npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

"npm audit fix" replaces custom registry in package-lock.json

What I Wanted to Do

Run “npm audit fix” with a custom registry:

npm audit fix --registry=http://localhost:9002/

Some vulnerabilities were found, but none could be fixed:

up to date in 16.603s
fixed 0 of 9 vulnerabilities in 46092 scanned packages
  1 package update for 9 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

I didn’t run again with --force option, so I expected no changes to package-lock.json.

What Happened Instead

package-lock.json had been changed. The command replaced my custom registry within the resolved field with the default npm registry at registry.npmjs.org:

$ git diff package-lock.json
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 modified: package-lock.json
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 @ package-lock.json:64 @
        "dependencies": {
          "memoize-one": {
            "version": "3.1.1",
 -          "resolved": "http://localhost:9002/memoize-one/-/memoize-one-3.1.1.tgz",
 +          "resolved": "http://registry.npmjs.org/memoize-one/-/memoize-one-3.1.1.tgz",
            "integrity": "sha512-YqVh744GsMlZu6xkhGslPSqSurOv6P+kLN2J3ysBZfagLcL5FdRK/0UpgLoL8hwjjEvvAVkjJZyFP+1T6p1vgA=="
          }
        }
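Review bot: the replacement `resolved` line for memoize-one uses plain `http://registry.npmjs.org/...`, so if this lockfile were committed as-is the tarball would be fetched from the public registry without TLS; the `integrity` line is unchanged, so the content is still checked against the same sha512 digest, but the scheme should be `https://` before anyone accepts this change.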
 @ package-lock.json:99 @
      },
      "@babel/helper-module-imports": {
        "version": "7.0.0",
 -      "resolved": "http://localhost:9002/@babel%2fhelper-module-imports/-/helper-module-imports-7.0.0.tgz",
 +      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.0.0.tgz",
        "integrity": "sha512-aP/hlLq01DWNEiDg4Jn23i+CXxW/owM4WpDLFUbpjxe4NS3BhLVZQ5i7E0ZrxuQ/vwekIeciyamgB1UIYxxM6A==",
        "requires": {
          "@babel/types": "^7.0.0"
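Review bot: this hunk is inconsistent with the memoize-one hunk above: the scheme becomes `https://` here but stayed `http://` there, and the scoped path changes from the proxy's `@babel%2fhelper-module-imports` to `@babel/helper-module-imports`. Whoever reverts or accepts these edits should use one scheme throughout and keep the scoped-name encoding the proxy actually serves, so that every entry is fetched the same way.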
 @ package-lock.json:135 @
[... and so on ...]

Platform Info

$ npm --versions
{ 'myproject': '0.1.0',
  npm: '6.5.0',
  ares: '1.15.0',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  llhttp: '1.0.1',
  modules: '67',
  napi: '3',
  nghttp2: '1.34.0',
  node: '11.4.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.24.0',
  v8: '7.0.276.38-node.13',
  zlib: '1.2.11' }
$ node -p process.platform
darwin
Your custom registry can’t just proxy audit results like this – it needs to patch the results themselves if you want this to look right. npm audit fix just uses whatever those results are.

That said, you can probably ignore this just fine, because we’ll still download tarballs from your proxy. The resolved field is only a suggestion and optimization. You can also just patch your pkglock.