npm Security Policy

Outlined in this document are the practices and policies that npm applies to help ensure that we release stable, secure software and react appropriately to security threats when they arise.

Table of Contents

  1. Reporting Security Problems to npm
  2. Security Point of Contact
  3. Critical Updates and Security Notices

Reporting Security Problems to npm

If you need to report a security vulnerability, please visit https://npmjs.com/support. If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting our support team is more appropriate.

We review all security reports on the next business day. Note that npm staff are generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.

Security Point of Contact

Any security tickets opened using https://npmjs.com/support will be escalated to the security point of contact, who will delegate incident response activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.

Critical Updates and Security Notices

We learn about critical software updates and security threats from a variety of sources:

Changes

This is a living document and may be updated from time to time. Please refer to the git history for this document to view the changes.

License

This document may be reused under a Creative Commons Attribution-ShareAlike License.