Why does the registry api leak email addresses?

[bjorn3]

Select Topic Area

Question

Body

Recently I got some automated spam email that seems like it got sent to everyone who has published a package to npm. After investigating how they got my email despite not putting it in package.json or anywhere else visible through the npmjs web interface, I discovered that the npmjs registry leaks the email address of every user through the maintainers field in the api response. When creating my npmjs account it was not clear at all that the email address would be made public. Why is it made public? Can this be reconsidered? And if not can it please be made much more clear that your email address will be leaked?

[azkam0445]

yes

[DavitEgoian]

Head to the npm support or feedback channels:

1. npm Support: npmjs.com/support - for account/privacy concerns
2. npm Feedback Repo: github.com/npm/feedback - for feature requests and policy discussions
3. Email: security@npmjs.com - if you want to frame this as a privacy/security concern

While GitHub owns npm, they operate as separate platforms with different support teams and policies. The npm registry API behavior you're describing is npm-specific and their support team would need to address it.

[bjorn3]

https://www.npmjs.com/support under the "Giving Feedback" section suggested to post here.

[DavitEgoian]

You're right, npm does direct feedback to GitHub Community. Here's what to tell them:

For this specific issue, you should open a discussion or issue at:
github.com/npm/feedback

That's the official npm feedback repository where npm maintainers actively track feature requests and privacy concerns like yours.

When you post there:

• Title: "Email addresses exposed in registry API maintainers field"
• Details:
  • The privacy concern (emails visible via API but not disclosed during signup)
  • The spam issue you experienced
  • Request for either: removing emails from API responses OR clear disclosure during account creation

[bjorn3]

Did you use AI to write this reply? That repo has been archived for almost two years.

[DavitEgoian]

Ohhhh sorry, I used that repo when I had same issue before 😅

[diegomanuel10x]

registry APIs leak emails because they have maintainer account data in public JSON metadata. Intended for developer collaboration, this feature allows bots to get.