Error with "npm audit"
Describe the bug
When running "npm audit" in my dev-project, it works fine if the registry is set to "https://registry.npmjs.org". But I get the following error when running "npm audit" after running "npm set registry PRIVATE-VERDACCIO-REGISTRY" -
npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (PRIVATE-VERDACCIO-REGISTRY) does not support audit requests, or the audit endpoint is temporarily unavailable.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/**
This error is new, and wasn't there before I upgraded verdaccio to the latest release, so not sure what I'm missing
To Reproduce
Steps to reproduce the behavior:
npm set registry PRIVATE-VERDACCIO-REGISTRY
npm install
npm audit
Expected behavior
When I ran "npm install; npm audit", I had expected back a list of vulnerabilities like -
=== npm audit security report ===
Run npm install express-fileupload@1.1.6 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ express-fileupload                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-fileupload                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-fileupload                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1216                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 323 scanned packages
1 vulnerability requires semver-major dependency updates.
Docker || Kubernetes (please complete the following information):
I'm running private registry Verdaccio 4.7.2 in an AWS ECS container created off of dockerhub image verdaccio/verdaccio
Configuration File (cat ~/.config/verdaccio/config.yaml)
/opt/verdaccio # cat /verdaccio/conf/config.yaml
#
# This is the config file used for the docker images.
# It allows all users to do anything, so don't use it on production systems.
#
# Do not configure host and port under `listen` in this file
# as it will be ignored when using docker.
# see https://github.com/verdaccio/verdaccio/blob/master/wiki/docker.md#docker-and-custom-port-configuration
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/master/conf
#

# path to a directory with all packages
storage: /verdaccio/storage

store:
  aws-s3-storage:
    bucket: private-npm-registry
    region: us-west-1 # US West (N. California)

web:
  # WebUI is enabled as default, if you want disable it, just uncomment this line
  title: NPM Registry
  logo: https://xxx.cloudfront.net/wp-content/themes/xxx/assets/img/logo.svg

auth:
  htpasswd:
    file: /verdaccio/conf/htpasswd
    max_users: -1

# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  '@/':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs
  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs

middlewares:
  audit:
    enabled: true

logs:
  - {type: stdout, format: pretty, level: http}
Debugging output
$ NODE_DEBUG=request verdaccio display request calls (verdaccio <--> uplinks)
$ DEBUG=express:* verdaccio enable extreme verdaccio debug mode (verdaccio api)
$ npm -ddd prints:
npm info it worked if it ends with ok
npm verb cli [
npm verb cli '/usr/local/Cellar/node/12.5.0/bin/node',
npm verb cli '/usr/local/bin/npm',
npm verb cli '-ddd'
npm verb cli ]
npm info using npm@6.9.0
npm info using node@v12.5.0
Usage: npm <command>
where <command> is one of:
access, adduser, audit, bin, bugs, c, cache, ci, cit,
clean-install, clean-install-test, completion, config,
create, ddp, dedupe, deprecate, dist-tag, docs, doctor,
edit, explore, get, help, help-search, hook, i, init,
install, install-ci-test, install-test, it, link, list, ln,
login, logout, ls, org, outdated, owner, pack, ping, prefix,
profile, prune, publish, rb, rebuild, repo, restart, root,
run, run-script, s, se, search, set, shrinkwrap, star,
stars, start, stop, t, team, test, token, tst, un,
uninstall, unpublish, unstar, up, update, v, version, view,
whoami
npm <command> -h quick help on <command>
npm -l display full usage info
npm help <term> search for help on <term>
npm help npm involved overview
Specify configs in the ini-formatted file:
/path/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config
$ npm config get registry prints: PRIVATE-VERDACCIO-REGISTRY
Additional context
The log file that was generated upon running of "npm audit" has the following content -
cat .npm/_logs/2020-07-01T00_53_25_931Z-debug.log
0 info it worked if it ends with ok
1 verbose cli [
1 verbose cli '/usr/local/Cellar/node/12.5.0/bin/node',
1 verbose cli '/usr/local/bin/npm',
1 verbose cli 'audit'
1 verbose cli ]
2 info using npm@6.9.0
3 info using node@v12.5.0
4 verbose npm-session 8821fc6732d58b82
5 http fetch POST 500 PRIVATE-VERDACCIO-REGISTRY/-/npm/v1/security/audits 15290ms
6 verbose stack Error: Your configured registry (PRIVATE-VERDACCIO-REGISTRY) does not support audit requests, or the audit endpoint is temporarily unavailable.
6 verbose stack at /usr/local/lib/node_modules/npm/lib/audit.js:201:18
6 verbose stack at tryCatcher (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack at Promise._settlePromiseFromHandler (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
6 verbose stack at Promise._settlePromise (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
6 verbose stack at Promise._settlePromise0 (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
6 verbose stack at Promise._settlePromises (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:690:18)
6 verbose stack at _drainQueueStep (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:138:12)
6 verbose stack at _drainQueue (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:131:9)
6 verbose stack at Async._drainQueues (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:147:5)
6 verbose stack at Immediate.Async.drainQueues [as _onImmediate] (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
6 verbose stack at processImmediate (internal/timers.js:439:21)
7 verbose cwd /xxxxx
8 verbose Darwin 19.4.0
9 verbose argv "/usr/local/Cellar/node/12.5.0/bin/node" "/usr/local/bin/npm" "audit"
10 verbose node v12.5.0
11 verbose npm v6.9.0
12 error code ENOAUDIT
13 error audit Your configured registry (PRIVATE-VERDACCIO-REGISTRY) does not support audit requests, or the audit endpoint is temporarily unavailable.
14 verbose exit [ 1, true ]
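The ENOAUDIT message covers both "registry does not support audit" and "endpoint temporarily unavailable"; the `http fetch` line in the debug log (here `POST 500` after 15290ms) is what tells them apart. The following is an added example, not part of the original issue or of npm/Verdaccio: a small Node triage helper for such logs, where the function names and verdict labels are assumptions of this example and the sample log is constructed from the format shown above.

```javascript
// Added example: triage an npm 6 debug log after a failed `npm audit`.
const AUDIT_PATH = '/-/npm/v1/security/audits';
// Matches e.g. "5 http fetch POST 500 <registry>/-/npm/v1/security/audits 15290ms"
const FETCH_RE = /^\d+ http fetch (\w+) (\d{3}) (\S+) (\d+)ms/;

function triageAuditLog(logText) {
  const result = { enoaudit: false, requests: [], verdict: 'no-audit-request-found' };
  for (const line of logText.split(/\r?\n/)) {
    if (/^\d+ error code ENOAUDIT\b/.test(line)) result.enoaudit = true;
    const m = FETCH_RE.exec(line);
    if (!m || !m[3].includes(AUDIT_PATH)) continue;
    result.requests.push({ method: m[1], status: Number(m[2]), url: m[3], ms: Number(m[4]) });
  }
  const last = result.requests[result.requests.length - 1];
  if (!last) return result;
  // Verdict labels are this example's own naming, not npm's or Verdaccio's.
  const s = last.status;
  if (s >= 200 && s < 300) result.verdict = 'audit-ok';
  else if (s === 404 || s === 405) result.verdict = 'endpoint-not-served';
  else if (s === 401 || s === 403) result.verdict = 'auth-rejected';
  else if (s >= 500) result.verdict = 'registry-side-failure';
  else result.verdict = 'other-http-error';
  return result;
}

// Fail closed: only a 2xx audit response with no ENOAUDIT counts as "audited".
function auditWasPerformed(logText) {
  const t = triageAuditLog(logText);
  return t.verdict === 'audit-ok' && !t.enoaudit;
}

// Constructed sample, following the log format shown in the issue.
const SAMPLE_LOG = [
  '4 verbose npm-session 0000000000000000',
  '5 http fetch POST 500 PRIVATE-VERDACCIO-REGISTRY/-/npm/v1/security/audits 15290ms',
  '12 error code ENOAUDIT',
].join('\n');

console.log(triageAuditLog(SAMPLE_LOG).verdict, auditWasPerformed(SAMPLE_LOG));
```

In a CI pipeline, a result other than `audit-ok` means the dependency tree was not checked at all, which is different from a clean audit.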
Issue Analytics
- State:
- Created 3 years ago
- Comments:13 (11 by maintainers)
Top GitHub Comments
@juanpicado, I agree with you, because I haven't enough time for solving this problem right now. I will come back here later.
@hydra13 I'm thinking to rollback that PR, I could not find other way. We can re-apply it later when a solution is being available.