This notice describes how npm, Inc., or npm for short, collects and uses data about you.
What's most important?
That depends on your personal situation, which is why you should read on and decide for yourself. But at a minimum, absolutely every npm user should understand:
The npm public registry is for making software available to everyone online.
But: Software comes from people, and says something about us.
So: Think carefully about what packages to publish, what data you put in those packages, and what others might do with that data.
When you create an account, certain contact information is displayed publicly in the npm platform. And when you upload a package, your name and contact information may become associated with that package.
If you find yourself in a jam, open a support ticket.
How does npm collect data about me?
npm collects data about you:
When researching potential customers, npm staff sometimes search the public World Wide Web or paid business databases. Otherwise, npm doesn't buy or receive data about you from data brokers or other private services.
npm may inadvertently collect data about you if it is included in software packages that you or others upload.
What data does npm collect about me, and why?
npm collects data about how you use npm software and registries
When you use the npm command, the npx command, or other software to work with the npm public registry, an Enterprise registry that npm hosts, or private packages, npm logs data that might be identified to you:
- a random, unique identifier, called npm-session, generated each time you run commands like npm install
- the npm-in-ci header, showing whether the command was run on a continuous integration server
- the scope of the package for which npm install was run, as the npm-scope header
- the referrer header, with any file or directory paths redacted
- the User-Agent string
npm uses this data to:
- send you alerts about security vulnerabilities that may affect software you're building when you run npm install or npm audit
- […] the npm command and other software
npm collects data about how you use the website
When you visit www.npmjs.com, docs.npmjs.com, and other npm websites, npm uses cookies, server logs, and other methods to collect data about what pages you visit, and when. npm also collects technical information about the software and computer you use, such as:
npm uses data about how you use the website to:
npm collects account data
Many features of npm services require an npm account. For example, you must have an npm account to publish packages to the npm public registry.
To create an npm account, npm requires a working email address and an available user name. npm uses this data to provide you access to features and identify you across npm services, publicly and within npm.
You do not have to give your personal or legal name to create an npm account. You can use a pseudonym instead. You can also open more than one account.
If you sign up for an account, then npm will publish account data for the whole world to see on user pages like this one. npm also publishes account data through the npm public registry, which is available for everyone to see, and Enterprise registries that npm hosts for others to find with commands like npm owner ls tap.
If you give npm a personal name or names on social media like GitHub through the website, like when you include this on your profile or user page, npm publishes that data along with the email address and user name for the account. You don't have to give npm a personal name or any social media names, and you can remove this data at any time by updating your user page.
npm uses your email to:
npm collects package data
When you use npm publish or other software to publish packages to the npm public registry, an Enterprise registry that npm hosts, or as a private package, npm collects the contents of the package, plus metadata, including your account data. Other npm users may also publish packages that include data about you, such as the fact that you contributed code to a package.
npm uses data in packages to provide those packages to you and others who request them:
Making package data available to others allows them to download, build on, and depend on your work.
npm collects payment card data
To sign up for paid services, npm requires your payment card data. npm itself does not collect or store enough information to charge your card itself. Rather, Stripe collects that data on npm's behalf, and gives npm security tokens that allow npm to create charges and subscriptions.
npm uses your payment card data only to charge for npm services.
npm instructs Stripe to store your payment card data only as long as you use paid npm services.
npm collects data about correspondence
npm collects data about you when you send npm support requests, legal complaints, privacy inquiries, and business inquiries. Those data usually include your name and email address, and may include your company or other affiliation.
npm uses contact data to:
npm collects data about use of npm.community
npm collects data about visits, user accounts, and forum data on npm.community, the discussion forum for users of npm products and services. npm uses data from npm.community to collaborate with the development community, and to inform development decisions about the command-line interface and other software.
Does npm share data about me with others?
npm shares account data with others as mentioned in the section about account data.
npm shares package data with others as mentioned in the section about package data.
npm publishes posts and other content you submit to npm.community.
npm does not sell information about you to others. However, npm uses services provided by other companies to provide npm services. The types of service providers that npm uses include:
npm uses cookies
npm's website only uses cookies strictly necessary to provide, optimize and secure the website. For example, we use them to keep you logged in, remember your preferences, authenticate your device for security purposes, analyze your use of the service, compile statistical reports, and provide information for future development of npm. The website uses internal cookies for analytics purposes, not any third-party analytics or service providers.
By using the website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use the website.
How can I make choices about data collection?
You choose what data the npm publish command includes in package data. You can use an .npmignore file in your package to keep specific files out of the package. You can also use a files list in package.json files to instruct npm to include only specific files that you name, in addition to standard files like README files, LICENSE files, and package.json.
To double-check the data you would share in a package you plan to publish, run the npm publish --dry-run command. If you are using an older version of the npm command, run the npm pack command to create a tarball, then inspect its contents, for example with tar tvzf $tarball.
To publish a package to the npm public registry, npm's terms of service require you to license npm to share it. If a package is made public, it is available for everyone online to see. However, your choice of public license for your package may affect what others can do with data about you in your package.
npm does not respond to the Do Not Track HTTP header.
Where does npm keep data about me?
npm stores account data, data about website use, data about registry use, and private packages on servers in the United States of America. Metadata about those packages is stored worldwide, via content delivery networks.
npm stores package data published to Enterprise registries that npm hosts, plus metadata about them, in cloud computing zones of customers' choosing.
