npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Statement on npm‑cdn.com and npm‑js.com

An anonymous person recently registered domains that appear to be affiliated with npm, Inc., and in recent days has contacted some npm users to promote a commercial service that our users could confuse for an npm, Inc. product.

npm, Inc. is not affiliated with this individual, we do not endorse these actions, and we are taking action to protect our users and defend our intellectual property rights.

This is what we know:

A few weeks ago, an unknown party registered the domains npm-cdn.com and npm-js.com. They are hosted on DigitalOcean behind the Cloudflare CDN.

npm, Inc. is not affiliated with these domain names, which we believe are an intentional attempt to confuse npm users as to their association with npm, Inc. They are a violation of npm’s trademark policy.

The domains point to sites that run a fork of unpkg, a CDN backend written by Michael J. Jackson. Michael is an upstanding Open Source citizen with whom we have a longstanding relationship. Unpkg is not released under a license that would allow others to use the codebase in this way. The npm-cdn.com and npm-js.com forks are code theft.

A few days ago, the anonymous party began creating a flood of automated accounts on the npm Registry, and created thousands of empty packages that link back to their website. These actions are in violation of npm’s terms of use.

They also have emailed npm maintainers to advertise their product, and BCC’ed other maintainers about packages with which they’re not involved. This is a violation of not only our terms of use, but also common decency.

We have reached out to Cloudflare and DigitalOcean to shut down this abusive behavior. These companies’ processes take some time, and are still underway. As the situation unfolds, we’ll keep the community informed. If you’re not sure whether a piece of communication is really from npm, Inc., contact npm support at support@npmjs.com for assistance.

Supporting the npm Registry and the Open Source community remains our highest priority. We’ll continue to take every possible action to support the community and help developers build amazing things.

Isaac Z. Schlueter, CEO