Npm audit fails with `child "requires" fails because ["requires" must be an object]`

What I Wanted to Do

I wanted to run npm audit

What Happened Instead

The command errored with a non-informative

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests, or the audit endpoint is temporarily unavailable.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/twoabove/.npm/_logs/2019-07-02T07_47_58_415Z-debug.log

Reproduction Steps

Use the package-lock.json and run npm audit
package.json (3.0 KB)
package-lock.json (411.9 KB)

Details

npm audit does not state what the error is, so I did a manual check to get some usable error from the http request

2019-07-02T07_47_58_415Z-debug.log (2.7 KB)

Platform Info

$ npm --versions

{ 'kyc-management': '0.0.1',
  npm: '6.9.2',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '6.8.275.32-node.52',
  zlib: '1.2.11' }

$ node -p process.platform
linux

You appear to have a local package in your package.json. When I removed that, the error went away.

		"kyc-ui-common": "../common",

(The error did not help me identify that line, it was a guess!)

Yes, and Looks like npm audit does not support it (but yarn, for example, does)

You can use local file deps in npm if you do "kyc-ui-common": "file:../common".

But regardless, this is a patently false and misleading error message. Definitely a bug, whatever the root cause was.

Hm, I spoke too soon. You can definitely do "kyc-ui-common": "../common" in package.json, and package-lock.json will turn it into a file:../common url.

So, I’m not sure what that would’ve fixed the issue. Very strange.


update: Ok, well the server is trying to be helpful. Response body is Invalid package tree, run npm install to rebuild your package-lock.json. I’ll rework that bit of the code so that it shares what the server says in those cases, and we can try to think of other areas where we might be obscuring helpful info that the registry shares.