├── .gitignore
├── README.md
└── archived
    ├── .npmrc
    ├── DEVELOPING.md
    ├── Makefile
    ├── README.md
    ├── bin
    │   └── write.sh
    ├── business-solution-terms.md
    ├── conduct.md
    ├── configuration.tmpl
    ├── crawlers.md
    ├── deploy.sh
    ├── disputes.md
    ├── dmca.md
    ├── domains.md
    ├── npm-license.md
    ├── open-source-terms.md
    ├── orgs-plan.md
    ├── package-lock.json
    ├── package.json
    ├── privacy.md
    ├── private-terms.md
    ├── receiving-reports.md
    ├── security.md
    ├── solo-plan.md
    ├── terms.md
    ├── trademark.md
    └── unpublish.md

/.gitignore:
--------------------------------------------------------------------------------
node_modules
out
Gemfile.lock

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# policies

This Repository is now Archived. Our current policies can be found at https://github.com/npm/documentation/tree/main/content/policies

--------------------------------------------------------------------------------
/archived/.npmrc:
--------------------------------------------------------------------------------
@npm:registry=https://npm.pkg.github.com/
--------------------------------------------------------------------------------
/archived/DEVELOPING.md:
--------------------------------------------------------------------------------
# developing

## Creating new files or renaming existing files

TEMPORARY AS OF 09/17: If you create new files, or rename existing files,
please ping **@chrisdickinson** or **@jefflembeck** in Slack. They will move
the files from "draft" mode to "live" mode.

## Deploying to staging or production

This repo follows our formula for git-deploy repos, meaning that you can deploy
to the staging or production environments by pushing the contents of a branch
to the `deploy-staging` or `deploy-production` branch:

`git push origin +master:deploy-staging`
`git push origin +master:deploy-production`

--------------------------------------------------------------------------------
/archived/Makefile:
--------------------------------------------------------------------------------
# Every *.md in the repo root becomes out/<name>.html, rendered with marked.
mdfiles = $(wildcard *.md)
htmlfiles = $(addprefix out/,$(mdfiles:.md=.html))
marked = ./node_modules/.bin/marked

all: html

html: $(htmlfiles)

# Render one markdown file; depends on the marked binary so a fresh clone
# installs it before the first build.
out/%.html: %.md $(marked)
	@mkdir -p out
	$(marked) < $< > $@

# Install node dependencies only when the marked binary is missing.
$(marked):
	npm install

.PHONY: clean

clean:
	rm -rf out

--------------------------------------------------------------------------------
/archived/README.md:
--------------------------------------------------------------------------------
# old policies

These are the archived policies of npm. The policies in this folder are out of date. The current up to date policies can be found at https://docs.npmjs.com/policies and the source can be found at https://github.com/npm/documentation/tree/main/content/policies
--------------------------------------------------------------------------------
/archived/bin/write.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Only publish when the checked-out commit is exactly the tip of the deploy
# branch for this environment (origin/deploy-staging or origin/deploy-production);
# otherwise exit quietly without writing anything.
head=$(git rev-parse HEAD)
target=$(git rev-parse origin/deploy-${NODE_ENV})

if [ "$head" != "$target" ]; then
  exit
fi

# Install pinned dependencies from the lockfile and render the markdown to HTML.
npm ci
make
echo out/*.html
for path in out/*.html; do
  filename=$(basename $path)
  name=${filename%.*}
  # README.html maps to the bare /policies slug; everything else to /policies/<name>.
  candidate_slug="/policies/${name}"
  slug=${candidate_slug/\/README/}
  title=${name/-/ }

  # Wrap the rendered HTML in the page markup (the markup inside the quotes is
  # not preserved in this copy of the script).
  echo '
' >> ${path}.tmp
  cat $path >> ${path}.tmp
  echo '
' >> ${path}.tmp

  echo "writing $slug ('$title') for $path"
  node_modules/.bin/mkp $slug -t "npm | policies | ${title}" ${path}.tmp >/dev/null || echo 'failed to write'
done

--------------------------------------------------------------------------------
/archived/business-solution-terms.md:
--------------------------------------------------------------------------------
# npm Business Solution Terms

Version 4.2.1

These terms and the **Quote** sent by _npm_ or presented to _Customer_ through npmjs.com or AWS Marketplace make up an agreement between **npm** and **Customer**.

## Background

- _npm_ develops computer software and services for installing, managing, and sharing **Packages** of computer code and data.

- _npm_'s command-line interface, or **CLI**, allows programmers to create, download, and share _Packages_ through online repositories called registries. _npm_ licenses the _CLI_ on _Open-Source Terms_, so anyone can use it free of charge.

- _npm_ hosts the world's largest and most-used registry of _Packages_, the **npm Public Registry**. All _Packages_ in the _npm Public Registry_ are public, and anyone can download them.

- Most software developers search and discover _Packages_ in the _npm Public Registry_ through the **npm Website**, https://www.npmjs.com. Developers also visit the _npm Website_ to create and manage accounts for publishing _Packages_.

- _npm_ uses its familiarity and expertise with the _CLI_, _npm Public Registry_, and _npm Website_ to develop and offer software services for sharing _Packages_ privately within organizations, and for performing security analysis of _Packages_ that organizations use.

- **npm Orgs** gives organizations access to, and control over, a named space, or **Scope**, for public and private _Packages_ of their own, on the same infrastructure as the _npm Public Registry_.

- **npm Enterprise** gives organizations access to their own, private registry, hosted on infrastructure separate from the _npm Public Registry_.

- _npm_ publishes **Documentation** for the _CLI_, _npm Orgs_, and _npm Enterprise_ at https://docs.npmjs.com/.

- This is an agreement for _npm_ to provide either _npm Orgs_ or _npm Enterprise_ for _Customer_, as **Customer's Solution**.

- This agreement governs use of _Customer's Solution_. _Customer_'s use of the _npm Public Registry_, _npm Website_, and any other _npm_ services is governed by the terms of use for those offerings.

## npm's Obligations

### Host Customer's Solution

_npm_ agrees to provide _Customer's Solution_ so that _Customer Personnel_ can use the _Feature Set_ via the Internet, with computers and software that meet the requirements set out in the _Documentation_.

### Isolate npm Enterprise

If _Customer's Solution_ is _npm Enterprise_, _npm_ agrees to run _npm Enterprise_ for _Customer_ in its own, isolated virtual environment, separated from environments used to run _npm Enterprise_ for other customers.

### Provide a Scope

If _Customer's Solution_ is _npm Orgs_, _npm_ agrees to provide _Customer_ its own, uniquely named _Scope_ for _Packages_ on _npm Public Registry_ infrastructure. If _Customer_ received the _Quote_ and selected a _Scope_ name through the _npm Website_, that will be the name of _Customer_'s _Scope_. Otherwise, _npm_ and _Customer_ will collaborate to identify an available _Scope_ name for _Customer_.

### Maintain Customer's Solution

_npm_ agrees to update _Customer's Solution_ with software updates and fixes made generally available to other customers paying for the same solution. Updates and fixes do not include new or preexisting add-on features and complimentary services for which _npm_ charges additional fees.

### Allow High-Volume Use of the npm Public Registry

While this agreement continues and _Customer_ has paid all fees as required by this agreement, _npm_ waives the rule of its terms of service for the _npm Public Registry_ that prohibits _Customer_ from making an unreasonable volume of requests. _Customer_ may make up to 500,000,000 requests to the _npm Public Registry_ in any rolling thirty-calendar-day period, through _Customer's Solution_ or otherwise. This agreement does not change the terms of service for the _npm Public Registry_ in any other way.

### Publish Documentation

_npm_ agrees to publish the _Documentation_ so _Customer_ personnel can read it on the World Wide Web.

### Maintain the CLI

_npm_ agrees to publish a version of the _CLI_ compatible with _Customer's Solution_, free of charge, on _Open-Source Terms_.

### List Customer as a Supporter

If the _Quote_ specifies a promotional tier, then _npm_ agrees to display _Customer_'s logotype with those of other sponsors of the same tier on the _npm Website_.

### Keep Customer Data Confidential

_npm_ agrees not to access, use, or disclose _Customer Data_ without _Permission_, except:

- as needed to host _Customer's Solution_

- to monitor use of _Customer's Solution_ to prevent, detect, and mitigate breach of this agreement

- to improve _Customer's Solution_ and the efficiency with which _npm_ provides it, to _Customer_ and others

- to respond to _Technical Support Requests_

### Take Security Precautions

_npm_ agrees to take industry-standard security precautions to defend _Customer's Solution_ from malicious technical attack and _Data Breach_. _npm_ does not guarantee that _Customer's Solution_ will be completely free of software bugs or configuration errors affecting security, or completely secure from all possible technical attack.

### Provide Technical Support

#### Technical Support

_npm_ agrees to task _npm_ **Support Personnel** with responding to **Technical Support Requests** from _Customer Personnel_. _Technical Support Requests_ must be opened at https://npmjs.com/support/.

#### Scope of Technical Support

_npm_ agrees to task _Support Personnel_ with diagnosing and resolving _Technical Support Requests_ related to configuring standard features of _Customer's Solution_ per the _Documentation_, use of the _CLI_ with _Customer's Solution_, downtime or software errors encountered when using _Customer's Solution_, and threats of malicious technical attack or _Data Breach_.

#### Support Request Triage

- **Critical Support Requests** are _Technical Support Requests_ that report that:

    - Systems providing _Customer's Solution_ are down or unresponsive.

    - _Users_ cannot download from or publish to _Customer's Solution_.

    - _Customer's Solution_ is under imminent threat of malicious technical attack or _Data Breach_.

- All other _Technical Support Requests_ are **Regular Support Requests**.

#### Technical Support Responsiveness

##### Support Offerings

- If _Customer's Solution_ is _npm Enterprise_, then _npm_ agrees to provide _Premium Support_. _npm_ does not offer _npm Enterprise_ with _Basic Support_.

- If _Customer's Solution_ is _npm Orgs_, then _npm_'s support commitment depends on the _Quote_. If the _Quote_ specifies _Premium Support_, then _npm_ agrees to provide _Premium Support_. Otherwise, by default, _npm_ agrees to provide _Basic Support_.

##### Premium Support

**Premium Support** means that _npm_ will:

- Respond to _Critical Support Requests_ within three _Business Hours_, and update on status every two _Business Hours_.

- Respond to _Regular Support Requests_ within eight _Business Hours_.

##### Basic Support

**Basic Support** means that _npm_ will:

- Respond to _Critical Support Requests_ within eight _Business Hours_, and update on status every _Business Day_.

- Respond to _Regular Support Requests_ within sixteen _Business Hours_.

#### Technical Support Escalation

_npm_ agrees to task _Support Personnel_ with promptly escalating _Technical Support Requests_ that _Support Personnel_ cannot resolve independently to _npm_ engineering personnel responsible for _Customer's Solution_. In general, _Support Personnel_ will remain the primary point of contact for _Customer Personnel_, coordinate with _npm_ engineering personnel, and relay questions, advice, and progress to _Customer Personnel_. Where appropriate, _Support Personnel_ may connect _Customer Personnel_ to _npm_ engineering personnel directly.

#### Refund Fees for Unresponsive Technical Support

If _npm_ fails to meet [Technical Support Responsiveness](#technical-support-responsiveness) for three _Billing Periods_ in a row, and _Customer_ ends this agreement at the end of those _Billing Periods_, citing poor support responsiveness, _npm_ agrees to refund any _Prepaid Fees_, as well as 5% of all fees that _Customer_ paid for the three _Billing Periods_.

### Honor any Uptime Commitment

If _npm_ makes an **Uptime Commitment** in the _Quote_:

#### Service-Level Agreement

So long as _Customer's Solution_ remains within the _Use Limits_ and customer abides by [Follow Rules About Use](#follow-rules-about-use) and [Enforce Rules About Use](#enforce-rules-about-use), _npm_ agrees to host _Customer's Solution_ with _Uptime_ no less than the _Uptime Commitment_.

#### Give Credits for Low Uptime

_npm_ agrees to credit _Customer_'s account on _Notice_ and verification that _npm_ failed to provide service according to [Service-Level Agreement](#service-level-agreement) in the current _Billing Period_ or any of the three prior _Billing Periods_:

- 5% of _Service Fees_ for any _Billing Period_ with _Uptime_ between zero and one percentage point less than the _Uptime Commitment_

- 10% of _Service Fees_ for any _Billing Period_ with _Uptime_ between one and two percentage points less than the _Uptime Commitment_

- 25% of _Service Fees_ for any _Billing Period_ with _Uptime_ at or below three percentage points less than the _Uptime Commitment_

#### Apply Credits for Low Uptime

_npm_ agrees to apply any credits under [Give Credits for Low Uptime](#give-credits-for-low-uptime) against _Customer_'s obligations to pay fees as soon as possible. _npm_ does not agree to refund any credits.

#### Refund Fees for Low Uptime

If _npm_ credits _Customer_'s account under [Give Credits for Low Uptime](#give-credits-for-low-uptime) for three _Billing Periods_ in a row, and _Customer_ ends this agreement at the end of those _Billing Periods_, citing low _Uptime_, _npm_ agrees to refund all _Service Fees_ that _Customer_ paid for the three _Billing Periods_, as well as any _Prepaid Fees_.

### Use Responsible Subcontractors

_npm_ agrees to take responsibility for any breach of [Keep Customer Data Confidential](#keep-customer-data-confidential), [Take Security Precautions](#take-security-precautions), [Prepare for Disasters](#prepare-for-disasters), or [Keep Malicious Code Out of the Software](#keep-malicious-code-out-of-the-software) by _npm_ employees and contractors, as if _npm_ breached itself.

### Refund Prepaid Fees for Removed Features

If _npm_ changes or removes features from _Customer's Solution_, substantially reducing how useful _Customer's Solution_ is to _Customer_, and _Customer_ ends this agreement in the same _Billing Period_ as the change or the next _Billing Period_, citing the change, _npm_ agrees to refund any _Prepaid Fees_.

### Keep Malicious Code Out of the Software

_npm_ agrees to take industry-standard precautions to keep the software that _npm_ runs to provide _Customer's Solution_ free of computer viruses, Trojans, worms, and other malicious code.

### Prepare for Disasters

_npm_ agrees to:

- adopt, maintain, and periodically review a written plan to recover from any _Disaster_ affecting the systems used to provide _Customer's Solution_ or the integrity of _Customer Data_

- share the plan with relevant _npm_ personnel

- follow the plan if a _Disaster_ happens

### Protect Customer from Liability

So long as _Customer_ has paid all fees as required by this agreement:

#### Indemnify Customer

Subject to [How to Receive Indemnification](#how-to-receive-indemnification), _npm_ agrees to give _Customer_ _Indemnification_ for _Legal Claims_ by others alleging that _Permitted Use of Customer's Solution_ infringes any copyright, trademark, or trade secret right, or breaks any law.

#### Provide Assurance About Patents

As of the day _npm_ signs this agreement, _npm_ employees are not aware of any patent that _npm_ would infringe by selling _Customer's Solution_ under this agreement, or that _Customer_ would infringe by _Permitted Use of Customer's Solution_.

#### Give Notice of Infringement or Noncompliance Claims

_npm_ agrees to give _Customer_ prompt _Notice_ of any _Infringement or Noncompliance Claim_.

### Protect Customer After this Agreement Ends

[Keep Customer Data Confidential](#keep-customer-data-confidential) and [Indemnify Customer](#indemnify-customer) will continue after this agreement ends.

## Customer's Obligations

### Pay Fees

_Customer_ agrees to pay all **Service Fees** for _Customer's Solution_ in advance, for each _Billing Period_, according to the _Quote_. _Customer_ agrees to pay all tax on fees, except tax _npm_ owes on income.

### Handle Tax Withholding

If _Customer_ is located outside the United States, and local law requires _Customer_ to withhold taxes on fees paid under this agreement:

- _Customer_ agrees to make the required tax withholding payments for _npm_ by deducting the right amounts from payments to _npm_ and paying them to the proper tax authorities.

- _Customer_ agrees to increase the amount of each payment made under this agreement to offset withholding, so that _npm_ receives the full amount owed according to the _Quote_.

- _Customer_ agrees to provide _npm_ relevant official tax documentation and tax receipts showing that withholding was required, and that proper withholding payment has been made, as soon as possible after making any withholding payment.

### Follow Rules About Use

_Customer_ agrees not to:

- infringe anyone else's _Intellectual Property Right_ using _Customer's Solution_

- violate anyone else's rights using _Customer's Solution_

- breach any agreement using _Customer's Solution_

- break the law using _Customer's Solution_

- reverse engineer _Customer's Solution_

- circumvent any access controls or other limits of _Customer's Solution_

- circumvent code in _Customer's Solution_ that monitors, reports on, or enforces _Use Limits_

- strain the technical infrastructure of _Customer's Solution_ with an unreasonable volume of requests, or requests designed to impose an unreasonable load on IT systems underlying _Customer's Solution_

- license, sell, lease, or otherwise let anyone but _Customer Personnel_ use _Customer's Solution_

- furnish _Customer Data_ in any way that infringes any _Intellectual Property Right_, breaks any law, or breaches any other agreement

- furnish _Customer Data_ subject to _Special Data Regulations_

- reuse any one set of _Access Credentials_ for multiple _Users_

- remove proprietary notices from _Customer's Solution_ or the _Documentation_

- use _Customer's Solution_ to assess whether or how to create a competitive offering, or to assess the competitive strengths or weaknesses of _Customer's Solution_ in comparison to a current or potential _Customer_ offering

- publish data about the performance of _Customer's Solution_

### Keep Access Credentials Secret and Secure

_Customer_ agrees to keep _Access Credentials_ secret and secure, and to share and distribute _Access Credentials_ only as needed to use _Customer's Solution_ and services under this agreement.

### Enforce Rules About Use

_Customer_ agrees to take responsibility for any breach of [Follow Rules About Use](#follow-rules-about-use) or [Keep Access Credentials Secret and Secure](#keep-access-credentials-secret-and-secure) by _Customer Personnel_, as if _Customer_ breached itself.

### Update Account Details

_Customer_ agrees to use the _Account Dashboard_ to keep its contact, payment, and other administrative details complete, accurate, and up-to-date.

### Indemnify npm

Subject to [How to Receive Indemnification](#how-to-receive-indemnification), _Customer_ agrees to give _npm_ _Indemnification_ from _Legal Claims_ by others based on:

- breach of this agreement

- _Customer Data_

- _Use of Customer's Solution at Customer's Own Risk_

- misuse of _Customer_'s _Access Credentials_

### Protect npm After this Agreement Ends

[Pay Fees](#pay-fees) and [Indemnify npm](#indemnify-npm) will continue after this agreement ends.

## Intellectual Property

### Existing and Outside IP

This agreement does not change ownership of any _Intellectual Property Right_ held by either side, before or after entering this agreement.

### Copyright License

_npm_ grants _Customer_ and each of the _Users_ a _Standard License_, for any copyrights _npm_ can license, as needed to make _Permitted Use of Customer's Solution_ and read the _Documentation_.

### Patent License

_npm_ grants _Customer_ and each of the _Users_ a _Standard License_, for any patents _npm_ can license, as needed to make _Permitted Use of Customer's Solution_.

### No Other Licenses

Except for the licenses in [Intellectual Property](#intellectual-property), this agreement does not license or assign any _Intellectual Property Right_.

### Public Licenses

The terms of this agreement are separate from, and independent of, the terms of any public licenses that _npm_ grants for the _CLI_ or other _npm_ software.

## Changes

### Changes Customer May Make

Subject to [How to Make Changes](#how-to-make-changes):

- _Customer_ may end this agreement at any time.

- If the _Quote_ specifies a way to calculate fees for different _Use Limits_, _Customer_ may change its _Use Limits_ within the limits specified in the _Quote_ at any time. _Customer_ changes to _Use Limits_ take effect as soon as _Customer_ pays any added fees.

- _Customer_ may grant and revoke access to _Customer's Solution_ to _Users_' _npm_ accounts within _Customer_'s _Use Limits_.

### Changes npm May Make

Subject to [How to Make Changes](#how-to-make-changes):

- _npm_ may end this agreement on the next date it would otherwise renew by giving _Notice_ at least one month in advance.

- _npm_ may end this agreement immediately if _Customer_ breaches this agreement and fails to cure the breach within seven calendar days of _Notice_.

- _npm_ may add, remove, and change software features of _Customer's Solution_.

- _npm_ may change the _Documentation_.

- _npm_ may take any of these steps in response to an _Infringement or Noncompliance Claim_:

    - _npm_ may upgrade _Customer's Solution_ so that _Permitted Use of Customer's Solution_ will no longer infringe or break the law.

    - _npm_ may change how it provides _Customer's Solution_ so that use of _Customer's Solution_ will no longer infringe or break the law.

    - If the problem is infringement, _npm_ may get a license for _Customer_ so that use of _Customer's Solution_ will no longer infringe.

    - If the problem is illegality, _npm_ may get the government approvals, licenses, or other requirements needed to abide by the law.

    - _npm_ may end this agreement and refund any _Prepaid Fees_.

### Renewal

This agreement begins on the date in the _Quote_ and continues for the initial term in the _Quote_. If the _Quote_ does not specify an initial term, this agreement continues for an initial term of one _Billing Period_. Unless the _Quote_ says otherwise, this agreement renews automatically for consecutive _Billing Periods_ after the initial term.

## Liability

### Agreed Legal Remedies

- _Customer_'s only legal remedy for failures to meet [Technical Support Responsiveness](#technical-support-responsiveness) will be credits under [Refund Fees for Unresponsive Technical Support](#refund-fees-for-unresponsive-technical-support).

- _Customer_'s only legal remedies for failures to meet [Honor any Uptime Commitment](#honor-any-uptime-commitment) will be credits under [Apply Credits for Low Uptime](#apply-credits-for-low-uptime) and refunds under [Refund Fees for Low Uptime](#refund-fees-for-low-uptime).

- _Customer_'s only legal remedy for changes to the software features of _Customer's Solution_ will be refunds under [Refund Prepaid Fees for Removed Features](#refund-prepaid-fees-for-removed-features).

- Each side's only legal remedy for _Legal Claims_ covered by _Indemnification_ will be _Indemnification_.

### Valid Excuses

Neither side will be liable for any failure or delay in meeting any obligation under this agreement caused by a _Disaster_, failure of the other side or its personnel to meet their obligations under this agreement, or actions done or delayed on specific written request of the other side.

### Only Express Warranties

***Except for its obligations in [npm's Obligations](#npms-obligations), _npm_ provides _Customer's Solution_ "as is", without any warranty at all. _npm_ disclaims any warranties the law might otherwise imply, like warranties of merchantability, fitness for any particular purpose, title, or noninfringement.***

### Limited Damages

#### Damages Limit

***Subject to [Damages Limit Exceptions](#damages-limit-exceptions), neither side's total liability under this agreement will exceed the amount of fees _npm_ received from _Customer_ during the twelve months before the first claim is filed. This limit applies even if the side liable is advised that the other side may suffer damages.***

#### Damages Exclusion

***Neither side will be liable for breach-of-contract damages they could not have reasonably foreseen when entering this agreement.***

#### Damages Limit Exceptions

[Limited Damages](#limited-damages) does not limit damages for breach of:

- [Keep Customer Data Confidential](#keep-customer-data-confidential)

- [Provide Assurance About Patents](#provide-assurance-about-patents)

- [Indemnify Customer](#indemnify-customer)

- [Pay Fees](#pay-fees)

- [Follow Rules About Use](#follow-rules-about-use)

- [Enforce Rules About Use](#enforce-rules-about-use)

- [Indemnify npm](#indemnify-npm)

## Process

### How to Receive Indemnification

Both sides agree that to receive _Indemnification_ under this agreement, they must give _Notice_ of any covered _Legal Claims_ quickly, allow the other side to control investigation, defense, and settlement, and cooperate with those efforts.
Both sides agree that if they fail to give _Notice_ of any covered _Legal Claims_ quickly, _Indemnification_ will not cover amounts that could have been defended against or mitigated if _Notice_ had been given quickly. Both sides agree that if they take control of the defense and settlement of any _Legal Claims_ covered by _Indemnification_, they will not agree to any settlements that admit fault for, or impose obligations on, the other side without their _Permission_.

### How to Give Notice

Both sides agree that to give _Notice_ under this agreement, the side giving _Notice_ must send it by e-mail to the address the recipient provided on entering into this agreement, to _npm_ at legal@npmjs.com, or to a different address given later for _Notice_ going forward. If either side finds that e-mail can't be delivered to the address given, it may give _Notice_ by registered mail to the address on file for the recipient with the state under whose laws it is organized.

### How to Make Changes

_Customer_ agrees to make changes to this agreement through the account dashboard of _Customer's Solution_ whenever possible. If the account dashboard does not provide a user interface for making a particular change, or the account dashboard is not available or malfunctions, _Customer_ may make its change by _Notice_ to _npm_. _npm_ agrees to make changes to this agreement by _Notice_.

## General Contract Terms

### Governing Law

California law will govern this agreement.

### Government Procurement

_npm Orgs_ and _npm Enterprise_ are commercial computer software, and the _Documentation_ is commercial computer software documentation. All were developed exclusively at private expense. If _Customer_'s procurement is subject to Federal Acquisition Regulation 12.212 or Defense Federal Acquisition Regulation Supplement 227.7202, _Customer_'s rights will be only those stated in this agreement.

### Publicity

_npm_ may identify _Customer_ as an _npm_ customer to current and potential customers, and may list _Customer_'s business name and logotype in promotional materials, such as _npm_'s websites.

### Whole Agreement

Both parties intend these terms, together with the _Quote_, as the final, complete, and only expression of their terms about use of _Customer's Solution_. However, this agreement does not affect the terms of any separate nondisclosure or confidentiality agreement _npm_ and _Customer_ may have.

### Enforcement

Only _npm_ and _Customer_ may enforce this agreement.

### Assignment

Each party may assign all its rights, licenses, and obligations under this agreement, as a whole, to a new legal entity created to change its jurisdiction or legal form of organization, or to an entity that acquires substantially all of its assets or enough securities to control its management. Otherwise, each party needs _Permission_ to assign any right, license, or obligation under this agreement. Attempts to assign against this agreement will have no legal effect.

### Lawsuits

#### Forum

Both sides agree to bring any _Lawsuit_ in the state and federal courts sitting in the cities of San Francisco and Oakland, California \(the **Designated Courts**\).

#### Exclusive Jurisdiction

Both sides consent to the exclusive jurisdiction of the _Designated Courts_. Both sides may enforce judgments from the _Designated Courts_ in other jurisdictions.

#### Inconvenient Forum Waiver

Both sides waive any objection to venue for any _Lawsuit_ in the _Designated Courts_ and any claim that the other brought any _Lawsuit_ in the _Designated Courts_ in an inconvenient forum.

## Definitions

- **Access Credentials** means a user name and password, license key, or other secret that affords use of _Customer's Solution_.

- **Account Dashboard** means the account management section of the _npm Website_.

- **Billing Period** means a successive, month-long period. The first _Billing Period_ starts on the date of this agreement. The plural is **Billing Periods**.

- **Business Day** means a day other than a Saturday, Sunday, or a day when commercial banks in San Francisco, California typically stay closed. The plural is **Business Days**.

- **Business Hour** means an hour between 0900 and 1800 Pacific Time on a _Business Day_. The plural is **Business Hours**.

- **Customer Data** means data that:

    - _Users_ furnish to _Customer's Solution_, such as by entering it or configuring _Customer's Solution_ to gather or receive it, if doing so doesn't breach this agreement

    - _Customer's Solution_ collects about _Users_ and how they use _Customer's Solution_

    - _Customer Personnel_ furnish to _Support Personnel_ via _Technical Support Requests_

- **Customer Personnel** means _Customer_'s employees and each _Customer_ subsidiary's employees, as well as individuals providing services to _Customer_ as independent contractors.

- **Data Breach** means malicious technical compromise, unauthorized access to, or unauthorized disclosure of _Customer Data_.

- **Disaster** means:

    - fire, flood, earthquake, and other natural disasters

    - declared and undeclared war, act of terrorism, sabotage, riot, civil disorder, rebellion, and revolution

    - extraordinary malfunction of Internet infrastructure, data centers, or communications utilities

    - malicious technical attack on systems providing _Customer's Solution_

    - government action taken in response to any of these

- **Feature Set** means all software features of _Customer's Solution_ described in the _Documentation_ on the date of this agreement.

- **Indemnification** means indemnity and holding harmless for all liability, expenses, damages, and costs.

- **Infringement or Noncompliance Claim** means a court order against use of _Customer's Solution_ based on a claim that it infringes any _Intellectual Property Right_, or breaks any law, or a threat of that kind of claim that _npm_ believes credible.

- **Intellectual Property Right** means any patent, copyright, trademark, or trade secret right, or any other legal right typically referred to as an intellectual property right.

- **Lawsuit** means a lawsuit brought by one side against the other, related to this agreement or _Customer's Solution_.

- **Legal Claims** means claims, demands, lawsuits, and other legal actions.

- **Notice** means a written communication from one side to the other per [How to Give Notice](#how-to-give-notice).

- **Open-Source Terms** means the terms of a form license approved by the Open Source Initiative.

- **Permission** means prior _Notice_ of consent.

- **Permitted Use of Customer's Solution** means _Customer_'s use of _Customer's Solution_, other than _Use of Customer's Solution at Customer's Own Risk_.

- **Prepaid Fees** means fees _Customer_ prepaid for _Billing Periods_ yet to begin.

- **Special Data Regulations** means laws and regulations that impose special requirements on the collection, storage, processing, or transmission of particular kinds of data about individuals. The Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Children's Online Privacy Protection Act, and Fair Credit Reporting Act are some _Special Data Regulations_. Laws that apply to data merely because they may identify specific individuals are not _Special Data Regulations_.

- **Standard License** means a nonexclusive license during the term of this agreement, without rights to sublicense, that is conditional on payment of all fees as required by this agreement and limited by the _Use Limits_.

- **Use of Customer's Solution at Customer's Own Risk** means:

    - use of _Customer's Solution_ in breach of this agreement

    - use of _Customer's Solution_ with changes, additions, or in combination with other software, systems, or data, in a way that infringes someone else's _Intellectual Property Right_ or breaks the law, if use of _Customer's Solution_ as provided, as described by the _Documentation_, would not

    - unauthorized use of _Customer's Solution_ with _Customer_ _Access Credentials_

- **Uptime** means the percentage of wall-clock time during a _Billing Period_ when _Users_ can download from, publish to, and search _Customer's Solution_, subject to [Valid Excuses](#valid-excuses).

- **Use Limits** means any numeric limits on use of _Customer's Solution_ specified in the _Quote_, such as a limit on number of _Users_.
516 | 517 | - **Users** means _Customer Personnel_ that _Customer_ configures _Customer's Solution_ to allow to: 518 | 519 | - download or publish _Packages_ to _Customer_'s _Scope_, if _Customer's Solution_ is _npm Orgs_ 520 | 521 | - download or publish _Packages_ to _Customer_'s instance of _npm Enterprise_, if _Customer's Solution_ is _npm Enterprise_ 522 | -------------------------------------------------------------------------------- /archived/conduct.md: -------------------------------------------------------------------------------- 1 | # npm Code of Conduct 2 | 3 | npm exists to facilitate sharing code, by making it easy for 4 | JavaScript module developers to publish and distribute packages. 5 | 6 | npm is a piece of technology, but more importantly, it is a community. 7 | 8 | We believe that our mission is best served in an environment that is 9 | friendly, safe, and accepting; free from intimidation or harassment. 10 | 11 | Towards this end, certain behaviors and practices will not be 12 | tolerated. 13 | 14 | ## tl;dr 15 | 16 | * Be respectful. 17 | * We're here to help 18 | * Abusive behavior is never tolerated. 19 | * Data published to npm is hosted at the discretion of the service 20 | administrators, and may be removed. 21 | * Violations of this code may result in swift and permanent expulsion 22 | from the npm community. 23 | 24 | ## Scope 25 | 26 | We expect all members of the npm community, including paid and unpaid 27 | agents, administrators, users, and customers of npm, Inc., to abide by 28 | this Code of Conduct at all times in all npm community venues, online 29 | and in person, and in one-on-one communications pertaining to npm 30 | affairs. 31 | 32 | This policy covers the usage of the npm registry, as well as the npm 33 | website, npm related events, and any other services offered by or on 34 | behalf of npm, Inc. (collectively, the "Service"). 
It also applies to 35 | behavior in the context of the npm Open Source project communities, 36 | including but not limited to public GitHub repositories, IRC channels, 37 | social media, mailing lists, and public events. 38 | 39 | This Code of Conduct is in addition to, and does not in any way 40 | nullify or invalidate, any other terms or conditions related to use of 41 | the Service. 42 | 43 | The definitions of various subjective terms such as "discriminatory", 44 | "hateful", or "confusing" will be decided at the sole discretion of 45 | the npm abuse team. 46 | 47 | ## Friendly Harassment-Free Space 48 | 49 | We are committed to providing a friendly, safe and welcoming 50 | environment for all, regardless of gender identity, sexual 51 | orientation, ability, ethnicity, religion, age, physical 52 | appearance, body size, race, or similar personal characteristics. 53 | 54 | We ask that you please respect that people have differences of opinion 55 | regarding technical choices, and that every design or implementation 56 | choice carries a trade-off and numerous costs. There is seldom a 57 | single right answer. A difference of technology preferences is not a 58 | license to be rude. 59 | 60 | Disputes over package rights must be handled respectfully, according 61 | to the terms described in the [Disputes Policy](https://www.npmjs.com/policies/disputes). 62 | There is never a good reason to be rude over package name disputes. 63 | 64 | Any spamming, trolling, flaming, baiting, or other attention-stealing 65 | behavior is not welcome, and will not be tolerated. 66 | 67 | Harassing other users of the Service is never tolerated, whether via 68 | public or private media. 69 | 70 | Avoid using offensive or harassing package names, nicknames, or other 71 | identifiers that might detract from a friendly, safe, and welcoming 72 | environment for all. 
73 | 74 | Harassment includes, but is not limited to: harmful or prejudicial 75 | verbal or written comments related to gender identity, sexual 76 | orientation, ability, ethnicity, religion, age, physical 77 | appearance, body size, race, or similar personal characteristics; 78 | inappropriate use of nudity, sexual images, and/or sexually explicit 79 | language in public spaces; threats of physical or non-physical harm; 80 | deliberate intimidation, stalking or following; harassing photography 81 | or recording; sustained disruption of talks or other events; 82 | inappropriate physical contact; and unwelcome sexual attention. 83 | 84 | ## Acceptable Use 85 | 86 | The Service administrators reserve the right to make judgment calls 87 | about what is and isn't appropriate in published packages, package names, 88 | user and organization names, and other public content. Packages that 89 | violate the npm Service's 90 | [Acceptable Use](https://www.npmjs.com/policies/open-source-terms#acceptable-use) 91 | rules, including its 92 | [Acceptable Content](https://www.npmjs.com/policies/open-source-terms#acceptable-use) 93 | rules, will be deleted, at the discretion of npm. 94 | 95 | ## Reporting Violations of this Code of Conduct 96 | 97 | Please select the method of contact you think is most appropriate for 98 | the form of violation: 99 | 100 | * For urgent security issues, please open a ticket at . 101 | Requests to un-publish packages are not usually considered urgent security 102 | issues, as it is possible to [un-publish a package](https://docs.npmjs.com/cli/unpublish) 103 | within 24 hours of its first publish. Any publicly published package 104 | is [immediately replicated to thousands of third-party mirrors](http://blog.npmjs.org/post/101934969510/oh-no-i-accidentally-published-private-data-to), 105 | so any confidential information contained in a package should be considered 106 | immediately compromised.
107 | 108 | * If you believe someone is harassing you or is demonstrating 109 | some other form of malicious or inappropriate behavior, open a support 110 | ticket at https://npmjs.com/support. If this is the initial report of a problem, 111 | please include as much detail as possible. It is easiest for us 112 | to address issues when we have more context. 113 | 114 | * If you have concerns about a potential copyright violation, 115 | please refer to our [Copyright Policy](https://www.npmjs.com/policies/dmca) 116 | and take action as recommended by that policy. 117 | 118 | * If you think a package or other content is "squatting" on a name, 119 | follow the process described in the 120 | [Disputes Policy](https://www.npmjs.com/policies/disputes). 121 | 122 | For any other issues, or if in doubt, [contact support](https://npmjs.com/support). 123 | 124 | 125 | ## Consequences 126 | 127 | All content published to the Service, including user account 128 | credentials, is hosted at the sole discretion of the npm 129 | administrators. 130 | 131 | Unacceptable behavior from any community member, including sponsors, 132 | employees, customers, or others with decision-making authority, will 133 | not be tolerated. 134 | 135 | Anyone asked to stop unacceptable behavior is expected to comply 136 | immediately. 137 | 138 | If a community member engages in unacceptable behavior, the npm 139 | administrators may take any action they deem appropriate, up to and 140 | including a temporary ban or permanent expulsion from the community 141 | without warning (and without refund in the case of a paid event or 142 | service). 143 | 144 | ## Addressing Grievances 145 | 146 | If you feel you have been falsely or unfairly accused of violating 147 | this Code of Conduct, you should notify npm, Inc. We will do our best 148 | to ensure that your grievance is handled appropriately. 
149 | 150 | In general, we will choose the course of action that we judge as being 151 | most in the interest of fostering a safe and friendly community. 152 | 153 | ## Contact Info 154 | 155 | Please open a support ticket at if you need to 156 | report a problem or address a grievance related to an abuse report. 157 | 158 | You are also encouraged to contact us if you are curious about 159 | something that might be "on the line" between appropriate and 160 | inappropriate content. We are happy to provide guidance to help you 161 | be a successful part of our community. 162 | 163 | ## Changes 164 | 165 | This is a living document and may be updated from time to time. 166 | Please refer to the [git history for this 167 | document](https://github.com/npm/policies/commits/master/conduct.md) 168 | to view the changes. 169 | 170 | ## Credit and License 171 | 172 | This Code of Conduct borrows heavily from the Stumptown Syndicate 173 | [Citizen's Code of Conduct](http://citizencodeofconduct.org/), and the 174 | [Rust Project Code of 175 | Conduct](https://www.rust-lang.org/conduct.html). 176 | 177 | This document may be reused under a [Creative Commons 178 | Attribution-ShareAlike 179 | License](https://creativecommons.org/licenses/by-sa/4.0/). 
180 | -------------------------------------------------------------------------------- /archived/configuration.tmpl: -------------------------------------------------------------------------------- 1 | app = "policies" 2 | description = "the rules" 3 | processes = 1 4 | start = "node -pe 'Date.now()'" 5 | 6 | [build] 7 | command = "./bin/write.sh" 8 | 9 | [environment] 10 | SERVICE_NAME = "wubwub" 11 | NODE_ENV = "{{node_env}}" 12 | CMS_HOST = "{{cms_host}}" 13 | CMS_API_KEY = "{{cms_api_key}}" 14 | 15 | -------------------------------------------------------------------------------- /archived/crawlers.md: -------------------------------------------------------------------------------- 1 | # Crawler policy 2 | 3 | npm's full public dataset is available via the [public registry](https://docs.npmjs.com/misc/registry). Using CouchDB replication, you can get a full copy of all metadata, and it is acceptable within our terms of use to download copies of tarballs for inspection or experimentation. 4 | 5 | npm's [website](https://www.npmjs.com) also has package metadata available. We allow this content to be indexed by commercial crawlers such as GoogleBot. At our discretion, we also allow experimental crawlers to access the site, as long as they keep their request velocity to 1 request per second or less. At that velocity, indexing all packages would take 3 days, so if you want a full copy of our metadata it is always going to be faster to access the data via replication, which takes only an hour or two to provide full data and will thereafter automatically stay in sync. 6 | 7 | If you do not wish to install CouchDB to manage replication, we provide [open source software](https://github.com/npm/concurrent-couch-follower) that makes it easy to sync to the registry's public feed. 8 | 9 | If you attempt to access package metadata by high-velocity crawling of the npm website, we reserve the right to rate-limit or ban your IP, user-agent or both. 
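The policy above says the site will rate-limit or ban by IP, user agent, or both when a crawler exceeds about one request per second. The following is an added example, written for this page and not npm's own code, of what that server-side check looks like: a sliding-window velocity count keyed on the (IP, user agent) pair, run over a few constructed access-log lines. The log line format, the field names, the 1 request/second default and the window length are all assumptions made for the example.

```javascript
// Added example (not npm's code): a request-velocity check of the kind the
// crawler policy describes, keyed on client IP plus user agent, run over a few
// constructed access-log lines. The log format, field names and the
// 1 request/second default threshold are assumptions for this example.

// Constructed sample log: "<ip> <ISO-8601 timestamp> \"<user agent>\" <path>"
const SAMPLE_LOG = [
  '203.0.113.7 2024-01-01T00:00:00.000Z "polite-bot/1.0" /package/express',
  '203.0.113.7 2024-01-01T00:00:01.100Z "polite-bot/1.0" /package/lodash',
  '203.0.113.7 2024-01-01T00:00:02.300Z "polite-bot/1.0" /package/react',
  '198.51.100.9 2024-01-01T00:00:00.000Z "fast-bot/0.1" /package/a',
  '198.51.100.9 2024-01-01T00:00:00.200Z "fast-bot/0.1" /package/b',
  '198.51.100.9 2024-01-01T00:00:00.400Z "fast-bot/0.1" /package/c',
  '198.51.100.9 2024-01-01T00:00:00.600Z "fast-bot/0.1" /package/d',
  '198.51.100.9 2024-01-01T00:00:00.800Z "fast-bot/0.1" /package/e',
  '198.51.100.9 2024-01-01T00:00:01.000Z "fast-bot/0.1" /package/f',
  // Same IP as fast-bot but a different user agent: tracked as a separate client.
  '198.51.100.9 2024-01-01T00:00:00.500Z "Mozilla/5.0 (X11; Linux x86_64)" /package/g',
  'this line is malformed and must be skipped, not crash the check',
];

const LINE_RE = /^(\S+) (\S+) "([^"]*)" (\S+)$/;

// Parse one log line; return null for anything that does not match the format
// or carries an unparseable timestamp, so bad input degrades to "ignored".
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[2]);
  if (Number.isNaN(ts)) return null;
  return { ip: m[1], ts, ua: m[3], path: m[4] };
}

// Sliding-window velocity check. For every (ip, user agent) pair, find the
// largest number of requests that fall inside any window of `windowMs`
// milliseconds. A client breaches the policy when that peak exceeds
// maxPerSecond * windowMs / 1000 (with the defaults: more than 1 request
// in any 1-second window).
function findHighVelocityClients(lines, { maxPerSecond = 1, windowMs = 1000 } = {}) {
  const clients = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec === null) continue;
    const key = `${rec.ip}\u0000${rec.ua}`; // separator that will not appear in a log line
    if (!clients.has(key)) clients.set(key, { ip: rec.ip, ua: rec.ua, stamps: [] });
    clients.get(key).stamps.push(rec.ts);
  }

  const allowedPerWindow = maxPerSecond * (windowMs / 1000);
  const flagged = [];
  for (const { ip, ua, stamps } of clients.values()) {
    stamps.sort((a, b) => a - b);
    let peak = 0;
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      // Shrink the window from the left until it spans less than windowMs.
      while (stamps[end] - stamps[start] >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > allowedPerWindow) {
      flagged.push({ ip, ua, peakRequestsPerWindow: peak, allowedPerWindow });
    }
  }
  return flagged;
}

console.log(JSON.stringify(findHighVelocityClients(SAMPLE_LOG), null, 2));
```

Keying on IP and user agent together is what lets the check act on "your IP, user-agent or both": the polite bot and the browser request sharing an address with the fast bot are not flagged, only the fast bot is. In production the same logic would run over a rolling buffer of recent requests rather than a fixed array, and the peak value is what you would feed into a rate-limit or block decision.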
10 | -------------------------------------------------------------------------------- /archived/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | git push origin +master:deploy-staging 3 | git push origin +master:deploy-production 4 | -------------------------------------------------------------------------------- /archived/disputes.md: -------------------------------------------------------------------------------- 1 | # Dispute Resolution 2 | 3 | This document describes the steps that you should take to resolve module 4 | name disputes with other npm publishers. It also describes special steps 5 | you should take about names you think [infringe your trademarks](#trademarks). 6 | 7 | This document is additive to the guidelines in the 8 | [npm Code of Conduct](https://www.npmjs.com/policies/conduct) and 9 | [npm Open-Source terms](https://www.npmjs.com/policies/open-source-terms). 10 | Nothing in this document should be interpreted to contradict any aspect 11 | of the npm Code of Conduct or Open-Source Terms. 12 | 13 | ## tl;dr 14 | 15 | 1. Open a support ticket at 16 | 1. Explain why you require a package, org, or username transferred 17 | 1. Support will address your request. Please note submitting a report does not 18 | guarantee the transfer of a package, org, or username. 19 | 20 | ## When to use this process 21 | 22 | This process is an excellent way to: 23 | 24 | * Adopt a package created from your project, published by someone else 25 | * Report a deliberately misleading or confusing package name 26 | 27 | This process does not apply if the package violates our 28 | [Terms of Use](https://www.npmjs.com/policies/open-source-terms), 29 | in particular our 30 | [Acceptable Use](https://www.npmjs.com/policies/open-source-terms#acceptable-use) 31 | and [Acceptable Content](https://www.npmjs.com/policies/open-source-terms) 32 | rules, or our [Code of Conduct](https://www.npmjs.com/policies/conduct). 
33 | Those documents refer to this one to resolve cases of "squatting"; see 34 | below. 35 | 36 | If you see bad behavior or content you believe is unacceptable, refer to 37 | the Code of Conduct for guidelines on 38 | [reporting violations](https://www.npmjs.com/policies/conduct#reporting-violations-of-this-code-of-conduct). 39 | **You are never expected to resolve abusive behavior on your own.** 40 | **We are here to help.** 41 | 42 | ## When not to use this process 43 | 44 | We are not currently accepting dispute requests to "adopt an abandoned 45 | package" or "Report Squatting" as we re-evaluate and update the overall 46 | dispute process. 47 | 48 | ## Beginning the process 49 | 50 | ### Packages 51 | 52 | To dispute a package called `foo`, follow these steps: 53 | 54 | 1. Open a support ticket at , indicating that 55 | you would like to start the process to request ownership of the `foo` 56 | package. Please explain why you believe the package should be transferred. 57 | You will get an automated reply from npm support to your email address. 58 | 1. Support will address your request. Please note submitting a report does not 59 | guarantee the transfer of a package. 60 | 61 | ### Organizations 62 | 63 | To dispute an organization name, follow these steps: 64 | 65 | 1. Open a support ticket at , indicating that 66 | you dispute an organization name. Include the name of the organization, 67 | e.g. `@foo`. Please explain why you believe the organization should 68 | be transferred. You will get an automated reply from npm support to your 69 | email address. 70 | 1. Support will address your request. Please note submitting a report does not 71 | guarantee the transfer of an organization. 72 | 73 | ### User names 74 | 75 | To dispute a user name, follow these steps: 76 | 77 | 1. Open a support ticket at , indicating that 78 | you dispute a user name. Include the name of the user account, 79 | e.g. `@foo`.
Please explain why you believe the Username should be 80 | transferred. You will get an automated reply from npm support to your 81 | email address. 82 | 1. Support will address your request. Please note submitting a report does not 83 | guarantee the transfer of a user name. 84 | 85 | ## Trademarks 86 | 87 | If you think another npm publisher is infringing your trademark, such 88 | as by using a confusingly similar package, org, or user account name, 89 | open a support ticket at with a link to 90 | the package, org, or user account page on . Attach 91 | a copy of your trademark registration certificate. 92 | 93 | If we see that the user, org, or package publisher is intentionally 94 | misleading others by misusing your registered mark without permission, 95 | we will transfer the account, org, or package name to you. Otherwise, we 96 | will contact the relevant user and ask them to clear up any confusion with 97 | changes to their user account page, or page, or package `README` file. 98 | 99 | Use of npm's own trademarks is covered by our Trademark Policy at 100 | . 101 | 102 | ## Changes 103 | 104 | This is a living document and may be updated from time to time. 105 | Please refer to the [git history for this 106 | document](https://github.com/npm/policies/commits/master/disputes.md) 107 | to view the changes. 108 | 109 | ## Definitions 110 | 111 | ### Squatting 112 | 113 | It is against npm's 114 | [Terms of Use](https://www.npmjs.com/policies/open-source-terms#acceptable-content) 115 | to publish a package, register a user name or an organization name 116 | simply for the purposes of reserving it for future use. 117 | 118 | We do not pro-actively scan the registry for squatted packages, so 119 | the fact that a name is in use does not mean we consider it valid. 
120 | The standards for what we consider squatting depend on what is being 121 | squatted: 122 | 123 | #### Packages 124 | 125 | Package names are considered squatted if the package has no genuine 126 | function. 127 | 128 | #### Organizations 129 | 130 | Organization names are considered squatted if there are no packages 131 | published within a reasonable time. If an organization is a paid 132 | organization, it may have private packages that are invisible to 133 | third parties. For privacy reasons, we cannot reveal whether or not 134 | an organization has private packages, so a paid organization will 135 | never be considered squatted. 136 | 137 | #### User names 138 | 139 | We are extremely unlikely to transfer control of a user name, as it 140 | is totally valid to be an npm user and never publish any packages: 141 | for instance, you might be part of an organization or need read-only 142 | access to private packages. 143 | 144 | ## License 145 | 146 | Copyright (C) npm, Inc., All rights reserved 147 | 148 | This document may be reused under a [Creative Commons 149 | Attribution-ShareAlike 150 | License](https://creativecommons.org/licenses/by-sa/4.0/). 151 | -------------------------------------------------------------------------------- /archived/dmca.md: -------------------------------------------------------------------------------- 1 | # Copyright Policy 2 | 3 | This policy describes how we at npm, Inc., the company behind npmjs.com 4 | and the npm public registry, respond to claims that materials users 5 | have submitted to our service infringe copyright. In short, we follow 6 | the Digital Millennium Copyright Act, or DMCA. 7 | 8 | ## What's the DMCA? 9 | 10 | The DMCA is a United States federal law that sets up a formal process 11 | for reports of copyright infringement by our users, called takedown 12 | notices. It also sets up a process for disputing takedown notices 13 | by sending counter notices.
The law protects us from liability for 14 | infringement by our users when we follow these steps. It also makes 15 | those who abuse the takedown and dispute processes liable for damage 16 | they cause. 17 | 18 | Many online service providers like us handle great numbers of takedown 19 | notices and counter notices. Often, the whole process takes place 20 | online, with the help of automated tools. However, the legal claims 21 | and documents involved remain very serious. Please approach the 22 | process accordingly. 23 | 24 | ## Should I send a takedown notice? 25 | 26 | If you aren't absolutely sure both that you own copyright, and that a 27 | user's material on our service infringes, speak to an attorney before 28 | sending a DMCA takedown notice. Knowing, material misrepresentations 29 | about infringement in a takedown notice can make you liable to us, 30 | the person you allege infringes, copyright owners, and licensees, 31 | all for significant damages, including costs and attorneys' fees. 32 | A lawyer can help you decide if you should file a takedown notice, 33 | and if so, help you prepare it correctly. We cannot. 34 | 35 | ## How do I send a takedown notice? 36 | 37 | Send takedown notices to our agent. You can find their contact 38 | information [below](#agent). 39 | 40 | Per United States Code, title 17, section 512(c)(3), your takedown 41 | notice must have: 42 | 43 | 1. A physical or electronic signature of a person authorized to act 44 | on behalf of the copyright owner. 45 | 46 | 2. Identification of the copyrighted work you claim has been infringed. 47 | 48 | 3. Identification of the infringing material to be removed. 49 | 50 | 4. Contact information, preferably an email address, that we can 51 | use to reach you. 52 | 53 | 5. Your statement of good faith belief that use of the material in 54 | the manner complained of is not authorized by the copyright owner, 55 | its agent, or the law. 56 | 57 | 6.
Your statement that the information in your notice is accurate. 58 | 59 | 7. Your statement, under penalty of perjury, that you are authorized 60 | to act on behalf of the owner of the copyright allegedly infringed. 61 | 62 | ## How do we respond to takedown notices? 63 | 64 | When we receive a valid takedown notice, we forward a copy to the 65 | [Lumen Database](https://lumendatabase.org/) and remove or restrict 66 | access to allegedly infringing material. We then try to contact 67 | the user that submitted the material, to notify them that we have 68 | removed or restricted access to the material, provide them a copy of 69 | the takedown notice, and direct them to this policy. 70 | 71 | When appropriate, we suspend or terminate the accounts of users who 72 | repeatedly infringe copyright through our service. 73 | 74 | ## Should I dispute a takedown? 75 | 76 | If you aren't absolutely sure that your material doesn't infringe 77 | copyright, speak to an attorney before sending a DMCA counter notice. 78 | Knowing, material misrepresentations about mistaken removal or access 79 | restriction can make you liable to us, the one who filed the takedown 80 | notice, copyright owners, and licensees, all for significant damages, 81 | including costs and attorneys' fees. A lawyer can help you decide 82 | if you should file a counter notice, and if so, help you prepare 83 | it correctly. We cannot. 84 | 85 | ## How do I dispute a takedown? 86 | 87 | Do _not_ resubmit material to our service that we removed or restricted 88 | in response to a takedown notice. If you do this, we will suspend 89 | or terminate your account. 90 | 91 | Send counter notices to our agent. You can find their contact 92 | information [below](#agent). 93 | 94 | Per United States Code, title 17, section 512(g)(3), your counter 95 | notice must have: 96 | 97 | 1. Your physical or electronic signature. 98 | 99 | 2. 
Identification of the material removed or access-restricted, and 100 | where it was available via our service before we removed or 101 | restricted access to it. 102 | 103 | 3. Your statement, under penalty of perjury, that you have a good 104 | faith belief that the material was removed or disabled as a result 105 | of a mistake or misidentification of the material. 106 | 107 | 4. Your name, address, and telephone number. 108 | 109 | 5. Your statement that you consent to the jurisdiction of the Federal 110 | District Court for the judicial district in which your address 111 | is located, or if outside the United States, for any judicial 112 | district in which we may be found. 113 | 114 | 6. Your statement that you will accept service of process from the 115 | person who provided the takedown notice, or their agent. 116 | 117 | ## How do we respond to counter notices? 118 | 119 | When we receive a valid counter notice, we forward a copy to the 120 | person who filed the takedown notice. If they don't notify us in ten 121 | business days that they are seeking a court order to prevent further 122 | infringement, we may replace or restore access to the material 123 | we removed. 124 | 125 | ## Where do I send notice? 126 | 127 | Send all takedown notices and counter notices to: 128 | 129 | You can also send an email notification to 130 | [copyright@npmjs.com](mailto:copyright@npmjs.com). You may include an 131 | attachment if you like, but please also include a plain-text version of 132 | your letter in the body of your message. 133 | 134 | If you must send your notice by physical mail, you can do that too, but 135 | it will take substantially longer for us to receive and respond to it. 136 | Notices we receive via plain-text email have a much faster turnaround 137 | than PDF attachments or physical mail.
If you still wish to mail us 138 | your notice, our physical address is: 139 | 140 | GitHub, Inc 141 | Attn: DMCA Agent 142 | 88 Colin P Kelly Jr St 143 | San Francisco, CA. 94107 144 | -------------------------------------------------------------------------------- /archived/domains.md: -------------------------------------------------------------------------------- 1 | # What domains does npm use? 2 | 3 | How can you tell an email or domain really belongs to npm and isn't a phishing attempt? Here's a full list: 4 | 5 | ## Active domains 6 | 7 | * registry.npmjs.org - the official, default npm registry 8 | * npmjs.com - the domain of our website and any email from us 9 | * npm.im - a short domain used to redirect to packages, e.g. npm.im/express 10 | * npm.me - a short domain used for redirects in marketing campaigns, ads, etc. 11 | * npm.red - a domain used for staging our website and registry in development 12 | 13 | ## Formerly used 14 | 15 | * npmcamp.com, npm.camp - for our conference 16 | 17 | ## Idle 18 | 19 | We own these but don't use them for anything (yet). 20 | 21 | * npmjs.net 22 | * npm.rocks 23 | * npm.tips 24 | * npm.xyz 25 | * npm.computer 26 | * npm.technology 27 | * npm.today 28 | * npm.email 29 | * npm.mn 30 | * npm.so 31 | 32 | ## Changes 33 | 34 | This is a living document and may be updated from time to time. 35 | Please refer to the [git history for this 36 | document](https://github.com/npm/policies/commits/master/domains.md) 37 | to view the changes. 38 | 39 | ## License 40 | 41 | Copyright (C) npm, Inc., All rights reserved 42 | 43 | This document may be reused under a [Creative Commons 44 | Attribution-ShareAlike 45 | License](https://creativecommons.org/licenses/by-sa/4.0/). 46 | -------------------------------------------------------------------------------- /archived/npm-license.md: -------------------------------------------------------------------------------- 1 | Copyright (c) npm, Inc. and Contributors 2 | All rights reserved. 
3 | 4 | npm is released under the Artistic License 2.0, subject to additional terms 5 | that are listed below. 6 | 7 | The text of the npm License follows and the text of the additional terms 8 | follows the Artistic License 2.0 terms: 9 | 10 | 11 | -------- 12 | 13 | 14 | The Artistic License 2.0 15 | 16 | Copyright (c) 2000-2006, The Perl Foundation. 17 | 18 | Everyone is permitted to copy and distribute verbatim copies 19 | of this license document, but changing it is not allowed. 20 | 21 | Preamble 22 | 23 | This license establishes the terms under which a given free software 24 | Package may be copied, modified, distributed, and/or redistributed. 25 | The intent is that the Copyright Holder maintains some artistic 26 | control over the development of that Package while still keeping the 27 | Package available as open source and free software. 28 | 29 | You are always permitted to make arrangements wholly outside of this 30 | license directly with the Copyright Holder of a given Package. If the 31 | terms of this license do not permit the full use that you propose to 32 | make of the Package, you should contact the Copyright Holder and seek 33 | a different licensing arrangement. 34 | 35 | Definitions 36 | 37 | "Copyright Holder" means the individual(s) or organization(s) 38 | named in the copyright notice for the entire Package. 39 | 40 | "Contributor" means any party that has contributed code or other 41 | material to the Package, in accordance with the Copyright Holder's 42 | procedures. 43 | 44 | "You" and "your" means any person who would like to copy, 45 | distribute, or modify the Package. 46 | 47 | "Package" means the collection of files distributed by the 48 | Copyright Holder, and derivatives of that collection and/or of 49 | those files. A given Package may consist of either the Standard 50 | Version, or a Modified Version. 
51 | 52 | "Distribute" means providing a copy of the Package or making it 53 | accessible to anyone else, or in the case of a company or 54 | organization, to others outside of your company or organization. 55 | 56 | "Distributor Fee" means any fee that you charge for Distributing 57 | this Package or providing support for this Package to another 58 | party. It does not mean licensing fees. 59 | 60 | "Standard Version" refers to the Package if it has not been 61 | modified, or has been modified only in ways explicitly requested 62 | by the Copyright Holder. 63 | 64 | "Modified Version" means the Package, if it has been changed, and 65 | such changes were not explicitly requested by the Copyright 66 | Holder. 67 | 68 | "Original License" means this Artistic License as Distributed with 69 | the Standard Version of the Package, in its current version or as 70 | it may be modified by The Perl Foundation in the future. 71 | 72 | "Source" form means the source code, documentation source, and 73 | configuration files for the Package. 74 | 75 | "Compiled" form means the compiled bytecode, object code, binary, 76 | or any other form resulting from mechanical transformation or 77 | translation of the Source form. 78 | 79 | 80 | Permission for Use and Modification Without Distribution 81 | 82 | (1) You are permitted to use the Standard Version and create and use 83 | Modified Versions for any purpose without restriction, provided that 84 | you do not Distribute the Modified Version. 85 | 86 | 87 | Permissions for Redistribution of the Standard Version 88 | 89 | (2) You may Distribute verbatim copies of the Source form of the 90 | Standard Version of this Package in any medium without restriction, 91 | either gratis or for a Distributor Fee, provided that you duplicate 92 | all of the original copyright notices and associated disclaimers. At 93 | your discretion, such verbatim copies may or may not include a 94 | Compiled form of the Package. 
95 | 96 | (3) You may apply any bug fixes, portability changes, and other 97 | modifications made available from the Copyright Holder. The resulting 98 | Package will still be considered the Standard Version, and as such 99 | will be subject to the Original License. 100 | 101 | 102 | Distribution of Modified Versions of the Package as Source 103 | 104 | (4) You may Distribute your Modified Version as Source (either gratis 105 | or for a Distributor Fee, and with or without a Compiled form of the 106 | Modified Version) provided that you clearly document how it differs 107 | from the Standard Version, including, but not limited to, documenting 108 | any non-standard features, executables, or modules, and provided that 109 | you do at least ONE of the following: 110 | 111 | (a) make the Modified Version available to the Copyright Holder 112 | of the Standard Version, under the Original License, so that the 113 | Copyright Holder may include your modifications in the Standard 114 | Version. 115 | 116 | (b) ensure that installation of your Modified Version does not 117 | prevent the user installing or running the Standard Version. In 118 | addition, the Modified Version must bear a name that is different 119 | from the name of the Standard Version. 120 | 121 | (c) allow anyone who receives a copy of the Modified Version to 122 | make the Source form of the Modified Version available to others 123 | under 124 | 125 | (i) the Original License or 126 | 127 | (ii) a license that permits the licensee to freely copy, 128 | modify and redistribute the Modified Version using the same 129 | licensing terms that apply to the copy that the licensee 130 | received, and requires that the Source form of the Modified 131 | Version, and of any works derived from it, be made freely 132 | available in that license fees are prohibited but Distributor 133 | Fees are allowed. 
134 | 135 | 136 | Distribution of Compiled Forms of the Standard Version 137 | or Modified Versions without the Source 138 | 139 | (5) You may Distribute Compiled forms of the Standard Version without 140 | the Source, provided that you include complete instructions on how to 141 | get the Source of the Standard Version. Such instructions must be 142 | valid at the time of your distribution. If these instructions, at any 143 | time while you are carrying out such distribution, become invalid, you 144 | must provide new instructions on demand or cease further distribution. 145 | If you provide valid instructions or cease distribution within thirty 146 | days after you become aware that the instructions are invalid, then 147 | you do not forfeit any of your rights under this license. 148 | 149 | (6) You may Distribute a Modified Version in Compiled form without 150 | the Source, provided that you comply with Section 4 with respect to 151 | the Source of the Modified Version. 152 | 153 | 154 | Aggregating or Linking the Package 155 | 156 | (7) You may aggregate the Package (either the Standard Version or 157 | Modified Version) with other packages and Distribute the resulting 158 | aggregation provided that you do not charge a licensing fee for the 159 | Package. Distributor Fees are permitted, and licensing fees for other 160 | components in the aggregation are permitted. The terms of this license 161 | apply to the use and Distribution of the Standard or Modified Versions 162 | as included in the aggregation. 163 | 164 | (8) You are permitted to link Modified and Standard Versions with 165 | other works, to embed the Package in a larger work of your own, or to 166 | build stand-alone binary or bytecode versions of applications that 167 | include the Package, and Distribute the result without restriction, 168 | provided the result does not expose a direct interface to the Package. 
169 | 170 | 171 | Items That are Not Considered Part of a Modified Version 172 | 173 | (9) Works (including, but not limited to, modules and scripts) that 174 | merely extend or make use of the Package, do not, by themselves, cause 175 | the Package to be a Modified Version. In addition, such works are not 176 | considered parts of the Package itself, and are not subject to the 177 | terms of this license. 178 | 179 | 180 | General Provisions 181 | 182 | (10) Any use, modification, and distribution of the Standard or 183 | Modified Versions is governed by this Artistic License. By using, 184 | modifying or distributing the Package, you accept this license. Do not 185 | use, modify, or distribute the Package, if you do not accept this 186 | license. 187 | 188 | (11) If your Modified Version has been derived from a Modified 189 | Version made by someone other than you, you are nevertheless required 190 | to ensure that your Modified Version complies with the requirements of 191 | this license. 192 | 193 | (12) This license does not grant you the right to use any trademark, 194 | service mark, tradename, or logo of the Copyright Holder. 195 | 196 | (13) This license includes the non-exclusive, worldwide, 197 | free-of-charge patent license to make, have made, use, offer to sell, 198 | sell, import and otherwise transfer the Package with respect to any 199 | patent claims licensable by the Copyright Holder that are necessarily 200 | infringed by the Package. If you institute patent litigation 201 | (including a cross-claim or counterclaim) against any party alleging 202 | that the Package constitutes direct or contributory patent 203 | infringement, then this Artistic License to you shall terminate on the 204 | date that such litigation is filed. 205 | 206 | (14) Disclaimer of Warranty: 207 | THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS 208 | IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. 
THE IMPLIED 209 | WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR 210 | NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL 211 | LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL 212 | BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL 213 | DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF 214 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 215 | 216 | 217 | -------- 218 | 219 | 220 | The following additional terms shall apply to use of the npm software, the npm 221 | website, the npm repository and any other services or products offered by npm, 222 | Inc.: 223 | 224 | "Node.js" trademark Joyent, Inc. npm is not officially part of the Node.js 225 | project, and is neither owned by nor affiliated with Joyent, Inc. 226 | 227 | "npm" and "The npm Registry" are owned by npm, Inc. All rights reserved. 228 | 229 | Modules published on the npm registry are not officially endorsed by npm, Inc. 230 | or the Node.js project. 231 | 232 | Data published to the npm registry is not part of npm itself, and is the sole 233 | property of the publisher. While every effort is made to ensure accountability, 234 | there is absolutely no guarantee, warranty, or assertion expressed or implied 235 | as to the quality, fitness for a specific purpose, or lack of malice in any 236 | given npm package. Packages downloaded through the npm registry are 237 | independently licensed and are not covered by this license. 238 | 239 | Additional policies relating to, and restrictions on use of, npm products and 240 | services are available on the npm website. All such policies and restrictions, 241 | as updated from time to time, are hereby incorporated into this license 242 | agreement. By using npm, you acknowledge your agreement to all such policies 243 | and restrictions. 
244 | 245 | If you have a complaint about a package in the public npm registry, and cannot 246 | resolve it with the package owner, please 247 | [contact support](https://npmjs.com/support) and explain the situation. 248 | See the [npm Dispute Resolution policy](https://github.com/npm/policies/blob/master/disputes.md) for more details. 249 | 250 | Any data published to The npm Registry (including user account information) may 251 | be removed or modified at the sole discretion of the npm server administrators. 252 | 253 | "npm Logo" contributed by Mathias Pettersson and Brian Hammond, 254 | use is subject to https://www.npmjs.com/policies/trademark 255 | 256 | "Gubblebum Blocky" font 257 | Copyright (c) by Tjarda Koster, https://jelloween.deviantart.com 258 | included for use in the npm website and documentation, 259 | used with permission. 260 | 261 | This program uses several Node modules contained in the node_modules/ 262 | subdirectory, according to the terms of their respective licenses. 263 | -------------------------------------------------------------------------------- /archived/open-source-terms.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # npm Open-Source Terms 4 | 5 | These npm Open Source terms of use (these _Terms_) govern access to 6 | and use of (the _Website_) as well as the 7 | "npm Public Registry" at (the _Public 8 | Registry_), and the discussion forum at 9 | (_npm.community_). npm, Inc. (_npm_) operates each of those 10 | services. These terms refer to all of them together as _npm Open 11 | Source_. 12 | 13 | npm last updated these npm Open Source Terms on 14 | December 16, 2019. 15 | You can review prior versions at 16 | . 
17 | 18 | ## Important Terms 19 | 20 | ***These Terms include a number of important provisions that affect your 21 | rights and responsibilities, such as the disclaimers in "Disclaimers", 22 | limits on npm's liability to you in "Limits on Liability", and an 23 | agreement to arbitrate disputes individually in "Arbitration".*** 24 | 25 | ## Other Terms 26 | 27 | npm offers additional, paid services (_Paid Services_) that are subject 28 | to additional terms: 29 | 30 | - Additional terms for npm Paid Services are available at 31 | . 32 | 33 | npm Open Source and any Paid Services you may agree to use are together 34 | called _npm Services_ throughout these Terms. 35 | 36 | ## Legal Agreement 37 | 38 | You may only access or use npm Services by agreeing to these Terms. 39 | If npm adds any additional functionality to npm Services, you must 40 | agree to these Terms to use that new functionality, too. You show your agreement 41 | with npm on these Terms by creating a user account (your _Account_) 42 | or by accessing or using npm Services without creating an account. 43 | The agreement between you and npm is a legally binding contract (this 44 | _Agreement_). 45 | 46 | ## Changes 47 | 48 | npm may change these Terms and the additional terms for Paid Services 49 | in the future. npm will post changes on the Website with a new "last 50 | updated" date. If you have an Account, npm will notify you of changes 51 | by email to the address provided for your Account, by a message on the 52 | Website, or both. If you do not have an account, npm may notify you of 53 | changes by a general announcement via the Website, but it is up to you 54 | to check for changes to these Terms. After receiving notice of changes 55 | to these Terms, you must accept those changes to continue using npm 56 | Services. You accept changes to these Terms by continuing to use npm 57 | Services. npm may change, suspend, or discontinue npm Services at any 58 | time without notice or liability to you. 
59 | 60 | ## npm Policies 61 | 62 | npm respects your privacy and limits use and sharing of information 63 | about you collected by npm Services. The privacy policy at 64 | (the _Privacy Policy_) 65 | describes these policies. npm will abide by the Privacy Policy and honor 66 | the privacy settings that you choose via npm Services. 67 | 68 | npm respects the exclusive rights of copyright holders and responds 69 | to notifications about alleged infringement via npm Services per 70 | the copyright policy at (the 71 | _Copyright Policy_). 72 | 73 | npm resolves disputes about package names, user names, and organization 74 | names in the Public Registry per the policy at 75 | (_Dispute Policy_). This 76 | includes "package squatting". 77 | 78 | Use of all npm Services is governed by the code of conduct at 79 | (_Code of Conduct_). 80 | 81 | npm permits use of npm trademarks per the policy at 82 | . 83 | 84 | ## Use of npm Open Source 85 | 86 | Subject to these Terms, npm grants you permission to use npm Open 87 | Source. That permission is not exclusive to you, and you cannot transfer 88 | it to anyone else. 89 | 90 | Your permission to use npm Open Source entitles you to do the following: 91 | 92 | 1. You may search for, download, publish, and manage packages of 93 | computer code (_Packages_) in the Public Registry, and otherwise 94 | interact with the Public Registry, via the command-line tool 95 | published by npm at (the _CLI_). 96 | 97 | 2. You may search for, download, publish, and manage Packages using 98 | software other than CLI via application programming interfaces that 99 | npm publicly documents or makes available for public use (_Public 100 | APIs_). 101 | 102 | 3. You may search for and manage Packages in the Public Registry, and 103 | otherwise interact with the Public Registry, via the Website. 104 | 105 | 4. You may update and manage your Account via the Website. 106 | 107 | 5. 
You may visit, create an account for, and participate in, 108 | discussions on npm.community. 109 | 110 | ## Conditions 111 | 112 | Your permission to use npm Open Source, as well as any permission you 113 | may have to use Paid Services, are subject to the following conditions: 114 | 115 | 1. You must be at least 13 years of age to use npm Services. 116 | 117 | 2. You may not use npm Services after npm says you may not, such as by 118 | disabling your Account. 119 | 120 | 3. You must use npm Services only in accordance with "Acceptable Use". 121 | 122 | 4. You may access and use data about the security of Packages, such 123 | as vulnerability reports, audit status reports, and supplementary 124 | security documentation, only for your own personal or internal 125 | business purposes. You may _not_ provide others access to, copies 126 | of, or use of npm data about the security of Packages, directly 127 | or as part of other products or services. 128 | 129 | ## Acceptable Use 130 | 131 | 1. You will abide by the 132 | [Code of Conduct](https://www.npmjs.com/policies/conduct) and the 133 | [Dispute Policy](https://www.npmjs.com/policies/disputes). 134 | 135 | 2. You will not submit material to npm as a package or in any other 136 | form that violates npm's _Acceptable Content_, described below. 137 | 138 | 3. You will not disclose information that you do not have the right to 139 | disclose, such as confidential information of others. 140 | 141 | 4. You will not copy or share any personally identifiable information of 142 | any other person without their specific permission. 143 | 144 | 5. You will not violate any applicable law. 145 | 146 | 6. You will not use or attempt to use another person's Account without 147 | their specific permission. 148 | 149 | 7. You will not buy, sell, or otherwise trade in user names, 150 | organization names, names for _Packages_, or any other names 151 | reserved on _npm Services_, for money or other compensation. 152 | 153 | 8. 
You will not use _npm Services_' ability to send e-mail to send 154 | advertisements, chain letters, or other solicitations. 155 | 156 | 9. You will not automate access to, use, or monitor the Website, such 157 | as with a web crawler, browser plug-in or add-on, or other computer 158 | program that is not a web browser. You may replicate data from the 159 | Public Registry using the Public APIs per this Agreement. 160 | 161 | 10. You will not use npm Services to send email to distribution lists, 162 | newsgroups, or group mail aliases. 163 | 164 | 11. You will not falsely imply that you are affiliated with or endorsed 165 | by npm. 166 | 167 | 12. You will not operate illegal schemes, such as pyramid schemes, via 168 | npm Services. 169 | 170 | 13. You will not deep-hyperlink to images or other non-hypertext content 171 | served by npm Services. 172 | 173 | 14. You will not remove any marking indicating proprietary ownership 174 | from any material got via npm Services. 175 | 176 | 15. You will not display any portion of the Website via an HTML IFRAME. 177 | 178 | 16. You will not disable, avoid, or circumvent any security or access 179 | restrictions of npm Services, or access parts of npm Services not 180 | intended for access by you. 181 | 182 | 17. You will not strain infrastructure of npm Services with an 183 | unreasonable volume of requests, or requests designed to impose an 184 | unreasonable load on IT systems underlying npm Services. This rule 185 | is intentionally loose, to give npm the flexibility it needs to keep 186 | npm Services working for the user community as a whole. But to draw 187 | one clear line, under no circumstances are five million requests to 188 | npm Services in a single month-long period by any single individual, 189 | organization, or group of affiliated companies remotely reasonable. If 190 | you have a special need to make lots and lots of requests, [our 191 | sales team](mailto:sales@npmjs.com) can help. 192 | 193 | 18. 
You will not encourage or assist any other person in violation of 194 | "Acceptable Use". 195 | 196 | ## Acceptable Content 197 | 198 | Administrators at npm reserve the right to delete content hosted on 199 | the npm Services that they deem unacceptable. Unacceptable content 200 | can take the form of a package, a README file, a user or organization 201 | name, or any other content submitted to npm Services. A few examples 202 | of unacceptable content: 203 | 204 | 1. Content that is illegal, offensive, or otherwise harmful. This includes 205 | content that is harassing, inappropriate, or abusive. 206 | 207 | 2. Content in violation of law, infringing the intellectual property 208 | rights of others, violating the privacy or other rights of others, 209 | or in violation of any agreement with a third party. This includes 210 | code that violates a public license for others' work. 211 | 212 | 3. Content containing malicious computer code, such as computer viruses, 213 | computer worms, rootkits, back doors, or spyware. This includes content 214 | submitted for research purposes. Tools designed and documented explicitly to 215 | assist in security research are acceptable, but exploits and malware that 216 | use the npm registry as a deployment or delivery vector are not. 217 | 218 | 4. Packages that are not functionally compatible with the npm 219 | command-line client. For example, a "package" cannot simply be 220 | a PNG or JPEG image, a movie file, or a text document uploaded 221 | directly to the registry. Using the Public Registry as a general purpose database is not allowed. 222 | 223 | 5. Content that exists only to "reserve" a name, whether a package name, 224 | user name, or organization name. The 225 | [Dispute Policy](https://www.npmjs.com/policies/disputes) governs 226 | how npm handles such cases of "squatting". 
227 | 228 | To find out how to report violations of Acceptable Content, refer to the 229 | [Code of Conduct](https://www.npmjs.com/policies/conduct). 230 | 231 | ## Commercial Content 232 | 233 | The npm Public Registry is about Packages. All manner of 234 | useful Packages are welcome, from hobby projects to 235 | competitive products, enterprise infrastructure and tooling 236 | to the latest fun hack or work of software art. 237 | 238 | At the same time, the npm Public Registry, the Website, and 239 | important conventions like `README` go beyond just code. 240 | Developers use all of those channels to communicate more 241 | broadly about code, who is developing it, why, and how. 242 | 243 | That communication is important, and welcome, so long as it 244 | respects that the npm Public Registry, the website, and npm 245 | Open Source more generally remain neutral. You are free to 246 | use npm Open Source for commercial projects, to advance your 247 | career, and for other business purposes. But you may not 248 | leverage content or system conventions to make the npm 249 | Public Registry, Website, or CLI put business before code. 250 | 251 | These kinds of commercial content are generally acceptable 252 | in `README` files and other documentation: 253 | 254 | 1. Credits, acknowledgments, attributions, and other 255 | recognitions of contributions to Packages. 256 | 257 | 2. Information on how to pay, donate to, and otherwise 258 | support Package development, Package developers, and 259 | Package steward organizations. 260 | 261 | 3. Logos from, and links to, organizations developing, 262 | stewarding, or sponsoring Package development. 263 | 264 | 4. Information on paid products and services related to 265 | Packages, such as enhanced versions, add-ons, commercial 266 | license terms, training, integration, or support. 267 | 268 | These kinds of commercial content generally _aren't_ 269 | acceptable: 270 | 271 | 1. 
`README`, `package.json`, or other content displaying 272 | advertisements. 273 | 274 | 2. Packages that display ads at runtime, on installation, 275 | or at other stages of the software development 276 | lifecycle, such as via [npm 277 | scripts](https://docs.npmjs.com/misc/scripts). Packages 278 | with code that can be used to display ads are fine. 279 | Packages that themselves display ads are not. 280 | 281 | 3. Packages that function primarily as ads, with only 282 | placeholder or negligible code, data, and other 283 | technical content. 284 | 285 | These examples are just examples. npm will continue to 286 | apply its judgment when deciding what content is acceptable. 287 | npm will continue to expect you to apply your own judgment 288 | when choosing what you share and how. 289 | 290 | ## Enforcement of Acceptable Use 291 | 292 | npm may investigate and prosecute violations of this Agreement to the 293 | fullest legal extent. npm may notify and cooperate with law enforcement 294 | authorities in prosecuting violations of this Agreement. 295 | 296 | ## Your Account 297 | 298 | You must create and log into an Account to access features of some npm 299 | Services, including npm Open Source. 300 | 301 | To create an Account, you must provide certain information about 302 | yourself, as required by the account creation form on the Website or the 303 | CLI. If you create an Account, you will provide, at a minimum, a valid 304 | email address. You will keep that email address up-to-date. You will 305 | not impersonate any other individual. You may delete your Account at any 306 | time by [contacting support](https://npmjs.com/support). 307 | 308 | You will be responsible for all action taken using your account, whether 309 | authorized by you or not, until you either close your account or give 310 | npm notice that the security of your Account has been compromised. 
311 | You will notify npm immediately if you suspect the security of your 312 | Account has been compromised. You will select a secure password for your 313 | Account. You will keep your password secret. 314 | 315 | npm may restrict, suspend, or terminate your Account according to the 316 | Copyright Policy, if npm reasonably believes that you are in breach of 317 | these Terms, or if npm reasonably believes that you have misused npm 318 | Services. 319 | 320 | ## Your Content 321 | 322 | Nothing in this Agreement gives npm any ownership rights in intellectual 323 | property that you share with npm Services, such as your Account 324 | information or any Packages you share with npm Services (_Your 325 | Content_). Nothing in this Agreement gives you any ownership rights in 326 | npm intellectual property provided via npm Services, like software, 327 | documentation, trademarks, service marks, logotypes, or other 328 | distinguishing graphics. 329 | 330 | Between you and npm, you remain solely responsible for Your Content. You 331 | will not wrongly imply that Your Content is sponsored or approved by 332 | npm. npm will not be obligated to store, maintain, or provide copies of 333 | your content, except per the Privacy Policy. 334 | 335 | npm may remove Your Content from npm Services without notice if npm 336 | suspects Your Content was submitted or used in violation of "Acceptable 337 | Use", as well as per the Copyright Policy. 338 | 339 | Your Content belongs to you. You decide whether and how to license it. 340 | But at a minimum, you license npm to provide Your Content to users 341 | of npm Services when you share Your Content. That special license 342 | allows npm to copy, publish, and analyze Your Content, and to share 343 | its analyses with others. npm may run computer code in Your Content to 344 | analyze it, but npm's special license alone does not give npm the right 345 | to run code for its functionality in npm products or services. 
346 | 347 | When Your Content is removed from npm Services, 348 | whether by you or npm, npm's special license ends when the last copy 349 | disappears from npm's backups, caches, and other systems. Other 350 | licenses, such as open source licenses, may continue after Your Content 351 | is removed. Those licenses may give others, or npm itself, the right to 352 | share Your Content with npm Services again. 353 | 354 | Others who receive Your Content via npm Services may violate the terms 355 | on which you license Your Content. You agree that npm will not be liable 356 | to you for those violations or their consequences. 357 | 358 | ## Feedback 359 | 360 | npm welcomes your feedback and suggestions for npm Services. You agree 361 | that npm will be free to act on feedback and suggestions you provide 362 | without further notice, consent, or payment. You will not submit 363 | feedback or suggestions that you consider confidential or proprietary. 364 | 365 | ## Indemnity 366 | 367 | You will indemnify npm, its officers, directors, employees, 368 | representatives, and agents, and hold them harmless for, all liability, 369 | expenses, damages, and costs from any third-party claims, demands, 370 | lawsuits, or other proceedings alleging that Your Content, your use 371 | of npm Services, or both, violate the intellectual property right of 372 | a third party, this Agreement, or applicable law. You will not settle 373 | any such proceeding without the prior written consent of npm. npm will 374 | notify you of any such proceeding it becomes aware of. 375 | 376 | ## Disclaimers 377 | 378 | ***Use of npm Services is at your sole risk. npm Services are provided 379 | on an "as is" and "as available" basis. 
npm expressly disclaims all 380 | warranties of any kind, whether express, implied, or statutory, 381 | including implied warranties of title, noninfringement, merchantability, 382 | and fitness for a particular purpose.*** 383 | 384 | ***npm makes no warranty that npm Services will meet your requirements, 385 | operate in an uninterrupted, timely, secure, or error-free manner, or 386 | that errors in npm Services will be corrected.*** 387 | 388 | ***You receive material via npm Services at your sole risk. You will be 389 | solely responsible for any damage to your computer system and network, 390 | as well as any data loss that may result from use of npm Services or 391 | material received via npm Services.*** 392 | 393 | npm Services may provide information and software that is inaccurate, 394 | incomplete, misleading, illegal, offensive, or otherwise harmful. npm 395 | may, but does not promise to, review content provided by npm Services. 396 | 397 | npm Services provide information about ownership and licensing of 398 | Packages, as provided by those Packages' publishers. That information 399 | may be wrong. npm cannot and does not provide legal advice. 400 | 401 | ### Third-Party Services 402 | 403 | npm Services may hyperlink to and integrate with third-party 404 | applications, websites, and other services. You decide whether and how 405 | to use and interact with such services. npm does not make any warranty 406 | regarding such services or content they may provide, and will not be 407 | liable to you for any damages related to such services. Use of such 408 | third-party services may be governed by other terms and privacy notices 409 | that are not part of this Agreement and are not controlled by npm. 
410 | 411 | ## Limits on Liability 412 | 413 | ***Neither npm nor any third-party service provider used by npm to 414 | provide npm Services will, under any circumstances, be liable to you 415 | for any indirect, incidental, consequential, special, or exemplary 416 | damages related to your use of npm Services or this Agreement, whether 417 | based on breach of contract, breach of warranty, tort (including 418 | negligence, product liability, or otherwise), or any other pecuniary 419 | loss, and whether or not npm has been advised of the possibility of such 420 | damages.*** 421 | 422 | ***To the maximum extent permitted by law, npm's liability to you for 423 | any damages related to this Agreement, for any one or more causes and 424 | regardless of the form of action, will not exceed $50.*** 425 | 426 | Some jurisdictions do not allow exclusion of certain warranties or 427 | limits on liability for incidental or consequential damages. Some of 428 | "Disclaimers" and "Limits on Liability" may not apply to you. 429 | 430 | ## Termination 431 | 432 | Either you or npm may terminate this Agreement at any time with notice 433 | to the other. 434 | 435 | On termination of this Agreement, your permission to use npm Open 436 | Source, as well any permission you may have to access Paid Services 437 | under additional terms, also terminate. 438 | 439 | The following provisions survive termination of this Agreement: "Your 440 | Content", "Feedback", "Indemnity", "Disclaimers", "Limits on Liability", 441 | and "General Terms". Users of npm Services may continue to copy and 442 | share Your Content after termination of this Agreement. 443 | 444 | ## Payment Terms 445 | 446 | There is no charge for use of npm Open Source. If you use Paid Services 447 | from npm, our Paid Services Terms at 448 | apply. 
449 | 450 | ## General Terms 451 | 452 | If a provision of this Agreement is unenforceable as written, but could 453 | be changed to make it enforceable, that provision should be modified to 454 | the minimum extent necessary to make it enforceable. Otherwise, that 455 | provision should be removed. 456 | 457 | You may not assign this Agreement. npm may assign this Agreement to any 458 | affiliate of npm, any third party that obtains control of npm, or any 459 | third party that purchases assets of npm relating to npm Services. Any 460 | purported assignment of rights in breach of this provision is void. 461 | 462 | Neither the exercise of any right under this Agreement, nor waiver of 463 | any breach of this Agreement, waives any other breach of this Agreement. 464 | 465 | This Agreement, together with the additional terms for Paid Services 466 | and npm software that you and npm agree to, embody all the terms of 467 | agreement between you and npm about npm Services. This Agreement 468 | supersedes any other agreements about npm Services, written or not. 469 | 470 | ## Disputes 471 | 472 | The law of the State of California will govern any dispute, including 473 | any legal proceedings, relating to this Agreement or your use of npm 474 | Services (a _Dispute_). 475 | 476 | You and npm will seek injunctions related to this agreement only in 477 | state or federal court in San Francisco, California. Neither you nor npm 478 | will object to jurisdiction, forum, or venue in those courts. 479 | 480 | ***Other than to seek an injunction, you and npm will resolve any 481 | Dispute by binding American Arbitration Association arbitration. 482 | Arbitration will follow the AAA's Commercial Arbitration Rules and 483 | Supplementary Procedures for Consumer Related Disputes. Arbitration will 484 | happen in San Francisco, California. 
You will settle any Dispute as an 485 | individual, and not as part of a class action or other representative 486 | proceeding, whether as the plaintiff or a class member. No arbitrator 487 | will consolidate any Dispute with any other arbitration without npm's 488 | permission.*** 489 | 490 | Any arbitration award will include costs of the arbitration, reasonable 491 | attorneys' fees, and reasonable costs for witnesses. You or npm can 492 | enter arbitration awards in any court with jurisdiction. 493 | 494 | ## Notices and Questions 495 | 496 | You may send notice to npm and questions about the terms governing npm 497 | products and services to [legal@npmjs.com](mailto:legal@npmjs.com) or 498 | by mail to: 499 | 500 | GitHub, Inc 501 | Attn: npm Legal Department 502 | 88 Colin P Kelly Jr St 503 | San Francisco, CA 94107 504 | 505 | npm may send you notice using the email address you provide for your 506 | Account or by posting a message to the homepage or your Account page 507 | on the Website. 508 | -------------------------------------------------------------------------------- /archived/orgs-plan.md: -------------------------------------------------------------------------------- 1 | # npm Orgs Payment Plan 2 | 3 | This npm Orgs Payment Plan (this _Payment Plan_) supplements 4 | the terms for npm Open Source offered by npm, Inc. (_npm_) at 5 | (_npm Open Source 6 | Terms_), as well as the terms for npm Paid Services (_npm Paid Services_) 7 | at (_npm 8 | Paid Services Terms_). This Payment Plan governs payment for 9 | _Orgs_ and use of npm Paid Services by user 10 | accounts added as members of those Orgs. 11 | 12 | This Payment Plan was last updated on 13 | August 6, 2018. 14 | You can review prior versions at 15 | . 16 | 17 | Under this Payment Plan, you may create one or more Orgs. 
18 | 19 | You will pay a minimum of $7.00 via your Payment Card when you create 20 | an Org, and thereafter on the same day every month (your 21 | _Billing Day_), until you delete the Org. This minimum payment 22 | entitles you to a single member of the Org (a _New Paid Services 23 | User_). You will pay $7.00 via your Payment Card for each additional 24 | New Paid Services User that you add to an Org, counted and 25 | billed on your Billing Day. 26 | 27 | Note that the npm Paid Services Terms require everyone using npm Paid 28 | Services to have an Account of their own, added under a Payment Plan. 29 | You must add a New Paid Services User to an Org for each 30 | person who will use npm Paid Services under this Payment Plan. 31 | -------------------------------------------------------------------------------- /archived/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@npm/policies", 3 | "version": "1.0.0", 4 | "lockfileVersion": 1, 5 | "requires": true, 6 | "dependencies": { 7 | "@npm/mkp": { 8 | "version": "1.0.2", 9 | "resolved": "https://npm.pkg.github.com/download/@npm/mkp/1.0.2/200cfe6f7c58b1b3dd2cd7d54201082c49277bd62ae3ad50463957facfe0f01b", 10 | "integrity": "sha512-loUMd8zHZ8sAGzUh9Cwmo6lNLrVcS+EpXoTGEpmrGW27vo5ei6EPR7f1ib6kqmoGBFslLZ7cERzE87YRR8C7MA==", 11 | "requires": { 12 | "axios": "^0.18.0", 13 | "cuid": "^2.1.0", 14 | "minimist": "^1.2.0", 15 | "rc": "^1.2.5" 16 | } 17 | }, 18 | "axios": { 19 | "version": "0.18.1", 20 | "resolved": "https://registry.npmjs.org/axios/-/axios-0.18.1.tgz", 21 | "integrity": "sha512-0BfJq4NSfQXd+SkFdrvFbG7addhYSBA2mQwISr46pD6E5iqkWg02RAs8vyTT/j0RTnoYmeXauBuSv1qKwR179g==", 22 | "requires": { 23 | "follow-redirects": "1.5.10", 24 | "is-buffer": "^2.0.2" 25 | }, 26 | "dependencies": { 27 | "is-buffer": { 28 | "version": "2.0.5", 29 | "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-2.0.5.tgz", 30 | "integrity": 
"sha512-i2R6zNFDwgEHJyQUtJEk0XFi1i0dPFn/oqjK3/vPCcDeJvW5NQ83V8QbicfF1SupOaB0h8ntgBC2YiE7dfyctQ==" 31 | } 32 | } 33 | }, 34 | "cuid": { 35 | "version": "2.1.8", 36 | "resolved": "https://registry.npmjs.org/cuid/-/cuid-2.1.8.tgz", 37 | "integrity": "sha512-xiEMER6E7TlTPnDxrM4eRiC6TRgjNX9xzEZ5U/Se2YJKr7Mq4pJn/2XEHjl3STcSh96GmkHPcBXLES8M29wyyg==" 38 | }, 39 | "deep-extend": { 40 | "version": "0.6.0", 41 | "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", 42 | "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==" 43 | }, 44 | "follow-redirects": { 45 | "version": "1.5.10", 46 | "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz", 47 | "integrity": "sha512-0V5l4Cizzvqt5D44aTXbFZz+FtyXV1vrDN6qrelxtfYQKW0KO0W2T/hkE8xvGa/540LkZlkaUjO4ailYTFtHVQ==", 48 | "requires": { 49 | "debug": "=3.1.0" 50 | }, 51 | "dependencies": { 52 | "debug": { 53 | "version": "3.1.0", 54 | "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz", 55 | "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==", 56 | "requires": { 57 | "ms": "2.0.0" 58 | } 59 | } 60 | } 61 | }, 62 | "ini": { 63 | "version": "1.3.8", 64 | "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", 65 | "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==" 66 | }, 67 | "marked": { 68 | "version": "0.3.19", 69 | "resolved": "https://registry.npmjs.org/marked/-/marked-0.3.19.tgz", 70 | "integrity": "sha512-ea2eGWOqNxPcXv8dyERdSr/6FmzvWwzjMxpfGB/sbMccXoct+xY+YukPD+QTUZwyvK7BZwcr4m21WBOW41pAkg==" 71 | }, 72 | "minimist": { 73 | "version": "1.2.5", 74 | "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", 75 | "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" 76 | }, 77 | "ms": { 78 | "version": "2.0.0", 79 | 
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", 80 | "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" 81 | }, 82 | "rc": { 83 | "version": "1.2.8", 84 | "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz", 85 | "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==", 86 | "requires": { 87 | "deep-extend": "^0.6.0", 88 | "ini": "~1.3.0", 89 | "minimist": "^1.2.0", 90 | "strip-json-comments": "~2.0.1" 91 | } 92 | }, 93 | "strip-json-comments": { 94 | "version": "2.0.1", 95 | "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz", 96 | "integrity": "sha1-PFMZQukIwml8DsNEhYwobHygpgo=" 97 | } 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /archived/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@npm/policies", 3 | "version": "1.0.0", 4 | "description": "npm policies, documented", 5 | "repository": { 6 | "type": "git", 7 | "url": "https://github.com/npm/policies.git" 8 | }, 9 | "keywords": [ 10 | "npm", 11 | "policies", 12 | "documentation", 13 | "conduct", 14 | "disputes", 15 | "privacy", 16 | "trademark" 17 | ], 18 | "author": "Zeke Sikelianos (http://zeke.sikelianos.com/)", 19 | "license": "ISC", 20 | "bugs": { 21 | "url": "https://github.com/npm/policies/issues" 22 | }, 23 | "homepage": "https://github.com/npm/policies", 24 | "dependencies": { 25 | "@npm/mkp": "^1.0.2", 26 | "marked": "^0.3.5" 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /archived/privacy.md: -------------------------------------------------------------------------------- 1 | # Privacy Questions and Answers 2 | 3 | This notice describes how [npm, Inc.](https://www.npmjs.com/about), or _npm_ for short, collects and uses data about you. 
4 | 5 | Skip to: 6 | - [What's most important?](#important) 7 | - [How does npm collect data about me?](#collection) 8 | - [What data does npm collect about me, and why?](#data) 9 | - [Does npm share data about me with others?](#sharing) 10 | - [How can I make choices about data collection?](#choice) 11 | - [Where does npm keep data about me?](#locality) 12 | - [How does npm handle data under the EU General Data Protection Regulation?](#gdpr) 13 | - [How does npm handle data under the California Consumer Privacy Act?](#ccpa) 14 | - [How can I see what data is publicly available about me?](#access) 15 | - [How can I change data about me?](#change) 16 | - [What is npm's policy on unpublishing packages?](#forgotten) 17 | - [How does npm notify others about published data that's erased?](#erasure-notice) 18 | - [What happens if npm merges with or is bought by another company?](#merge) 19 | - [What are npm's information practices regarding information belonging to children?](#children) 20 | - [Who can I contact about npm and my privacy?](#contact) 21 | - [How can I find out about changes?](#changes) 22 | 23 | ## What's most important? 24 | 25 | That depends on your personal situation, which is why you should read on 26 | and decide for yourself. But at a minimum, absolutely every npm user 27 | should understand: 28 | 29 | *The npm public registry is for making software available to everyone 30 | online.* 31 | 32 | But: *Software comes from people, and says something about us.* 33 | 34 | So: *Think carefully about what packages to publish, what data you put 35 | in those packages, and what others might do with that data.* 36 | 37 | When you create an account, certain contact information is displayed 38 | publicly in the npm platform. And when you upload a package, your name 39 | and contact information may become associated with that package. 40 | 41 | If you find yourself in a jam, 42 | [open a support ticket](https://npmjs.com/support). 
43 | 44 | 45 | ## How does npm collect data about me? 46 | 47 | npm collects data about you: 48 | 49 | - when you use the [npm command](https://www.npmjs.com/package/npm), 50 | the [npx command](https://www.npmjs.com/package/npx) or another 51 | program to access the [npm public registry](https://registry.npmjs.org/), 52 | [Enterprise registries that npm hosts](https://www.npmjs.com/enterprise), 53 | [private packages](https://www.npmjs.com/features), 54 | such as when you're publishing a software package, and APIs for 55 | functionality like account and permissions management 56 | 57 | - when you browse the npm website, [npmjs.com](https://www.npmjs.com/) 58 | 59 | - when you use either the npm command or the website to create an npm account, 60 | update your account, and sign up for npm services 61 | 62 | - when you send support, privacy, legal, and other requests to npm 63 | 64 | - when working with and researching current and potential customers 65 | 66 | When researching potential customers, npm staff sometimes search the 67 | public World Wide Web or paid business databases. Otherwise, npm 68 | doesn't buy or receive data about you from data brokers or other 69 | private services. 70 | 71 | npm may inadvertently collect data about you if it is included in 72 | software packages that you or others upload. 73 | 74 | ## What data does npm collect about me, and why? 75 | 76 | ### npm collects data about how you use npm software and registries. 
77 | 78 | When you use the `npm` command, the `npx` command, or other software to work 79 | with the npm public registry, an Enterprise registry that npm hosts, or 80 | private packages, npm logs data that might be identified to you: 81 | 82 | - a random, unique identifier, called `npm-session`, for each time you 83 | run commands like `npm install` 84 | 85 | - the names and versions of your project's dependencies, their 86 | dependencies, and so on, that come from the npm public registry, 87 | [but not of other dependencies, like Git 88 | dependencies](https://docs.npmjs.com/cli/audit) 89 | 90 | - the versions of Node.js, the npm command, and the operating system 91 | you are using 92 | 93 | - an `npm-in-ci` header, showing whether the command was run on a 94 | continuous integration server 95 | 96 | - the scope of the package for which you ran `npm install`, as an 97 | `npm-scope` header 98 | 99 | - a `referrer` header that shows the command you ran, with any file or 100 | directory paths redacted 101 | 102 | - data about the software you're using to access the registry, such 103 | as the `User-Agent` string 104 | 105 | - network request data, such as the date and time, your IP address, 106 | and the URL 107 | 108 | npm uses this data to: 109 | 110 | - fulfill your requests, such as by sending the packages you ask for 111 | 112 | - send you alerts about security vulnerabilities that may affect the 113 | software you're building, when you run `npm install` or `npm audit` 114 | 115 | - keep registries working quickly and reliably 116 | 117 | - debug and develop the `npm` command and other software 118 | 119 | - defend registries from abuse and technical attacks 120 | 121 | - compile statistics on package usage and popularity 122 | 123 | - prepare reports on trends in the developer community 124 | 125 | - improve search results on the website 126 | 127 | - recommend packages that may be relevant to your work 128 | 129 | ### npm collects data about how you use the 
website. 130 | 131 | When you visit [www.npmjs.com](https://www.npmjs.com/), 132 | [docs.npmjs.com](https://docs.npmjs.com/), and other npm 133 | websites, npm uses cookies, server logs, and other methods to collect 134 | data about what pages you visit, and when. npm also collects technical 135 | information about the software and computer you use, such as: 136 | 137 | - your IP address 138 | 139 | - your preferred language 140 | 141 | - the web browser software you use 142 | 143 | - the kind of computer you use 144 | 145 | - the website that referred you 146 | 147 | npm uses data about how you use the website to: 148 | 149 | - optimize the website, so that it's quick and easy to use 150 | 151 | - diagnose and debug technical errors 152 | 153 | - defend the website from abuse and technical attacks 154 | 155 | - compile statistics on package popularity 156 | 157 | - compile statistics on the kinds of software and computers visitors 158 | use 159 | 160 | - compile statistics on visitor searches and needs, to guide 161 | development of new website pages and functionality 162 | 163 | - decide who to contact about product announcements, service 164 | changes, and new features 165 | 166 | ### npm collects account data. 167 | 168 | Many features of npm services require an npm account. For example, you 169 | must have an npm account to publish packages to the npm public registry. 170 | 171 | To create an npm account, npm requires a working email address and an 172 | available user name. npm uses this data to provide you access to 173 | features and identify you across npm services, publicly and within npm. 174 | 175 | You do not have to give your personal or legal name to create an npm 176 | account. You can use a pseudonym instead. You can also open more than 177 | one account. 178 | 179 | If you sign up for an account, then npm will publish account data for 180 | the whole world to see on user pages [like this one](https://www.npmjs.com/~kemitchell). 
181 | npm also publishes account data through the npm public registry, 182 | which is available for everyone to see, and Enterprise registries that npm hosts for others to 183 | find with commands like `npm owner ls tap`. 184 | 185 | If you give npm a personal name or names on social media like 186 | [GitHub](https://github.com/) and 187 | [Twitter](https://twitter.com/) through the website, like 188 | when you include this on your profile or user page, npm publishes that 189 | data along with the email address and user name for the account. You 190 | don't have to give npm a personal name or any social media names, and 191 | you can remove this data at any time by updating your user page. 192 | 193 | npm uses your email to: 194 | 195 | - notify you about packages published using your account 196 | 197 | - reset your password and help keep your account secure 198 | 199 | - add metadata to packages that you publish 200 | 201 | - contact you in special circumstances related to your account or packages 202 | 203 | - contact you about support requests 204 | 205 | - contact you about legal requests, like DMCA takedown requests and privacy complaints 206 | 207 | - announce new npm product offerings, service changes, and features 208 | 209 | - send you tips about how to better use free and paid services 210 | 211 | - send you messages about paid services you might want 212 | 213 | ### npm collects package data. 214 | 215 | When you use `npm publish` or other software to publish packages to the 216 | npm public registry, an Enterprise registry that npm hosts, or as a 217 | private package, npm collects the contents of the package, plus 218 | [metadata](https://en.wikipedia.org/wiki/Metadata), 219 | including your account data. Other npm users may also publish packages 220 | that include data about you, such as the fact that you contributed code 221 | to a package. 
222 | 223 | npm uses data in packages to provide those packages to you and others 224 | who request them: 225 | 226 | - When you publish a package to the npm public registry, or change a 227 | package from private to public, npm makes the package and metadata 228 | available to everyone, online. 229 | 230 | - When you publish a package to an Enterprise registry that npm hosts, 231 | or as a private package, npm makes all of that data available to 232 | other users according to how the registry or the private packages 233 | account is configured. You may be able to configure who can access 234 | the package, or that may be up to others, such as the 235 | administrator of your company's Enterprise registry. 236 | 237 | Making package data available to others allows them to download, build 238 | on, and depend on your work. 239 | 240 | ### npm collects payment card data. 241 | 242 | To sign up for paid services, npm requires your payment card data. npm 243 | itself does not collect or store enough information to charge your card. 244 | Rather, [Stripe](https://stripe.com/) collects 245 | that data on npm's behalf, and gives npm security tokens that allow npm 246 | to create charges and subscriptions. 247 | 248 | npm uses your payment card data only to charge for npm services. 249 | 250 | npm instructs [Stripe](https://stripe.com/) to store your 251 | payment card data only as long as you use paid npm services. 252 | 253 | 254 | ### npm collects data about correspondence. 255 | 256 | npm collects data about you when you send npm support requests, legal 257 | complaints, privacy inquiries, and business inquiries. Those data 258 | usually include your name and email address, and may include your 259 | company or other affiliation. 
260 | 261 | npm uses contact data to: 262 | 263 | - respond to you 264 | 265 | - compile aggregate statistics about correspondence 266 | 267 | - train support staff and other npm personnel 268 | 269 | - review the performance of npm personnel who respond 270 | 271 | - defend npm from legal claims 272 | 273 | ### npm collects data about use of npm.community. 274 | 275 | npm collects data about visits, user accounts, and forum data on 276 | [npm.community](https://npm.community/), the discussion 277 | forum for users of npm products and services. npm uses data from 278 | npm.community to collaborate with the development community, and to 279 | inform development decisions about the command-line interface and other 280 | software. 281 | 282 | ## Does npm share data about me with others? 283 | 284 | npm shares account data with others as [mentioned in the section about 285 | account data](#account-data). 286 | 287 | npm shares package data with others as [mentioned in the section about 288 | package data](#package-data). 289 | 290 | npm publishes posts and other content you submit to [npm.community](https://npm.community/). 291 | 292 | npm does not sell information about you to others. However, npm uses 293 | services provided by other companies to provide npm services. The types 294 | of service providers that npm uses include: 295 | 296 | - Companies that enable us to offer features on our website, such as to display your avatar 297 | 298 | - Companies that facilitate the efficient distribution of content 299 | 300 | - Cloud computing platforms and services that host our discussion forums 301 | 302 | - Services that assist with the detection of spam, scams, abuse of 303 | others, or other violations of our [terms of service](https://www.npmjs.com/policies/terms) 304 | 305 | - Payment processors 306 | 307 | - Platforms to help us receive, manage, and respond to support requests 308 | 309 | - Platforms for internal communication 310 | 311 | ### npm uses cookies. 
312 | 313 | npm's website only uses cookies strictly necessary to provide, optimize 314 | and secure the website. For example, we use them to keep you logged in, 315 | remember your preferences, authenticate your device for security 316 | purposes, analyze your use of the service, compile statistical reports, 317 | and provide information for future development of npm. The website uses 318 | internal cookies for analytics purposes, not any third-party analytics 319 | or service providers. 320 | 321 | By using the website, you agree that we can place these types of 322 | cookies on your computer or device. If you disable your browser or 323 | device’s ability to accept these cookies, you will not be able to log 324 | in or use the website. 325 | 326 | ## How can I make choices about data collection? 327 | 328 | You choose what data the `npm publish` command includes in package data. 329 | You can use an [`.npmignore`](https://docs.npmjs.com/files/package.json#files) 330 | file in your package to keep specific files out of the package. You can 331 | also use a [`files` list in 332 | package.json](https://docs.npmjs.com/files/package.json#files) to 333 | instruct npm to include only specific files that you name, in addition 334 | to standard files like `README` files, `LICENSE` files, and `package.json`. 335 | 336 | To double-check the data that you will share in a package that you plan 337 | to publish, run the `npm publish --dry-run` command. If you are running 338 | an older version of the npm command, run the `npm pack` command to create a 339 | [tarball](https://en.wikipedia.org/wiki/Tar_(computing)), 340 | then check its contents, such as with `tar tvzf $tarball`. 341 | 342 | To publish a package to the npm public registry, npm's terms of service 343 | require you to [license npm to share it](https://www.npmjs.com/policies/open-source-terms#your-content). 344 | If a package is made public, it is available for everyone online to see. 
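The `npm pack` and `tar` check described above is easy to turn into a gate in front of `npm publish`. What follows is an added example, not npm's own tooling and not code from this repository: a POSIX shell function that lists a gzipped tarball in the `package/` layout `npm pack` produces and refuses to continue when an entry matches a pattern for files that commonly leak (`.env`, `.npmrc`, `.git/`, private keys, credential files). The pattern list, the function names, and the demo package the script builds are this example's own assumptions rather than npm rules; the demo package is constructed inline only so the check can be run offline.

```shell
#!/bin/sh
# Added example: review a package tarball before `npm publish`.
# Assumes the gzipped "package/..." layout that `npm pack` produces.
# The pattern list in check_tarball is an assumption about what commonly
# leaks from a working tree, not an npm rule; extend it for your own project.

# Print every entry in the tarball, one path per line (same as `tar tzf`).
list_tarball() {
  tar tzf "$1"
}

# Return 0 if nothing in the listing looks sensitive, 1 otherwise.
# Offending entries go to stderr so the caller can see exactly what leaked.
check_tarball() {
  found=$(list_tarball "$1" | grep -E -i \
    '(^|/)(\.env(\.|$)|\.npmrc$|\.git/|id_(rsa|ed25519)|[^/]*\.(pem|key|p12)$|credentials)' \
    || true)
  if [ -n "$found" ]; then
    printf 'refusing to publish %s; sensitive entries:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# Build a constructed demo tarball at path $1 (a package.json and one module).
# With mode "leaky" it also includes a .env file, the kind of thing a missing
# .npmignore or "files" list lets through. Exists only so the check runs offline.
make_demo_tarball() {
  out=$1
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar -C needs an absolute output path
  dir=$(mktemp -d)
  mkdir -p "$dir/package/lib"
  printf '{"name":"demo","version":"1.0.0","main":"lib/index.js"}\n' > "$dir/package/package.json"
  printf 'module.exports = 1;\n' > "$dir/package/lib/index.js"
  if [ "$2" = "leaky" ]; then
    printf 'NPM_TOKEN=constructed-placeholder\n' > "$dir/package/.env"
  fi
  tar -C "$dir" -czf "$out" package
  rm -rf "$dir"
}

# Usage on a real package, run from its directory (npm pack prints the
# tarball file name on stdout):
#   tgz=$(npm pack 2>/dev/null | tail -n 1)
#   check_tarball "$tgz" && npm publish "$tgz"
```

Anything the check flags belongs in `.npmignore` or outside the `files` list, not in the tarball; the point of gating on the listing rather than on the working tree is that it inspects exactly the bytes the registry would receive.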
345 | Your [choice of public license for your package](https://docs.npmjs.com/files/package.json#license) 346 | may also affect what others can do with data about you in your package. 347 | 348 | npm does not respond to the [Do Not Track HTTP header](https://en.wikipedia.org/wiki/Do_Not_Track). 349 | 350 | ## Where does npm keep data about me? 351 | 352 | npm stores account data, data about website use, data about registry 353 | use, and private packages on servers in the United States of America. 354 | metadata about those packages worldwide, via content delivery 355 | networks. 356 | 357 | npm stores package data published to Enterprise registries that npm 358 | hosts, plus metadata about them, in cloud computing zones of customers' choosing. 359 | 360 | By using the npm platform, you consent to the collection and storage of 361 | your data as outlined in this section. 362 | 363 | ## How does npm handle data under the EU General Data Protection Regulation? 364 | 365 | 366 | npm respects privacy rights under [Regulation (EU) 2016/679](http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG), 367 | the European Union's General Data Protection Regulation (GDPR). npm 368 | processes "Personal Data" on the following legal bases: (1) with your 369 | consent; (2) as necessary to perform our agreement to provide our 370 | services; and (3) as necessary for our legitimate interests in providing 371 | our services where those interests do not override your fundamental 372 | rights and freedoms related to data privacy. Information we collect may 373 | be transferred to, and stored and processed in, the United States or any 374 | other country in which we or our affiliates or subcontractors maintain 375 | facilities, as described above. 
376 | 377 | If you reside in the EEA, Switzerland, or United Kingdom, you are 378 | entitled to certain rights, like the right to: 379 | 380 | - complain about our data collection or processing actions with the 381 | supervisory authority concerned. You can find a list of data 382 | protection authorities [here](http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm). 383 | 384 | - access information held about you. 385 | 386 | - ask us to correct or amend inaccurate or incomplete information we have about you. 387 | 388 | - ask us to erase data under certain circumstances, like (1) when 389 | it is no longer necessary for the purpose for which it was 390 | collected, (2) you withdraw consent and no other legal basis for 391 | processing exists, or (3) you believe your fundamental rights to 392 | data privacy and protection outweigh our legitimate interest in 393 | continuing the processing. 394 | 395 | - request that we restrict our processing if we are processing your 396 | data based on legitimate interests or the performance of a task in 397 | the public interest as an exercise of official authority 398 | (including profiling); using your data for direct marketing 399 | (including profiling); or processing your data for purposes of 400 | scientific or historical research and statistics. 401 | 402 | When you exercise your rights, npm may need to verify your identity, and 403 | you may need to provide us with information, before we access records containing your 404 | information. If you want to exercise your rights, please contact npm by 405 | [opening a support ticket](https://npmjs.com/support). We 406 | may have a reason under the law why we do not have to comply with your 407 | request or may comply with it in a more limited way than you 408 | anticipated. If we do, we will explain that to you in our response. 409 | 410 | ## How does npm handle data under the California Consumer Privacy Act? 
411 | 412 | npm respects the rights of California residents under the [California 413 | Consumer Privacy Act](https://www.oag.ca.gov/privacy/ccpa) 414 | (CCPA). Where we collect information that is subject to the 415 | CCPA, that information we collect and your rights are described below. 416 | 417 | Categories of personal information we collect: 418 | 419 | - _Personal Identifiers_: 420 | 421 | - Name and email address when you create an account. You will also 422 | be asked to create a username and we will assign one or more 423 | unique identifiers to your profile. We use this information to 424 | provide our services, respond to your requests, and send 425 | information to you. 426 | 427 | - We also collect your social media handle and basic account 428 | information if you provide it to us or interact with our 429 | services, such as our help desk, through social media. 430 | 431 | - We collect your payment information through our service 432 | provider, Stripe, as described above. 433 | 434 | - _Internet or Other Electronic Network Activity Information_: device 435 | identifiers such as IP address and user agent; the assigned unique 436 | IDs in cookies (as described below); information about how you 437 | arrived at and navigated through our Services. 438 | 439 | - _Geolocation Data:_ We do not collect your specific longitude and 440 | latitude. However, we do collect imprecise location (e.g., your IP address). 441 | 442 | - _Professional or employment-related information:_ If you apply for 443 | employment with us, information about your employment history. 444 | 445 | - _Education information:_ If you apply for employment with us, 446 | information about your educational history. 447 | 448 | We may collect any other information about you contained in software 449 | packages uploaded to our site, as described above under the "npm 450 | collects package data" section. 
We also collect the contents of your 451 | communications with us, e.g., when you submit a question to us through 452 | a web form or comments to us on social media. 453 | 454 | We may disclose any of the categories of personal information listed 455 | above and use them for the above-listed purposes or for other business 456 | or operational purposes compatible with the context in which the 457 | personal information was collected. Our disclosures of personal 458 | information include disclosures to our "service providers," which are 459 | companies that we engage for business purposes to conduct activities 460 | on our behalf. The categories of service providers with whom we share 461 | information and the services they provide are described below. 462 | 463 | Rights under CCPA: 464 | 465 | - _Access/Right to Know_: You have the right to request access to 466 | personal information we collected about you and information 467 | regarding the source of that personal information, the purposes 468 | for which we collect it, and the third parties and service 469 | providers with whom we share it. 470 | 471 | - _Deletion_: You have the right to request that we erase data we have 472 | collected from you. Please note that we may have a reason to deny 473 | your deletion request or delete data in a more limited way than 474 | you anticipated, e.g., because of a legal obligation to retain it. 475 | 476 | To exercise your rights above, you can 477 | [open a support ticket](https://npmjs.com/support). When we 478 | process your request, we must verify your identity by asking you to 479 | (1) provide personal identifiers that we can match against information 480 | we may have collected from you previously; and (2) confirm your 481 | request using the email stated in the request. 482 | 483 | Opt-out of sale: 484 | 485 | California residents have the right to request that we stop "selling" 486 | their personal information. 
A "sale" of personal information is 487 | defined broadly: "selling, renting, releasing, disclosing, 488 | disseminating, making available, transferring, or otherwise 489 | communicating orally, in writing, or by electronic or other means, a 490 | consumer's personal information by the business to another business or 491 | a third party for monetary or other valuable consideration." We do not 492 | sell your information as defined by the CCPA. 493 | 494 | Please note that your right to opt out does not apply to our sharing 495 | of personal information with service providers, who are parties we 496 | engage to perform a function on our behalf and are contractually 497 | obligated to use the Personal Information only for that function. 498 | 499 | We may also disclose information to other entities who are not listed 500 | here when required by law or to protect our Company or other persons, 501 | as described in our Privacy Policy. 502 | 503 | 504 | ## How can I see what data is publicly available about me? 505 | 506 | You can access your account data at any time by visiting your account 507 | page on [www.npmjs.com](https://www.npmjs.com/). Your 508 | account page also lists all the packages published under your account or 509 | other accounts. 510 | 511 | You can access package data by downloading the packages, as long as 512 | they're public or you have permission to access them. 513 | 514 | You can see metadata about packages by running `npm info $package`, or by 515 | accessing the appropriate [registry's 516 | API](https://github.com/npm/registry/tree/master/docs). 517 | Registry APIs provide metadata in standard [JSON](https://www.json.org/) 518 | format, and packages as 519 | [tarballs](https://en.wikipedia.org/wiki/Tar_(computing)). 520 | 521 | ## How can I change data about me? 522 | 523 | You can change your personal account data and payment card data at any 524 | time by visiting your account settings page on 525 | [www.npmjs.com](https://www.npmjs.com/). 
You can change account and payment data for Enterprise by [contacting support](https://npmjs.com/support).

You can close your npm account at any time by [contacting support](https://npmjs.com/support). Closing your account removes the profile from the public registry but does not automatically erase packages published under your account. We may retain some data about you internally even where you close your account.

npm's [unpublish policy](https://www.npmjs.com/policies/unpublish) determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.

If another user improperly publishes personal data about you, in a package or otherwise, [open a support ticket](https://npmjs.com/support).

Please note that while [npm publishes notices about published data that's been erased](#erasure-notice), npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.

## What is npm's policy on unpublishing packages?

Please see [our policy on "unpublishing" packages](https://www.npmjs.com/policies/unpublish) or [our terms of service](https://www.npmjs.com/policies/open-source-terms) for more information on erasing packages.
If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, [open a support ticket](https://npmjs.com/support). npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our [terms of service](https://www.npmjs.com/policies/open-source-terms).

## How does npm notify others about published data that's erased?

npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:

- npm publishes new placeholder versions of some erased packages, with `README` files that mention the package has been erased, and why.

- npm's [registry APIs](https://github.com/npm/registry/tree/master/docs), special software services that others use to copy data from the npm public registry, send update messages about packages that have been erased.

## What happens if npm merges with or is bought by another company?

We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.

## What are npm's information practices regarding information belonging to children?

npm's site and services are intended for users age sixteen and older. npm does not knowingly collect information from children.
If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.

## Who can I contact about npm and my privacy?

Please [open a support ticket](https://npmjs.com/support). You may also contact our Data Protection Officer directly.

Our United States HQ:

    GitHub Data Protection Officer
    Attention: npm Data Protection
    88 Colin P. Kelly Jr. St.
    San Francisco, CA 94107
    United States

or our EU Office:

    GitHub BV
    Vijzelstraat 68-72
    1017 HL Amsterdam
    The Netherlands

## How can I find out about changes?

This version of npm's privacy questions and answers took effect June 3, 2020.

npm will announce the next version on the [npm blog](https://blog.npmjs.org/). In the meantime, npm may update [its contact information](#contact) by updating the page at [https://www.npmjs.com/policies/privacy](https://www.npmjs.com/policies/privacy), without an announcement. npm may change how it announces changes in future privacy versions.

You can review the history of changes in [the Git repository for npm's public policies](https://github.com/npm/policies/commits/master/privacy.md).

--------------------------------------------------------------------------------
/archived/private-terms.md:

# npm Paid Services Terms

These npm Paid Services Terms of Use (these _npm Paid Services Terms_) supplement the terms for npm Open Source offered by npm, Inc. (_npm_) at (_npm Open Source Terms_).
They govern access to and use of _npm Paid Services_, including but not limited to the products known as _npm Solo_ and _npm Orgs_, the private package storage, delivery, organization management, and access control features of (the _Website_) and the npm public registry at (the _Public Registry_). These are collectively called the _Paid Services_.

These npm Paid Services Terms were last updated on August 6, 2018. You can review prior versions at .

You may only access or use npm Paid Services by agreeing to the npm Open Source Terms as supplemented by these npm Paid Services Terms. If npm adds any additional functionality to npm Paid Services, you must agree to these npm Paid Services Terms to use those new features, too. You add these npm Paid Services Terms to your agreement with npm by using npm Paid Services with your account (your _Account_). These npm Paid Services Terms then become a part of the contract between you and npm, until you or npm disable npm Paid Services for your Account.

## Payment Terms

There is no charge for use of npm Open Source. If you use Paid Services, these payment terms apply. When enabling Paid Services, you must provide all the payment card details requested by the Website (your _Payment Details_). Those details must be for a valid payment card that you have the right to use (your _Payment Card_). You must keep your Payment Details up-to-date via the Website.

You can disable Paid Services at any time via the Website. npm will not refund any payment you have already made for Paid Services when you disable Paid Services.

Dollar amounts throughout this Agreement are amounts of United States Dollars. You must pay for Paid Services in United States Dollars.

Dollar amounts throughout this Agreement do not include tax. You will pay any tax.

## Use of npm Paid Services

npm will provide the private package storage and delivery features and services described in the public documentation for npm Paid Services at (the _npm Paid Services Documentation_). npm grants you permission to use those features and services.

npm will also provide the organization management and access control features described in the npm Paid Services Documentation, and grants you permission to use those features and services, for npm "organizations" to which your Account belongs.

Permission to use npm Paid Services is not exclusive to you, and you may not transfer it to others. These npm Paid Services Terms do not give you permission to give others rights to use npm Paid Services. If you agree to a Payment Plan that gives you that right, you may do so only according to that Payment Plan.

## Payment for npm Paid Services

Both your permission to use npm Paid Services and npm's commitment to provide npm Paid Services are subject to these npm Paid Services Terms, the npm Open Source Terms, and payment for use of npm Paid Services by your Account under a _Payment Plan_. Payment plans include:

1. the npm Solo Payment Plan at

2. or the npm Orgs Payment Plan at

You may not use npm Paid Services unless you or someone else has agreed to a Payment Plan, enabled npm Paid Services for your Account under that Payment Plan, and made payment.

--------------------------------------------------------------------------------
/archived/receiving-reports.md:

# Receiving Reports

This is a guide for npm staff for handling user reports of harassment, package name disputes, and other user-generated pain points.
It is shared publicly in order to add transparency to our process.

Nothing in this document should be considered a hard and fast rule in cases where it runs contrary to npm's mission of creating a safe, inclusive, and productive platform for easily sharing JavaScript modules.

When in doubt, seek help from your fellow admin staff.

## Package Name Disputes

If someone would like to take over a module name from another user, and asks for help with this, please refer them to the "Dispute Resolution" documentation. In cases like this, the two parties tend to be relatively rational and professional, and it is best if we encourage things to continue in that direction.

The policy in brief, where "Alice" is the original author, and "Yusuf" is the person with the dispute:

1. Yusuf opens a support ticket, indicating that they would like to start the transfer process.
2. Yusuf responds to the automated email that we generate for new support tickets, and adds Alice to the email thread. Yusuf explains why they would want to transfer the module name.
3. We set a timer for 4 weeks. If that lands on a holiday or something, err on the side of making the delay longer.
4. At this point, one of three things has happened:

   a. Alice and Yusuf have resolved the situation in a way that works for both of them.

   b. Alice and Yusuf have reached an impasse, and cannot resolve the dispute.

   c. Alice has not responded to Yusuf at all.

By far, (a) is the most common occurrence, and the answer is simple: we do nothing. This is ideal.

**When package name disputes can be handled amicably between users without any administrative involvement, everyone feels better about it.** Everything we do in these cases should guide towards that endgame when possible.
If Alice has not responded, then we must make a judgment call. There are a few possible considerations:

1. It could be that Alice has moved on to some other platform, doesn't care, and doesn't check this email address anymore, passed away, joined a monastery, meant to respond and forgot, who knows.
2. Alice has decided that she's never going to hand the module name over, so there's no point even discussing it.

Abrupt, dismissive, autocratic administration has a way of upsetting people and bringing them out of hiding. We cannot safely assume that absence is evidence of apathy.

1. Check the source control repository to see if Alice is writing patches, closing issues, etc.
2. Check to see if Alice has published new versions of the module.
3. Check to see if the module still works with the current version of Node, has a lot of dependents, etc.

If the module does appear abandoned, or if Yusuf's claim on the module is valid and the hand-off would be less of a disruption than leaving an abandoned module in npm, then do this:

1. Reply-all to the thread with something like the following message, customized for your own "voice" as necessary:

        Alice,

        I hope that you are well, and that you only missed this
        message because your life is too full of wonderful
        distractions to be bothered dealing with this issue.

        Yusuf is eager to take over the `fooblx` module on npm, and
        plans to actively develop it.

        Currently, it is [not actively developed, marked as
        deprecated, apparently abandoned, not compatible with the
        latest Node versions, whatever], so I'd like to hand it off to
        Yusuf to take over.

        We'll hand this package over to Yusuf in one week. Please let
        us know if you intend to publish functional code before this
        time.

2. Set a timer for 1 week.
3. If Alice responds with concerns, then use diplomacy. Usually this comes down to telling Yusuf, "Sorry, you'll have to choose another name." Mostly, people are pretty receptive to this.
4. If Alice still does not reply, then reply-all to the thread with something like this:

        Alice,

        As per the email last week regarding the fooblx module, we've
        decided to hand control over to Yusuf, who will be actively
        developing it.

        Yusuf,

        You are now a package maintainer on the fooblx module.

        Please leave the existing versions in place, and bump the
        major version, so that any prior users are minimally impacted.

        Thank you both for your patience and understanding.

        --i

Caveats and things to be sensitive of:

* People are often surprisingly attached to the names that they give their code.
* If someone feels like they have an opportunity to be heard, they are much more likely to feel like the process is fair, even if they don't ultimately get what they want.
* Compassion and respect are pragmatic time-saving tools that prevent unnecessary pain and hardship for our users. Use these tools, always.

Note that this does not mean that we will always try to accommodate users' wishes. If a module name is offensive, the package contents are violating licenses or other intellectual property rules that could get us in trouble, or the package is empty (i.e., squatting), or otherwise violates the terms of use, we reserve the right to remove packages without any discussion.

Even in those cases, it is often best to try to give users a week or so to do things on their own, so that they can maintain a sense of ownership. Outright and obvious trolling or harassment is never tolerated, however.

## Harassment Reports

These are cases where a user is reporting to us that someone is using the npm system for nefarious ends, or harassing other users in some other way.

In this case, we draw a very hard line, as communicated by our zero-tolerance anti-harassment policy.

Reports of abuse *of npm* are somewhat different from reports of abuse *of npm users*.

### Reports of Violations of the npm Terms of Service

If a user is publishing a flood of empty squatting packages, spamming, phishing, offensive content, or other childish trolling aimed at the service rather than at a specific user, then the course of action is simple:

1. Ban the user.
2. Clean up the mess.

If it's possible that they are unaware that their behavior is not allowed, it is a good idea not to ban the user outright, but to send them an email asking them to please stop the bad behavior.

Here's an example:

    Subject: Empty/duplicate packages removed
    From: npm support
    To: Some User

    Several empty and duplicated packages belonging to you were
    removed.

    Please do not publish empty packages to npm. This causes
    difficulty for others who may want to use names for new projects.

    We do not allow "reserving" names for future use. You must have
    something to publish before taking a package name. Otherwise, we
    quickly end up with a lot of empty packages, and names being used
    for no purpose.

    If you continue to publish empty packages to npm, your username
    and/or IP address may be blocked from accessing the service.

    Thank you.

    --i

Do not mention, involve, or CC the person who reported the bad behavior, as this can only result in added conflict.
Briefly thank them for the report, and let them know that it's been dealt with.

### Reports of Targeted Harassment

This includes both abuse of npm users via the npm service, as well as auxiliary channels such as IRC, Twitter, GitHub, etc.

**If it impacts npm users and degrades their experience of using the service, then it's our problem, and we take it seriously.**

The vast majority of reports of harassment will come via written media (email, IRC, etc.). If you receive a report of harassment in a non-text format, ask the user for a written account if this is reasonable. If it is not, then take your own notes, or record it in a written format as soon as possible.

A verbal report lasting more than a minute or so is probably better conducted in a quiet/private place rather than in a public space, for the safety and comfort of the reporter. This also decreases the chances for someone to overhear sensitive information that the reporter may not want spread around at an event.

If the user would prefer to remain anonymous, please strip their name from the record prior to sharing it with the rest of the abuse team.

Try to get as much detail as you can about the incident. This will assist us later if we ever need to make a case to defend our choices, as well as inform future decisions about how these incidents could be avoided.

If the following information is not volunteered in the written or verbal report, ask for it/include it, but do not pressure them.

* Identifying information (user name, email address, etc.) of the user doing the harassing.
* The behavior that was in violation.
* The approximate time of the behavior (if different than the time the report was made).
* The circumstances surrounding the incident.
* Other people involved in the incident.

Generally we are not equipped for evidence gathering: do not go around "interviewing" others involved.

#### Threats to physical well-being

If someone reports that a user of the service or an attendee at an event has committed or is threatening violence towards another person, or other safety issues:

* If there is any general threat to our users, or the safety of anyone including npm staff is in doubt, summon security or police.
* Offer the victim a private place to sit.
* Ask "is there a friend or trusted person who you would like to be with you?" If so, arrange for someone to fetch this person.
* Ask them "how can I help?"
* Provide them with your list of emergency contacts if they need help later.
* Do not touch the victim to console them unless they initiate. It can make things worse.

#### Law enforcement

If everyone is presently physically safe, involve law enforcement or security only at a victim's request.

In many cases, reporting harassment to law enforcement is very unpleasant and may result in further harassment. Forcing victims to go to law enforcement will reduce reports of harassment (but not actual harassment). For more information, see [Why Didn't You Report It?](http://meloukhia.net/2010/04/why_didnt_you_report_it/)

A staff member can provide the list of emergency contacts and say something like "if you want any help reporting this incident, please let us know" and leave it at that.

#### Reports of harassment that were widely witnessed

These include things like harassing content in package names, conference talks, or harassment that took place in a crowded space.

Simply say "Thanks, this sounds like a breach of our anti-harassment policy.
I am going to convene a meeting of a small group of people and figure out what our response will be."

Often, the best approach is similar to handling package name disputes. For example, a user may be a non-native English speaker, and not realize that a given term is offensive. It is our responsibility as the caretakers of npm to attempt to resolve this as amicably as possible.

Other times, this may be a matter of simply deleting some offensive packages and telling the user not to do it again.

In the most egregious cases, it may require banning the user account and/or IP address of an abusive troll.

#### Reports of more private harassment

Offer the reporter/victim a chance to decide if any further action is taken: "OK, this sounds like a breach of our anti-harassment policy. If you're OK with it I am going to convene a meeting of a small group of people and figure out what our response will be."

Pause, and see if they say they do not want this. Otherwise, go ahead.

**Do not:**

* Overtly invite them to withdraw the complaint or mention that withdrawal is OK. This suggests that you want them to do so, and is therefore coercive. "If you're OK with it [pursuing the complaint]" suggests that you are by default pursuing it and is not coercive.
* Ask for their advice on how to deal with the complaint: this is our responsibility.
* Offer them input into penalties: this is our responsibility.
* Share details of the people involved or incident without specific permission from the victim. This includes sharing with other staff.

#### Staff action in response to harassment reports

We should aim to take action as soon as reasonably possible. During the event, a response within the next half-day is usually an appropriate timeframe.
After the event you may need more time to gather sufficient decision makers, but ideally responding within the same week or sooner is good.

#### Meeting

Available staff should meet as soon as possible after a report to discuss:

* What happened?
* Are we doing anything about it?
* Who is doing those things?
* When are they doing them?

Neither the complainant nor the alleged harasser should attend. (If the event was very widely witnessed, such as a harassing talk, this may be an exception to this guideline.) People with a conflict of interest should exclude themselves or if necessary be excluded by others.

#### Communicate with the alleged harasser about the complaint

As soon as possible, either before or during the above meeting, let the alleged harasser know that there is a complaint about them, and let them tell someone their side of the story; that person takes it into the meeting.

#### Communicate with the harasser about the response

As soon as possible after that meeting, let the harasser know what action is being taken. Give them a place to appeal to if there is one, but in the meantime the action stands. "If you'd like to discuss this further, please contact XYZ, but in the meantime, you must `<something something>`"

### Don't require or encourage apologies

Do not ask for an apology to the victim. We have no responsibility to enforce friendship, reconciliation, or anything beyond lack of harassment between any two given users, and in fact doing so can contribute to someone's lack of safety while using our service.

Forcing a victim of harassment to acknowledge an apology from their harasser forces further contact with their harasser.
It also creates a social expectation that they will accept the apology, forgive their harasser, and return their social connection to its previous status. A person who has been harassed will often prefer to ignore or avoid their harasser entirely. Bringing them together with a third party mediator and other attempts to "repair" the situation which require further interaction between them should likewise be avoided.

If the harasser offers to apologize to the victim (especially in person), strongly discourage it. In fact, discourage *any* further interaction with the offended party.

If a staff member relays an apology to the victim, it should be brief and not require a response. ("X apologizes and agrees to have no further contact with you" is brief. "X is very sorry that their attempts to woo you were not received in the manner that was intended and will try to do better next time, they're really really sorry and hope that you can find it in your heart to forgive them" is emphatically not.)

If the harasser attempts to press an apology on someone who would clearly prefer to avoid them, or attempts to recruit others to relay messages on their behalf, this may constitute continued harassment.

### Data retention

All (potentially de-identified) information about harassment reports should be stored for a period of at least 5 years, in an electronic format, accessible only by the npm abuse team.

Lifetime bans are handled by banning a username or IP address. If it ever becomes necessary, we will maintain a lifetime ban of users for in-person events as well.

## Communicating with the npm community

In general, we handle disputes and harassment quietly.
Our code of conduct explicitly forbids harassment, and we maintain our reputability on this point by enforcing that policy appropriately.

However, occasionally these events will spill out into public. In those cases, please let the npm executive team decide how best to communicate with the public.

### Principles of public communication

* Show that the npm anti-harassment policy is being enforced fairly.
* Explain (briefly, neutrally, anonymously) what violation led to the enforcement action. For example, "A package with an offensive name was removed by the npm staff, after reporting the issue to the author."
* Help the community understand that they are not in danger of being victimized by capricious or irrational administrative actions.

When necessary, this will be communicated via the npm blog.

When it's necessary to communicate enforcement of our policy at an in-person event, a brief public statement to the attendees such as this would suffice:

"[thing] happened. This was a violation of our policy. We apologize for this. We have taken [action]. This is a good time for all attendees to review our policy at [location]. If anyone would like to discuss this further they can [contact us somehow]."

And then move on with the program.

### Dealing with upset users

People may be upset and wish to express their concerns to npm staff. We should be in "making the person feel heard" mode; it's important not to cross into "education mode". Hear them out, take notes as appropriate, thank them for their thoughts.

We should not share additional details of the incident with uninvolved parties.

If a user is upset and a staff member agrees that a wrong was done to them, it helps a lot to just say simply "I'm so sorry."
(Rather than "but we tried really hard" or "no one told us" or etc., even if that was true. "I'm so sorry" goes a long way to defusing many people's anger.)

Whether or not a staffer agrees that a wrong was done to them, the user should be armed with an authority they can appeal to if talking wasn't enough. "Please open an abuse support ticket at "

## Evaluation

After we have had a chance to observe how the anti-harassment and dispute resolution policies work in real situations, we may wish to change the policy to better address them.

Did anything unforeseen happen that there should be a rule about? Sometimes an unacceptable behavior does not warrant a whole new rule, but should be listed as a specific example of unacceptable behavior under an existing rule.

For the sake of consistency, if there are changes to a rule, we try to apply that rule moving forward, rather than retroactively. If a judgment call is made, record the decision and the justification, and perhaps codify it in a rule going forward so that users can more easily succeed in our community.

## Changes

This is a living document and may be updated from time to time. Please refer to the [git history for this document](https://github.com/npm/policies/commits/master/receiving-reports.md) to view the changes.

## Credit and License

Parts of this policy borrow heavily from the [Geek Feminism Wikia guide](https://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Responding_to_reports).

This document may be reused under a [Creative Commons Attribution-ShareAlike License](https://creativecommons.org/licenses/by-sa/4.0/).

--------------------------------------------------------------------------------
/archived/security.md:

# npm Security Policy

Outlined in this document are the practices and policies that npm applies to help ensure that we release stable/secure software, and react appropriately to security threats when they arise.

## Table of Contents

1. [Reporting Security Problems to npm](#reporting-security-problems-to-npm)
2. [Security Point of Contact](#security-point-of-contact)
3. [Onboarding Developers](#onboarding-developers)
4. [Separation of Duties and Authorization](#separation-of-duties-and-authorization)
5. [Critical Updates And Security Notices](#critical-updates-and-security-notices)
6. [Responding to Security Threats](#responding-to-security-threats-and-critical-updates)
7. [Vulnerability Scanning](#vulnerability-scanning)
8. [Password Policies](#password-policies)
9. [Application Design Best Practices](#application-design-best-practices)
10. [Development Process](#development-process)
11. [AntiVirus Software](#antivirus-software)

## Reporting Security Problems to npm

If you need to report a security vulnerability, please visit [https://npmjs.com/support](https://npmjs.com/support). If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting [our support team](https://npmjs.com/support) is more appropriate.

We review all security reports on the next business day. Note that the npm staff is generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.
35 | 
36 | ## Security Point of Contact
37 | 
38 | Any security tickets opened using [https://npmjs.com/support](https://npmjs.com/support)
39 | will be escalated to the security point of contact, who will delegate incident response
40 | activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.
41 | 
42 | ## Onboarding Developers
43 | 
44 | All new technical hires are introduced to our security policy as part
45 | of the onboarding process.
46 | 
47 | ## Separation of Duties and Authorization
48 | 
49 | * Developers are only given access to key npm services when it's required for their job.
50 | * IAM is used to limit the permissions on accounts, minimizing the damage that would be incurred if an account is compromised.
51 | 
52 | ## Critical Updates And Security Notices
53 | 
54 | We learn about critical software updates and security threats from a
55 | variety of sources:
56 | 
57 | * Ubuntu's security notices page:
58 | * The Node.js mailing list.
59 | * [Security tickets](https://npmjs.com/support) sent to us.
60 | * Other media sources.
61 | 
62 | ### Ubuntu Automatic Security Updates
63 | 
64 | Along with keeping an eye out for critical security updates, automatic
65 | security updates are enabled on all of our production servers, allowing
66 | patches to be applied immediately without human intervention.
67 | 
68 | 
69 | 
70 | ## Responding to Security Threats and Critical Updates
71 | 
72 | When a security threat is identified, we have the following process in
73 | place:
74 | 
75 | 1. We have the Slack channel `security-all`, which is used to
76 | prioritize and coordinate responses to security threats.
77 | 2. Our [Security Point of Contact](#security-point-of-contact)
78 | oversees this discussion: managing the triage, responding to
79 | emails, and updating npm's status page.
80 | 3. Based on the triage, work is allocated to developers to address the
81 | threat:
82 | 
83 | * `P0`: Drop everything and fix!
84 | * `P1`: High severity, schedule work within 7 days.
85 | * `P2`: Medium severity, schedule work within 30 days.
86 | * `P3`: Low severity, fix within 180 days.
87 | 
88 | ## Vulnerability Scanning
89 | 
90 | Along with reacting to security notifications as they happen, we
91 | proactively pen-test and audit software.
92 | 
93 | ### Internal Audits
94 | 
95 | We have a dedicated security team who perform ongoing penetration testing, code auditing, and other forms of security oversight.
96 | 
97 | While working on features at npm, all engineers coordinate security
98 | audits with the [Security Point of Contact](#security-point-of-contact).
99 | 
100 | Documentation of our internal audits is available, and can be provided to customers when requested.
101 | 
102 | ### Automated Scanning
103 | 
104 | The cloud hosting platforms that we use provide options for automated
105 | vulnerability scanning.
106 | 
107 | * AWS:
108 | * Google Cloud:
109 | 
110 | ## Password Policies
111 | 
112 | * Enable 2FA on all npm related accounts.
113 | * Passwords should be rolled every 90 days.
114 | * Passwords should contain alpha-numeric characters and symbols.
115 | * Passwords should be a minimum of 8 characters.
116 | * Any systems we build that accept a username and password should
117 | reject a user after repeated failed login attempts.
118 | 
119 | ### Don't Use Passwords
120 | 
121 | We should opt for alternative authentication methods when possible:
122 | 
123 | * Asymmetric keys for connecting to servers.
124 | * Delegated authentication (SAML, OAuth2, etc).
125 | * Opaque access tokens.
126 | 
127 | ### SSH Keys
128 | 
129 | SSH keys should be rolled out selectively, providing developers access
130 | to only the servers that they require access to.
131 | 
132 | ## Application Design Best Practices
133 | 
134 | In the next section of the document, we discuss the design
135 | methodologies that we use to build stable and secure software.
136 | 
137 | ### Logging Practices
138 | 
139 | Logs are important for both debugging applications and detecting
140 | security breaches in our software.
141 | 
142 | #### What We Log
143 | 
144 | * We should track failed login attempts to servers:
145 |   * Ubuntu provides this information in _/var/log/auth.log_
146 | * We should log the operations performed by users:
147 |   * Ubuntu provides this information in _history_.
148 | * Applications should provide detailed operational logs in a
149 | [standardized format](https://github.com/ceejbot/common-log-string).
150 | 
151 | #### Log format
152 | 
153 | All applications should contain logging for `date`, `time`,
154 | `operation`, and a `unique request identifier`.
155 | 
156 | We use
157 | [common-log-string](https://github.com/ceejbot/common-log-string)
158 | internally to standardize this.
159 | 
160 | #### Backing Up Logs
161 | 
162 | At least 90 days of logs should be kept for each service. On high
163 | traffic hosts this may require backing up logs in cloud storage on a
164 | regular basis.
165 | 
166 | #### Reviewing Logs
167 | 
168 | On the servers that we manage for other companies, we should audit
169 | logs on a regular basis.
170 | 
171 | 
172 | #### Secrets in Logs
173 | 
174 | Logs should not contain any sensitive user information, e.g.,
175 | passwords.
176 | 
177 | The module [hide-secrets](https://www.npmjs.com/package/hide-secrets)
178 | is used to help with this.
179 | 
180 | ### Limiting Access to Operating System Files
181 | 
182 | Micro-services should only have access to databases and files that
183 | they need access to.
184 | 
185 | With our docker-based infrastructure (npm Enterprise) this is achieved by
186 | having containers only mount folders on the root host that they
187 | require access to.
188 | 
189 | In our production environment, this is achieved by partitioning
190 | services across multiple hosts.
191 | 
192 | ### Security Groups
193 | 
194 | Security groups are used to limit the network connectivity between hosts.
195 | 
196 | When deploying a service, ask: "what other services does this
197 | actually need to connect to?"
198 | 
199 | ### Storage of Data
200 | 
201 | Any sensitive user information should be encrypted at rest. Using
202 | [encrypted EBS
203 | drives](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html),
204 | or an equivalent, is a great way to achieve this.
205 | 
206 | ### Inter-Service Communication
207 | 
208 | Communication between services on the same host can be performed via
209 | HTTP.
210 | 
211 | All inter-service communication between two hosts is performed using
212 | TLS.
213 | 
214 | ## Development Process
215 | 
216 | npm has a well-defined, security-focused development process:
217 | 
218 | ### Code Reviews
219 | 
220 | No code goes into production unless it is reviewed by at least one
221 | other developer.
222 | 
223 | The onus is on the reviewer to ask hard questions: "what are the
224 | ramifications of opening up port X?", "why is this connection being
225 | made over HTTP instead of HTTPS?"
226 | 
227 | ### Deploying Updates
228 | 
229 | * Any new code pushed to production is first thoroughly tested in a
230 | staging environment.
231 | * Mechanisms are in place for rolling back any changes that are pushed
232 | to production.
233 | * If a schema change is involved, an inverse migration is first
234 | tested in staging (we want to be confident that we can roll
235 | things back).
236 | 
237 | ### Unit Testing
238 | 
239 | We love testing at npm:
240 | 
241 | * During the code-review process, if you see logic that's complicated
242 | and lacks a test, politely ask the developer for a test.
243 | * It's particularly important that tests are added to logic that
244 | interacts with sensitive parts of the system: ACL logic, password
245 | validation, database access.
246 | * Tests should not contain user data; make sure to anonymize email
247 | addresses, usernames, etc.
248 | * Test coverage is a great way to make sure all of the nooks and
249 | crannies of your codebase are tested. npm maintains two tools for
250 | test coverage internally: [tap](https://github.com/isaacs/node-tap)
251 | and [nyc](https://github.com/bcoe/nyc).
252 | * Any new functionality should always come with a test to verify that
253 | it does what we think it does.
254 | * Any bug fix should always come with a test so that we don't have to
255 | encounter the same bug multiple times.
256 | 
257 | ### Design Cycle
258 | 
259 | The design process and management techniques vary from team to team
260 | at npm. Across the board, however, we strive for continuous
261 | deployment, releasing many small features as they become production
262 | ready.
263 | 
264 | Security is taken into account during all phases of the software
265 | development life-cycle: unit tests consider potential threats; when
266 | testing on staging, we attempt to test potential exploits; and so on.
267 | 
268 | ## AntiVirus Software
269 | 
270 | On our managed Ubuntu hosts, we run the
271 | [ClamAV](https://help.ubuntu.com/community/ClamAV) AntiVirus software.
272 | 
273 | ### When A Virus Is Identified
274 | 
275 | The infected server should be retired, and a new server should be
276 | provisioned from scratch.
277 | 
278 | ## Changes
279 | 
280 | This is a living document and may be updated from time to time.
281 | Please refer to the [git history for this
282 | document](https://github.com/npm/policies/commits/master/security.md)
283 | to view the changes.
284 | 
285 | ## License
286 | 
287 | This document may be reused under a [Creative Commons
288 | Attribution-ShareAlike
289 | License](https://creativecommons.org/licenses/by-sa/4.0/).
290 | 
--------------------------------------------------------------------------------
/archived/solo-plan.md:
--------------------------------------------------------------------------------
1 | # npm Solo Payment Plan
2 | 
3 | This npm Solo Payment Plan (this _Payment Plan_) supplements
4 | the terms for npm Open Source offered by npm, Inc. (_npm_) at
5 | (_npm Open Source
6 | Terms_), as well as the terms for npm Paid Services (_npm Paid Services_)
7 | at (_npm Paid
8 | Services Terms_). This Payment Plan governs payment for use of
9 | npm Solo by a single user account.
10 | 
11 | This Payment Plan was last updated on
12 | August 6, 2018.
13 | You can review prior versions at
14 | .
15 | 
16 | You will pay $7.00 via your Payment Card when you enable npm Solo
17 | for your Account by selecting this Payment Plan, and thereafter
18 | on the same day every month while this Payment Plan remains
19 | selected for your Account.
20 | 
21 | Note that the npm Paid Services Terms require everyone using npm Paid
22 | Services to have an Account of their own, added under a Payment Plan.
23 | You may not allow anyone else to use npm Paid Services under this
24 | Payment Plan.
25 | 
--------------------------------------------------------------------------------
/archived/terms.md:
--------------------------------------------------------------------------------
1 | # Terms and Licenses
2 | 
3 | npm, Inc. offers software and services under a few different licenses
4 | and terms of use.
5 | 
6 | ## Software from npm
7 | 
8 | License terms and notices for the `npm` command-line program can
9 | be found in the LICENSE file of the project's source code at
10 | .
11 | 
12 | ## Free to use npm services
13 | 
14 | Free usage of , the npm public registry,
15 | and
16 | are covered by the npm Open Source Terms at .
17 | These terms include several important policies, including:
18 | 
19 | * What npm considers [acceptable package content](https://www.npmjs.com/policies/open-source-terms#acceptable-use).
20 | 
21 | * npm's [Code of Conduct](https://www.npmjs.com/policies/conduct), which includes our policy on harassment.
22 | 
23 | * npm's [Privacy Policy](https://www.npmjs.com/policies/privacy), which limits use and sharing of information
24 | about you collected by npm Services.
25 | 
26 | * npm's policy on [copyright](https://www.npmjs.com/policies/dmca), including how to report violations thereof.
27 | 
28 | * npm's [Dispute Policy](https://www.npmjs.com/policies/disputes), which addresses how to resolve disputes
29 | over the control of a package name, user name, or organization name in the Public Registry. This includes
30 | our policy on users "squatting" on these names.
31 | 
32 | * Use of npm's trademarks is governed by our [Trademark Policy](https://www.npmjs.com/policies/trademark). If you
33 | have concerns about your own trademark's use on npm, please see our [Disputes Policy](https://www.npmjs.com/policies/disputes#trademarks).
34 | 
35 | ## Paid npm services
36 | 
37 | npm's paid products, including the npm Solo and Orgs plans, are
38 | covered by the npm Paid Services Terms at .
39 | 
40 | The npm Solo Payment Plan
41 | 
42 | and the npm Orgs Payment Plan
43 | 
44 | govern payment for these services.
45 | 
--------------------------------------------------------------------------------
/archived/trademark.md:
--------------------------------------------------------------------------------
1 | # npm Trademark Policy
2 | 
3 | This policy describes npm trademarks and how you may use them.
4 | For information on what to do if someone infringes a trademark of
5 | _yours_ with a confusing package name, see the [Dispute Resolution
6 | Policy](https://www.npmjs.com/policies/disputes).
7 | 
8 | ## What is npm?
9 | 
10 | The npm project contains two main parts:
11 | 
12 | 1. The npm client. It is a command-line tool to install and publish packages.
13 | 2. The npm registry service. npm, Inc. runs the registry as a free (as in beer) public service for anyone
14 | wanting to publish an open source package and for anyone to install an open source package.
15 | 
16 | ## Why npm, Inc. has a trademark policy
17 | 
18 | "npm" and the npm logos are trademarks owned by npm, Inc. We have developed this trademark usage policy to make it clear how other businesses and projects can (and cannot) use the npm name and logos.
19 | 
20 | ## General rules
21 | 
22 | * When referring to the npm software in body text, the first usage should be followed by a generic term such as "package manager," "services" or "client" to provide context.
23 | * "npm" should never be used or explained as an acronym.
24 | * When referring to the npm public registry, please follow npm with the word "registry" or the phrase "public registry".
25 | * When referring to a private registry for npm packages, please describe it as "private registry for npm packages" or a "proxy of the npm registry".
26 | * References to the owner of the npm client software and the operator of the npm public registry should be to "npm, Inc."
27 | * Any materials referring to npm should include the following notice in the footer or wherever you may have your own trademark notice: "npm is a registered trademark of npm, Inc."
28 | 
29 | ## Nominative use - No need to type ™ on Twitter®
30 | 
31 | "Nominative" or "referential" use means to refer to something or someone else by their trademark. So it's perfectly OK to use "npm" to refer to npm, Inc., the npm client, npm code, and the npm public registry. A referential use is generally going to be in a sentence or sentence fragment, like "first install the npm client," or in a book or article title. The use should not be attention-getting or potentially misperceived as suggesting "npm" is your own name, project, product or services.
32 | 
33 | It is not a referential use to incorporate the letters "npm" or any of the npm logos in the name or logo for your own company or its projects, products, services or social media handles.
34 | 
35 | If you need to use "npm" to indicate compatibility, you should use "npm" after your own product or service name and an accurate preposition:
36 | 
37 | * Pink Unicorn Consulting Ltd. services for npm
38 | * Purple Unicorn Inc. private registry server compatible with the npm client
39 | * Kappa, a hierarchical proxy of the npm registry
40 | 
41 | You need to ask for permission for any uses not described. When in doubt about your use of the npm name or logo, please contact [npm, Inc.](https://www.npmjs.com/contact) for clarification.
42 | 
43 | ## Requesting permission
44 | 
45 | We like to make it easy for anyone to use the npm name or logo for community-oriented efforts that help spread and improve npm. We are therefore likely to grant permission to use the npm name and logo in the following ways:
46 | 
47 | * For projects where:
48 |   * The primary purpose of your project is to promote the spread and
49 |     improvement of the npm client software or the npm registry service.
50 |   * Your project is non-commercial in nature (it can make money to cover
51 |     its costs or contribute to non-profit entities, but it cannot be run
52 |     as a for-profit project or business).
53 |   * Your project neither promotes nor is associated with entities that
54 |     currently fail to comply with the Artistic License 2.0 under which
55 |     npm is distributed, or which are in violation of this trademark
56 |     policy.
57 | 
58 | * For a user group name where:
59 |   * The main focus of the group is the software.
60 |   * Any software or services the group provides are without cost.
61 |   * The group does not make a profit.
62 |   * Any charges to attend meetings are to cover the cost of the venue, food and drink only.
63 | 
64 | Any other requests are not likely to be granted licenses, but feel free to [ask](https://www.npmjs.com/contact).
65 | 
66 | ## The npm Logos
67 | 
68 | Our npm Logos are very recognizable and deserve special treatment. The
69 | npm Logos signify us, or a special relationship with us, and you
70 | may use them only with our permission. Since the goal is to avoid
71 | confusion about you being us, or your relationship with us, context
72 | counts. We will [consider requests](https://www.npmjs.com/contact) on a case-by-case basis.
73 | 
74 | ## The npm Wombat Mascot
75 | 
76 | Like the npm Logo, the npm Wombat graphic is a very recognizable
77 | part of the npm brand, and signifies a special relationship with
78 | the npm project, service, or company. It should never be used except
79 | with explicit written permission. We will [consider requests](https://www.npmjs.com/contact) on a
80 | case-by-case basis.
81 | 
82 | Please be advised that the Wombat and the logos generally may
83 | **not** be used to refer to the project, service, or company in a
84 | nominative sense, as any usage will almost always imply a special
85 | relationship with npm.
86 | 
87 | ## Changes
88 | 
89 | This is a living document and may be updated from time to time.
90 | Please refer to the [git history for this
91 | document](https://github.com/npm/policies/commits/master/trademark.md)
92 | to view the changes.
93 | 
94 | ## License
95 | 
96 | Copyright © npm, Inc.
97 | 
98 | This document may be reused under a [Creative Commons
99 | Attribution-ShareAlike
100 | License](https://creativecommons.org/licenses/by-sa/4.0/).
101 | 
--------------------------------------------------------------------------------
/archived/unpublish.md:
--------------------------------------------------------------------------------
1 | # npm Unpublish Policy
2 | This document describes your options when looking to unpublish a package published to the public registry.
3 | 
4 | Registry data is immutable, meaning once published, a package cannot change. We do this for reasons of security and stability for the users who depend on those packages. So if you've ever published a package called "bob" at version 1.1.0, no other package can ever be published with that name at that version. This is true even if that package is unpublished.
5 | 
6 | However, because accidents happen, we allow you to unpublish packages in the situations described below. Otherwise, you can always deprecate a package.
7 | 
8 | ## Packages published less than 72 hours ago
9 | 
10 | For newly created packages, as long as no other packages in the npm Public Registry depend on your package, you can unpublish anytime within the first 72 hours after publishing.
11 | 
12 | ## Packages published more than 72 hours ago
13 | 
14 | Regardless of how long ago a package was published, you can unpublish a package that:
15 | 
16 | - no other packages in the npm Public Registry depend on
17 | - had fewer than 300 downloads over the last week
18 | - has a single owner/maintainer
19 | 
20 | ## How to unpublish
21 | 
22 | To unpublish a single package version, run `npm unpublish <package>@<version>`.
23 | 
24 | If all the versions of a package can be unpublished, you can unpublish all versions at once by running `npm unpublish <package> --force`.
25 | 
26 | ## Considerations
27 | 
28 | - Once `package@version` has been used, you can never use it again. You must publish a new version even if you unpublished the old one.
29 | - Once you have unpublished a package, you will not be able to undo the unpublish.
30 | - If you entirely unpublish all versions of a package, you may not publish any new versions of that package until 24 hours have passed.
31 | 
32 | ## What to do if your package does not meet the unpublish criteria?
33 | 
34 | If your package does not meet the unpublish policy criteria, we recommend [deprecating](https://docs.npmjs.com/cli/deprecate) the package. This allows the package to be downloaded but publishes a clear warning message (that you get to write) every time the package is downloaded, and on the package's npmjs.com page. Users will know that you do not recommend they use the package, but if they are depending on it their builds will not break. We consider this a good compromise between reliability and author control.
35 | 
36 | This can be achieved by using one of the following from your command line:
37 | 
38 | - `npm deprecate <package> "<message>"` to deprecate the entire package
39 | - `npm deprecate <package>@<version> "<message>"` to deprecate a specific version
40 | 
41 | If the entire package is deprecated, the package name will be dropped from our search results.
42 | 
43 | Once deprecated, if you would also like for the package to be removed from your user profile, it can be [transferred](https://docs.npmjs.com/cli/owner) to our [@npm](https://www.npmjs.com/~npm) account. This can be achieved by using the following from your command line:
44 | 
45 | - `npm owner add npm <package>`
46 | - `npm owner rm <user> <package>`
47 | 
48 | 
49 | ## More on our unpublish policy
50 | 
51 | This document is additive to the [unpublish procedures](https://docs.npmjs.com/unpublishing-packages-from-the-registry), the CLI commands [unpublish documentation](https://docs.npmjs.com/cli/unpublish) and the ["Changes to npm Unpublish Policy - January 2020"](https://blog.npmjs.org/post/190553543620/changes-to-npm-unpublish-policy-january-2020) blog post.
52 | 
53 | ## Issues?
54 | 
55 | If for some reason your package meets the unpublish policy criteria but the unpublish command fails, or if you need assistance with the deprecate process, please [reach out to our support team](https://npmjs.com/support) where we'll be happy to assist.
56 | 
57 | If you believe a package violates npm's terms or policies, such as our terms of use, [reach out to our support team](https://www.npmjs.com/support). If a package infringes your copyright, [refer to npm's DMCA takedown policy](https://www.npmjs.com/policies/dmca). If you believe a package violates your privacy rights, [contact our privacy team](https://www.npmjs.com/policies/privacy#contact) as soon as possible.
58 | 
59 | ## Changes
60 | 
61 | This is a living document and may be updated from time to time.
62 | Please refer to the [git history for this
63 | document](https://github.com/npm/policies/commits/master/unpublish.md)
64 | to view the changes.
65 | 
66 | ## License
67 | 
68 | Copyright (C) npm, Inc., All rights reserved
69 | 
70 | This document may be reused under a [Creative Commons
71 | Attribution-ShareAlike
72 | License](https://creativecommons.org/licenses/by-sa/4.0/).
73 | 
--------------------------------------------------------------------------------
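The unpublish rules in this policy (the 72-hour window, the criteria for older packages, the immutability of `name@version`, and the 24-hour bar on republishing after a full unpublish) modelled as an added example; this is illustrative code, not npm's registry implementation, and the package names, timestamps and counts are constructed.

```javascript
// Added example, not npm's own code: an in-memory model of the unpublish
// rules described in this policy. Names, timestamps and counts below are
// constructed for illustration.
const HOUR_MS = 60 * 60 * 1000;

// Decide whether a package may be unpublished under the policy criteria.
// pkg: { publishedAt (ms), dependents, weeklyDownloads, maintainers }
function unpublishEligibility(pkg, nowMs) {
  if (pkg.dependents > 0) {
    return { ok: false, reason: 'other packages in the registry depend on it' };
  }
  if (nowMs - pkg.publishedAt < 72 * HOUR_MS) {
    return { ok: true, reason: 'published less than 72 hours ago' };
  }
  if (pkg.weeklyDownloads >= 300) {
    return { ok: false, reason: '300 or more downloads in the last week' };
  }
  if (pkg.maintainers !== 1) {
    return { ok: false, reason: 'more than one owner/maintainer' };
  }
  return { ok: true, reason: 'meets the criteria for older packages' };
}

// Registry model: a name@version tuple is never reusable once published,
// and a full unpublish blocks new versions of that name for 24 hours.
class Registry {
  constructor() {
    this.everPublished = new Set();      // every name@version ever seen
    this.live = new Map();               // name -> Map(version -> pkg)
    this.fullyUnpublishedAt = new Map(); // name -> time of full unpublish
  }

  publish(name, version, meta, nowMs) {
    const key = `${name}@${version}`;
    if (this.everPublished.has(key)) {
      throw new Error(`${key} has already been used; publish a new version`);
    }
    const since = this.fullyUnpublishedAt.get(name);
    if (since !== undefined && nowMs - since < 24 * HOUR_MS) {
      throw new Error(`${name} was fully unpublished less than 24 hours ago`);
    }
    this.everPublished.add(key);
    if (!this.live.has(name)) this.live.set(name, new Map());
    this.live.get(name).set(version, { publishedAt: nowMs, ...meta });
  }

  unpublish(name, version, nowMs) {
    const versions = this.live.get(name);
    const pkg = versions && versions.get(version);
    if (!pkg) throw new Error(`${name}@${version} is not published`);
    const verdict = unpublishEligibility(pkg, nowMs);
    if (!verdict.ok) throw new Error(`cannot unpublish: ${verdict.reason}`);
    versions.delete(version);
    if (versions.size === 0) {
      this.live.delete(name);
      this.fullyUnpublishedAt.set(name, nowMs); // start the 24-hour bar
    }
    return verdict;
  }

  isPublished(name, version) {
    const versions = this.live.get(name);
    return Boolean(versions && versions.has(version));
  }
}

// Walk through the policy's "bob@1.1.0" scenario.
function demo() {
  const reg = new Registry();
  const t0 = Date.UTC(2020, 0, 1);
  const meta = { dependents: 0, weeklyDownloads: 0, maintainers: 1 };
  reg.publish('bob', '1.1.0', meta, t0);
  reg.unpublish('bob', '1.1.0', t0 + HOUR_MS); // within 72 hours: allowed
  let reuseBlocked = false;   // bob@1.1.0 can never be used again
  try { reg.publish('bob', '1.1.0', meta, t0 + 48 * HOUR_MS); } catch { reuseBlocked = true; }
  let cooldownBlocked = false; // no new versions for 24 hours after a full unpublish
  try { reg.publish('bob', '1.1.1', meta, t0 + 2 * HOUR_MS); } catch { cooldownBlocked = true; }
  reg.publish('bob', '1.1.1', meta, t0 + 26 * HOUR_MS); // after the 24-hour bar
  return { reuseBlocked, cooldownBlocked, republished: reg.isPublished('bob', '1.1.1') };
}
```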