npm Community Forum (Archive)

npm audit ENOAUDIT with private packages in npm > v6

What I Wanted to Do

Run npm audit on a project.

What Happened Instead

The following error message:

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.

npm ERR! A complete log of this run can be found in:
npm ERR!     /[...]/.npm/_logs/2019-02-07T22_00_09_579Z-debug.log

The debug-log has the following error:

5 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 353ms

Reproduction Steps

Details

With the same package, from the same registry, npm audit runs as expected in npm v5.x.x.

I have tried the following:

Platform Info

$ npm --versions
{ npm: '6.7.0',
  ares: '1.14.0',
  cldr: '32.0.1',
  http_parser: '2.7.1',
  icu: '60.2',
  modules: '57',
  nghttp2: '1.30.0',
  node: '8.10.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.18.0',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
$ node -p process.platform
linux


Dup of Issue 3629?


I don’t think so - I’ve been looking around at different threads on this forum, including that one. None of the fixes on those threads worked for me. The error code is also different.


So I am able to run npm audit in npm 5.10.0. For some reason, npm audit doesn’t like the package-lock generated when this private package is present in npm v6+

Also, it would be nice to know more about what is wrong with the request when audit responds with a 400 error.


This is the closest thing I could find to this issue: npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry, but there doesn’t seem to be any kind of final solution/change that was found to solve it. None of the suggestions in the threads there (removing package-lock and node_modules etc) work for me.


A workaround for this in the meantime is to install with the --no-save option so that the private package is not included in package-lock.json and therefore not audited.