Running npm audit when using private registry

As I wrote previously, NPM got a great tool for checking security of the dependencies – npm audit.

However, if running npm audit and using private package registry (Proget, Artifactory, etc), it may fail with “npm ERR! 400 Bad Request – POST” when trying to send audit details collected about your dependencies for checking to https://<YOUR FEED URI>/-/npm/v1/security/audits – the assumed security audit endpoint of the private registry. Most likely, your registry doesn’t replicate official npm security API.

To fix the issue, simply add the public registry endpoint to your npm audit command line:

npm audit --registry=""

1 Comment

  1. May says:

    It works great on command line. Thanks.
    My problem is that : i want to add it to script to enable every developer using it without add the public entry point.
    To do this i simply add a script line in my package.json as following:
    “audit”: “npm audit –registry=”
    However “npm run audit” not only outputs the security analysis result (same as run it from common line), but also appended one error message as following:

    npm ERR! code ELIFECYCLE
    npm ERR! errno 1
    npm ERR! myFrontEnd@1.0.0 audit: `npm audit –registry=`
    npm ERR! Exit status 1
    npm ERR!
    npm ERR! Failed at the myFrontEnd@1.0.0 audit script.
    npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

    npm ERR! A complete log of this run can be found in:
    npm ERR! C:\Users\…\Roaming\npm-cache\_logs\2019-01-14T02_50_05_437Z-debug.log

    Any idea?

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s