npm audit ENOAUDIT with private packages in npm > v6

triaged
priority:medium
registry
(Isaiah Thiessen) #1

What I Wanted to Do

Run npm audit on a project.

What Happened Instead

The following error message:

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.

npm ERR! A complete log of this run can be found in:
npm ERR!     /[...]/.npm/_logs/2019-02-07T22_00_09_579Z-debug.log

The debug-log has the following error:

5 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 353ms

Reproduction Steps

  • Have an enterprise npm registry
  • Install a private package from said registry using npm > v6
  • Run npm audit

Details

With the same package, from the same registry, npm audit runs as expected in npm v5.x.x.

I have tried the following:

  • Delete package-lock, node_modules, npm cache, etc., then reinstall and run again. The same problem occurs.

Platform Info

$ npm --versions
{ npm: '6.7.0',
  ares: '1.14.0',
  cldr: '32.0.1',
  http_parser: '2.7.1',
  icu: '60.2',
  modules: '57',
  nghttp2: '1.30.0',
  node: '8.10.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.18.0',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
$ node -p process.platform
linux
0 Likes

(Joe Bowbeer) #2

Dup of Issue 3629?

0 Likes

(Isaiah Thiessen) #3

I don’t think so - I’ve been looking around at different threads on this forum, including that one. None of the fixes on those threads worked for me. The error code is also different.

0 Likes

(Isaiah Thiessen) #4

So I am able to run npm audit in npm 5.10.0. For some reason, npm audit doesn’t like the package-lock generated when this private package is present in npm v6+

Also, it would be nice to know more about what is wrong with the request when audit responds with a 400 error.

0 Likes

(Isaiah Thiessen) #5

This is the closest thing I could find to this issue: npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry, but there doesn’t seem to be any kind of final solution/change that was found to solve it. None of the suggestions in the threads there (removing package-lock and node_modules etc) work for me.

0 Likes

(Isaiah Thiessen) #6

A workaround for this in the meantime is to install with the --no-save option so that the private package is not included in package-lock.json and therefore not audited.

1 Like