npms-io / npms-www

The https://npms.io website
MIT License

Leaking package maintainer email to bots #225

Closed ankurk91 closed 6 years ago

ankurk91 commented 6 years ago

Hi, the website https://npms.io is leaking all package maintainer email addresses to bots. It is visible to Google (try to search for an email address on Google) and scraping sites can scrape the email addresses to spam them.

[screenshot from 2018-07-14 11 08 16]

You can notice the email address in the image tag's alt attribute.

[screenshot from 2018-07-14 11 14 15]

I know that npm requires you to have a public email. But npm itself never exposes it to the public in that way.

ankurk91 commented 6 years ago

I just noticed the same issue: https://github.com/npms-io/npms-www/issues/214

satazor commented 6 years ago

It seems we can send the md5 of the email to the component instead of the email. Could you do a PR with this strategy? We can use the sparkmd5 package.