1NPM-DISPUTES(7)                                                NPM-DISPUTES(7)
2
3
4

NAME

6       npm-disputes - Handling Module Name Disputes
7
8       This  document describes the steps that you should take to resolve mod‐
9       ule name disputes with other npm publishers. It also describes  special
10       steps you should take about names you think infringe your trademarks.
11
12       This document is a clarification of the acceptable behavior outlined in
13       the npm Code  of  Conduct  https://www.npmjs.com/policies/conduct,  and
14       nothing in this document should be interpreted to contradict any aspect
15       of the npm Code of Conduct.
16

TL;DR

18       1. Get the author email with npm owner ls <pkgname>
19
20       2. Email the author, CC support@npmjs.com
21
22       3. After a few weeks, if there's no resolution, we'll sort it out.
23
24
25       Don't squat on package names.  Publish code or move out of the way.
26

DESCRIPTION

28       There sometimes arise cases where a user publishes a module,  and  then
29       later,  some  other  user  wants to use that name. Here are some common
30       ways that happens (each of these is based on actual events.)
31
32       1. Alice writes a JavaScript module foo, which  is  not  node-specific.
33          Alice doesn't use node at all. Yusuf wants to use foo in node, so he
34          wraps it in an npm module. Some time later, Alice starts using node,
35          and wants to take over management of her program.
36
37       2. Yusuf  writes  an  npm  module  foo,  and publishes it. Perhaps much
38          later, Alice finds a bug in foo, and fixes  it.  She  sends  a  pull
39          request  to  Yusuf, but Yusuf doesn't have the time to deal with it,
40          because he has a new job and a new baby and is focused  on  his  new
41          Erlang  project,  and kind of not involved with node any more. Alice
42          would like to publish a new foo, but  can't,  because  the  name  is
43          taken.
44
45       3. Yusuf  writes  a 10-line flow-control library, and calls it foo, and
46          publishes it to the npm registry. Being a simple  little  thing,  it
47          never  really has to be updated. Alice works for Foo Inc, the makers
48          of the critically acclaimed and widely-marketed foo JavaScript tool‐
49          kit framework.  They publish it to npm as foojs, but people are rou‐
50          tinely confused when npm install foo is some different thing.
51
52       4. Yusuf writes a parser for the widely-known foo file format,  because
53          he needs it for work. Then, he gets a new job, and never updates the
54          prototype.  Later on, Alice writes a much more complete foo  parser,
55          but can't publish, because Yusuf's foo is in the way.
56
57       5. npm  owner  ls  foo.  This  will tell Alice the email address of the
58          owner (Yusuf).
59
60       6. Alice emails Yusuf, explaining the situation as respectfully as pos‐
61          sible,  and what she would like to do with the module name. She adds
62          the npm support staff support@npmjs.com to the CC list of the email.
63          Mention  in  the email that Yusuf can run npm owner add alice foo to
64          add Alice as an owner of the foo package.
65
66       7. After a reasonable amount of time, if Yusuf has not responded, or if
67          Yusuf  and Alice can't come to any sort of resolution, email support
68          support@npmjs.com and we'll sort it out. ("Reasonable" is usually at
69          least 4 weeks.)
70
71

REASONING

73       In  almost  every  case  so far, the parties involved have been able to
74       reach an amicable resolution without any major intervention. Most  peo‐
75       ple  really  do  want to be reasonable, and are probably not even aware
76       that they're in your way.
77
78       Module ecosystems are most  vibrant  and  powerful  when  they  are  as
79       self-directed  as  possible.  If an admin one day deletes something you
80       had worked on, then that is going to  make  most  people  quite  upset,
81       regardless  of  the  justification. When humans solve their problems by
82       talking to other humans with respect, everyone has the chance to end up
83       feeling good about the interaction.
84

EXCEPTIONS

86       Some  things are not allowed, and will be removed without discussion if
87       they are brought to the attention of the npm registry admins, including
88       but not limited to:
89
90       1. Malware  (that is, a package designed to exploit or harm the machine
91          on which it is installed).
92
93       2. Violations  of  copyright  or  licenses  (for  example,  cloning  an
94          MIT-licensed  program,  and  then removing or changing the copyright
95          and license statement).
96
97       3. Illegal content.
98
99       4. "Squatting" on a package name that you plan to use, but aren't actu‐
100          ally  using.  Sorry, I don't care how great the name is, or how per‐
101          fect a fit it is for the thing that someday might happen. If someone
102          wants to use it today, and you're just taking up space with an empty
103          tarball, you're going to be evicted.
104
105       5. Putting empty packages in the  registry.  Packages  must  have  SOME
106          functionality.  It can be silly, but it can't be nothing. (See also:
107          squatting.)
108
109       6. Doing weird things with the registry, like using it as your own per‐
110          sonal  application database or otherwise putting non-packagey things
111          into it.
112
113       7. Other   things   forbidden   by   the   npm    Code    of    Conduct
114          https://www.npmjs.com/policies/conduct  such  as  hateful  language,
115          pornographic content, or harassment.
116
117
118       If you see bad behavior like this, please report it to  abuse@npmjs.com
119       right  away. You are never expected to resolve abusive behavior on your
120       own. We are here to help.
121

TRADEMARKS

123       If you think another npm publisher is infringing your  trademark,  such
124       as  by  using a confusingly similar package name, email abuse@npmjs.com
125       with  a  link  to   the   package   or   user   account   on   https://
126       https://www.npmjs.com/.   Attach  a copy of your trademark registration
127       certificate.
128
129       If we see that the package's publisher is intentionally misleading oth‐
130       ers by misusing your registered mark without permission, we will trans‐
131       fer the package name to you. Otherwise, we  will  contact  the  package
132       publisher  and ask them to clear up any confusion with changes to their
133       package's README file or metadata.
134

CHANGES

136       This is a living document and may be updated from time to time.  Please
137       refer      to     the     git     history     for     this     document
138       https://github.com/npm/cli/commits/latest/doc/misc/npm-disputes.md   to
139       view the changes.
140

LICENSE

142       Copyright (C) npm, Inc., All rights reserved
143
144       This document may be reused under a Creative Commons Attribution-Share‐
145       Alike License.
146

SEE ALSO

148       · npm help 7 registry
149
150       · npm help owner
151
152
153
154
155
156                                  April 2019                   NPM-DISPUTES(7)
Impressum