npm 安全政策

See Details

本文档概述了 npm 所采用的实践和政策，旨在确保我们发布稳定/安全的软件，并在出现安全威胁时做出适当的反应。

¥Outlined in this document are the practices and policies that npm applies to help ensure that we release stable/secure software, and react appropriately to security threats when they arise.

向 npm 报告安全问题

¥Reporting Security Problems to npm

如果你需要报告安全漏洞。请访问 https://npmjs.com/support。如果你的问题特定于你的账户，例如凭据丢失或双重身份验证问题，则联系我们的支持团队更为合适。

¥If you need to report a security vulnerability. Please visit https://npmjs.com/support. If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting our support team is more appropriate.

我们会在下一个工作日审查所有安全报告。请注意，npm 员工在美国大多数节假日通常处于离线状态，但请不要延迟你的报告！我们的非工作时间支持人员可以解决许多问题，并会在需要时通知我们的安全联系人。

¥We review all security reports on the next business day. Note that the npm staff is generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.

安全联系人

¥Security Point of Contact

任何使用 https://npmjs.com/support 开具的安全工单都将上报至安全联系人，安全联系人将酌情委派事件响应活动。这是就任何安全相关问题联系 npm 的最佳和最快捷方式。

¥Any security tickets opened using https://npmjs.com/support will be escalated to the security point of contact, who will delegate incident response activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.

关键更新和安全通知

¥Critical Updates And Security Notices

我们从各种来源了解关键软件更新和安全威胁：

¥We learn about critical software updates and security threats from a variety of sources:

Ubuntu 的安全声明页面：https://usn.ubuntu.com/

¥Ubuntu's security notices page: https://usn.ubuntu.com/
Node.js 邮件列表。

¥The Node.js mailing list.
安全工单已发送给我们。

¥Security tickets sent to us.
以及其他媒体资源。

¥and other media sources.