`npm audit` fails when installing dependencies via commit hash

What I Wanted to Do

I wanted to run npm audit without it crashing. This happens when both of those conditions are true:

  • a dependency is installed via a commit hash (repo#hash instead of a semver).
  • another dependency is using that same dependency but without a commit hash.

What Happened Instead

npm audit crashed.

Reproduction Steps

package.json:

{
  "name": "npm-audit-bug",
  "version": "1.0.0",
  "dependencies": {
    "execa": "sindresorhus/execa#6853316dd101a3a31060f1e4e4c69dbdea1be4d7",
    "husky": "^2.3.0"
  }
}

$ npm install
npm WARN npm-audit-bug@1.0.0 No description
npm WARN npm-audit-bug@1.0.0 No repository field.
npm WARN npm-audit-bug@1.0.0 No license field.

up to date in 0.766s

$ npm ls execa
npm-audit-bug@1.0.0 /home/ether/Desktop/npm-audit-bug
├── execa@1.0.0  (github:sindresorhus/execa#6853316dd101a3a31060f1e4e4c69dbdea1be4d7)
└─┬ husky@2.3.0
  └── execa@1.0.0  deduped (github:sindresorhus/execa#6853316dd101a3a31060f1e4e4c69dbdea1be4d7)

$ npm audit
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/ether/.npm/_logs/2019-05-30T16_04_54_980Z-debug.log 

$ cat /home/ether/.npm/_logs/2019-05-30T16_04_54_980Z-debug.log 
0 info it worked if it ends with ok
1 verbose cli [
1 verbose cli   '/home/ether/.nvm/versions/node/v12.3.1/bin/node',
1 verbose cli   '/home/ether/.nvm/versions/node/v12.3.1/bin/npm',
1 verbose cli   'audit'
1 verbose cli ]
2 info using npm@6.9.0
3 info using node@v12.3.1
4 verbose npm-session c0b761ec351798bc
5 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 459ms
6 verbose stack Error: Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.
6 verbose stack     at /home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/lib/audit.js:201:18
6 verbose stack     at tryCatcher (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack     at Promise._settlePromiseFromHandler (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
6 verbose stack     at Promise._settlePromise (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
6 verbose stack     at Promise._settlePromise0 (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
6 verbose stack     at Promise._settlePromises (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:690:18)
6 verbose stack     at _drainQueueStep (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:138:12)
6 verbose stack     at _drainQueue (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:131:9)
6 verbose stack     at Async._drainQueues (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:147:5)
6 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/home/ether/.nvm/versions/node/v12.3.1/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
6 verbose stack     at processImmediate (internal/timers.js:439:21)
7 verbose cwd /home/ether/Desktop/npm-audit-bug
8 verbose Linux 5.0.0-15-generic
9 verbose argv "/home/ether/.nvm/versions/node/v12.3.1/bin/node" "/home/ether/.nvm/versions/node/v12.3.1/bin/npm" "audit"
10 verbose node v12.3.1
11 verbose npm  v6.9.0
12 error code ENOAUDIT
13 error audit Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.
14 verbose exit [ 1, true ]

Platform Info

$ npm --versions
{
  'npm-audit-bug': '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.3',
  modules: '72',
  napi: '4',
  nghttp2: '1.38.0',
  node: '12.3.1',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.29.1',
  v8: '7.4.288.27-node.18',
  zlib: '1.2.11'
}

$ node -p process.platform
linux
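
Added example, not part of the original post or of npm's own code: a script that checks an npm 6 lockfile for the two conditions listed in the report, so the combination can be spotted before `npm audit` exits with ENOAUDIT and produces no report. The lockfileVersion 1 layout, the function names and the sample lock data (including husky's `^1.0.0` range) are assumptions constructed for illustration.

```javascript
// Specs that resolve from a git host instead of the registry.
const NON_REGISTRY = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/;

// In a lockfileVersion 1 file (assumed layout), a git dependency carries
// its git spec in "version" instead of a plain semver string.
function isGitPinned(entry) {
  return typeof entry.version === 'string' && NON_REGISTRY.test(entry.version);
}

// Walk the nested "dependencies" tree, calling visit(name, entry, path).
function walk(deps, visit, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    visit(name, entry, path);
    walk(entry.dependencies, visit, path.concat(name));
  }
}

// Report packages pinned to a git commit that some other package
// also requires through an ordinary (non-git) range.
function findAuditConflicts(lock) {
  const gitPinned = new Map(); // package name -> git spec
  const requirers = new Map(); // package name -> [{ by, range }]
  walk(lock.dependencies, (name, entry, path) => {
    if (isGitPinned(entry)) gitPinned.set(name, entry.version);
    for (const [dep, range] of Object.entries(entry.requires || {})) {
      if (!requirers.has(dep)) requirers.set(dep, []);
      requirers.get(dep).push({ by: path.concat(name).join(' > '), range });
    }
  });
  const conflicts = [];
  for (const [name, spec] of gitPinned) {
    const users = (requirers.get(name) || []).filter((r) => !NON_REGISTRY.test(r.range));
    if (users.length > 0) conflicts.push({ name, spec, requiredBy: users });
  }
  return conflicts;
}

// Constructed sample mirroring the package.json in the report.
const EXECA_SPEC = 'github:sindresorhus/execa#6853316dd101a3a31060f1e4e4c69dbdea1be4d7';
const sampleLock = {
  name: 'npm-audit-bug', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    execa: { version: EXECA_SPEC, from: EXECA_SPEC },
    husky: { version: '2.3.0', requires: { execa: '^1.0.0' } }, // range is assumed
  },
};

console.log(JSON.stringify(findAuditConflicts(sampleLock), null, 2));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAuditConflicts` in place of `sampleLock`.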

This will fix the “CLI” part and will not give you confusing errors:

https://github.com/npm/cli/pull/128

It seems like this PR would just change the error message.

This would not solve the problem of npm audit failing.