npm audit fix not working with npm@7 (lockfileVersion: 2)
Describe the bug
npm audit fix doesn't work with npm@7.18.1:
{ statusCode: 400, error: 'Bad Request', message: 'Invalid package tree, run npm install to rebuild your package-lock.json' }
npm audit works as expected
To Reproduce
1. verdaccio --config ./config.yaml
2. create package.json with at least one dependency and npm install
3. npm audit fix --registry http://localhost:4873/
Expected behavior
found 0 vulnerabilities
Configuration File (cat ~/.config/verdaccio/config.yaml)
listen: 'http://localhost:4873'
max_body_size: 50mb
storage: ./storage
plugins: ./plugins
middlewares:
  audit:
    enabled: true
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
packages:
  '**':
    access: $all
    publish: admin
    unpublish: admin
    proxy: npmjs
logs: { type: stdout, format: pretty, level: http }
Environment information
Environment Info:
  System:
    OS: macOS 11.4
    CPU: Intel
  Binaries:
    npm: 7.18.1
  npmGlobalPackages:
    verdaccio: 5.1.1
Debugging output
npm audit fix --ddd --registry http://localhost:4873/
npm verb cli [
npm verb cli '/.../.n/bin/node',
npm verb cli '/.../.n/bin/npm',
npm verb cli 'audit',
npm verb cli 'fix',
npm verb cli '--ddd',
npm verb cli '--registry',
npm verb cli 'http://localhost:4873/'
npm verb cli ]
npm info using npm@7.18.1
npm info using node@v14.17.1
npm timing npm:load:whichnode Completed in 1ms
npm timing config:load:defaults Completed in 2ms
npm timing config:load:file:..../npm/npmrc Completed in 1ms
npm timing config:load:builtin Completed in 1ms
npm timing config:load:cli Completed in 4ms
npm timing config:load:env Completed in 0ms
npm timing config:load:file:..../audit-test/.npmrc Completed in 1ms
npm timing config:load:project Completed in 2ms
npm timing config:load:file:..../.npmrc Completed in 2ms
npm timing config:load:user Completed in 2ms
npm timing config:load:global Completed in 0ms
npm timing config:load:validate Completed in 2ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 15ms
npm timing npm:load:configload Completed in 16ms
npm timing npm:load:setTitle Completed in 23ms
npm timing npm:load:setupLog Completed in 1ms
npm timing npm:load:cleanupLog Completed in 3ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load:projectScope Completed in 1ms
npm timing npm:load Completed in 48ms
npm timing config:load:flatten Completed in 6ms
npm timing arborist:ctor Completed in 1ms
npm sill audit bulk request { lodash: [ '4.17.21' ] }
npm http fetch POST 404 http://localhost:4873/-/npm/v1/security/advisories/bulk 34ms
npm sill audit bulk request failed <!DOCTYPE html>
npm sill audit <html lang="en">
npm sill audit <head>
npm sill audit <meta charset="utf-8">
npm sill audit <title>Error</title>
npm sill audit </head>
npm sill audit <body>
npm sill audit <pre>Cannot POST /-/npm/v1/security/advisories/bulk</pre>
npm sill audit </body>
npm sill audit </html>
npm sill audit
npm http fetch POST 200 http://localhost:4873/-/npm/v1/security/audits/quick 1023ms
npm timing auditReport:getReport Completed in 1068ms
npm sill audit report {}
npm timing auditReport:init Completed in 0ms
npm timing audit Completed in 1126ms
npm timing idealTree:init Completed in 1ms
npm timing idealTree:userRequests Completed in 0ms
npm sill idealTree buildDeps
npm timing idealTree:#root Completed in 0ms
npm timing idealTree:buildDeps Completed in 0ms
npm timing idealTree:fixDepFlags Completed in 0ms
npm timing idealTree Completed in 3ms
npm timing arborist:ctor Completed in 0ms
npm timing reify:loadTrees Completed in 10ms
npm timing reify:diffTrees Completed in 1ms
npm sill reify moves {}
npm timing reify:retireShallow Completed in 0ms
npm timing reify:createSparse Completed in 0ms
npm timing reify:loadBundles Completed in 0ms
npm sill audit bulk request { lodash: [ '4.17.21' ] }
npm timing reify:unpack Completed in 0ms
npm timing reify:unretire Completed in 0ms
npm timing build:queue Completed in 0ms
npm timing build:deps Completed in 0ms
npm timing build Completed in 1ms
npm timing reify:build Completed in 1ms
npm timing reify:trash Completed in 0ms
npm timing reify:save Completed in 3ms
npm http fetch POST 404 http://localhost:4873/-/npm/v1/security/advisories/bulk 12ms
npm sill audit bulk request failed <!DOCTYPE html>
npm sill audit <html lang="en">
npm sill audit <head>
npm sill audit <meta charset="utf-8">
npm sill audit <title>Error</title>
npm sill audit </head>
npm sill audit <body>
npm sill audit <pre>Cannot POST /-/npm/v1/security/advisories/bulk</pre>
npm sill audit </body>
npm sill audit </html>
npm sill audit
npm http fetch POST 400 http://localhost:4873/-/npm/v1/security/audits/quick 338ms
npm verb audit error HttpErrorGeneral: 400 Bad Request - POST http://localhost:4873/-/npm/v1/security/audits/quick - Bad Request
npm verb audit error at /.../.n/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:95:15
npm verb audit error at processTicksAndRejections (internal/process/task_queues.js:95:5)
npm verb audit error at async Map.[getReport] (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:318:21)
npm verb audit error at async Map.run (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:105:19)
npm verb audit error at async Arborist.reify (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:139:5)
npm verb audit error at async Audit.audit (/.../.n/lib/node_modules/npm/lib/audit.js:66:5)
npm verb audit error HttpErrorGeneral: 400 Bad Request - POST http://localhost:4873/-/npm/v1/security/audits/quick - Bad Request
npm verb audit error at /.../.n/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:95:15
npm verb audit error at processTicksAndRejections (internal/process/task_queues.js:95:5)
npm verb audit error at async Map.[getReport] (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:318:21)
npm verb audit error at async Map.run (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:105:19)
npm verb audit error at async Arborist.reify (/.../.n/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:139:5)
npm verb audit error at async Audit.audit (/.../.n/lib/node_modules/npm/lib/audit.js:66:5) {
npm verb audit error headers: [Object: null prototype] {
npm verb audit error 'x-powered-by': [ 'verdaccio/5.1.1' ],
npm verb audit error 'access-control-allow-origin': [ '*' ],
npm verb audit error date: [ 'Fri, 25 Jun 2021 17:04:21 GMT' ],
npm verb audit error 'content-type': [ 'application/json; charset=utf-8' ],
npm verb audit error 'content-length': [ '126' ],
npm verb audit error connection: [ 'keep-alive' ],
npm verb audit error 'cf-ray': [ '664fc6461e6e6249-OTP' ],
npm verb audit error 'cache-control': [ 'no-cache' ],
npm verb audit error vary: [ 'origin, Accept-Encoding' ],
npm verb audit error 'cf-cache-status': [ 'DYNAMIC' ],
npm verb audit error 'access-control-allow-credentials': [ 'true' ],
npm verb audit error 'access-control-expose-headers': [ 'Content-Type,Content-Length' ],
npm verb audit error 'cf-request-id': [ '0ae5ba3fce000062496' ],
npm verb audit error 'expect-ct': [
npm verb audit error 'max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"'
npm verb audit error ],
npm verb audit error server: [ 'cloudflare' ],
npm verb audit error 'x-fetch-attempts': [ '1' ]
npm verb audit error },
npm verb audit error statusCode: 400,
npm verb audit error code: 'E400',
npm verb audit error method: 'POST',
npm verb audit error uri: 'http://localhost:4873/-/npm/v1/security/audits/quick',
npm verb audit error body: {
npm verb audit error statusCode: 400,
npm verb audit error error: 'Bad Request',
npm verb audit error message: 'Invalid package tree, run npm install to rebuild your package-lock.json'
npm verb audit error },
npm verb audit error pkgid: undefined
npm verb audit error }
npm sill audit error [object Object]
npm timing auditReport:getReport Completed in 358ms
npm sill audit report null
npm timing reify:audit Completed in 358ms
npm timing reify Completed in 373ms
npm WARN audit 400 Bad Request - POST http://localhost:4873/-/npm/v1/security/audits/quick - Bad Request
{
statusCode: 400,
error: 'Bad Request',
message: 'Invalid package tree, run npm install to rebuild your package-lock.json'
}
npm timing command:audit Completed in 1503ms
npm ERR! audit endpoint returned an error
npm verb exit 1
npm timing npm Completed in 2016ms
npm verb code 1
set DEBUG 'express: verdaccio request' & verdaccio --config ./config.yaml*
warn --- http address - http://localhost:4873/ - verdaccio/5.1.1
express:router dispatching POST /-/npm/v1/security/advisories/bulk +11s
express:router query : /-/npm/v1/security/advisories/bulk +0ms
express:router expressInit : /-/npm/v1/security/advisories/bulk +1ms
express:router corsMiddleware : /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +1ms
http --- 127.0.0.1 requested 'POST /-/npm/v1/security/advisories/bulk'
express:router errorReportingMiddleware : /-/npm/v1/security/advisories/bulk +2ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router compression : /-/npm/v1/security/advisories/bulk +1ms
express:router trim prefix (/-/npm/v1/security) from url /-/npm/v1/security/advisories/bulk +0ms
express:router router /-/npm/v1/security : /-/npm/v1/security/advisories/bulk +0ms
express:router dispatching POST /advisories/bulk +0ms
express:router router : /-/npm/v1/security/advisories/bulk +1ms
express:router dispatching POST /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router jsonParser : /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +25ms
express:router encodeScopePackage : /-/npm/v1/security/advisories/bulk +0ms
express:router router : /-/npm/v1/security/advisories/bulk +1ms
express:router dispatching POST /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router setSecurityWebHeaders : /-/npm/v1/security/advisories/bulk +1ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +1ms
express:router final : /-/npm/v1/security/advisories/bulk +0ms
http --- 404, user: null(127.0.0.1), req: 'POST /-/npm/v1/security/advisories/bulk', bytes: 42/173
express:router dispatching POST /-/npm/v1/security/audits/quick +18ms
express:router query : /-/npm/v1/security/audits/quick +1ms
express:router expressInit : /-/npm/v1/security/audits/quick +0ms
express:router corsMiddleware : /-/npm/v1/security/audits/quick +0ms
express:router <anonymous> : /-/npm/v1/security/audits/quick +0ms
http --- 127.0.0.1 requested 'POST /-/npm/v1/security/audits/quick'
express:router errorReportingMiddleware : /-/npm/v1/security/audits/quick +1ms
express:router <anonymous> : /-/npm/v1/security/audits/quick +0ms
express:router compression : /-/npm/v1/security/audits/quick +0ms
express:router trim prefix (/-/npm/v1/security) from url /-/npm/v1/security/audits/quick +0ms
express:router router /-/npm/v1/security : /-/npm/v1/security/audits/quick +1ms
express:router dispatching POST /audits/quick +0ms
http --- 200, user: null(127.0.0.1), req: 'POST /-/npm/v1/security/audits/quick', bytes: 259/145
express:router dispatching POST /-/npm/v1/security/advisories/bulk +604ms
express:router query : /-/npm/v1/security/advisories/bulk +0ms
express:router expressInit : /-/npm/v1/security/advisories/bulk +0ms
express:router corsMiddleware : /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
http --- 127.0.0.1 requested 'POST /-/npm/v1/security/advisories/bulk'
express:router errorReportingMiddleware : /-/npm/v1/security/advisories/bulk +1ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +1ms
express:router compression : /-/npm/v1/security/advisories/bulk +0ms
express:router trim prefix (/-/npm/v1/security) from url /-/npm/v1/security/advisories/bulk +0ms
express:router router /-/npm/v1/security : /-/npm/v1/security/advisories/bulk +0ms
express:router dispatching POST /advisories/bulk +0ms
express:router router : /-/npm/v1/security/advisories/bulk +0ms
express:router dispatching POST /-/npm/v1/security/advisories/bulk +1ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router jsonParser : /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +1ms
express:router encodeScopePackage : /-/npm/v1/security/advisories/bulk +0ms
express:router router : /-/npm/v1/security/advisories/bulk +2ms
express:router dispatching POST /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router setSecurityWebHeaders : /-/npm/v1/security/advisories/bulk +0ms
express:router <anonymous> : /-/npm/v1/security/advisories/bulk +0ms
express:router final : /-/npm/v1/security/advisories/bulk +0ms
http --- 404, user: null(127.0.0.1), req: 'POST /-/npm/v1/security/advisories/bulk', bytes: 42/173
express:router dispatching POST /-/npm/v1/security/audits/quick +8ms
express:router query : /-/npm/v1/security/audits/quick +0ms
express:router expressInit : /-/npm/v1/security/audits/quick +0ms
express:router corsMiddleware : /-/npm/v1/security/audits/quick +1ms
express:router <anonymous> : /-/npm/v1/security/audits/quick +0ms
http --- 127.0.0.1 requested 'POST /-/npm/v1/security/audits/quick'
express:router errorReportingMiddleware : /-/npm/v1/security/audits/quick +0ms
express:router <anonymous> : /-/npm/v1/security/audits/quick +0ms
express:router compression : /-/npm/v1/security/audits/quick +0ms
express:router trim prefix (/-/npm/v1/security) from url /-/npm/v1/security/audits/quick +0ms
express:router router /-/npm/v1/security : /-/npm/v1/security/audits/quick +0ms
express:router dispatching POST /audits/quick +1ms
http --- 400, user: null(127.0.0.1), req: 'POST /-/npm/v1/security/audits/quick', bytes: 140/126
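As an added example (not part of the original issue and not npm or Verdaccio code), this Node.js script pulls the audit endpoint calls out of a `--ddd` log like the one above and flags the pattern visible here: a 404 on advisories/bulk, then audits/quick answering 200 once and 400 later. The sample log is constructed from lines in the output above; the function names are hypothetical.

```javascript
// SAMPLE_LOG is constructed from lines of the debugging output shown above.
const SAMPLE_LOG = `
npm http fetch POST 404 http://localhost:4873/-/npm/v1/security/advisories/bulk 34ms
npm http fetch POST 200 http://localhost:4873/-/npm/v1/security/audits/quick 1023ms
npm http fetch POST 404 http://localhost:4873/-/npm/v1/security/advisories/bulk 12ms
npm http fetch POST 400 http://localhost:4873/-/npm/v1/security/audits/quick 338ms
npm verb audit error message: 'Invalid package tree, run npm install to rebuild your package-lock.json'
`;

// Matches npm's "http fetch" log lines for the two audit endpoints seen in the log.
const FETCH_RE =
  /^npm http fetch POST (\d{3}) (\S+\/-\/npm\/v1\/security\/(advisories\/bulk|audits\/quick))\b/;

// Returns the audit calls in the order npm made them.
function parseAuditCalls(log) {
  const calls = [];
  for (const line of log.split('\n')) {
    const m = FETCH_RE.exec(line.trim());
    if (m) calls.push({ status: Number(m[1]), endpoint: m[3] });
  }
  return calls;
}

// Turns the call sequence into findings a registry operator can act on.
function diagnose(log) {
  const calls = parseAuditCalls(log);
  const bulk = calls.filter((c) => c.endpoint === 'advisories/bulk');
  const quick = calls.filter((c) => c.endpoint === 'audits/quick');
  const findings = [];
  if (bulk.length > 0 && bulk.every((c) => c.status === 404)) {
    findings.push('registry does not route advisories/bulk; npm fell back to audits/quick');
  }
  if (quick.some((c) => c.status === 200) && quick.some((c) => c.status >= 400)) {
    findings.push('audits/quick accepted one request but rejected a later one');
  }
  if (/Invalid package tree/.test(log)) {
    findings.push('audit endpoint rejected the submitted package tree');
  }
  return { calls, findings };
}

console.log(diagnose(SAMPLE_LOG).findings.join('\n'));
```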
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:6 (4 by maintainers)
Top GitHub Comments
Should be fixed with v5.1.4
Hello,
I fell here after having an “Invalid package tree, run npm install to rebuild your package-lock.json” error while running npm audit on npm@8. This is not related to Verdaccio, but to anyone having the same problem, you can run the following to make it work.