Fixed bug affecting npm package and organization maintainers

GitHub Security was recently notified about a caching issue affecting npm. This bug had been present since 2016 and sporadically caused npm maintainers to be re-invited upon removal from packages or organizations. Our Security team investigated potential instances of the issue and believe this bug only occurred if a user was removed, followed shortly by the addition of a different member. This bug affected npm-cli version 6 and above, and was fixed in version 7+.

Out of an abundance of caution, we are recommending all npm users review the maintainers of their projects and organizations for any discrepancies that may be a result of this bug and remove any unexpected members. Please feel free to reach out to us with any additional questions or concerns through the following contact form: https://www.npmjs.com/support.

JUN.17Improvement
Secret scanning updates – June 2026
- Application Security
JUN.16Release
GitHub Code Quality generally available July 20, 2026
- Application Security
JUN.16Release
Organization-level enablement for GitHub Code Quality
- Application Security
JUN.10Improvement
Dedicated security review command now available in Copilot CLI
- Application Security
JUN.10Improvement
Incremental analysis for Go, C/C++, and CodeQL CLI
- Application Security
JUN.9Release
Periodic code scanning of inactive repositories
- Application Security
JUN.9Improvement
Security validation for third-party coding agents
- Application Security
JUN.5Improvement
CodeQL 2.25.6 adds Swift 6.3.2 support and improves C# coverage
- Application Security
JUN.2Release
Cloud and local sandboxes for GitHub Copilot now in public preview
- Application Security

Fixed bug affecting npm package and organization maintainers

Related Posts

Subscribe to our developer newsletter