Note: Vulnerability reporting is currently only available for packages in the public npm registry.
- Vulnerability is reported
- npm Security triages vulnerability report
- npm Security notifies package maintainers
- npm Security publishes security advisory when package maintainers release a fix
- If maintainers are unresponsive after 45 days, npm Security makes the advisory public
Reporting a vulnerability
Note: Vulnerability reports are sent to the npm Security team, not the package maintainer.
- Gather information about the vulnerability.
- On the package page, click Report a vulnerability.
- On the vulnerability report page, provide information about yourself and the vulnerability:
- Name: Your name.
- Email address: An email address the npm Security team can use to contact you.
- Package name: The name of the package that contains the vulnerability.
- Package version: The version of the package that contains the vulnerability. Include all affected versions.
- Description of vulnerability: A brief description of the vulnerability and its effects. Include references, commits, and/or code examples that would help our researchers reproduce and investigate the vulnerability.
- Click Send Report.