npm is the package manager for JavaScript.
The npm package manager is tier 1.
- security - [email protected]
- support - [email protected]
- homepage: https://npmjs.com
Control | Status | Comments |
---|---|---|
Strong Authentication | Optional | |
MFA To Push Artifacts | Optional | |
Security Contacts | Yes | security.txt |
Packages Can Notify of Security Issues | Partial | A "Report a vulnerability" function is available on every package page; maintainers use it to get an entry into the npm audit advisory feed |
Code package tied to source code | No | |
Update notifications | Partial | The maintainer who published the package is notified |
Code signing | Partial | npm signs package metadata with internal GPG keys; verification is currently a manual process |
Code analysis (static) | No | |
Code Dependency Analysis | Yes | npm audit |
Package Manager Does Not Run Code | Optional | The --ignore-scripts argument causes npm not to execute any lifecycle scripts defined in package.json |
Package Manager Does Not Collect Info | No | npm privacy policy |
Project Roles Guide | No | |
Project Roles Review | No | |
Account Level Library Tagging | No | |