npm Registry


The npm Registry includes subdomains under * and *. These are services related to serving npm packages to external users and other support for npm.

Focus areas

Ineligible submissions

Vulnerabilities in packages that are hosted on the registry

npm users are responsible for the content hosted in their packages. Any vulnerabilities in user content do not affect the security of npm or its users. We recommend that you report these vulnerabilities directly to the owner of the package.

Malicious packages

npm users are responsible for vetting the content of packages that they choose to install. However, npm takes its responsibility as steward of the JavaScript ecosystem seriously; therefore, we actively scan for malware in the registry.

Infrastructure vulnerabilities

Infrastructure vulnerabilities such as an outdated version of Transport Layer Security (TLS) or a lack of rate limiting are considered out of scope for this bounty program unless you are able to prove privilege escalation or the ability to use it as part of a larger, more impactful attack.
