npm Blog (Archive)

upcoming change: verified email required

npm’s open source terms of use require that you provide us with a valid email address. Starting next week, you will need to verify your email before you can publish new packages.

This change affects only the requirements for new packages. You do not need to verify your email address to publish new versions of existing packages.

Why we’re doing this

When npm was a smaller registry with fewer users, we were not an attractive spam target, but this is no longer true. We’ve seen a recent increase in spammers publishing many packages to the registry, sometimes thousands of packages at once. Sometimes spammers publish these packages from a single account, and sometimes they create a new account for every package published. Spammers can currently create accounts very easily and begin spamming immediately, since no verification step is required.

Requiring valid email addresses for people intending to publish new packages is one of several steps we’re taking to slow down spammers. We are also working with Smyte to identify spam packages from their metadata and README data as they are published, so we can clean up incidents faster than in the past.

How to verify your email address

Log into your account on the npm website and go to your profile page. Mine, for example is If your email address needs verification, you’ll see a banner like this one:

Click the “send it again” link to send the verification email.

If you need to change your email address, you can do so on the email edit page.

When this change will take effect

Next week, on Tuesday July 25.


You need to have a valid email address associated with your npm account to publish new packages. Verify your email address now if you have not already done so.

Contact our support team if you have questions about this requirement or experience problems following the steps above. npm loves you, but it doesn’t love spam.