npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

npm and Heartbleed

If you’ve been alive on the Internet in the last 18 hours, you have probably heard about the evocatively-named Heartbleed vulnerability in OpenSSL.

We started patching machines within 30 minutes of the revelation of the bug, and our last vulnerable machine was patched at 7.30am Pacific today.

There has been no evidence so far that our keys were compromised during this period, but nevertheless we are regenerating all our SSL keys anyway and will be rolling them out over the next couple of days (we are very cautious about testing and rolling out new certs since an earlier incident in which we broke a lot of older npm clients while doing so).

Update 2014-04-11: our new SSL certs based on fresh keys are now in production worldwide.