Publishing New npm Packages Now Requires Email Verification

Starting on Tuesday, July 25th, 2017, you will be required to verify your email address in order to publish new packages. This change applies to new packages only; you will not need to verify your email address to publish new versions of existing packages.

With the popularity and growth of npm, it has increasingly become a target for spammers. Spammers publish many packages, sometimes thousands at once, to the registry. Without a verification step, spammers can create new accounts and begin spamming very quickly.

In order to combat this, npm has decided to require email address verification to publish new packages. This is just one of several steps that npm is taking to prevent spam. npm is also working with Smyte to use package metadata and README data to try to identify spam packages so that they can be removed as quickly as possible.

After logging into the npm website, if your email address needs verification you will now get a message like this one:

[Image: npm Email Verification]

Click the “Do you need us to send it again?” link to have a verification email sent to you. The process is quick, and requiring it will slow down spammers and help keep the registry clean.