Privacy Policy
Last updated: April 3, 2026
safenpm is designed with privacy as a core principle. We collect the minimum data necessary to operate the threat intelligence network. No accounts. No tracking. No personal data.
1. The CLI Tool
The safenpm CLI runs entirely on your machine. It does not collect, transmit, or store any personal information. Specifically:
- No telemetry or usage analytics
- No tracking of what packages you install
- No file system data leaves your machine
- All sandboxing and static analysis runs locally
2. Threat Intelligence Network
When the CLI queries or reports to the threat intelligence API, the following data is involved:
Queries (automatic on install):
- Package names being installed are sent to check for community flags
- Your IP address is visible to our server (standard HTTP) but is not logged or stored
Signal reports (opt-in via --scan):
- Package name and version
- Reason for flagging (e.g., "network access", "credential exfiltration")
- Hash of the postinstall script
- A hash of your IP is used temporarily for rate limiting and deduplication — the raw IP is not stored
3. Website Analytics
The safenpm.dev website uses Vercel Analytics and Vercel Speed Insights. These collect:
- Page views and referrer URLs
- Anonymous performance metrics (page load times)
- Country-level geolocation (no city or IP stored)
- Browser and device type
Vercel Analytics is privacy-focused — it does not use cookies and does not track users across sites. See Vercel's privacy policy for details.
4. Cookies
safenpm.dev does not set any cookies.
5. Third Parties
We do not sell, share, or provide any data to third parties. The only external services involved are:
- Vercel — hosting and analytics
- Upstash — threat signal storage (stores only anonymous signal data)
6. Data Retention
- Threat signals are retained as long as they remain relevant to the network
- Rate-limiting data (IP hashes) expires automatically after 24 hours
- No personal data is retained because none is collected
7. Your Rights
Since we don't collect personal data, there is typically nothing to request deletion of. If you have concerns about a specific signal report, contact us via GitHub Issues.
8. Changes
We may update this policy as the project evolves. Changes will be reflected on this page with an updated date.
9. Contact
For privacy questions, open an issue on GitHub or reach out to the maintainer.