"npm audit fix" replaces custom registry in package-lock.json

What I Wanted to Do

Run "npm audit fix" with custom registry:

npm audit fix --registry=http://localhost:9002/

Some vulnerabilities were found, but none could be fixed:

up to date in 16.603s
fixed 0 of 9 vulnerabilities in 46092 scanned packages
  1 package update for 9 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

I didn’t run again with --force option, so I expected no changes to package-lock.json.

What Happened Instead

package-lock.json had been changed. The command replaced my custom registry within the resolved field with the default npm registry at registry.npmjs.org:

$ git diff package-lock.json
 modified: package-lock.json
 @ package-lock.json:64 @
        "dependencies": {
          "memoize-one": {
            "version": "3.1.1",
 -          "resolved": "http://localhost:9002/memoize-one/-/memoize-one-3.1.1.tgz",
 +          "resolved": "http://registry.npmjs.org/memoize-one/-/memoize-one-3.1.1.tgz",
            "integrity": "sha512-YqVh744GsMlZu6xkhGslPSqSurOv6P+kLN2J3ysBZfagLcL5FdRK/0UpgLoL8hwjjEvvAVkjJZyFP+1T6p1vgA=="
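Review bot: the `+` line in this hunk rewrites `resolved` to plain `http://registry.npmjs.org/...`, so the proxy URL is replaced by a cleartext public-registry URL rather than an `https://` one; the `integrity` context line right below is unchanged, so the tarball content is still checked against the same sha512 value even though the transport is not. A lockfile that now commits plain-http URLs is a larger change than just losing the proxy and is worth stating explicitly in the report.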
 @ package-lock.json:99 @
      "@babel/helper-module-imports": {
        "version": "7.0.0",
 -      "resolved": "http://localhost:9002/@babel%2fhelper-module-imports/-/helper-module-imports-7.0.0.tgz",
 +      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.0.0.tgz",
        "integrity": "sha512-aP/hlLq01DWNEiDg4Jn23i+CXxW/owM4WpDLFUbpjxe4NS3BhLVZQ5i7E0ZrxuQ/vwekIeciyamgB1UIYxxM6A==",
        "requires": {
          "@babel/types": "^7.0.0"
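Review bot: the `+` line here differs from the previous hunk's rewrite in two ways that belong in the report: it uses `https://` where the first rewrite used `http://`, and the scoped name is written as `@babel/helper-module-imports` instead of the proxy's `@babel%2fhelper-module-imports` form, so the new value is not a plain host substitution on the old one. The `integrity` and `requires` context lines are unchanged.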
 @ package-lock.json:135 @
[... and so on ...]

Platform Info

$ npm --versions
{ 'myproject': '0.1.0',
  npm: '6.5.0',
  ares: '1.15.0',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  llhttp: '1.0.1',
  modules: '67',
  napi: '3',
  nghttp2: '1.34.0',
  node: '11.4.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.24.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

Your custom registry can’t just proxy audit results like this – it needs to patch the results themselves if you want this to look right. npm audit fix just uses whatever those results are.

That said, you can probably ignore this just fine, because we’ll still download tarballs from your proxy. The resolved field is only a suggestion and optimization. You can also just patch your pkglock.
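The reply above says the lockfile can simply be patched. As an added example, not code from this thread or from npm itself, the script below walks a lockfileVersion 1 package-lock.json, lists every `resolved` URL whose origin is not the expected registry, and rewrites only the origin while leaving the path and the `integrity` field untouched; the sample lockfile, the registry URL and the hash values are constructed.

```javascript
const SAMPLE_LOCK = { // constructed, not the post's file; hashes are placeholders
  name: 'myproject', version: '0.1.0', lockfileVersion: 1,
  dependencies: {
    'memoize-one': { version: '3.1.1', integrity: 'sha512-PLACEHOLDER',
      resolved: 'http://registry.npmjs.org/memoize-one/-/memoize-one-3.1.1.tgz' },
    '@babel/helper-module-imports': { version: '7.0.0', integrity: 'sha512-PLACEHOLDER',
      resolved: 'https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.0.0.tgz',
      dependencies: { // nested entry that still points at the local proxy
        'still-local': { version: '1.0.0', integrity: 'sha512-PLACEHOLDER',
          resolved: 'http://localhost:9002/still-local/-/still-local-1.0.0.tgz' } } },
  },
};

// Yield [path, entry] for every dependency, recursing into nested trees (v1 layout).
function* walk(deps, prefix = '') {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    yield [path, entry];
    yield* walk(entry.dependencies, path);
  }
}

// Only http(s) tarball URLs are in scope; git, file and missing specs are skipped.
const tarballUrl = (e) =>
  typeof e.resolved === 'string' && /^https?:/.test(e.resolved) ? new URL(e.resolved) : null;

// Detection: entries whose resolved origin is not the expected registry.
function findForeignResolved(lock, registry) {
  const expected = new URL(registry).origin;
  const out = [];
  for (const [path, entry] of walk(lock.dependencies)) {
    const u = tarballUrl(entry);
    if (u && u.origin !== expected) out.push({ path, resolved: u.href });
  }
  return out;
}

// Mitigation: swap only scheme and host; path and integrity stay as they are.
function rewriteResolved(lock, registry) {
  const target = new URL(registry);
  let changed = 0;
  for (const [, entry] of walk(lock.dependencies)) {
    const u = tarballUrl(entry);
    if (!u || u.origin === target.origin) continue;
    u.protocol = target.protocol; u.host = target.host;
    entry.resolved = u.href;
    changed += 1;
  }
  return changed;
}
```

To use it on a real file, load the lockfile with `JSON.parse(fs.readFileSync(...))`, run `findForeignResolved` to review the hits, then `rewriteResolved` and write the object back with `JSON.stringify(lock, null, 2)`.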
