npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm audit returns error code E400 when dependency has empty string instead of version number

What I Wanted to Do

I wanted to run npm audit and get some helpful information on what packages I need to upgrade. I narrowed it town to the simplest possible test case to reproduce the issue, which is just a bare package.json with a single dependency that has no version specified.

What Happened Instead

I always got an ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits

Reproduction Steps

mkdir temp
cd temp
npm init

Accept all defaults.
Then edit package.json and add the following:

"dependencies": {
    "almond": ""
}

Finally, run:

npm i
npm audit

Result:

npm ERR! code E400                                                                                                                                                                   
npm ERR! 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits                                                                                                  
                                                                                                                                                                                 
npm ERR! A complete log of this run can be found in:                                                                                                                                 
npm ERR!     /home/me/.npm/_logs/2018-09-08T03_58_13_333Z-debug.log                                                                                                              

Details

This is the full package.json file:

{                                                                                                                                                                                    
  "name": "audite400",                                                                                                                                                               
  "version": "1.0.0",                                                                                                                                                                
  "description": "",                                                                                                                                                                 
  "main": "index.js",                                                                                                                                                                
  "scripts": {                                                                                                                                                                       
    "test": "echo \"Error: no test specified\" && exit 1"                                                                                                                            
  },                                                                                                                                                                                 
  "author": "",                                                                                                                                                                      
  "license": "ISC",                                                                                                                                                                  
  "dependencies": {                                                                                                                                                                  
    "almond": ""                                                                                                                                                                     
  }                                                                                                                                                                                  
} 

It doesn’t matter which dependency you use instead of almond.

Here is npm-debug.log:

0 info it worked if it ends with ok                                                                                                                                              
1 verbose cli [ '/home/me/.nvm/versions/node/v8.11.4/bin/node',                                                                                                                  
1 verbose cli   '/home/me/.nvm/versions/node/v8.11.4/bin/npm',                                                                                                                   
1 verbose cli   'audit' ]                                                                                                                                                        
2 info using npm@6.4.1                                                                                                                                                           
3 info using node@v8.11.4                                                                                                                                                        
4 verbose npm-session 8cdfcf533c528420                                                                                                                                           
5 timing audit compress Completed in 3ms                                                                                                                                         
6 info audit Submitting payload of 2869 bytes                                                                                                                                    
7 http fetch POST 400 https://registry.npmjs.org/-/npm/v1/security/audits 440ms                                                                                                  
8 verbose stack Error: 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits                                                                                
8 verbose stack     at res.buffer.catch.then.body (/home/me/.nvm/versions/node/v8.11.4/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:94:15)             
8 verbose stack     at <anonymous>                                                                                                                                               
8 verbose stack     at process._tickCallback (internal/process/next_tick.js:188:7)                                                                                               
9 verbose statusCode 400                                                                                                                                                         
10 verbose cwd /home/me/temp2                                                                                                                                              
11 verbose Linux 4.4.132-14168-gf0bafd65338d                                                                                                                                     
12 verbose argv "/home/me/.nvm/versions/node/v8.11.4/bin/node" "/home/me/.nvm/versions/node/v8.11.4/bin/npm" "audit"                                                             
13 verbose node v8.11.4                                                                                                                                                          
14 verbose npm  v6.4.1                                                                                                                                                           
15 error code E400                                                                                                                                                               
16 error 400 Bad Request - POST https://registry.npmjs.org/-/npm/v1/security/audits                                                                                              
17 verbose exit [ 1, true ]                                                                                                                                                      

Platform Info

$ npm --versions
    { audite400: '1.0.0',                                                                                                                                                            
      npm: '6.4.1',                                                                                                                                                                  
      ares: '1.10.1-DEV',                                                                                                                                                            
      cldr: '32.0',                                                                                                                                                                  
      http_parser: '2.8.0',                                                                                                                                                          
      icu: '60.1',                                                                                                                                                                   
      modules: '57',                                                                                                                                                                 
      napi: '3',                                                                                                                                                                     
      nghttp2: '1.32.0',                                                                                                                                                             
      node: '8.11.4',                                                                                                                                                                
      openssl: '1.0.2p',                                                                                                                                                             
      tz: '2017c',                                                                                                                                                                   
      unicode: '10.0',                                                                                                                                                               
      uv: '1.19.1',                                                                                                                                                                  
      v8: '6.2.414.54',                                                                                                                                                              
      zlib: '1.2.11' }                                                                                                                                                               

$ node -p process.platform
linux


This is related to npm audit returns 400 from registry when non-registry packages satisfy specs that exist in the registry, but I don’t think strictly a duplicate. /cc @nlf