Description
Current Behavior
npmjs.com's Terms & Conditions references the following item 4 of "Conditions":
...
"You may access and use data about the security of Packages, such as vulnerability reports, audit status reports, and supplementary security documentation, only for your own personal or internal business purposes. You may not provide others access to, copies of, or use of npm data about the security of Packages, directly or as part of other products or services."
ref. documentation/content/policies/open-source-terms.mdx, lines 122 to 127 in 8c9313d
Expected Behavior
npmjs.com should have language similar to/aligned with github.com's Advisory Database Terms & Conditions:
"The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.
License Grant to Us
We need the legal right to submit your contributions to the GitHub Advisory Database into public domain datasets such as the National Vulnerability Database and to license the GitHub Advisory Database under open terms for use by security researchers, the open source community, industry, and the public. You agree to release your contributions to the GitHub Advisory Database under the Creative Commons Zero license.
License to the GitHub Advisory Database
The GitHub Advisory Database is licensed under the Creative Commons Attribution 4.0 license. The attribution term may be fulfilled by linking to the GitHub Advisory Database at https://github.com/advisories or to individual GitHub Advisory Database records used, prefixed by https://github.com/advisories."
IANAL, but when npm switched to proxying through to the GitHub Advisory Database, the results of the security audit endpoints indirectly assumed the license/terms of that data. It seems (& again, IANAL) incorrect that any data returned from those endpoints would not be covered by the same CC 4.0 License, which explicitly states "You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits."