The npm blog has been discontinued.
upcoming change: verified email required
This change affects only the requirements for new packages. You do not need to verify your email address to publish new versions of existing packages.
Why we’re doing this
When npm was a smaller registry with fewer users, we were not an attractive spam target, but this is no longer true. We’ve seen a recent increase in spammers publishing many packages to the registry, sometimes thousands of packages at once. Sometimes spammers publish these packages from a single account, and sometimes they create a new account for every package published. Spammers can currently create accounts very easily and begin spamming immediately, since no verification step is required.
Requiring valid email addresses for people intending to publish new packages is one of several steps we’re taking to slow down spammers. We are also working with Smyte to identify spam packages from their metadata and README data as they are published, so we can clean up incidents faster than in the past.
How to verify your email address
Log in to your account on the npm website and go to your profile page. Mine, for example, is https://www.npmjs.com/~ceejbot. If your email address needs verification, you’ll see a banner like this one:
Click the “send it again” link to send the verification email.
If you need to change your email address, you can do so on the email edit page.
When this change will take effect
Next week, on Tuesday July 25.
You need to have a valid email address associated with your npm account to publish new packages. Verify your email address now if you have not already done so.
Contact our support team if you have questions about this requirement or experience problems following the steps above. npm loves you, but it doesn’t love spam.