages on servers in the United States of America. metadata about those packages worldwide, via content delivery networks.

npm stores package data published to Enterprise registries that npm hosts, plus metadata about them, in cloud computing zones of customers' choosing.

By using the npm platform, you consent to the collection and storage of your data as outlined in this section.

How does npm handle data under the EU General Data Protection Regulation?

npm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). npm processes "Personal Data" on the following legal bases: (1) with your consent; (2) as necessary to perform our agreement to provide our services; and (3) as necessary for our legitimate interests in providing our services where those interests do not override your fundamental rights and freedom related to data privacy. Information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities, as described above.

If you reside in the EEA, Switzerland, or United Kingdom, you are entitled to certain rights, like the right to:

  • complain about our data collection or processing actions with the supervisor authority concerned. You can find a list of data protection authorities here.

  • access to information held about you.

  • ask us to correct or amend inaccurate or incomplete information we have about you.

  • ask us to erase data that under certain circumstances, like (1) when it is no longer necessary for the purpose for which it was collected, (2) you withdraw consent and no other legal basis for processing exists, or (3) you believe your fundamental rights to data privacy and protection outweigh our legitimate interest in continuing the processing.

  • request that we restrict our processing if we are processing your data based on legitimate interests or the performance of a task in the public interest as an exercise of official authority (including profiling); using your data for direct marketing (including profiling); or processing your data for purposes of scientific or historical research and statistics.

When you exercise your rights, npm may need to verify your identity and provide us with information before we access records containing your information. If you want to exercise your rights, please contact npm by opening a support ticket. We may have a reason under the law why we do not have to comply with your request or may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

How does npm handle data under the California Consumer Privacy Act?

npm respects the rights of California residents under the California Consumer Privacy Act (CCPA). Where we collect information that is subject to the CCPA, that information we collect and your rights are described below.

Categories of personal information we collect:

  • Personal Identifiers:

    • Name and email address when you create an account. You will also be asked to create a username and we will assign one or more unique identifiers to your profile. We use this information to provide our services, respond to your requests, and send information to you.

    • We also collect your social media handle and basic account information if you provide it to us or interact with our services, such as our help desk, through social media.

    • We collect your payment information through our service provider, Stripe, as described above.

  • Internet or Other Electronic Network Activity Information: device identifiers such as IP address and user agent; the assigned unique IDs in cookies (as described below); information about how you arrived at and navigated through our Services.

  • Geolocation Data: We do not collect your specific longitude and latitude. However, we do collect imprecise location (e.g., your IP address).

  • Professional or employment-related information: If you apply for employment with us, information about your employment history.

  • Education information: If you apply for employment with us, information about your educational history.

We may collect any other information about you contained in software packages uploaded to our site, as described above under the "npm collects package data" section. We also collect the contents of your communications with us, e.g., when you submit a question to us through a web form or comments to us on social media.

We may disclose any of the categories of personal information listed above and use them for the above-listed purposes or for other business or operational purposes compatible with the context in which the personal information was collected. Our disclosures of personal information include disclosures to our "service providers," which are companies that we engage for business purposes to conduct activities on our behalf. The categories of service providers with whom we share information and the services they provide are described below.

Rights under CCPA:

  • Access/Right to Know: You have the right to request access to personal information we collected about you and information regarding the source of that personal information, the purposes for which we collect it, and the third parties and service providers with whom we share it.

  • Deletion: You have the right to request that we erase data we have collected from you. Please note that we may have a reason to deny your deletion request or delete data in a more limited way than you anticipated, e.g., because of a legal obligation to retain it.

To exercise your rights above, you can open a support ticket. When we process your request, we must verify your identity by asking you to (1) provide personal identifiers that we can match against information we may have collected from you previously; and (2) confirm your request using the email stated in the request.

Opt-out of sale:

California residents have the right to request that we stop "selling" their personal information. A "sale" of personal information is defined broadly: "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." We do not sell your information as defined by the CCPA.

Please note that your right to opt out does not apply to our sharing of personal information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function.

We may also disclose information to other entities who are not listed here when required by law or to protect our Company or other persons, as described in our Privacy Policy.

How can I see what data is publicly available about me?

You can access your account data at any time by visiting your account page on www.npmjs.com. Your account page also lists all the packages published under your account or other accounts.

You can access package data by downloading the packages, as long as they're public or you have permission to access them.

You can see metadata about packages by running npm info $package, or by accessing the appropriate registry's API. Registry APIs provide metadata in standard JSON format, and packages as tarballs.

How can I change data about me?

You can change your personal account data and payment card data at any time by visiting your account settings page on www.npmjs.com. You can change account and payment data for Enterprise by contacting support.

You can close your npm account at any time by e-mailing contacting support. Closing your account removes the profile from the public registry but does not automatically erase packages published under your account. We may retain some data about you internally even where you close your account.

npm's unpublish policy determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.

If another user improperly publishes personal data about you, in a package or otherwise, open a support ticket.

Please note that while npm publishes notices about published data that's been erased, npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.

What is npm's policy on unpublishing packages?

Please see our policy on "unpublishing" packages or our terms of service for more information on erasing packages].

If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, open a support ticket. npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our terms of service.

How does npm notify others about published data that's erased?

npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:

  • npm publishes new placeholder versions of some erased packages, with README files that mention the package has been erased, and why.

  • npm's registry APIs, special software services that others use to copy data from the npm public registry, send update messages about packages that have been erased.

What happens if npm merges with or is bought by another company?

We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.

What are npm's information practices regarding information belonging to children?

npm's site and services are intended for users age sixteen and older. npm does not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.

Who can I contact about npm and my privacy?

Please open a support ticket. You may also contact our Data Protection Officer directly.

Our United States HQ:

GitHub Data Protection Officer
Attention: npm Data Protection
88 Colin P. Kelly Jr. St.
San Francisco, CA 94107
United States

or our EU Office:

GitHub BV
Vijzelstraat 68-72
1017 HL Amsterdam
The Netherlands

How can I find out about changes?

This version of npm's privacy questions and answers took effect June 3, 2020.

npm will announce the next version on the npm blog. In the meantime, npm may update its contact information by updating the page at https://docs.npmjs.com/privacy, without an announcement. npm may change how it announces changes in future privacy versions.

You can review the history of changes in the Git repository for npm's public policies.