Added policy pages #20

Merged
merged 14 commits into from
Jul 16, 2021
Original file line number Diff line number Diff line change
Expand Up @@ -45,5 +45,5 @@ npm owner add <their-username> <package-name> --otp=123456
npm owner rm <your-username> <package-name> --otp=123456
```

[dispute-policy]: https://www.npmjs.com/policies/disputes
[dispute-policy]: /policies/disputes
[npm-owner]: cli/owner
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import shared from '../../../src/shared.js'

## How to unpublish

As a package owner or collaborator, if your package has no dependents, you can permanently remove it from the npm registry by using the CLI. You can [unpublish][unpublish-cli] within 72 hours of the initial publish. Beyond 72 hours,so you can still unpublish your package if [it meets certain criteria](https://www.npmjs.com/policies/unpublish).
As a package owner or collaborator, if your package has no dependents, you can permanently remove it from the npm registry by using the CLI. You can [unpublish][unpublish-cli] within 72 hours of the initial publish. Beyond 72 hours,so you can still unpublish your package if [it meets certain criteria][unpublish].

<Note>

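Review bot: The rewritten sentence in the "How to unpublish" paragraph still reads "Beyond 72 hours,so you can still unpublish your package". Since this line is being edited anyway, drop the stray "so" and add the space after the comma: "Beyond 72 hours, you can still unpublish your package if [it meets certain criteria][unpublish]."
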
Expand Down Expand Up @@ -61,9 +61,8 @@ You might want to unpublish a package because you:
If you are no longer interested in maintaining a package, but want it to remain available for users to install, or if your package has dependents, we'd recommend [deprecating][deprecate-cli] it. To learn about how to deprecate a package, see "[Deprecating and undeprecating packages or package versions][deprecate-package]".


[unpublish-cli]: cli/unpublish
[oh-no]: https://blog.npmjs.org/post/101934969510/oh-no-i-accidentally-published-private-data-to
[deprecate-cli]: cli/deprecate
[deprecate-package]: deprecating-and-undeprecating-packages-or-package-versions
[unpublish-policy]: https://www.npmjs.com/policies/unpublish
[two-factor-auth]: about-two-factor-authentication
[unpublish]: /policies/unpublish
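
Review bot: The reference definitions at the end of this hunk list both `[unpublish-policy]` (absolute https://www.npmjs.com URL) and the new `[unpublish]: /policies/unpublish`, and the hunk header shows a net removal of one line. If `[unpublish-policy]` is the definition being dropped, check that nothing else in this file still uses that label, because an undefined reference renders as literal bracket text. Consider placing `[unpublish]` next to `[unpublish-cli]` so the two similarly named labels are easy to tell apart.
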
523 changes: 523 additions & 0 deletions content/policies/business-solution-terms.mdx

Large diffs are not rendered by default.

186 changes: 186 additions & 0 deletions content/policies/conduct.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,186 @@
---
title: npm Code of Conduct
---
npm exists to facilitate sharing code, by making it easy for
JavaScript module developers to publish and distribute packages.

npm is a piece of technology, but more importantly, it is a community.

We believe that our mission is best served in an environment that is
friendly, safe, and accepting; free from intimidation or harassment.

Towards this end, certain behaviors and practices will not be
tolerated.

## tl;dr

* Be respectful.
* We're here to help
* Abusive behavior is never tolerated.
* Data published to npm is hosted at the discretion of the service
administrators, and may be removed.
* Violations of this code may result in swift and permanent expulsion
from the npm community.

## Scope

We expect all members of the npm community, including paid and unpaid
agents, administrators, users, and customers of npm, Inc., to abide by
this Code of Conduct at all times in all npm community venues, online
and in person, and in one-on-one communications pertaining to npm
affairs.

This policy covers the usage of the npm registry, as well as the npm
website, npm related events, and any other services offered by or on
behalf of npm, Inc. (collectively, the "Service"). It also applies to
behavior in the context of the npm Open Source project communities,
including but not limited to public GitHub repositories, IRC channels,
social media, mailing lists, and public events.

This Code of Conduct is in addition to, and does not in any way
nullify or invalidate, any other terms or conditions related to use of
the Service.

The definitions of various subjective terms such as "discriminatory",
"hateful", or "confusing" will be decided at the sole discretion of
the npm abuse team.

## Friendly Harassment-Free Space

We are committed to providing a friendly, safe and welcoming
environment for all, regardless of gender identity, sexual
orientation, ability, ethnicity, religion, age, physical
appearance, body size, race, or similar personal characteristics.

We ask that you please respect that people have differences of opinion
regarding technical choices, and that every design or implementation
choice carries a trade-off and numerous costs. There is seldom a
single right answer. A difference of technology preferences is not a
license to be rude.

Disputes over package rights must be handled respectfully, according
to the terms described in the [Disputes Policy][disputes].
There is never a good reason to be rude over package name disputes.

Any spamming, trolling, flaming, baiting, or other attention-stealing
behavior is not welcome, and will not be tolerated.

Harassing other users of the Service is never tolerated, whether via
public or private media.

Avoid using offensive or harassing package names, nicknames, or other
identifiers that might detract from a friendly, safe, and welcoming
environment for all.

Harassment includes, but is not limited to: harmful or prejudicial
verbal or written comments related to gender identity, sexual
orientation, ability, ethnicity, religion, age, physical
appearance, body size, race, or similar personal characteristics;
inappropriate use of nudity, sexual images, and/or sexually explicit
language in public spaces; threats of physical or non-physical harm;
deliberate intimidation, stalking or following; harassing photography
or recording; sustained disruption of talks or other events;
inappropriate physical contact; and unwelcome sexual attention.

## Acceptable Use

The Service administrators reserve the right to make judgment calls
about what is and isn't appropriate in published packages, package names,
user and organization names, and other public content. Package that
violates the npm Service's
[Acceptable Use][acceptable-use]
rules including its
[Acceptable Content][acceptable-content]
rules will be deleted, at the discretion of npm.

## Reporting Violations of this Code of Conduct

Please select the method of contact you think is most appropriate for
the form of violation:

* For urgent security issues, please open a ticket at <https://npmjs.com/support>.
Requests to un-publish packages are not usually considered urgent security
issues, as it is possible to [un-publish a package][unpublish]
within 24 hours of its first publish. Any publicly published package
is [immediately replicated to thousands of third-party mirrors](http://blog.npmjs.org/post/101934969510/oh-no-i-accidentally-published-private-data-to),
so any confidential information contained in a package should be considered
immediately compromised.

* If you believe someone is harassing you or is demonstrating
some other form of malicious or inappropriate behavior, open a support
ticket at https://npmjs.com/support. If this is the initial report of a problem,
please include as much detail as possible. It is easiest for us
to address issues when we have more context.

* If you have concerns about a potential copyright violation,
please refer to our [Copyright Policy][dmca]
and take action as recommended by that policy.

* If you think a package or other content is "squatting" on a name,
follow the process described in the
[Disputes Policy][disputes].

For any other issues, or if in doubt, [contact support](https://npmjs.com/support).


## Consequences

All content published to the Service, including user account
credentials, is hosted at the sole discretion of the npm
administrators.

Unacceptable behavior from any community member, including sponsors,
employees, customers, or others with decision-making authority, will
not be tolerated.

Anyone asked to stop unacceptable behavior is expected to comply
immediately.

If a community member engages in unacceptable behavior, the npm
administrators may take any action they deem appropriate, up to and
including a temporary ban or permanent expulsion from the community
without warning (and without refund in the case of a paid event or
service).

## Addressing Grievances

If you feel you have been falsely or unfairly accused of violating
this Code of Conduct, you should notify npm, Inc. We will do our best
to ensure that your grievance is handled appropriately.

In general, we will choose the course of action that we judge as being
most in the interest of fostering a safe and friendly community.

## Contact Info

Please open a support ticket at <https://npmjs.com/support> if you need to
report a problem or address a grievance related to an abuse report.

You are also encouraged to contact us if you are curious about
something that might be "on the line" between appropriate and
inappropriate content. We are happy to provide guidance to help you
be a successful part of our community.

## Changes

This is a living document and may be updated from time to time.
Please refer to the [git history for this
document](https://github.com/npm/documentation/blob/main/content/policies/conduct.mdx)
to view the changes.

## Credit and License

This Code of Conduct borrows heavily from the Stumptown Syndicate
[Citizen's Code of Conduct](http://citizencodeofconduct.org/), and the
[Rust Project Code of
Conduct](https://www.rust-lang.org/conduct.html).

This document may be reused under a [Creative Commons
Attribution-ShareAlike
License](https://creativecommons.org/licenses/by-sa/4.0/).

[disputes]: /policies/disputes
[acceptable-use]: /policies/open-source-terms#acceptable-use
[acceptable-content]: /policies/open-source-terms#acceptable-content
[unpublish]: /policies/unpublish
[dmca]: /policies/dmca
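
Review bot: The first bullet under "Reporting Violations of this Code of Conduct" says a package can be un-published "within 24 hours of its first publish", but the unpublish page edited in this same pull request says "within 72 hours of the initial publish". Align the two windows, or link to `[unpublish]` without restating the number. In the same file, "Package that violates the npm Service's" under "Acceptable Use" should read "Packages that violate", the "We're here to help" bullet is missing its period, and the blog link in that first bullet uses http:// where the unpublish page uses https:// for the same post.
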
11 changes: 11 additions & 0 deletions content/policies/crawlers.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
title: Crawler policy
---

npm's full public dataset is available via the [public registry](https://docs.npmjs.com/misc/registry). Using CouchDB replication, you can get a full copy of all metadata, and it is acceptable within our terms of use to download copies of tarballs for inspection or experimentation.

npm's [website](https://www.npmjs.com) also has package metadata available. We allow this content to be indexed by commercial crawlers such as GoogleBot. At our discretion, we also allow experimental crawlers to access the site, as long as they keep their request velocity to 1 request per second or less. At that velocity, indexing all packages would take 3 days, so if you want a full copy of our metadata it is always going to be faster to access the data via replication, which takes only an hour or two to provide full data and will thereafter automatically stay in sync.

If you do not wish to install CouchDB to manage replication, we provide [open source software](https://github.com/npm/concurrent-couch-follower) that makes it easy to sync to the registry's public feed.

If you attempt to access package metadata by high-velocity crawling of the npm website, we reserve the right to rate-limit or ban your IP, user-agent or both.
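
Review bot: The second paragraph's statement that at 1 request per second "indexing all packages would take 3 days" works out to about 259,200 requests. Confirm that figure still matches the registry before publishing it as policy, or drop the number and keep only the rate limit. The registry link in the first paragraph also points at the absolute https://docs.npmjs.com/misc/registry, while the other hunks in this pull request move documentation links to relative paths.
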
159 changes: 159 additions & 0 deletions content/policies/disputes.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
---
title: Dispute Resolution
---

This document describes the steps that you should take to resolve module
name disputes with other npm publishers. It also describes special steps
you should take about names you think [infringe your trademarks](#trademarks).

This document is additive to the guidelines in the
[npm Code of Conduct][conduct] and
[npm Open-Source terms][open-source-terms].
Nothing in this document should be interpreted to contradict any aspect
of the npm Code of Conduct or Open-Source Terms.

## tl;dr

1. Open a support ticket at <https://npmjs.com/support>
1. Explain why you require a package, org, or username transferred
1. Support will address your request. Please note submitting a report does not
guarantee the transfer of a package, org, or username.

## When to use this process

This process is an excellent way to:

* Adopt a package created from your project, published by someone else
* Report a deliberately misleading or confusing package name

This process does not apply if the package violates our
[Terms of Use][open-source-terms],
in particular our
[Acceptable Use][acceptable-use]
and [Acceptable Content][acceptable-content]
rules, or our [Code of Conduct][conduct].
Those documents refer to this one to resolve cases of "squatting"; see
below.

If you see bad behavior or content you believe is unacceptable, refer to
the Code of Conduct for guidelines on
[reporting violations][violations].
**You are never expected to resolve abusive behavior on your own.**
**We are here to help.**

## When not to use this process

We are not currently accepting dispute requests to "adopt an abandoned
package" or "Report Squatting" as we re-evaluate and update the overall
dispute process.

## Beginning the process

### Packages

To dispute a package called `foo`, follow these steps:

1. Open a support ticket at <https://npmjs.com/support>, indicating that
you would like to start the process to request ownership of the `foo`
package. Please explain the why you believe the package should be transferred.
You will get an automated reply from npm support to your email address.
1. Support will address your request. Please note submitting a report does not
guarantee the transfer of a package.

### Organizations

To dispute an organization name, follow these steps:

1. Open a support ticket at <https://npmjs.com/support>, indicating that
you dispute an organization name. Include the name of the organization,
e.g. `@foo`. Please explain the why you believe the Organizations should
be transferred. You will get an automated reply from npm support to your
email address.
1. Support will address your request. Please note submitting a report does not
guarantee the transfer of an organization.

### User names

To dispute a user name, follow these steps:

1. Open a support ticket at <https://npmjs.com/support>, indicating that
you dispute a user name. Include the name of the user account,
e.g. `@foo`. Please explain why you believe the Username should be
transferred. You will get an automated reply from npm support to your
email address.
1. Support will address your request. Please note submitting a report does not
guarantee the transfer of a user name.

## Trademarks

If you think another npm publisher is infringing your trademark, such
as by using a confusingly similar package, org, or user account name,
open a support ticket at <https://npmjs.com/support> with a link to
the package, org, or user account page on <https://npmjs.com>. Attach
a copy of your trademark registration certificate.

If we see that the user, org, or package publisher is intentionally
misleading others by misusing your registered mark without permission,
we will transfer the account, org, or package name to you. Otherwise, we
will contact the relevant user and ask them to clear up any confusion with
changes to their user account page, or page, or package `README` file.

Use of npm's own trademarks is covered by our Trademark Policy at
<https://docs.npmjs.com/trademark>.

## Changes

This is a living document and may be updated from time to time.
Please refer to the [git history for this
document](https://github.com/npm/documentation/blob/main/content/policies/disputes.mdx)
to view the changes.

## Definitions

### Squatting

It is against npm's
[Terms of Use][acceptable-content]
to publish a package, register a user name or an organization name
simply for the purposes of reserving it for future use.

We do not pro-actively scan the registry for squatted packages, so
the fact that a name is in use does not mean we consider it valid.
The standards for what we consider squatting depend on what is being
squatted:

#### Packages

Package names are considered squatted if the package has no genuine
function.

#### Organizations

Organization names are considered squatted if there are no packages
published within a reasonable time. If an organization is a paid
organization, it may have private packages that are invisible to
third parties. For privacy reasons, we cannot reveal whether or not
an organization has private packages, so a paid organization will
never be considered squatted.

#### User names

We are extremely unlikely to transfer control of a user name, as it
is totally valid to be an npm user and never publish any packages:
for instance, you might be part of an organization or need read-only
access to private packages.

## License

Copyright (C) npm, Inc., All rights reserved

This document may be reused under a [Creative Commons
Attribution-ShareAlike
License](https://creativecommons.org/licenses/by-sa/4.0/).

[conduct]: /policies/conduct
[open-source-terms]: /policies/open-source-terms
[acceptable-use]: /policies/open-source-terms#acceptable-use
[acceptable-content]: /policies/open-source-terms#acceptable-content
[violations]: /policies/conduct#reporting-violations-of-this-code-of-conduct
[trademark]: /policies/trademark
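
Review bot: "When not to use this process" says "Report Squatting" requests are not currently accepted, yet "When to use this process" says other documents refer here to resolve cases of "squatting", and conduct.mdx in this pull request tells readers to follow this policy for squatting. State one position so reporters know where to go. Also, the `[trademark]: /policies/trademark` definition at the end is never referenced (the Trademarks section links <https://docs.npmjs.com/trademark> directly), "Please explain the why" appears in both the Packages and Organizations steps, and "user account page, or page, or package `README` file" appears to have lost a word.
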