npm CLI


The npm CLI is the command line client that allows developers to install and publish packages to npm registries.

Focus areas

Ineligible submissions

Social engineering

Code execution requiring social engineering or unlikely user interaction is typically not eligible for rewards.

Local access

Vulnerabilities that require local system access, such as local credential storage issues, are ineligible.

Arbitrary code execution in commands that modify the package tree

By default, commands that modify the package tree, such as npm install, run the pre- and post-install scripts. If you would like to disable this, you can set the --ignore-scripts flag. However, note that general code execution that is achieved when using the --ignore-scripts flag is considered out of scope. As stated in the npm documentation, setting the --ignore-scripts flag to true means that “npm does not run scripts specified in package.json files.” Any code execution that occurs when using the --ignore-scripts flag, other than bypassing the specific intended behavior by successfully executing a pre- or post-install script from a package.json file, is considered ineligible.
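The sketch below is an added example, not part of the original page and not npm's own code. It lists the install-time lifecycle scripts that a set of package manifests would trigger by default, which is the set --ignore-scripts is meant to suppress. The function names, the sample manifests and the package names are constructed for illustration; treating the implicit node-gyp step as also skipped by --ignore-scripts is an assumption.

```javascript
// Added example (not npm's code): list the install-time lifecycle scripts a
// set of package manifests would trigger, and whether --ignore-scripts skips them.
const INSTALL_EVENTS = ['preinstall', 'install', 'postinstall'];

// hasBindingGyp models npm's documented default: a package with binding.gyp in
// its root and no install/preinstall script of its own gets `node-gyp rebuild`.
function installScripts(manifest, hasBindingGyp = false) {
  const declared = (manifest && manifest.scripts) || {};
  const effective = { ...declared };
  const implicit = hasBindingGyp && !declared.install && !declared.preinstall;
  if (implicit) effective.install = 'node-gyp rebuild';
  return INSTALL_EVENTS
    .filter((event) => typeof effective[event] === 'string' && effective[event].trim() !== '')
    .map((event) => ({
      event,
      command: effective[event],
      implicit: implicit && event === 'install',
    }));
}

// packages: [{ manifest, hasBindingGyp }] as read from each node_modules/*/package.json.
// Assumption: --ignore-scripts suppresses the implicit node-gyp step as well.
function auditTree(packages, ignoreScripts = false) {
  return packages.flatMap(({ manifest, hasBindingGyp }) =>
    installScripts(manifest, hasBindingGyp).map((s) => ({
      name: manifest.name,
      ...s,
      runs: !ignoreScripts,
    })));
}

// Constructed sample manifests (hypothetical package names).
const SAMPLE_TREE = [
  { manifest: { name: 'plain-lib', scripts: { test: 'node test.js' } } },
  { manifest: { name: 'fetches-binary', scripts: { postinstall: 'node download.js' } } },
  { manifest: { name: 'native-addon' }, hasBindingGyp: true },
  { manifest: { name: 'own-build', scripts: { preinstall: 'node check.js', install: '' } }, hasBindingGyp: true },
];

for (const row of auditTree(SAMPLE_TREE)) {
  console.log(`${row.name}: ${row.event} -> ${row.command}${row.implicit ? ' (implicit)' : ''}`);
}
```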

Upstream dependencies

Vulnerabilities that are due to a vulnerability in an upstream dependency are out of scope and should instead be disclosed to the upstream maintainers. We may make exceptions for vulnerabilities that we deem to have a substantial impact; however, issues should still be directed to the maintainers of the upstream dependency first.
