Report a security vulnerability
You must be logged in and have verified your email address in order to report a vulnerability.You can also send an email to [email protected].
Our disclosure timeline
- Vulnerability is reported
- npm Security triages vulnerability report
- npm Security notifies package maintainers
- npm Security publishes security advisory when package maintainers release a fix
- If maintainers are unresponsive after 45 days, npm Security makes the advisory public