npm Blog (Archive)

"Oh no! I accidentally published private data to the public registry!"

Note: as of January 30, 2020, the unpublish policy has been updated.

We get this specific support issue once or twice a week, so we thought it would be useful to state publicly what we say privately: if you publish sensitive information to the public npm registry, that information is irreversibly public, and you should change whatever secrets you can.

Here’s why: the registry run by npm Inc. is not the only npm registry. Via the public registry replication stream at replicate.npmjs.com, there are several thousand mirrors of the registry, run by various private individuals for their own purposes. When you publish any public package, it is replicated to all of these registries within 2-3 seconds.

(Obviously, this is not true if you are using private packages, which are not replicated. This post only applies to public packages.)

If you quickly realize your mistake, you can unpublish the package and it will be deleted from our servers. When that happens a “delete” event is sent to the downstream replicas. However, we cannot control what the downstream replicas do with that event; we cannot guarantee that third parties will delete your data. No matter how important, private, or sensitive the information in that package was, we can’t claw it back.

After 24 hours, to protect the stability of the registry, it becomes impossible to unpublish a package yourself, and you must contact support. They will happily unpublish anything published accidentally, but after 24 hours many, many mirrors of your package will exist, so this is entirely a cosmetic change.

To reduce the risk of accidentally publishing private information publicly, there are a couple of things you can do:

  1. Use scoped package names, like @seldo/my-package. Scoped packages are private by default, so you have to explicitly make them public using npm publish --access=public, which is harder to do by accident. Apart from that default, public scoped packages work exactly like unscoped packages, so there’s no reason not to do this. (Private scoped packages require a subscription, however.)

  2. If control of your data is a high priority, consider using npm Enterprise. npm Enterprise gives you your own private registry that mirrors the public registry. No matter how you publish to npm Enterprise, the data stays on your servers.
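A pre-publish guard that applies the rule from point 1 to a package.json before anything leaves the machine. This is an added example, not npm's own code: it assumes the precedence an explicit `--access` flag, then `publishConfig.access`, then the scoped/unscoped default, and the credential-file patterns and the sample manifest are constructed for the example.

```python
import fnmatch
import json

# Constructed patterns that usually mean credential material is in the tarball.
SENSITIVE_PATTERNS = (".env", ".env.*", ".npmrc", "*.pem", "*.key", "id_rsa*")


def effective_access(manifest, cli_access=None):
    """Return 'public' or 'restricted' for a would-be `npm publish`.

    Assumed precedence: CLI flag, then publishConfig.access, then the default,
    which is restricted for scoped names and public for unscoped names."""
    name = manifest.get("name", "")
    scoped = name.startswith("@") and "/" in name
    if not scoped:
        return "public"  # unscoped packages can only be published publicly
    if cli_access in ("public", "restricted"):
        return cli_access
    configured = manifest.get("publishConfig", {}).get("access")
    if configured in ("public", "restricted"):
        return configured
    return "restricted"  # the scoped default described in the post


def sensitive_files(files):
    """Paths from the tarball listing whose basename matches a sensitive pattern."""
    hits = []
    for path in files:
        base = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(base, pat) for pat in SENSITIVE_PATTERNS):
            hits.append(path)
    return hits


def guard(manifest, files, cli_access=None):
    """Return warnings for this publish; an empty list means nothing was flagged."""
    warnings = []
    if effective_access(manifest, cli_access) == "public":
        warnings.append("%s would be PUBLIC and mirrored within seconds"
                        % manifest.get("name"))
    for path in sensitive_files(files):
        warnings.append("tarball contains credential-looking file: %s" % path)
    return warnings


if __name__ == "__main__":
    # Constructed manifest and file listing, as `npm pack --dry-run` would show them.
    manifest = json.loads('{"name": "my-package", "version": "1.0.0"}')
    listing = ["package.json", "index.js", ".env", "certs/server.pem"]
    for warning in guard(manifest, listing):
        print("WARNING:", warning)
```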

The bottom line: if you accidentally publish a public package containing private information, that information is immediately compromised and you must revoke or roll any credentials contained in it. The data will have been immediately copied to hundreds of computers outside of npm’s control, and there is nothing we can do.

Note: this post was updated on October 8, 2020, to clarify that private scoped packages require a subscription. Public scoped packages remain available for no charge.