Privacy Policy
Last updated: April 3, 2026
safenpm is designed with privacy as a core principle. We collect the minimum data necessary to operate the threat intelligence network. No accounts. No tracking. No personal data.
1. The CLI Tool
The safenpm CLI runs entirely on your machine. It does not collect, transmit, or store any personal information. Specifically:
- No telemetry or usage analytics
- No tracking of what packages you install
- No file system data leaves your machine
- All sandboxing and static analysis runs locally
2. Threat Intelligence Network
When the CLI queries or reports to the threat intelligence API, the following data is involved:
Queries (automatic on install):
- Package names being installed are sent to check for community flags
- Your IP address is visible to our server (standard HTTP) but is not logged or stored
Signal reports (opt-in via --scan):
- Package name and version
- Reason for flagging (e.g., "network access", "credential exfiltration")
- Hash of the postinstall script
- A hash of your IP is used temporarily for rate limiting and deduplication — the raw IP is not stored
3. Website Analytics
The safenpm.dev website runs no client-side analytics or telemetry. Standard access logs kept by our host (Cloudflare Pages) may record page views, referrer URLs, and aggregate country/device data, but no user-identifying profile is built or retained.
4. Cookies
safenpm.dev does not set any cookies.
5. Third Parties
We do not sell, share, or provide any data to third parties. The only external services involved are:
- Cloudflare Pages — static hosting and API functions
- Upstash — threat signal storage (stores only anonymous signal data)
6. Data Retention
- Threat signals are retained as long as they remain relevant to the network
- Rate-limiting data (IP hashes) expires automatically after 24 hours
- No personal data is retained because none is collected
7. Your Rights
Since we don't collect personal data, there is typically nothing to request deletion of. If you have concerns about a specific signal report, contact us via GitHub Issues.
8. Changes
We may update this policy as the project evolves. Changes will be reflected on this page with an updated date.
9. Contact
For privacy questions, open an issue on GitHub or reach out to the maintainer.