npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry

What I Wanted to Do

run npm audit and get a report back

What Happened Instead

audit fails with this output:

npm ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/joshclow/.npm/_logs/2018-07-12T21_42_03_918Z-debug.log

Reproduction Steps

This package.json should reproduce the issue:

{
  "name": "audit-test",
  "version": "1.0.0",
  "description": "Reduced repro for issue with npm audit",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "asap": "https://registry.npmjs.org/asap/-/asap-2.0.6.tgz",
    "react": "^16.4.1"
  }
}

Details

The reduced repro above is definitely contrived, but it points to what I think is happening here. By adding “asap” (which react has as a dependency) and pointing directly to the tar hosted on registry.npmjs.org, it satisfies the react dependency when building the dependency/requires data to be sent over the wire to the registry in npm audit.

However, because I’m writing it as a remote dependency instead of a registry dependency, it gets tagged as needing to be scrubbed in lib/install/audit.js and so the dependency ends up getting its name/spec obfuscated. However, the “requires” data for the rest of the tree still contains "asap": "~2.0.3" which now doesn’t match the obfuscated reference and I believe this is why the audit report fails and comes back as a 400 from registry.npmjs.org.

Again, this is a contrived example to show the repro. The actual real scenario we’re hitting in my organization is that we have a private fork of a registry-hosted package in order to get a bug fix that’s not yet in the mainline code. That private fork is satisfying the requirements for other packages that also depend on it, but then gets obfuscated and then the audit fails.

Platform Info

$ npm --versions
{ 'audit-test': '1.0.0',
  npm: '6.1.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.7.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.10.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
$ node -p process.platform
darwin


I’m interested in an answer, as well. There’s been a thread on Github that’s covering the same issue, but hasn’t seen any solutions which have worked for me (i.e. rm package-lock.json && npm i && npm audit fix).


I’m also interested in the answer. Topic is marked as #triaged — does that mean there’s some info/update available?

* Also not entirely sure how to overcome issues with tarballs and npm audit in the meantime…


@joshclow @tsanth @DeTeam Let’s vote for the issue! It seems they have added this functionality quite recently - it’s right near the title