Why does the registry api leak email addresses?

[bjorn3]

Select Topic Area

Question

Body

Recently I got some automated spam email that seems like it got sent to everyone who has published a package to npm. After investigating how they got my email despite not putting it in package.json or anywhere else visible through the npmjs web interface, I discovered that the npmjs registry leaks the email address of every user through the maintainers field in the api response. When creating my npmjs account it was not clear at all that the email address would be made public. Why is it made public? Can this be reconsidered? And if not can it please be made much more clear that your email address will be leaked?

[azkam0445]

yes

[DavitEgoian]

Head to the npm support or feedback channels:

1. npm Support: npmjs.com/support - for account/privacy concerns
2. npm Feedback Repo: github.com/npm/feedback - for feature requests and policy discussions
3. Email: security@npmjs.com - if you want to frame this as a privacy/security concern

While GitHub owns npm, they operate as separate platforms with different support teams and policies. The npm registry API behavior you're describing is npm-specific and their support team would need to address it.

[bjorn3]

https://www.npmjs.com/support under the "Giving Feedback" section suggested to post here.

[DavitEgoian]

You're right, npm does direct feedback to GitHub Community. Here's what to tell them:

For this specific issue, you should open a discussion or issue at:
github.com/npm/feedback

That's the official npm feedback repository where npm maintainers actively track feature requests and privacy concerns like yours.

When you post there:

• Title: "Email addresses exposed in registry API maintainers field"
• Details:
  • The privacy concern (emails visible via API but not disclosed during signup)
  • The spam issue you experienced
  • Request for either: removing emails from API responses OR clear disclosure during account creation

[bjorn3]

Did you use AI to write this reply? That repo has been archived for almost two years.

[DavitEgoian]

Ohhhh sorry, I used that repo when I had same issue before 😅

[diegomanuel10x]

registry APIs leak emails because they have maintainer account data in public JSON metadata. Intended for developer collaboration, this feature allows bots to get.

[krillmango]

yike

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[bjorn3]

Nobody from npm has replied yet.