npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] When lockfile-version=3, using a custom registry breaks npm audit #6751

Open christo8989 opened 1 year ago

christo8989 commented 1 year ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

npmrc

registry=https://npm.customdomain.com/
legacy-peer-deps=true

Cli

npm install
npm audit

Output

npm WARN audit 400 Bad Request - POST https://npm.customdomain.com/-/npm/v1/security/audits/quick - Bad Request
{
  statusCode: 400,
  error: 'Bad Request',
  message: 'Invalid package tree, run  npm install  to rebuild your package-lock.json'
}
npm ERR! audit endpoint returned an error

However, if I comment out the custom registry, then npm audit works as expected.

Expected Behavior

npm audit works as expected with a custom registry.

Steps To Reproduce

See "Current Behavior"

Environment

christo8989 commented 1 year ago

Maybe related? https://github.com/npm/cli/issues/6257

chovyy commented 10 months ago

I can confirm that bug. Very weird behavior; it took me a long time to find out what the actual problem here is.

Since most of our servers don't have internet access, we have an Apache proxy on one machine that passes through all requests to registry.npmjs.org:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName npm.customdomain.com

        AllowEncodedSlashes NoDecode

        ProxyRequests Off
        ProxyPreserveHost Off
        SSLProxyEngine On

        ProxyPass /repository/npm/-/npm/v1/security/audits      https://registry.npmjs.org/-/npm/v1/security/audits

        [...]
    </VirtualHost>
</IfModule>

When I use https://registry.npmjs.org as registry on a machine with internet access, npm audit works fine. When I use https://npm.customdomain.com/repository/npm as registry, npm audit fails with the same package-lock.json file as described above by the OP. When I change lockfileVersion to 2 in this file, it works again.

; node version = v20.9.0
; npm version = 10.1.0

> Maybe related? #6257

@christo8989 I cannot actually see how.

christo8989 commented 10 months ago

It's been a while since I've visited this.

That other issue might not be related and I don't remember why I tagged it. Maybe just because it's related to npm audit but I can't say for certain.

chovyy commented 10 months ago

> It's been a while since I've visited this.

@christo8989 Have you found any workaround? I had to downgrade to npm v8. :disappointed:

chovyy commented 10 months ago

OK, I finally got it! Besides /-/npm/v1/security/audits, you now have to also forward /-/npm/v1/security/advisories (see also https://docs.npmjs.com/cli/v9/commands/npm-audit#bulk-advisory-endpoint):

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName npm.customdomain.com

        AllowEncodedSlashes NoDecode

        ProxyRequests Off
        ProxyPreserveHost Off
        SSLProxyEngine On

        ProxyPass /repository/npm/-/npm/v1/security/audits        https://registry.npmjs.org/-/npm/v1/security/audits
        ProxyPass /repository/npm/-/npm/v1/security/advisories    https://registry.npmjs.org/-/npm/v1/security/advisories

        [...]
    </VirtualHost>
</IfModule>
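To make the workaround above checkable before rolling a proxy change out, here is an added example (not code from the issue thread or from the npm project). It does two things: it derives the `{name: [versions]}` request body that a lockfileVersion 3 file yields for the bulk advisory endpoint (a v3 lockfile has no `dependencies` tree for the older quick-audit endpoint, which is why that path alone returns the "Invalid package tree" error), and it scans an Apache config for `ProxyPass` lines to report which of the two audit routes named in this thread is not forwarded. The lockfile and the two config fragments are constructed sample data; the `/advisories/bulk` suffix comes from the npm docs linked above, and the `/repository/npm` prefix is the one chovyy used.

```python
import json
import re
from collections import defaultdict

# Constructed lockfileVersion 3 fragment (sample data, not from the issue).
LOCKFILE_V3 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"left-pad": "^1.3.0", "debug": "^4.3.4"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/debug": {"version": "4.3.4", "dependencies": {"ms": "2.1.2"}},
    "node_modules/debug/node_modules/ms": {"version": "2.1.2"},
    "node_modules/ms": {"version": "2.0.0"}
  }
}
""")

# Constructed Apache fragments: the first forwards only the quick-audit path,
# the second adds the advisories prefix as in chovyy's fix.
BROKEN_CONF = """
ProxyPass /repository/npm/-/npm/v1/security/audits https://registry.npmjs.org/-/npm/v1/security/audits
"""
FIXED_CONF = BROKEN_CONF + """
ProxyPass /repository/npm/-/npm/v1/security/advisories https://registry.npmjs.org/-/npm/v1/security/advisories
"""


def package_name(path):
    """Derive the package name from a v3 'packages' key.
    'node_modules/a/node_modules/@s/b' -> '@s/b' (the last 'node_modules/'
    segment introduces the name; scoped names keep their slash)."""
    _, _, tail = path.rpartition("node_modules/")
    return tail


def bulk_advisory_body(lockfile):
    """Build the {name: [versions]} body that the bulk advisory endpoint
    (POST .../-/npm/v1/security/advisories/bulk) takes. The root entry ""
    and workspace links are skipped; every installed copy of a package
    contributes its version, so nested duplicates are all queried."""
    versions = defaultdict(set)
    for path, meta in lockfile.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue
        if "version" in meta:
            versions[package_name(path)].add(meta["version"])
    return {name: sorted(v) for name, v in sorted(versions.items())}


# 'ProxyPass <source> <target>'; the \s+ after ProxyPass keeps
# ProxyPassReverse lines from matching.
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.MULTILINE)


def proxied_paths(apache_conf):
    """Return {source_path: target_url} for every ProxyPass directive."""
    return dict(PROXYPASS_RE.findall(apache_conf))


def missing_audit_routes(apache_conf, registry_prefix="/repository/npm"):
    """List the audit routes (by short name) the config does not forward.
    ProxyPass matches by path prefix, so a route counts as forwarded when
    some ProxyPass source is a prefix of the route path (e.g. forwarding
    .../advisories also covers .../advisories/bulk)."""
    needed = {
        "quick": f"{registry_prefix}/-/npm/v1/security/audits",
        "bulk": f"{registry_prefix}/-/npm/v1/security/advisories",
    }
    sources = proxied_paths(apache_conf)
    return sorted(
        name for name, route in needed.items()
        if not any(route.startswith(src) for src in sources)
    )


if __name__ == "__main__":
    print(json.dumps(bulk_advisory_body(LOCKFILE_V3), indent=2))
    print("missing in BROKEN_CONF:", missing_audit_routes(BROKEN_CONF))
    print("missing in FIXED_CONF:", missing_audit_routes(FIXED_CONF))
```

Run it against a real package-lock.json and the proxy's actual vhost file to see, without touching the registry, whether the config covers the route that a v3 lockfile needs; a non-empty `missing_audit_routes` result for "bulk" is the configuration this thread describes.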

christo8989 commented 10 months ago

I haven't due to time constraints. The plan is to update the version of the private registry.