The npm CLI project does not have designated LTS releases. The project only makes regular releases to the most recent major release-line. If you want to learn more, please read our LICENSE. Using the latest version of npm is advised.

In the event of a security issue, the project will try to backport - when possible - security patches to versions of npm currently shipping with "maintained" Node.js versions. There are no guarantees that legacy versions of npm will receive updates. Using the latest version of npm is advised.

If you believe you've found a security issue with the npm CLI, we kindly ask that you check if a previous issue has already been filed against the npm/cli, or any one of it's dependencies, repositories that is similar to your finding. Please also ensure your vulnerability meets the eligibility criteria outlined in our Bug Bounty Program before submission. Notably, exploits which require social engineering are ineligible for bounties & more generally are out of scope for the npm CLI to reasonably protect against. Examples of hypothetical, ineligible exploitations would be: manipulating dependent system binaries (ex. git, node etc.), environment or project configuration (ex. PATH, npm_config_* etc.), files, caches or packages & package references prior to executing any npm command. npm should always be run on trusted systems with secure network access.

Older versions of the npm CLI should continue to work with the npm Public Registry (ie. registry.npmjs.org) but may not support all of its latest features & reliability of those APIs/services may change or degrade over time. Using the latest version of npm is advised.

Questions, comments, or requests to change this policy should be opened in npm's feedback repository.