npm audit fails with ENOAUDIT on 500 response


(Bob Van Der Linden) #1

What I Wanted to Do

Because my project was indirectly depending on flatmap-stream@0.1.1 and that package was deleted on npmjs, I wanted to fix the security problem by using npm audit. So I ran:

npm audit fix

This resulted in the following output:

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) does not support audit requests.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/bobvanderlinden/.npm/_logs/2018-11-27T21_59_55_227Z-debug.log

I looked in the debug log file and found:

2 info using npm@6.4.1
3 info using node@v10.10.0
4 verbose npm-session ce542b3a2d0b60f5
5 timing audit compress Completed in 9ms
6 info audit Submitting payload of 57080 bytes
7 http fetch POST 500 https://registry.npmjs.org/-/npm/v1/security/audits 1413ms
8 verbose stack Error: Your configured registry (https://registry.npmjs.org/) does not support audit requests.
8 verbose stack     at Bluebird.all.spread.then.catch (/usr/local/lib/node_modules/npm/lib/audit.js:172:18)
8 verbose stack     at tryCatcher (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
8 verbose stack     at Promise._settlePromiseFromHandler (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
8 verbose stack     at Promise._settlePromise (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
8 verbose stack     at Promise._settlePromise0 (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
8 verbose stack     at Promise._settlePromises (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:689:18)
8 verbose stack     at Async._drainQueue (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:133:16)
8 verbose stack     at Async._drainQueues (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:143:10)
8 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
8 verbose stack     at runCallback (timers.js:694:18)
8 verbose stack     at tryOnImmediate (timers.js:665:5)
8 verbose stack     at processImmediate (timers.js:647:5)

Notice the line:

http fetch POST 500 https://registry.npmjs.org/-/npm/v1/security/audits 1413ms

This is a 500 response from registry.npmjs.org.

Reproduction Steps

git clone https://github.com/bobvanderlinden/probot-auto-merge
cd probot-auto-merge
git checkout 19d43febe0dcbc3ed089be342763906083221b89
npm install
# Notice the 404 on flatmap-stream
npm audit fix
# Notice the ENOAUDIT error

Details

~/.npmrc is empty. registry.npmjs.org seems to be generating an error, resulting in a 500 response. There are 2 problems I think need to be addressed:

  1. The error that npmjs is generating needs to be resolved.
  2. npm audit fix should not output Your configured registry (https://registry.npmjs.org/) does not support audit requests. whenever it receives a 500 error. The registry does support audits, but it just failed to handle my request.

Platform Info

$ npm --versions
{ 'probot-auto-merge': '1.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.33.0',
  node: '10.10.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.0',
  v8: '6.8.275.30-node.24',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

(Perry Mitchell) #2

Can confirm that this is also present with the latest node and seems to be entirely npm-related:

{ 'mini-state-machine': '0.4.2',
  npm: '6.4.1',
  ares: '1.15.0',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  modules: '67',
  napi: '3',
  nghttp2: '1.34.0',
  node: '11.3.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '7.0.276.38-node.11',
  zlib: '1.2.11' }

(Cole Furfaro Strode) #3

I had this same issue in one library, but not others. I found that when I uninstalled nodemon the npm audit command started working again. I dug in and found that the version of nodemon we were using relied on the unpublished versions of both event-stream (3.3.6) and flatmap-stream (0.1.1). I think there may be an npm bug with trying to audit unpublished versions of packages.

If you have either of those dependencies, try changing event-stream to >=4.0.0 || <=3.3.5 and seeing if that fixes the issue with npm audit.


(Geoff Adams) #4

This solution worked for me.

Since event-stream was only included as a dependency of pstree.remy, a dependency of nodemon, I had to make the change in the package-lock.json. I decided to switch out 3.3.6 (the unpublished, vulnerable version) for 3.3.5:

    ...
    "event-stream": {
      "version": "3.3.5",
      "resolved": "https://registry.npmjs.org/event-stream/-/event-stream-3.3.5.tgz",
      ...

After this, npm audit worked. It displayed the critical vulnerability which I was then able to fix with npm audit fix. Note that above, I didn’t touch the integrity hash, as I knew I was going to run a fix immediately afterwards.

I agree that this seems to be a bug with the way npm audit handles unpublished packages. The HTTP 500 from the audit endpoint then being reported to the user as ENOAUDIT is misleading, too.
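The manual lockfile edit described in the two posts above can be turned into a check. The following script is an added example, not code from this thread or from npm: it walks a lockfileVersion 1 package-lock.json (nested "dependencies" objects) and reports every entry that resolves to one of the unpublished versions named in the thread, event-stream@3.3.6 and flatmap-stream@0.1.1. The sample lockfile embedded in it is constructed to mirror the nodemon > pstree.remy > event-stream chain; the nodemon and pstree.remy version numbers in it are placeholders, not values from the thread.

```javascript
// Added example (not npm's code and not from this thread): find lockfile entries
// that resolve to package versions known to have been unpublished from the registry.
'use strict';

// name@version pairs named in the thread as unpublished.
const UNPUBLISHED = new Set([
  'event-stream@3.3.6',
  'flatmap-stream@0.1.1',
]);

// Recursively walk a lockfileVersion 1 "dependencies" tree. Returns one hit per
// matching entry, with the nesting path so the owner of the dependency is clear.
function findUnpublished(lock, unpublished = UNPUBLISHED) {
  const hits = [];
  function walk(deps, trail) {
    if (!deps) return;
    for (const [name, entry] of Object.entries(deps)) {
      const here = [...trail, name];
      if (unpublished.has(`${name}@${entry.version}`)) {
        hits.push({ name, version: entry.version, path: here.join(' > ') });
      }
      walk(entry.dependencies, here); // nested deps that were not hoisted
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile, not a real project's. Versions of nodemon and
// pstree.remy are placeholders; event-stream and flatmap-stream are the thread's.
const SAMPLE_LOCK = {
  name: 'sample-project',
  lockfileVersion: 1,
  dependencies: {
    nodemon: {
      version: '0.0.0-placeholder',
      dev: true,
      dependencies: {
        'pstree.remy': {
          version: '0.0.0-placeholder',
          dependencies: {
            'event-stream': {
              version: '3.3.6',
              resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
              dependencies: {
                'flatmap-stream': {
                  version: '0.1.1',
                  resolved: 'https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz',
                },
              },
            },
          },
        },
      },
    },
    through: { version: '2.3.8' },
  },
};

for (const hit of findUnpublished(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} via ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a non-empty result is the list of entries to pin to a published version before npm audit is retried.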


(Jakub Buriánek) #5

I have the same problem, however this happens when we use Verdaccio (wait, I know that this is third party, but I think that the issue is the same).
We have packages hosted at a private repository and when I run npm audit --registry=https://registry.npmjs.org it also fails with this message. So the cause here might also be looking for nonexistent packages?


(Bob Van Der Linden) #6

This is a problem in both npmjs.org as well as the npm client. Is this forum the right place to do the bug reports for both projects?

I guess that most third party repositories proxy calls to npmjs.org and thus will also respond with a 500 status code.

The confusing part is that the npm client tells the user that the repository does not support audits when the repository responds with an error.

Also, my method of working around the problem was:

npm remove nodemon
npm install --save-dev nodemon
npm audit fix
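The thread's second complaint is that a 500 from the audit endpoint was reported as "does not support audit requests". The sketch below is an added example, not npm's code: it keeps "endpoint absent" (404/405) apart from "registry failed" (5xx), retries only the latter a bounded number of times, and produces a message that names the actual status. The `send` transport is a hypothetical synchronous function returning `{ status, body }`; the canned transport and its responses are constructed for the example.

```javascript
// Added example (not npm's code): classify audit responses and retry only on
// registry-side failures, so a 500 is never reported as "audit unsupported".
'use strict';

const AUDIT_PATH = '/-/npm/v1/security/audits'; // path seen in the thread's debug log

// Only 404/405 mean the registry has no audit endpoint. Any 5xx is a failure on
// the registry side and may succeed on a retry.
function classifyAuditStatus(status) {
  if (status >= 200 && status < 300) return 'ok';
  if (status === 404 || status === 405) return 'unsupported';
  if (status === 401 || status === 403) return 'unauthorized';
  if (status >= 500 && status < 600) return 'server-error';
  return 'client-error';
}

function explainOutcome({ outcome, status, url }) {
  switch (outcome) {
    case 'unsupported':
      return `Registry at ${url} does not support audit requests (HTTP ${status}).`;
    case 'server-error':
      return `Audit endpoint ${url} returned HTTP ${status}: the registry failed to process the request; retry later.`;
    case 'unauthorized':
      return `Audit endpoint ${url} rejected the credentials (HTTP ${status}).`;
    default:
      return `Audit endpoint ${url} rejected the request (HTTP ${status}); check the payload.`;
  }
}

// send(url, payload) is a hypothetical synchronous transport returning { status, body }.
function auditWithRetry(send, registry, payload, maxAttempts = 3) {
  const url = new URL(AUDIT_PATH, registry).toString();
  let last;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = send(url, payload);
    const outcome = classifyAuditStatus(res.status);
    last = { attempt, status: res.status, outcome, url };
    if (outcome === 'ok') return { ...last, report: res.body };
    if (outcome !== 'server-error') break; // 4xx will not change on retry
  }
  return { ...last, message: explainOutcome(last) };
}

// Constructed transport: replays canned responses, repeating the last one.
function cannedTransport(responses) {
  let i = 0;
  return () => responses[Math.min(i++, responses.length - 1)];
}

// Demo: two 500s then success, versus a registry that really lacks the endpoint.
const flaky = cannedTransport([{ status: 500 }, { status: 500 }, { status: 200, body: { advisories: {} } }]);
console.log(auditWithRetry(flaky, 'https://registry.npmjs.org/', {}));
const noAudit = cannedTransport([{ status: 404 }]);
console.log(auditWithRetry(noAudit, 'https://registry.example.invalid/', {}).message);
```

The distinction matters operationally: "unsupported" tells a user to change registries or disable audit, while "server-error" tells them nothing is wrong on their side and the request should be retried or the registry status checked.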