Report a security vulnerability

You must be logged in and have verified your email address in order to report a vulnerability.

You can also send an email to [email protected].

Our disclosure timeline

  1. Vulnerability is reported
  2. npm Security triages vulnerability report
  3. npm Security notifies package maintainers
  4. npm Security publishes security advisory when package maintainers release a fix
  5. If maintainers are unresponsive after 45 days, npm Security makes the advisory public