npm CLI


The npm CLI is the command line client that allows developers to install and publish packages to npm registries.

Focus areas

Ineligible submissions

Social engineering

Code execution requiring social engineering or unlikely user interaction is typically not eligible for rewards.

Local access

Vulnerabilities that require local system access (for example, local credential storage issues) are not eligible.

Arbitrary code execution in commands that modify the package tree

By default, commands that modify the package tree, such as npm install, run the pre- and post-install scripts. If you would like to disable this, you can set the --ignore-scripts flag.

Upstream dependencies

Vulnerabilities that are due to a vulnerability in an upstream dependency are out of scope and should instead be disclosed to the upstream maintainers. We may make exceptions for vulnerabilities that we deem to have a substantial impact; however, issues should still be directed to the maintainers of the upstream dependency first.

Submit a vulnerability for npm CLI

Recently collected npm CLI bounties:

No vulnerabilities have been reported yet. Yours can be the first!