The npm blog has been discontinued.
npm and Heartbleed
If you’ve been alive on the Internet in the last 18 hours, you have probably heard about the evocatively-named Heartbleed vulnerability in OpenSSL.
We started patching machines within 30 minutes of the revelation of the bug, and our last vulnerable machine was patched at 7.30am Pacific today.
There has been no evidence so far that our keys were compromised during this period, but nevertheless we are regenerating all our SSL keys anyway and will be rolling them out over the next couple of days (we are very cautious about testing and rolling out new certs since an earlier incident in which we broke a lot of older npm clients while doing so).
Update 2014-04-11: our new SSL certs based on fresh keys are now in production worldwide.