What I Wanted to Do
We use Microsoft Azure DevOps (formerly Visual Studio Team Services) as a third-party npm registry with an npm upstream. Periodically, I check whether npm audit is supported, but DevOps still does not have an endpoint set up for that. I have submitted a Developer Community suggestion which has garnered moderate support but has not yet been picked up or commented on by Microsoft.
What Happened Instead
npm audit while pointed to the DevOps registry yields this result:
    npm ERR! code E401
    npm ERR! Unable to authenticate, your authentication token seems to be invalid.
    npm ERR! To correct this please trying logging in again with:
    npm ERR! npm login
    npm ERR! A complete log of this run can be found in:
    npm ERR! C:\Users\skurtz\AppData\Roaming\npm-cache\_logs\2018-12-11T15_05_34_810Z-debug.log
From the looks of it, the audit command does not pass any authentication credentials (no Bearer token), which I suspect is done so that audit can run as unencumbered as possible. DevOps, however, receives an unauthenticated request and returns a 401. That makes sense from Microsoft’s perspective as they don’t support that endpoint, so no authentication exclusions specifically for audit exist.
Prior to npm 6.5.0, audit showed an error message that read "Your configured registry <registry URL> does not support audit requests." That used to show for all HTTP errors >= 400. I see that Rebecca changed it to === 404 || >= 500 in commit 5702175.
While I can agree with that change, it does leave DevOps and perhaps other 3rd party registry users a tad bit confused as the issue is not one of authentication but of support of the audit feature.
What I would like to see would be a bit more detail that indicates that this may not necessarily be authentication related, although it may be a bit of a stretch for npm to bridge that gap here. I will submit a PR to take a stab at this and see if it gains any traction. Update 12/17: Link to PR.
Point to a registry on Azure DevOps and run npm audit. I’m sorry I cannot be more specific or helpful here as our registry is private.
    0 info it worked if it ends with ok
    1 verbose cli [ 'C:\\Program Files\\nodejs\\node.exe',
    1 verbose cli 'C:\\Users\\skurtz\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js',
    1 verbose cli 'audit' ]
    2 info using email@example.com
    3 info using firstname.lastname@example.org
    4 verbose npm-session 300374f1549a7b48
    5 timing audit compress Completed in 19ms
    6 info audit Submitting payload of 70493 bytes
    7 http fetch POST 401 https://<redacted>.pkgs.visualstudio.com/_packaging/<redacted>Npm/npm/registry/-/npm/v1/security/audits 463ms
    8 verbose stack Error: Unable to authenticate, need: Bearer
    8 verbose stack at res.buffer.catch.then.body (C:\Users\skurtz\AppData\Roaming\npm\node_modules\npm\node_modules\npm-registry-fetch\check-response.js:89:17)
    8 verbose stack at process.internalTickCallback (internal/process/next_tick.js:77:7)
    9 verbose statusCode 401
    10 verbose cwd C:\Dev\<redacted>
    11 verbose Windows_NT 6.1.7601
    12 verbose argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Users\\skurtz\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "audit"
    13 verbose node v11.4.0
    14 verbose npm v6.5.0
    15 error code E401
    16 error Unable to authenticate, your authentication token seems to be invalid.
    17 error To correct this please trying logging in again with:
    17 error npm login
    18 verbose exit [ 1, true ]
    $ npm --versions
    6.5.0
    $ node -p process.platform
    v11.4.0
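
The following is an added example, not part of the original post and not npm's code. It models the two status-code rules quoted in the post and scans a debug log for the audit request, so a 401 on the audit path can be told apart from a token problem. The function names, the triage labels, the triage rule itself and the sample log's host are assumptions of this example.

```javascript
// Added example, not npm's code. Path taken from the debug log on this page.
const AUDIT_PATH = '/-/npm/v1/security/audits';

// Which message the user sees for an audit response, per the rules in the post.
// rule: 'pre-6.5.0' (all errors >= 400) or '6.5.0' (=== 404 || >= 500).
function auditMessage(status, rule) {
  const unsupported = rule === 'pre-6.5.0'
    ? status >= 400
    : status === 404 || status >= 500;
  if (unsupported) return 'registry does not support audit requests';
  if (status === 401) return 'unable to authenticate';
  return status >= 400 ? `http error ${status}` : 'ok';
}

// Extract "<n> http fetch <METHOD> <status> <url> <ms>ms" entries from a debug log.
function parseFetches(logText) {
  const re = /^\d+ http fetch (\S+) (\d{3}) (\S+) \d+ms/;
  return logText.split(/\r?\n/)
    .map((line) => re.exec(line.trim()))
    .filter(Boolean)
    .map(([, method, status, url]) => ({ method, status: Number(status), url }));
}

// Hypothetical triage rule (an assumption of this example): a 401 or 403 on the
// audit path may indicate missing audit support rather than a bad stored token.
function triage(logText) {
  const audit = parseFetches(logText).find((f) => f.url.includes(AUDIT_PATH));
  if (!audit) return 'no-audit-request';
  if (audit.status === 401 || audit.status === 403) return 'check-registry-audit-support';
  return audit.status >= 400 ? 'audit-http-error' : 'audit-ok';
}

// Constructed sample log; the host is a placeholder.
const SAMPLE_LOG = [
  '5 timing audit compress Completed in 19ms',
  '6 info audit Submitting payload of 70493 bytes',
  `7 http fetch POST 401 https://registry.example.test/npm/registry${AUDIT_PATH} 463ms`,
  '9 verbose statusCode 401',
].join('\n');

console.log(auditMessage(401, 'pre-6.5.0'));
console.log(auditMessage(401, '6.5.0'));
console.log(triage(SAMPLE_LOG));
```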