npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Invalid package tree

I have been trying to troubleshoot an issue with OWASP Dependency Check node analyzer. Through the course of narrowing down the issue, I found sending the below JSON body to the npm audit api results in a HTTP 400 error code. Why?

"name": "test",
"version": "1.0.8",
"requires": {
	"is-dom": "^1.1.0"
"dependencies": {
	"is-dom": {
		"version": "1.1.0",
		"integrity": "sha1-rx/O0pJ0JEO7Wco/dqtegJB7Too=",
		"requires": {
			"is-object": "^1.0.1",
			"is-window": "^1.0.2"
"install": [],
"remove": [],
"metadata": {
	"npm_version": "6.11.3",
	"node_version": "v12.10.0",
	"platform": "linux"

If I remove the “requires” object of the “is-dom” dependency, it works.