npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry

cli
security
priority:medium
triaged

(Josh Clow) #1

What I Wanted to Do

run npm audit and get a report back

What Happened Instead

audit fails with this output:

npm ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/joshclow/.npm/_logs/2018-07-12T21_42_03_918Z-debug.log

Reproduction Steps

This package.json should reproduce the issue (the opening brace was missing from the pasted file and has been restored):

{
  "name": "audit-test",
  "version": "1.0.0",
  "description": "Reduced repro for issue with npm audit",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "asap": "https://registry.npmjs.org/asap/-/asap-2.0.6.tgz",
    "react": "^16.4.1"
  }
}

Details

The reduced repro above is definitely contrived, but it points to what I think is happening here. By adding “asap” (which react has as a dependency) and pointing directly to the tar hosted on registry.npmjs.org, it satisfies the react dependency when building the dependency/requires data to be sent over the wire to the registry in npm audit.

However, because I’m writing it as a remote dependency instead of a registry dependency, it gets tagged as needing to be scrubbed in lib/install/audit.js and so the dependency ends up getting its name/spec obfuscated. However, the “requires” data for the rest of the tree still contains "asap": "~2.0.3" which now doesn’t match the obfuscated reference and I believe this is why the audit report fails and comes back as a 400 from registry.npmjs.org.

Again, this is a contrived example to show the repro. The actual real scenario we’re hitting in my organization is that we have a private fork of a registry-hosted package in order to get a bug fix that’s not yet in the mainline code. That private fork is satisfying the requirements for other packages that also depend on it, but then gets obfuscated and then the audit fails.

Platform Info

$ npm --versions
{ 'audit-test': '1.0.0',
  npm: '6.1.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.7.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.10.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

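The mismatch Josh describes in the post above, modeled in JavaScript as an added example (this is not code from the original post and not npm's own lib/install/audit.js). The dependency tree is constructed by hand in a package-lock-like shape; the scrubbing rule (replace a non-registry dependency's name with a hash and blank its version), the heuristic for what counts as a registry spec, and the node_modules-style lookup that decides whether a "requires" entry resolves are all assumptions made for illustration. The point it shows is that scrubbing the dependency entry alone leaves "requires" entries elsewhere in the tree pointing at a name that no longer exists in the payload, and that rewriting those references at the same time keeps the payload self-consistent, which is the check a client could run before sending the POST.

```javascript
// Added example: why scrubbing one entry of an audit payload can leave the rest
// of the payload inconsistent. Payload shape, scrub rule and lookup rule are
// assumptions for illustration, not npm's actual implementation.

// Constructed tree, modeled loosely on the reduced repro: asap is pulled in by a
// remote tarball URL at the root and satisfies fbjs's "asap": "~2.0.3".
const lockTree = {
  name: 'audit-test',
  version: '1.0.0',
  requires: {
    asap: 'https://registry.npmjs.org/asap/-/asap-2.0.6.tgz',
    react: '^16.4.1'
  },
  dependencies: {
    asap: { version: 'https://registry.npmjs.org/asap/-/asap-2.0.6.tgz' },
    'object-assign': { version: '4.1.1' },
    react: {
      version: '16.4.1',
      requires: { fbjs: '^0.8.16', 'object-assign': '^4.1.1' },
      dependencies: {
        fbjs: { version: '0.8.17', requires: { asap: '~2.0.3' } }
      }
    }
  }
};

// Heuristic (assumption, not npm-package-arg): URLs, git remotes, GitHub
// shorthand and local paths are non-registry; versions, ranges and tags are not.
function isRegistrySpec(spec) {
  return !/^(https?:|git(\+\w+)?:|github:|file:|\.{0,2}\/|[\w.-]+\/[\w.-]+$)/i.test(spec);
}

// Stand-in for the name obfuscation: a 32-bit FNV-1a hash, so that the registry
// never sees the private package name but the value is stable within a payload.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}
function scrubName(name) { return 'scrubbed-' + fnv1a(name); }

// node_modules-style lookup: innermost scope first, then each ancestor.
function lookup(name, chain) {
  for (const n of chain) {
    if (n.dependencies && Object.prototype.hasOwnProperty.call(n.dependencies, name)) {
      return n.dependencies[name];
    }
  }
  return null;
}

// Returns every "requires" entry that does not resolve to a dependency entry in
// scope. A client-side precheck: a non-empty result means the payload is
// internally inconsistent and the server has good reason to reject it.
function danglingRequires(root) {
  const problems = [];
  function walk(node, path, chain) {
    for (const [name, spec] of Object.entries(node.requires || {})) {
      if (!lookup(name, chain)) problems.push({ from: path.join('>') || root.name, name, spec });
    }
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, path.concat(name), [dep, ...chain]);
    }
  }
  walk(root, [], [root]);
  return problems;
}

// Scrub non-registry dependency entries. With rewriteRequires=false only the
// dependency entry is renamed and its version blanked (the inconsistent case);
// with rewriteRequires=true every "requires" entry that resolves to a scrubbed
// dependency is renamed in the same way, so the tree stays self-consistent.
function scrub(node, rewriteRequires, chain = [node]) {
  const out = { ...node };
  if (node.requires) {
    out.requires = {};
    for (const [name, spec] of Object.entries(node.requires)) {
      const target = lookup(name, chain);
      const targetScrubbed = target !== null && !isRegistrySpec(target.version);
      if (rewriteRequires && targetScrubbed) out.requires[scrubName(name)] = '';
      else out.requires[name] = spec;
    }
  }
  if (node.dependencies) {
    out.dependencies = {};
    for (const [name, dep] of Object.entries(node.dependencies)) {
      const copy = scrub(dep, rewriteRequires, [dep, ...chain]);
      if (isRegistrySpec(dep.version)) out.dependencies[name] = copy;
      else out.dependencies[scrubName(name)] = { ...copy, version: '' };
    }
  }
  return out;
}

function buildPayloads() {
  return { naive: scrub(lockTree, false), consistent: scrub(lockTree, true) };
}

const { naive, consistent } = buildPayloads();
console.log('dangling after naive scrub:', danglingRequires(naive));
console.log('dangling after consistent scrub:', danglingRequires(consistent));
```

Running it lists two dangling entries after the naive scrub, both for "asap": the root's own requirement (the tarball URL) and fbjs's "~2.0.3" from inside react's subtree, exactly the leftover references the post points at. After the consistent scrub the list is empty. The example only checks that a required name resolves somewhere in scope; whether the resolved version satisfies the range is a separate question it does not model.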
(Stephen Uy) #2

I’m interested in an answer, as well. There’s been a thread on Github that’s covering the same issue, but hasn’t seen any solutions which have worked for me (i.e. rm package-lock.json && npm i && npm audit fix).


(Timur Amirov) #3

I’m also interested in the answer. Topic is marked as #triaged — does that mean there’s some info/update available?

* also not entirely sure how to overcome issues with tarballs and npm audit in a meanwhile…


(Alexey Subach) #4

@joshclow @tsanth @DeTeam Let’s vote for the issue! It seems they have added this functionality quite recently - it’s right near the title