By using the npm platform, you consent to the collection and storage of your data as outlined in this section.
How does npm handle data under the EU General Data Protection Regulation?
npm respects privacy rights under Regulation (EU) 2016/679, the European Union's General Data Protection Regulation (GDPR). npm processes "Personal Data" on the following legal bases: (1) with your consent; (2) as necessary to perform our agreement to provide our services; and (3) as necessary for our legitimate interests in providing our services where those interests do not override your fundamental rights and freedom related to data privacy. Information we collect may be transferred to, and stored and processed in, the United States or any other country in which we or our affiliates or subcontractors maintain facilities, as described above.
If you reside in the EEA, Switzerland, or United Kingdom, you are entitled to certain rights, like the right to:
When you exercise your rights, npm may need to verify your identity and provide us with information before we access records containing your information. If you want to exercise your rights, please contact npm by opening a support ticket. We may have a reason under the law why we do not have to comply with your request or may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
How does npm handle data under the California Consumer Privacy Act?
npm respects the rights of California residents under the California Consumer Privacy Act (CCPA). Where we collect information that is subject to the CCPA, that information we collect and your rights are described below.
Categories of personal information we collect:
We may collect any other information about you contained in software packages uploaded to our site, as described above under the "npm collects package data" section. We also collect the contents of your communications with us, e.g., when you submit a question to us through a web form or comments to us on social media.
We may disclose any of the categories of personal information listed above and use them for the above-listed purposes or for other business or operational purposes compatible with the context in which the personal information was collected. Our disclosures of personal information include disclosures to our "service providers," which are companies that we engage for business purposes to conduct activities on our behalf. The categories of service providers with whom we share information and the services they provide are described below.
Rights under CCPA:
To exercise your rights above, you can open a support ticket. When we process your request, we must verify your identity by asking you to (1) provide personal identifiers that we can match against information we may have collected from you previously; and (2) confirm your request using the email stated in the request.
Opt-out of sale:
California residents have the right to request that we stop "selling" their personal information. A "sale" of personal information is defined broadly: "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." We do not sell your information as defined by the CCPA.
Please note that your right to opt out does not apply to our sharing of personal information with service providers, who are parties we engage to perform a function on our behalf and are contractually obligated to use the Personal Information only for that function.
We may also disclose information to other entities who are not listed here when required by law or to protect our Company or other persons, as described in our Privacy Policy.
How can I see what data is publicly available about me?
You can access your account data at any time by visiting your account page on www.npmjs.com. Your account page also lists all the packages published under your account or other accounts.
You can access package data by downloading the packages, as long as they're public or you have permission to access them.
You can view a package's metadata by running npm info $package, or by accessing the corresponding registry API. The registry API provides metadata in standard JSON format and packages as tarballs.
How can I change data about me?
You can change your personal account data and payment card data at any time by visiting your account settings page on www.npmjs.com. You can change account and payment data for Enterprise by contacting support.
You can close your npm account at any time by e-mailing support. Closing your account removes the profile from the public registry but does not automatically erase packages published under your account. We may retain some data about you internally even where you close your account.
npm's unpublish policy determines when you can erase packages from the npm public registry. The unpublish policy strikes a difficult balance between the purpose of publishing and hosting packages, others' reliance on what has been made public, and individual rights and freedoms.
If another user improperly publishes personal data about you, in a package or otherwise, open a support ticket.
Please note that while npm publishes notices about published data that's been erased, npm can't make everyone who has downloaded published package data or account data erase that data on your behalf. Choosing a public license, such as an open source software license, may encourage and allow storage, distribution, and use of package data indefinitely. Nearly all popular open source software licenses actually require preserving personal data that attributes the software to you, such as copyright notices, as a condition of permission for the software.
What is npm's policy on unpublishing packages?
Please see our policy on "unpublishing" packages or our terms of service for more information on erasing packages.
If you accidentally publish a package that threatens your privacy, or discover someone else has published a package that does, open a support ticket. npm can and will take down packages in specific, exceptional situations to protect you, especially if others violate your privacy. Using npm to violate others' privacy is against our terms of service.
How does npm notify others about published data that's erased?
npm takes a few steps to notify others who may be copying data from the npm public registry that published data has been erased:
- […] README file, which states that the package has been erased and why.
What happens if npm merges with or is bought by another company?
We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information the same as described in this Policy.
What are npm's information practices regarding information belonging to children?
npm's site and services are intended for users age sixteen and older. npm does not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 16, we will delete that information.
Who can I contact about npm and my privacy?
Please open a support ticket. You may also contact our Data Protection Officer directly.
Our United States HQ:
GitHub Data Protection Officer
Attention: npm Data Protection
88 Colin P. Kelly Jr. St.
San Francisco, CA 94107
United States
or our EU Office:
GitHub BV
Vijzelstraat 68-72
1017 HL Amsterdam
The Netherlands
How can I find out about changes?
This version of npm's privacy questions and answers took effect June 3, 2020.
npm will announce the next version on the npm blog. In the meantime, npm may update its contact information by updating the page at https://npm.nodejs.cn/privacy, without an announcement. npm may change how it announces changes in future privacy versions.
You can review the history of changes in the Git repository for npm's public policies.