Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
unpkg is a fast, global content delivery network for everything published on npm. It was created by Michael Jackson, the maintainer of React Router and Remix, and runs on top of Cloudflare. Developers reference any npm package version with a URL such as https://unpkg.com/react@18/umd/react.production.min.js and get the file from the nearest Cloudflare edge. unpkg itself does not set marketing cookies, but Cloudflare may set __cf_bm and logs every request, raising the same GDPR considerations as any other US CDN.
unpkg is a free content delivery network that serves any file from any package published on npm. It is widely used for quick prototyping, documentation pages, demos and learning materials. A URL such as https://unpkg.com/lodash@4 fetches the latest minor version of lodash from the closest Cloudflare edge. unpkg is operated by Michael Jackson, the maintainer of React Router and Remix, in collaboration with Cloudflare, who donates the infrastructure.
unpkg itself does not place marketing or analytics cookies. The Cloudflare edge can set the __cf_bm bot management cookie (30 minutes) on unpkg.com when suspicious traffic is detected. Every request is logged for caching and abuse prevention, including IP, User-Agent, requested URL and Referer.
As with cdnjs and jsDelivr, loading from unpkg transmits the visitor IP to a US provider. The Bonn Regional Court ruling on Google Fonts and similar decisions across EU member states show that prior consent is the safest interpretation when no other legal basis applies.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cloudflare Inc. is a US controlled provider certified under the EU-US Data Privacy Framework, providing an adequacy basis for transfers to the United States. unpkg itself is operated by a US natural person on Cloudflare infrastructure; the entity does not publish a DPA for free users.
Production deployments should not rely on unpkg. The recommended pattern is to install packages through npm or pnpm, bundle them with the rest of the application, and serve from the same origin or an EU CDN. If unpkg is used in a prototype or demo, gather opt-in consent before each script tag, or place a clear notice next to it.
Audit every script and link tag pointing to unpkg.com in the production codebase, replace them with bundled or self-hosted equivalents, add Subresource Integrity hashes for any unpkg URL that must remain in development tools, and document the choice in the privacy notice if unpkg is still used on customer facing pages.
Websites using unpkg must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is rarely necessary for unpkg alone. Document a transfer impact assessment on Cloudflare Inc. and unpkg LLC covering IP logging, edge log retention, the EU-US Data Privacy Framework certification and supplementary measures. Where many packages are loaded, fold the assessment into a broader review of third party JavaScript.
Sample consent text
This website loads some scripts from unpkg, a content delivery network for npm packages operated on Cloudflare. Your IP address, User-Agent and the requested URL are processed by Cloudflare under the EU-US Data Privacy Framework. By clicking Accept, you authorise this technical request. You can also Reject and we will bundle the libraries with our own application code.
Third-party domains contacted
unpkg.comcloudflare.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | HTTP cookie | 30 minutes | Cloudflare bot management cookie set on unpkg.com when suspicious traffic is detected. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
unpkg itself sets no cookies. Cloudflare can place __cf_bm (30 minutes) on unpkg.com for bot management. Server logs capture IP, User-Agent, URL and Referer.
For production traffic, the safer approach is to avoid unpkg and bundle packages instead. If unpkg is kept, gather opt-in consent or document a legitimate interest assessment.
Legitimate interest under Article 6(1)(f) GDPR is defensible for fetching essential libraries. Consent under Article 6(1)(a) is the safer route in jurisdictions following the Bonn approach.
Yes. Cloudflare Inc. is US controlled and certified under the EU-US Data Privacy Framework. Avoid the transfer by bundling the packages.
Not for unpkg alone. A short transfer impact assessment is enough.
Install npm packages locally, bundle them with the application, deploy from your own domain or an EU CDN, and remove every reference to unpkg.com from production HTML.
Bundling via Vite, Webpack, esbuild or Rollup. EU CDN alternatives: Bunny CDN, Scaleway Edge. jsDelivr offers a similar service over Cloudflare and Fastly.
Mention Cloudflare Inc. as sub-processor, describe __cf_bm, the IP logging on every request, the EU-US Data Privacy Framework and link to the Cloudflare privacy policy.