Passing our user credentials to the npm server in cleartext over HTTP poses a security concern for us. Also, any npm modules downloaded from the server are transmitted over HTTP.

Would like to see support for SSL/HTTPS so that we could address these security concerns. Is this on the roadmap?

Terminate SSL before the app. This configuration should not be a part of the app itself.