npm Community Forum (Archive)


400s coming back from registry on npm audit

I’ve been digging into why some, but not all, of our projects at work bomb out on npm audit with a 400 coming back from the registry, and want to see if anyone thinks this makes sense:

  1. We have a private fork of draft-js saved out on S3, so that’s a tarball dependency in the associated projects.
  2. Elsewhere, we have a package (call it @company/our-package) that has a registry dependency on draft-js, but the range is just `*`.
  3. In the projects that fail, both of these things are involved.

What I think is happening is that the private fork of draft-js is satisfying the * for the package in 2). Which is all well and good for npm install, but it gets problematic when audit tries to obfuscate private data. In that case, what ends up going into the JSON that’s gzipped and then POSTed to the registry has a bit like this, which explicitly references “draft-js”:

 "dependencies": {
        "@textio/our-package": {
            "version": "3.0.2",
            "integrity": "sha1-blahblahblah",
            "requires": {
                "draft-js": "*",

But further down in the JSON, the actual “draft-js” dependency listing has a name/version that’s gone through scrub (in lib/install/audit.js) and so is now an obfuscated name that doesn’t say “draft-js” in it anywhere. I think this mismatch is what’s causing it to blow up and come back as a 400. This hypothesis is backed up somewhat by the fact that if I hand-edit the JSON to either include a reference to “draft-js” (as if I were using a registry dependency) or remove the requires line that’s got “draft-js: *”, then I get a 200 and an audit report.

Does this seem plausible?

This does seem plausible, and @nlf agrees that this is likely being caused by the obfuscation.

If you could, do you think you could put together a minimal repro for this and file a formal bug in #bugs? Having that would be super helpful.

Yep yep! I’ll try to get a reduced repro up today. Thanks!

Thanks a bunch! I’ll keep an eye out for it. That will be so helpful. :smiley:
